Designed for Your Safety and Privacy

At VueOps we are committed to keeping your information private, safe, and secure.


Security Standards Compliance

VueOps SiteLine℠ is a multi-tenant platform, a type of software architecture that isolates tenants from one another while they use the same infrastructure, database, and/or computing resources. Although tenants share the same software, they know nothing about each other, you can’t access someone else’s data, and your own data is fully confidential.

Our current security and privacy objectives address the Top 10 Open Web Application Security Project (OWASP) Security and Privacy Risks as we progress toward compliance with security standards, for example, SOC2 and ISO 27K.

Physical Infrastructure

SiteLine physical infrastructure is hosted and managed on Heroku using Amazon Web Services (AWS). We have completed the AWS Well-Architected Review to establish architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.

SiteLine data, hosted on Amazon, undergoes continual assessment to ensure compliance with industry standards. Amazon’s data center operations have been accredited under numerous standards.

Physical Security, Fire Detection/Suppression, Climate Control, and Management

Our platform utilizes ISO 27001 and FISMA-certified data centers managed by Amazon.

Internet Communication

Firewalls

Firewalls are utilized to restrict access to systems from external networks and between systems internally.

Personal Identification Information

SiteLine stores user email, telephone, and password. There is no transaction or HIPAA information in SiteLine.

Building information in SiteLine consists of locations, for example, levels and rooms, and building equipment that manages environmental, water, power, and waste systems, etc. It does not typically store information about process equipment.

Typically, this information receives a low classification level from our customer’s IT department when we work through the details as part of the IT security assessment process.

All SiteLine application-level data is backed up utilizing Heroku’s infrastructure and stored in the United States of America (AWS USA East Region). Servers are hardened by minimizing the external footprint.

SiteLine ensures that all TLS connections are terminated using correct certificates and follow best practices, such as perfect forward secrecy. Communications are secured using HTTPS, which encrypts and authenticates communications using TLS 1.2.

Information Protection

Our platform protects against DDoS attacks using Cloudflare services, and we perform quarterly source code vulnerability scans. These scans allow us to identify coding best practice issues and ensure that software components are updated.

Access

In addition, we provide robust access control features, including:

  • Strong password policy
  • Multi-factor authentication
  • reCAPTCHA to guard against bot access
  • Single sign-on per customer request

Organization

Segregation of Duties

The primary segregation of duties is between development and operations teams. Our information security policies include the separation of development from the staging and production environments.

Deployment to staging and production is strictly controlled by the operations team, including administrative and application access, based on least-privilege principles.

System access is limited to VueOps-designated team members and requires a username and key authentication.

VueOps Team Members

VueOps team members are at-will employees and therefore can be terminated at any time with due process and cause. SiteLine data security breaches found to be caused by a team member could be cause for termination. Team members are required to take cyber security training courses and have access to information protection applications.

Third Parties

VueOps has developed a third-party risk assessment program and conducts periodic reviews, typically annually, of third-party products and services that are incorporated into the product platform.