2CLIX knows that your security and privacy are important and cares deeply about them.
This document describes how responsibilities are distributed along the supply chain of the Quality Portal service provided by 2CLIX TECNOLOGIA EIRELLI.
DEFINITION
The Quality Portal is classified as a SaaS (Software as a Service) offering: a web-based application that requires an account with valid access and an internet connection in order to be used.
To ensure the continuity and availability of the services provided by 2clix, the Quality Portal runs on cloud computing infrastructure: 2clix contracts the provider QTS for the use of its servers under an IaaS (Infrastructure as a Service) model. In this model, the Data Center delivers the data center infrastructure and the contracted servers as its service to the organization.
This creates the following service chain:
CHAIN OF RESPONSIBILITY
Client
The Quality Portal is mainly based on the functionality of creating forms, filling them in, and displaying reports. For this purpose, it relies on a platform that offers extensive customization throughout the system. As it is a SaaS, it is precisely in these customizations that the Client’s responsibility lies.
By default, the system has its own logon system, standard form fields that do not request personal data, and access permission models based on the type of user. From this standard model, the client’s users can modify the environment as desired to meet their needs. These customizations include:
- Integration with external identity providers (external AD), such as Azure AD and Google Auth;
- Blocking external access to the platform by means of IP restrictions;
- Configuring the strength level required for passwords when using the platform’s logon;
- Configuring the number of login attempts a user can make before being blocked;
- Configuring the lockout time for incorrect access attempts;
- Creating the initial password to be used for the first access of new users;
- Creating additional fields in registration forms (Users and Monitoring Spreadsheets);
- Integration with Zendesk to consult tickets during a monitoring activity;
- Creating custom user types;
- Changing access permissions for all user types.
These customizations allow the user to build the application according to their needs, but they also make the user responsible for the level of security of access to their environment. In addition, by customizing registration forms, users can create registration fields that will contain personal data or sensitive personal data. For such cases, the system offers an option to flag the field as “sensitive personal data”, and the user must select this option when creating the field.
Therefore, the client is expected to be accountable for the appropriate use of the platform by its users, for the customizations and configurations of its environment, and for the types of data that will be handled in the Quality Portal.
Data Center
By providing an IaaS-type service, the Data Center is responsible for ensuring the physical security of the servers and network, as well as guaranteeing 24/7 service availability. It is responsible for the data center’s physical network, equipment, authorized personnel and redundancy measures for backup, internet connection, and prevention of environmental, mechanical, or electrical failures.
2clix
2clix is responsible for maintaining the Server Operating System, access control, installed software, and monitoring. It is also responsible for protecting stored data, generating backups and testing them, maintaining the database, configuring the Firewall and VPNs, as well as using HTTPS connections for access to the Quality Portal, keeping certificates up to date.
Thus, the organization’s responsibility covers everything within the cloud architecture provided by the Data Center, and in particular the data that enters and leaves the servers.
The organization is therefore responsible for the following security controls and processes:
- Controlling access to the server via VPN or FTP;
- Updating the server’s Operating System and software;
- Applying security patches;
- Creating, maintaining, and editing Firewall rules;
- Monitoring server access logs and events;
- Creating data backup routines, encrypting them, and testing the backups;
- Maintaining DNS and HTTPS certificates;
- Restoring Quality Portal services and its data on an auxiliary server in the event of a serious failure in the Data Center or main equipment;
- Keeping the data inventory up to date;
- Encrypting data flagged as sensitive;
- Controlling access by its employees and suppliers;
- Monitoring network and servers;
- Monitoring the Database;
- Handling vulnerabilities and application security;
- Maintaining the Quality Portal;
- Hardening the equipment.