Silcube is hosted in Microsoft Azure data centres. The application runs on an Azure-hosted, Linux-based virtual machine. Data is stored in Azure's elastic SQL cloud database service and is encrypted at rest.
The back end is built on Java and SQL databases; the front end uses modern UI frameworks such as Vue.js.
The application runs, and its data is hosted, in the EU, in Microsoft's Irish, Dutch or Finnish data centres, unless another Azure region is agreed with the client.
Silcube’s cybersecurity is based on the following elements:
1. Continuous Risk Assessment: Silcube considers the technical, architectural, and personnel-related risks in all of its operations.
2. Processes: Silcube has a clear process for password and certificate management, access control, and incident response.
3. Employee training and awareness: Silcube regularly trains its staff on cybersecurity.
4. Incident response: Silcube has a process for rapid action when a security incident is occurring or imminent, including methods of contacting key personnel and their deputies outside work hours.
5. Regular testing and monitoring: Silcube tests its software through unit tests, exploratory tests, and penetration tests.
6. Updates: Silcube maintains an up-to-date technical stack and systematically eliminates technical debt such as deprecated software modules.
7. Continuous improvement: Silcube continuously evaluates and improves its cybersecurity risk management program to stay current.
8. Encryption and access control: Silcube uses encryption and access control mechanisms to protect sensitive data and limit access to authorized personnel only.
9. Data backup and recovery: Silcube has a robust data backup and recovery plan in place to ensure that critical data can be restored in the event of a cyberattack or other disaster.
10. Regulatory compliance: Silcube complies with laws and regulations applicable to it.
11. Threat intelligence: Silcube actively monitors for potential cybersecurity threats and leverages threat intelligence to proactively identify and respond to emerging threats.
Silcube follows a thorough risk assessment process with the following key steps:
1. Identify targets: identify the assets that could be targeted.
2. Identify threats: identify the threats facing those targets and their attack vectors. These include, but are not limited to, personnel-related risks such as social engineering or physical theft.
3. Identify vulnerabilities: identify known or potential vulnerabilities that could be exploited, including those caused by staff error.
4. Prioritize by likelihood and damage: the priority of an ongoing security practice (for example, mandatory use of prepared statements to prevent SQL injection) or of a corrective action (for example, updating or refactoring code) is based on the likelihood of the risk and the damage it would cause.
5. Develop mitigation strategies: risks that cannot be prevented are mitigated by defining actions whose execution is monitored.
6. Implement and monitor: the effectiveness of risk management is regularly reviewed and tested.
Silcube uses the OWASP Application Security Verification Standard (ASVS) as the basis for platform security and its testing. For the security architecture of data storage and software execution environments, Silcube relies on Microsoft Azure services and Azure's best practices.
When an incident is reported or identified, the person who notices it announces it in Silcube's internal communication system (Slack or Teams) and ensures the information reaches the primary expert (typically the Chief Architect), keeping the whole Incident Response Team informed. Security incidents are prioritized as Critical (the highest level, until downgraded) in Silcube's prioritization and require immediate action. On-call personnel are always available so that an incident is reacted to no later than 24 hours after it is reported, and sooner if separately escalated. Members of the incident response team have each other's personal phone numbers. After an incident, or the risk of one, has been analysed, the Chief Architect sets the priority of technical corrective actions; non-technical corrective actions are defined by the CEO or a delegate.
Data recovery is critical for our clients' business continuity. Recovery relies on database-level support in Microsoft Azure and is tested to work. Backups of all data are stored regularly in Microsoft Azure services to provide disaster recovery capability. Client data is geo-redundant, so it does not depend on a single physical storage location. Multiple backups are kept, enabling point-in-time recovery within the preceding 30 days. In case of a disaster, Silcube can restore all data from backups upon request.
All data is hosted on the Microsoft Azure platform, which provides a secure foundation with high availability and reliability. All actions are logged and auditable so that malicious activity can be detected and investigated. All servers are backed up frequently with full backups and fast restoration, so that data is not lost and malicious alterations to data can be reverted once discovered.
To ensure secure data storage and delivery, each company's data in Silcube is stored separately from other companies' data, which avoids the risk of data contamination and allows each client's data to be extracted as a fully functional database structure. Silcube uses only HTTPS connections for all information delivery, encrypting all data in transit. Application logs are stored in environments with the same security standards as the application servers and can be accessed only by team members with a system administrator role. Users with a company administrator role can set detailed permissions controlling what other users within the company can do in Silcube, such as managing trades or counterparty data, or generating reports. All backups, databases and application servers are encrypted with cryptography meeting the FIPS 140-2 standard, using AES with 256-bit keys, one of the strongest block ciphers available. All keys are kept in Azure Key Vault; master keys are kept in secure password-safe systems.
User authentication supports two-factor authentication. Within the system, Silcube provides granular access controls over users' view, edit and approval rights.
Silcube implements the following steps to screen employees and contractors:
• Check the credit records of new employees and subcontractors who will have access to client data
• Have every new hire interviewed by at least three in-house staff
• Verify the references of all hires
• Require a personal confidentiality undertaking from all hires
• Restrict access to data and systems on a need-to-know basis at all times
• For high-risk positions, Silcube may request a security clearance check through Suojelupoliisi (the Finnish Security and Intelligence Service).
All contractor and employment agreements contain a non-disclosure provision, whose importance is emphasized to each counterparty at signing.
Security awareness training is given throughout the organization every year. Silcube has a policy of regular (annual) information security and compliance training, plus training for new hires. All new hires and contractor personnel must sign a confidentiality agreement as part of their employment contract or subcontracting agreement.
Silcube has a contract including non-disclosure provisions with each of its partners. Access to systems, data and source code is limited on a need-to-know basis. Silcube fosters long-standing relationships with its clients and partners and onboards partners and new employees step by step, continuously monitoring integrity and responsibility.
We rely on the data security processes and commitments of best-in-class partners such as Microsoft. With other third parties, we primarily avoid exposing any confidential or sensitive data or material at all, and in each case limit access to what is necessary for performing the work. Partnerships with software developers are based on agreements that include non-disclosure agreements. Silcube does not rely on security by obscurity: access to the source code does not give access to client data, which is protected by encryption and key vaults. The introduction of back doors or other malicious code is guarded against by a central code repository that provides full traceability of any code proposed for inclusion, code reviews, unit tests, and the ability to revert to any previous version of the software in minutes.
Customer data is protected at the database level: any personally identifiable information is masked or removed before it leaves the database unless a user has been granted specific permission to query it. All client communications are encrypted with TLS 1.2 or newer. When requested by the customer, or upon contract termination, Silcube completely deletes all of the customer's data.
Silcube protects client data with several measures. First, each company's data is stored separately to avoid the risk of contamination. All data in transit is encrypted using HTTPS connections, and all application logs are stored in secure environments that can be accessed only by system administrators. Furthermore, data backups, databases and application servers are encrypted with cryptography meeting the FIPS 140-2 standard, using AES with 256-bit keys, with all keys kept in Azure Key Vault. User authentication supports two-factor authentication, and granular access controls within the system govern users' view, edit and approval rights. Silcube also performs data backup and recovery so that critical data can be restored in the event of a cyberattack or disaster. Any personally identifiable information is masked or removed before it leaves the database unless a user has been granted specific permission to query it.
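The database-level PII masking mentioned in the paragraph above and in the earlier customer-data paragraph can be implemented in several ways on Azure SQL; one of them is Dynamic Data Masking (DDM), which rewrites query results for principals that lack the UNMASK permission. The following T-SQL is an added illustration of that approach, not Silcube's own schema or code, and the page does not say which mechanism Silcube actually uses. The table, column, role and user names and the sample row are hypothetical.

```sql
-- Added example, not Silcube's code: PII masking at the database level with
-- Azure SQL / SQL Server Dynamic Data Masking (DDM). Table, role and user
-- names are hypothetical; the inserted row is constructed sample data.
CREATE TABLE dbo.Counterparty (
    CounterpartyId int IDENTITY(1,1) PRIMARY KEY,
    LegalName      nvarchar(200) NOT NULL,                                   -- not PII, left in clear
    ContactEmail   nvarchar(200) MASKED WITH (FUNCTION = 'email()') NULL,    -- email(): keeps first letter and ".com" only
    ContactPhone   varchar(32)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL, -- partial(): last 4 characters visible
    NationalId     varchar(32)   MASKED WITH (FUNCTION = 'default()') NULL   -- default(): string fully replaced by X characters
);

-- Constructed sample row.
INSERT INTO dbo.Counterparty (LegalName, ContactEmail, ContactPhone, NationalId)
VALUES (N'Example Trading Oy', N'anna.virtanen@example.com', '358401234567', '010190-123A');

-- Ordinary application readers: SELECT is allowed, but masked columns come back masked.
CREATE ROLE app_reader;
GRANT SELECT ON dbo.Counterparty TO app_reader;

-- Users explicitly permitted to query PII: the database-level UNMASK permission lifts the masks.
CREATE ROLE pii_reader;
GRANT SELECT ON dbo.Counterparty TO pii_reader;
GRANT UNMASK TO pii_reader;

-- Demonstration with a login-less database user (convenient in an Azure SQL test database).
CREATE USER analyst WITHOUT LOGIN;
ALTER ROLE app_reader ADD MEMBER analyst;

-- As a plain app_reader the PII columns are returned masked.
EXECUTE AS USER = 'analyst';
SELECT LegalName, ContactEmail, ContactPhone, NationalId FROM dbo.Counterparty;
REVERT;

-- After granting the specific permission, the same query returns the stored values.
ALTER ROLE pii_reader ADD MEMBER analyst;
EXECUTE AS USER = 'analyst';
SELECT LegalName, ContactEmail, ContactPhone, NationalId FROM dbo.Counterparty;
REVERT;
```

Two caveats a practitioner should keep in mind with this approach. DDM only rewrites result sets: the values are stored in clear, so encryption at rest and key management in Key Vault are still required, and a principal with SELECT but without UNMASK can still probe masked values with predicates such as `WHERE NationalId LIKE '0101%'`. Members of db_owner and principals holding ALTER ANY MASK also bypass the masks. DDM therefore complements, rather than replaces, the application's own permission checks and the per-company data separation described above.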
Silcube complies with data protection laws and regulations through a series of practices. In its normal operation, Silcube adheres to the data protection laws of Finland and the EU General Data Protection Regulation (GDPR). It handles client data on the basis of Data Protection Agreements annexed to all agreements. If other legal frameworks have been agreed with a client in a Service Level Agreement (SLA), those commitments are followed. When working with third-party services such as Microsoft, Silcube relies on the GDPR covenants provided by those companies. Upon customer request or contract termination, Silcube executes a complete deletion of all data, honouring the right to erasure ("right to be forgotten") under the GDPR.