Perceptor Inspection Technologies Security & Compliance Statement
Introduction
At Perceptor Inspection Technologies Ltd we take security and compliance very seriously. Our customers' concern to protect and ensure the security and integrity of their data is at the heart of our product development.
This document, which sets out to provide a high-level insight into our policies and approach to security and compliance, is commercially sensitive and confidential. It is provided to valued prospective customers on the strict understanding that this information remains confidential between the parties.
Keeping it confidential is beneficial and critical to our future business partnership.
"We treat the integrity of our platform and application with the utmost respect and recognise the need to have security and compliance at the forefront of our development schedule at all times. All of our stakeholders can trust us to provide a secure platform today and in the future."
Mark Worlidge – Founder & CEO, Perceptor Inspection Technologies Ltd
Software Dependencies
Like any large software application, our Perceptor software has dependencies. To maintain visibility and control over all of them, we actively manage and review these dependencies. To this end we have recently invested significant resource to migrate our application to run on .NET 8, which is the latest release, so that we can keep the product up to date with the latest security enhancements as they are released by Microsoft.
In addition, where possible we have replaced DLLs with NuGet packages so that they can be actively managed and reported against to identify any out-of-date or vulnerable dependencies. We regularly check the dependencies of our software using OWASP (Open Worldwide Application Security Project) Dependency-Check so that any dependencies we use which have known vulnerabilities can be identified and fixed without delay.
A copy of the latest OWASP report can be provided to trusted parties on request.
Subscription Infrastructure
We offer Perceptor IoT on two licence platforms. Our Azure Perceptor Cloud Tenancy offers a secure, segregated subscription and authenticated data transfer from the IoT device to the cloud. It utilizes the latest built-in security features to ensure that each customer's data remains private to them:
- Encrypted secure customer key vault
- Multi Factor Authentication login
- Self-signed certificates
- TLS encryption
- OAuth 2.0 authentication
- IP address listing
- Unique device IDs
Lifetime OnPrem
For customers that wish to provide their own hardware platform and host their own SQL server instance, Perceptor IoT is available as an OnPrem Lifetime solution. With the same authentication and authorisation methods as the subscription offering, Perceptor IoT can be integrated with Entra ID or, if no access to the internet is allowed, with a Local User Management capability. For security reasons our recommendation is to utilize Entra ID but customers can elect to adopt local user management at their own risk, should they prefer.
Lifetime OnPrem does not offer the same level of security as the Subscription which benefits from an encrypted secure customer key vault but it does still include:
- Self-signed certificates
- TLS encryption
- IP address listing
- Unique device IDs
Authentication and Authorisation
Authentication is performed either by a person logging in via Microsoft Entra ID or, for machine-to-machine authentication, by a self-signed certificate.
Perceptor IoT integrates with Microsoft Entra ID and can be registered with the customer’s own Entra ID or, for an annual fee, utilize Perceptor’s Entra ID. Our Perceptor Entra ID Tenant default position is that all users are subscribed into Multi-Factor Authentication (MFA). To remove this, a monthly per user licence fee is payable.
Once Perceptor IoT has been registered as an Enterprise Application in your Entra ID tenant, users are added to a Group. Once in this Group they can be imported into the Perceptor app and assigned to User Role Groups, within which permissions are set. This ensures that Operators can only run the system, while Supervisors and Administrators have varying elevated permissions.
SOC 2 Compliance
SOC 2 was developed by the American Institute of CPAs (AICPA) and provides the framework for how organizations should manage customer data. At the core of the standard are the five trust service principles: security, availability, processing integrity, confidentiality and privacy.
In developing Perceptor IoT we have followed industry best practice and taken all the steps in building the product and infrastructure in such a way to ensure we fully meet these core principles. To support and validate this we are completing our organizational and product SOC 2 Type 1 Compliance utilizing an industry leading compliance platform, Secureframe. This will help us to achieve and maintain continuous security and privacy compliance going forwards.
On successful completion of our SOC 2 compliance audit, we will publish the report and make this available on our website.
Penetration Testing
To identify any vulnerabilities in our platform, and to build trust in our product, our infrastructure, desktop application, web APIs and licence server will all be subjected to regular penetration testing. To ensure this testing is carried out in accordance with an internationally recognised standard, it is performed by an external CREST-accredited member organisation and follows the internationally recognised ‘CREST Defensible Penetration Test’ specification.
In recognition of the good discipline and credibility SOC 2 brings to an organization, the Management and Leadership Team have implemented a set of security policies governed by our Information Security Management System (ISMS). All policies are reviewed on an ongoing basis to ensure they remain up to date with industry best practice.
Threat Monitoring through SIEM
As a credible vendor and developer, protecting our infrastructure and customer data by utilizing the latest technologies and adopting enterprise-grade security is at the forefront of our mind. To defend our infrastructure, we utilize Microsoft Defender for Servers and Microsoft Sentinel for our Perceptor Cloud tenancy. Sentinel works 24/7 to uncover sophisticated threats and responds decisively with an intelligent, comprehensive security information and event management (SIEM) solution, giving proactive threat detection.
Not only is our Perceptor Tenant protected but all Perceptor IoT devices are automatically registered and included in our Sentinel domain.
Sentinel does not apply to Lifetime customer deployments as this remains outside our control and resides on their IT infrastructure.
Failover and Data Backup
All Perceptor Cloud customers on a subscription plan benefit from Azure local site replication, automatic failover and continuous data backup for continuity of service and data recovery.
Lifetime customers are responsible for managing their own servers, service availability, security patches, failover and data backups.
GDPR and CCPA
Utilizing best-in-industry processes, Perceptor Inspection Technologies Ltd is fully compliant with GDPR and CCPA. We respect people's privacy and ensure that their data is safe with us, with policies in place to provide full data transparency along with deletion of data should it be requested.
Our privacy policy can be viewed here.