Quality, Security and Trust

    Thales operates an in-house digital incubator, Thales Digital Factory (TDF), designed to refine start-up ideas from within our organisation and accelerate them to become real-world digital products. Each project is nurtured with highly skilled engineers and processes to allow a quick transition from idea to the releasable digital product. Each project includes architecture and design in the infrastructure and a defined process to ensure security.

    We continuously consider our users, reviewing and updating existing processes, architecture and design to ensure continuous improvement and evolution.

    Thales is a global leader in data encryption, and we secure millions of bank transactions around the world, every day. Never compromising on quality, we live and breathe security; which is why you know your data is always safe and compliant with data protection regulations.

    At ScaleFlyt, we work hard to ensure you will never need to worry about the security of your, or your client’s, data.

    We understand the importance of maintaining and building trust with our Customers and Partners, and we are committed to keeping customer information safe from unauthorised access or processing. We implement a defence-in-depth approach to security, which is a fundamental necessity for our business, and a core value of how we behave as an organisation.

     

    Thales has a dedicated team of security specialists, responsible for ensuring risk assessments are conducted and regularly reviewed.

    Thales’s security team have a wealth of experience across multiple methodologies for risk management which includes ISO 27001, NIST, HMG UK Information Security 1 and 2, and Industrial Control Systems (ICS) framework. ScaleFlyt operates a risk management framework developed aligned with the Cloud Security Alliance (CSA), Cloud Control Methodology (CCM).

    ScaleFlyt is hosted on Microsoft Azure; providing high levels of physical and network security with a high level of availability and resilience and resides in Western Europe. Microsoft Azure maintains an audited security program, which includes SOC 2 and ISO 27001 compliance.

    Microsoft Azure leverages the most advanced facilities infrastructure such as power, networking, and security with (N+1) redundancy architectures as a minimum. ScaleFlyt’s uptime is 99% minimum.

    The physical, environmental, and infrastructure security protections, including continuity and recovery plans amongst others, are independently validated and include but are not limited to ISO27001 and PCI-DSS certification and SOC 1, 2, 3 reports.

    The ScaleFlyt infrastructure is designed with security protections in mind. Network security protections are designed to prevent unauthorised network access to and within the product infrastructure. These security controls include but are not limited to containerisation technology, enterprise-grade routing and network access control lists (firewalling).

    Patches are applied regularly for all released vendor patches applicable to the service. For emergencies, example, out-of-band zero-day related vulnerabilities, we follow the formal change process.

    Logs and events are monitored in real-time with integration into a Security Information Event Monitoring (SIEM) solution managed and controlled by a Security Operations Centre (SOC) team. Events are triaged, investigated, categorised, organised and escalated dependent on severity following a defined playbook process with developers, security experts and support operations teams taking appropriate action.

    Server-level authentication uses public-key cryptography (PKI) and token-based two-factor authentication (2FA), ensuring strict access controls and active security monitoring for access related events.

    Thales has implemented a Web Application Firewall (WAF) for the ScaleFlyt application that actively monitors real-time traffic at the application layer. Custom blocking rules are identified, assessed and implemented as part of the ongoing fine-tuning activities. Microsoft Azure provides Distributed Denial of Service (DDoS) protection.

    The ScaleFlyt development team are UK-based, employees of Thales UK Ltd, with a wide range of technical skillset; these skills include User Interface Design (UI) to cybersecurity specialist allowing a rapid design, scoping and implementation.

    ScaleFlyt development utilises SCRUM agile methodologies and principals for optimal turn around times from user stories to implementation and value creation. Development occurs in multiple environments where key activities are conducted as part of the release pipeline. Each release must pass through a range of security, performance and quality gates giving ScaleFlyt confidence each release has met strict criteria. ScaleFlyt releases to production multiple times per week, ensuring the product is continuously improving and generating value to customers.

    ScaleFlyt utilizes a Continuous Integration and Continuous Deployment strategy to ensure coding standards and quality.

    New code is proposed, approved, merged and deployed. Code reviews and quality assurance performed by specialized teams with excellent knowledge of the project, supplemented by additional key resources as required. For ScaleFlyt, security experts are part of the overall process to ensure secure by design principles, new security requirements are captured, implemented and remain effective.

    Tests in development and/or test environments include analysis of source code quality, unit and integration, quality, build, static security and dependency check, functional checks, dynamic application security testing, and vulnerability scans with remediation activities undertaken to mitigate vulnerabilities following a risk-based approach.

    ScaleFlyt has vulnerability scans periodically performed on the infrastructure and application in addition to security auditing tools built into the deployment pipeline. Penetration tests are conducted at least every cycle. The scope of penetration tests evolves as the service changes and new functionality added in order to ensure the service remains as secure as possible.

    The adopted formal process ensures remediation activities completed in a timely manner consummate to the severity identified prior to release to production. Thales hires security specialists to ensure that all projects are designed and implemented in a secure by design way.

    SOARIZON uses an industry standard PCI-compliant global payment services provider to process online card transactions and ensure that customer payment information is always processed and stored securely.

    ScaleFlyt will never store, process or collect your credit card information used to make purchases. 
     
    In order to protect your card data, Thales use a global PCI (Payment Card Industry) compliant provider to ensure the data is processed securely. 

    All connections to the ScaleFlyt service use a certificate, which enforces secure protocols (TLS 1.2 or higher) to ensure data is encrypted end-to-end, regular tests are conducted to ensure compliance. Data at rest is encrypted including backups that are FIPS140-2 compliant.

    ScaleFlyt utilizes Microsoft Identity and Access Management (IAM) for registration and logon. This provides the option to register/logon using an existing account from a social provider (Microsoft, Google and LinkedIn) in addition to creating a new account.ScaleFlyt does not store any passwords and uses Oauth2 for the authentication framework.

    The SOC provides a 24 x 7 x 365 coverage to monitor and are able to respond quickly to security and privacy events. Pre-defined incident types ‘playbooks’ are created taking into consideration current and historical trends to facilitate timely incident tracking, escalation, and communication. Automated processes such as non-compliance alerts, malicious activity and anomalous events are in place, and continually updated based on latest trends.

    We adhere to  all data privacy and protection regulations applicable to your use of our services, including (but not limited to) the UK Data Protection Act 2018, the European Union (EU) General Data Protection Regulation, and the California ConsumerPrivacy Act 2018.
     
    Our Privacy Policy can be found here.

    Soarizon Security front page

    Download the full quality and security PDF

    iso-27001-logo     Microsoft-Azure-Logo