SaaS Platform Security 2020


SaaS Platform Security

Meta4 Technology
2020

www.meta4.com
About this document
The purpose of this document is to present

Confidential – Client Meta4, A Cegid


Confidentiality Level
Company use
Last Update January 2020

This document is the property of Meta4, A Cegid Company, and as such the information contained
herein is strictly confidential.
The reproduction of the whole content or parts of it, in any media, or transfer to third parties, and
for purposes other than evaluation by the client, is strictly forbidden without previous authorization.
It is expressly forbidden to pass this on to third parties, even with the purpose of evaluation for the
client, except with prior written authorization from Meta4, A Cegid Company in each case.
The obligation of confidentiality is indefinitely binding, and therefore it should be respected by the
client beyond the decision-making period itself.

© 2020 Meta4 Spain, S.A.U. All rights reserved.

WARNING: This document is protected by copyright law and international treaties. Permitted use of
this documentation is limited exclusively in relation to the Meta4, A Cegid Company Solutions and
any unauthorized use will be pursued to the full extent of the law. Do not reproduce, modify nor
distribute without the owner’s permission.

Meta4 – Confidential – January 2020 Page 2/12


For exclusive use of Insert Customer here
Contents

1 Introduction (page 4)
2 Physical security (page 5)
3 Security in communications (page 6)
4 Application security (page 7)
4.1 Access control - Roles (page 7)
4.2 User account administration (page 7)
4.3 Transport (page 8)
4.4 Auditing (page 8)
4.5 Single Sign On (page 8)
4.6 Two Factor authentication (page 8)
5 Infrastructure Security (page 9)
5.1 Firewalls/IPS (page 9)
5.2 Antivirus (page 9)
5.3 FTPS/SFTP (page 9)
6 Backup: Methodologies and policies (page 10)
7 Disaster recovery plan (page 11)
8 Data privacy, security procedures & certifications (page 12)

1 INTRODUCTION

Meta4 provides best-in-class security for customer data. The security measures adopted by
Meta4 for the SaaS platform can be summarized as:
• Datacenter security, or physical security.
• Communication security.
• Application security.
• Infrastructure security.
• Backup policy.
• Disaster recovery capabilities and plan.
All these points are detailed in this document to explain the security in place in the Meta4 SaaS
platform to ensure the highest level of data security.

2 PHYSICAL SECURITY
First Class Datacenters
To prevent disasters that entail halting the service provided by Meta4 to its clients, the platform has
been designed on the high-availability model in the main infrastructure.
The Datacenters involved in both the main and the auxiliary infrastructure for disasters and backups
also comply with the conditions necessary to prevent disasters:
• Fail-safe energy with three different supply points from three different substations.
Redundant-parallel UPS, each unit with its own batteries with enough capacity to sustain
the load for 10 minutes. Four backup generators equipped with redundant start-up
devices with independent energy sources. These generators are sized for 130% of the
capacity of the Data Centers at full performance, with tanks large enough to operate for
24h without refuelling.
• Fail-safe communications. Output to the Internet from the infrastructure is comprised of
two redundant 2.4Gbps STM-16 links to the Tier-1 Internet network that links every
continent.
• Early Fire detection and extinguishing systems with optical, smoke and heat detectors
connected to an automatic extinguishing system.
• Environment control system that ensures proper dissipation of heat, designed on the n+1
engineering model such that the unavailability of up to 50% of the elements would not
have a degrading effect on the environment. Around 22ºC and 50% humidity with
redundant air flow systems.
• Redundant equipment and parts are available to make emergency replacements in case
of failure, with direct support from infrastructure component vendors.
• Hours of operation 24 hours a day, 365 days a year.
Security at the Datacenters:
• Facilities and administration operations ISO27001 certified.
• CCTV monitored 24/7 in the exterior and interior zones of the Data Centre.
• Access control: Surveillance cameras, intrusion alarms and 24-hour security personnel
keep watch over the security and integrity of all Datacenters. Video surveillance is
monitored at the security guard station located at the main entrance and at the Network
Operations Centre (NOC), and it is recorded digitally on tape. The Data Centre uses a
card-controlled access system with an access list requiring pre-approved access and
entry/exit procedures.

3 SECURITY IN COMMUNICATIONS
All communications established with Meta4’s Business Services use TLS 1.2 with 256-bit encryption,
including:
• PeopleNet HR Core R.I.A interface
• PeopleNet ESS/MSS module
• SaaS Integration standards: Web Services and FTP integration for Formatted File
exchange.
Security in transport is provided by the 256-bit TLS (HTTPS) protocol with certificates between the DC
and the client, both for the HR user and for the ESS/MSS user, and for all data exchange between the
platform and our clients.
Internal communications between the DCs involved and Meta4 offices are established over private,
secured, dedicated lines. Administrative and monitoring tasks are performed on network
domains separate from those used for production.

4 APPLICATION SECURITY

The security subsystem is a key piece of an integrated HR management system. The information
managed by Meta4 (personal information, compensation, salaries, medical records, and so on) is very
sensitive.
That is why the application includes the mechanisms required to:
• Prevent unauthorized users from accessing the system.
• Guarantee the confidentiality of certain information.
• Prevent unauthorized users from running operations and processes.
• Log all operations carried out by the users in the system components: information stored
in and read from tables, processes run, and so on.
The Meta4 security system has four different levels of security:
• Security at the field and record level in the database tables (Data Security).
• Security at the process level.
• Security at the interface level.
• Security in transport.

All logic executions in Meta4 are carried out based on the user’s roles. An “application role” is a set
of permissions that enable the application to access data (companies, groups of companies, and so
on) and run logic components. These permissions apply to all Meta4 elements (screens and menus,
processes, workflows and job scheduler tasks). The role concept in Meta4 security facilitates the
design and maintenance of the security schemas in the application.

The default Meta4 password policy is:

• Must not contain the user's account name or parts of the user's full name that exceed two
consecutive characters.
• Must be at least 8 characters in length.
• Must contain characters from 3 of the following four categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphabetic characters (for example, !, $, #, %)
• Password expiry: 90 days.
• Password history: 10.
• Password change request at first login.
• Password reset procedure for employees based on key questions.

Customers can request modifications to this configuration only to make it more restrictive.
The customer is responsible for user provisioning and role assignment in the Customer Configuration
Area; Meta4 provides tools that let customers create ESS/MSS users in bulk and deliver the
credentials to the employees in a secure way. Meta4 also provides specific reports that
enable customers to control and review ACLs.
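As an added illustration (not Meta4's code), the following Python validator encodes the default policy listed above so that candidate passwords, expiry and history can be checked mechanically. The account-name/full-name rule is implemented the way the Windows complexity rule does it, as tokens of the full name longer than two characters; that interpretation, the PBKDF2 storage of the password history and the UTC clock are assumptions, and the account used at the end is constructed.

```python
"""Validator for the default password policy in section 4 (added example, not Meta4's code)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8            # "at least 8 characters in length"
CATEGORIES_REQUIRED = 3   # "3 of the following four categories"
HISTORY_DEPTH = 10        # "Password history: 10"
EXPIRY_DAYS = 90          # "Password expiry: 90 days"
# Delimiters used to split the full name into tokens (assumption, Windows-style rule)
NAME_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")


@dataclass
class Account:
    username: str
    full_name: str
    # (salt, PBKDF2 digest) of previous passwords, oldest first (storage format assumed)
    history: list = field(default_factory=list)
    last_change: datetime = field(default_factory=lambda: datetime.min.replace(tzinfo=timezone.utc))
    must_change: bool = True  # "Password change request at first login"


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def name_fragments(account: Account) -> list:
    """Account name plus every full-name token longer than two characters."""
    frags = [account.username.lower()]
    frags += [t.lower() for t in NAME_TOKEN_SPLIT.split(account.full_name) if len(t) > 2]
    return frags


def complexity_errors(password: str, account: Account) -> list:
    """Return the policy rules the candidate password violates (empty list = accepted)."""
    errors = []
    lowered = password.lower()
    for frag in name_fragments(account):
        if frag and frag in lowered:
            errors.append(f"contains name fragment {frag!r}")
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    categories = sum([
        any("A" <= c <= "Z" for c in password),    # English uppercase
        any("a" <= c <= "z" for c in password),    # English lowercase
        any("0" <= c <= "9" for c in password),    # base 10 digits
        any(not c.isalnum() for c in password),    # !, $, #, % and similar
    ])
    if categories < CATEGORIES_REQUIRED:
        errors.append(f"{categories} of 4 character categories, need {CATEGORIES_REQUIRED}")
    # Compare against the stored hashes of the last HISTORY_DEPTH passwords
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in account.history[-HISTORY_DEPTH:]):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors


def change_password(account: Account, new_password: str, now: datetime) -> list:
    """Apply the policy; on success record the new hash and reset the expiry clock."""
    errors = complexity_errors(new_password, account)
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_password, salt)))
    account.history = account.history[-HISTORY_DEPTH:]
    account.last_change = now
    account.must_change = False
    return []


def change_required(account: Account, now: datetime) -> bool:
    """True at first login or once the 90-day expiry has elapsed."""
    return account.must_change or now - account.last_change >= timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    # Constructed account, not a real user
    acct = Account(username="jsmith", full_name="John Smith-Rodriguez")
    t0 = datetime(2020, 1, 15, tzinfo=timezone.utc)
    print(complexity_errors("Smith2020!", acct))      # name fragment 'smith' is rejected
    print(change_password(acct, "Winter!2020x", t0))  # [] means accepted
    print(change_required(acct, t0 + timedelta(days=90)))
```

The checks return a list of violated rules rather than a boolean so the reasons can be shown to the user or logged for auditing without leaking the candidate password itself.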

Security in transport is provided by the 256-bit TLS 1.2 (HTTPS) protocol with certificates between the DC
and the client, both for the HR user and for the ESS/MSS user.

The platform is audit-enabled by means of activity logs on all tiers of the application: web, application
and data. It is also possible to audit application and data processes at the access, modification, insert
and delete levels. Reports are available for customers to analyze this information. These
reports are accessible only to privileged users designated by the customer.

All platform servers and security devices, including IPS, firewalls and load balancers, are audited for
access and at OS level for relevant events. All logs are collected by a central log server, where they
are stored, retained and rotated for monitoring and analysis. Access to this central server is strictly
restricted to the authorized Meta4 personnel in charge of audit monitoring and configuration.

The Meta4 SaaS platform provides the capability to integrate with a Single Sign-On (SSO) system
through out-of-the-box SAML support, using the standard SAML V2 protocol to configure SSO with
federated identity management systems. SAML is broadly adopted by many systems to integrate
heterogeneous services and identity providers; it is standard and flexible, enabling easy
integration with corporate systems. The customer specifies which Identity Provider should be
connected to the SaaS services.

The Meta4 SaaS platform also provides the capability to add a second level of security when accessing
the SaaS Services, with 2FA based on Google Authenticator. This feature increases security by
requesting an additional authentication factor, an OTP on the user’s smartphone. It
can be configured for specific user populations, raising the security for users who access more
sensitive applications.

5 INFRASTRUCTURE SECURITY

The Firewalls used on the platform are capable of generating a double DMZ to isolate the platform
in three secured zones, meaning that data access is isolated by two levels of Firewall.

Dedicated SourceFire IPS devices are configured and managed periodically by the Meta4 systems
department together with the security department of the hosting provider. The IPS devices are
connected to the platform monitoring system to generate the pertinent alerts in the event of
possible attacks.

All software and all production platform environments are scanned by an Antivirus. All administrator
environments are also scanned constantly. The antivirus scanning is connected to the alert
monitoring on the platform, and the antivirus applications are completely updated with the latest
security patches provided by the manufacturer.

The platform has a dedicated secure FTP (FTPS and SFTP) server for the secure management of content
uploading and downloading resulting from process scheduling and from the input/output interfaces
implemented for each client.

6 BACKUP: METHODOLOGIES AND POLICIES
The policy and procedure for backing up the different environments detailed in the sections above
are designed to recover data and environments in less than 6 hours, with a loss of data of less than
4 hours; that is:

Recovery Time Objective (RTO): 6 hours

Recovery Point Objective (RPO): Less than 4 hours

The backup will be done on the primary DC storage system through Snapshots based on NetApp
technology that enables a hot copy (without stopping) of all information, both at the data and file
level and in the configuration of the machines and virtual environments. In parallel, an encrypted
replica is electronically made of all information to the SAN pool at the Contingency Centre so that
the data are available at all times for restoring from both DCs.

In addition, an encrypted third copy is made on an external tape vaulted to Iron Mountain, including:

• Monthly backup stored for two years.
• Yearly backup stored for the duration of the contract.

Recovery tests are run on the tape backups every 3 months to guarantee that the backup processes
are functional and enable proper data recovery. The disk backup recovery tests are run daily, since
the secondary DC runs the DB and environment data restore daily.

7 DISASTER RECOVERY PLAN
As part of the Disaster Recovery Plan, there is a disaster recovery platform at an international Data
Centre (EU) with 100% availability to incorporate the production environment in this infrastructure
in case of disaster.

Characteristics of the Disaster Recovery platform:

• This environment will provide service for the duration of the disaster to the production
environment of the Meta4 product, as well as the CSS system (client relations portal). This
environment does not have HA or balancing; that is, the platform is similar in the
characteristics of the elements of the main environment, but without element duplication.
• This environment contains the latest copies of the environments and data due to the
backup policy applied on the platform. The secondary environment, therefore, is active
with the data copies made of the main environment with the periodicity specified in
section 6 of this document.
• Access to the DR environment by dedicated line, separate from the main environment for
Meta4 operations.

The disaster plan includes teams and procedures to guarantee the continuity of the service in the
event of a severe disaster that leaves some or all of the facilities and infrastructures at the main DC
unusable:

• Team responsible for communication with clients and plan activation.
• Team responsible for service activation in DR and diversion of the service to the DR.
• Team responsible for recovering the service at the main DC and transferring environments
and data.
• Diversion of the backup policy from the main environment to the auxiliary environment
for the duration of the period during which the auxiliary environment acts as the primary.
• Periodical DRP simulations are conducted; these do not affect production activity at all.

8 DATA PRIVACY, SECURITY PROCEDURES & CERTIFICATIONS
Maintaining the Confidentiality, Integrity and Availability of customers’ data inside Meta4 solutions
is a key responsibility of our company. To ensure the best procedures are followed to mitigate the
risks related to this service delivery, Meta4 has opted for a core security standard certification.

Meta4 holds ISO27001:2013 certification, which demonstrates that the key controls of this security standard
are followed to manage and administer the Meta4 SaaS platform and infrastructure.

Interoute, as the subcontracted party that externally hosts and manages this infrastructure, also holds
ISO27001 certification for the Datacenters and operation teams involved. Interoute is also audited
according to the SOC 1 and SOC 2 Type 2 standards.

Meta4 complies legally and technically with the new GDPR, which offers one of the most advanced and
consolidated levels of data privacy protection. As a key data processor for our cloud customers,
Meta4 provides all the information that evidences compliance with the requirements established by
GDPR, which helps our customers with most of their responsibilities as data controller:

• Treatment Map
• Analysis of Impact on Privacy
• Risk analysis
• Security measures according to high risk data
• Continuous improvement in your security measures (PDCA)
• Compliance audit report by a third party
