SaaS Platform Security 2020
Meta4 Technology
2020
www.meta4.com
About this document
The purpose of this document is to present
This document is the property of Meta4, A Cegid Company, and as such the information contained
herein is strictly confidential.
The reproduction of the whole content or parts of it, in any media, or transfer to third parties, and
for purposes other than evaluation by the client, is strictly forbidden without previous authorization.
It is expressly forbidden to pass this on to third parties, even with the purpose of evaluation for the
client, except with prior written authorization from Meta4, A Cegid Company in each case.
The obligation of confidentiality is indefinitely binding, and therefore it should be respected by the
client beyond the decision-making period itself.
WARNING: This document is protected by copyright law and international treaties. Permitted use of
this documentation is limited exclusively in relation to the Meta4, A Cegid Company Solutions and
any unauthorized use will be pursued to the full extent of the law. Do not reproduce, modify nor
distribute without the owner’s permission.
1 Introduction
Meta4 provides best-in-class security for customer data. The security measures adopted by
Meta4 for the SaaS platform can be summarized as:
• Data center (physical) security.
• Communication security.
• Application security.
• Infrastructure security.
• Backup policy.
• Disaster recovery capabilities and plan.
All these points are detailed in this document to explain the security in place in the Meta4 SaaS
platform to ensure the highest quality level of data security.
The security subsystem is a key piece in an integrated HR management system. The information
managed by Meta4 (personal information, compensation, salaries, medical record, and so on) is very
sensitive information.
That is why the application includes the mechanisms required to:
• Prevent unauthorized users from accessing the system.
• Guarantee the confidentiality of certain information.
• Prevent unauthorized users from running operations and processes.
• Log all operations carried out by the users in the system components: information stored
and read in tables, processes run, and so on.
The Meta4 security system has four different levels of security:
• Security at the field and record level in the database table (Data Security)
• Security at the process level.
• Security at the interface level.
• Security in transport.
All logic executions in Meta4 are carried out based on the user’s roles. An “application role” is a set
of permissions that enable the application to access data (companies, groups of companies, and so
on) and run logic components. These permissions apply to all Meta4 elements (screens and menus,
processes, workflows and job scheduler tasks). The role concept in Meta4 security facilitates the
design and maintenance of the security schemas in the application.
Security in transport is provided by means of the 256-bit TLS 1.2 HTTPS protocol with certificates between the DC
and the client, both for the HR user and for the ESS/MSS user.
The platform is audit-enabled by means of activity logs on all tiers of the application: web, application
and data. It is also possible to audit application and data processes at the access, modification, insert
and delete levels. Reports are available for customers to analyze this information. These
reports are only accessible to privileged users designated by the customer.
All platform servers and security devices, including IPS, firewalls and load balancers, are audited for
access and at OS level for relevant events, and all logs are collected by a central log server where they
are stored, retained and rotated for monitoring and analysis. Access to this central server is strictly
restricted to the authorized Meta4 personnel in charge of audit monitoring and configuration.
The Meta4 SaaS platform provides the capability to integrate with a Single Sign-On (SSO) system
through out-of-the-box SAML support, using the standard SAML V2 protocol to configure SSO with
federated identity management systems. SAML is broadly adopted by many systems to integrate
heterogeneous services and identity providers. SAML is standard and flexible, enabling easy
integration with corporate systems. The customer specifies which Identity Provider should be
connected to the SaaS services in a very flexible way.
The Meta4 SaaS platform also provides the capability to add a second level of security during
access to the SaaS Services with 2FA using Google Authenticator. This feature increases security
by requesting an additional authentication factor, sending an OTP to the user’s smartphone. This feature
can be configured for specific populations, allowing security to be increased for users accessing more
sensitive applications.
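The following is an added illustration, not code from Meta4 or from the SaaS platform, of how a second-factor check of the kind described above can be enforced on the server side. It assumes the standard Google Authenticator parameters (RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1, 6 digits, 30-second step), a small clock-skew window, and replay protection so a code that was already accepted cannot be used twice; the population names and the sample secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Google Authenticator defaults: SHA-1 HMAC, 6 digits, 30-second time step (RFC 6238).
TIME_STEP = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    # Authenticator apps usually show unpadded base32; restore the padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at) // step)


class SecondFactorPolicy:
    """Decides which user populations must present a TOTP and verifies submitted codes.

    Replay protection: the highest time-step counter accepted per user is remembered,
    so a code captured from one login cannot be reused within the skew window.
    """

    def __init__(self, required_populations):
        # Hypothetical population names, e.g. {"payroll_admin", "hr_manager"}.
        self.required = set(required_populations)
        self.last_counter = {}  # user -> last accepted counter

    def requires_2fa(self, population: str) -> bool:
        return population in self.required

    def verify(self, user: str, secret_b32: str, code: str, at: float, window: int = 1) -> bool:
        """Accept `code` if it matches the current step or one within +/- `window` steps
        and that step has not already been consumed by this user."""
        current = int(at) // TIME_STEP
        for delta in range(-window, window + 1):
            counter = current + delta
            if counter <= self.last_counter.get(user, -1):
                continue  # already used (or older than an accepted code): reject replay
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(secret_b32, counter), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: a well-known demo secret, not a real enrolment.
    secret = "JBSWY3DPEHPK3PXP"
    policy = SecondFactorPolicy({"payroll_admin"})
    now = time.time()
    code = totp(secret, now)
    print("payroll_admin needs 2FA:", policy.requires_2fa("payroll_admin"))
    print("first use accepted:", policy.verify("alice", secret, code, now))
    print("replay accepted:", policy.verify("alice", secret, code, now))
```

The policy object is the piece that maps to the "specific populations" setting: only users whose population is in the required set are asked for the second factor, and for them the server, not the client, decides whether the code is valid.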
The Firewalls used on the platform are capable of generating a double DMZ to isolate the platform
in three secured zones, meaning that data access is isolated by two levels of Firewall.
Dedicated SourceFire IPS devices are configured and managed periodically by the Meta4 systems
department together with the security department of the hosting provider. The IPS devices are
connected to the platform monitoring system to generate the pertinent alerts in the event of any
possible attacks that might occur.
All software and all production platform environments are scanned by an antivirus. All administrator
environments are also scanned constantly. The antivirus scanning is connected to the alert
monitoring on the platform, and the antivirus applications are kept fully updated with the latest
security patches provided by the manufacturer.
The platform has a dedicated secure FTP (FTPs and sFTP) server for secure management of content
uploading and downloading as a result of process scheduling and the input/output interfaces
implemented for each client.
The backup is done on the primary DC storage system through Snapshots based on NetApp
technology, which enables a hot copy (without stopping) of all information, both at the data and file
level and in the configuration of the machines and virtual environments. In parallel, an encrypted
replica of all information is made electronically to the SAN pool at the Contingency Centre so that
the data are available at all times for restoring from both DCs.
In addition, an encrypted third copy is made on an external tape vaulted to Iron Mountain, including:
Recovery tests are run on the tape backups every 3 months to guarantee that the backup processes
are functional and enable proper data recovery. The disk backup recovery tests are run daily, since
the secondary DC runs the DB and environment data restore daily.
• This environment will provide service for the duration of the disaster to the production
environment of the Meta4 product, as well as the CSS system (client relations portal). This
environment does not have HA or balancing; that is, the platform is similar in the
characteristics of the elements of the main environment, but without element duplication.
• This environment contains the latest copies of the environments and data due to the
backup policy applied on the platform. The secondary environment, therefore, is active
with the data copies made of the main environment with the periodicity specified in
section 6 of this document.
• Access to the DR environment is by a dedicated line, separate from the main environment, for
Meta4 operations.
The disaster plan includes teams and procedures to guarantee the continuity of the service in the
event of a severe disaster that leaves some or all of the facilities and infrastructures at the main DC
unusable:
Meta4 holds ISO27001:2013 certification that demonstrates the key controls of this security standard
are followed to manage and administrate the Meta4 SaaS platform and infrastructure.
Interoute, as the subcontracted party that externally hosts and manages this infrastructure, also holds
ISO27001 certification for the data centers and operation teams involved. Interoute is also audited
according to the SOC1 and SOC2 Type 2 standards.
Meta4 complies legally and technically with the new GDPR, which offers one of the most advanced and
consolidated levels of data privacy protection. As a key data processor for our cloud customers,
Meta4 provides all the information that evidences compliance with the requirements established by
GDPR, which helps our customers with most of their responsibilities as data controller:
• Treatment Map
• Analysis of Impact on Privacy
• Risk analysis
• Security measures according to high risk data
• Continuous improvement in your security measures (PDCA)
• Compliance audit report by a third party