Cloud Security Overview
Security is critical for any organisation. PaySpace’s cloud security offering goes far beyond what most companies have been able to achieve for themselves.
Security is a multidimensional business imperative that demands to be considered at every level, from security for applications right through to the physical facilities and network security.
PaySpace is ISO27001 certified – We have been independently assessed and certified as meeting the exacting requirements of ISO 27001 for our Information Security Management System (ISMS). The assessment, carried out by an accredited certification body, provides evidence to our customers, suppliers, employees and partners of our 100% commitment to securing the critical information assets that we hold; both our own and those of our clients.
Infrastructure
- Our services and data are hosted in Microsoft Azure facilities in South Africa.
- PaySpace services have been built with disaster recovery in mind. We use geo-replication to replicate our data in real-time to an Azure data center in Europe. We test our disaster recovery processes annually and record evidence of this for audit purposes.
- Azure provides robust availability, based on extensive redundancy achieved with virtualization technology.
- All of our services run inside our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorised requests from reaching our internal network.
- PaySpace uses Azure SQL Server, which keeps up-to-the-minute backups retained for 7 days; data is also replicated in near real time to our DR environment.
- We use Azure Security Center to strengthen our security posture and track compliance.
- We use Azure Defender for advanced protection of our Azure workloads.
- We use Azure Sentinel to deliver intelligent security analytics and threat intelligence, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
- We use a Web Application Firewall (WAF) to protect against common exploits and vulnerabilities.
Data
- All customer data is stored in South Africa and Europe (DR) and is encrypted at rest.
- PaySpace is powered by a single-instance, multi-tenant architecture, in which all users and applications share a single, common infrastructure (database and code base), but each customer's data is logically and uniquely separated. Authorisation and security policies keep each customer's data separate from that of other customers using a TenantID, which associates each record across multiple tables with an individual tenant.
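The TenantID separation described above, shown as an added example of how Azure SQL Row-Level Security can enforce it at the database layer (illustrative code, not PaySpace's own implementation; the schema, table, function and policy names are assumed):

```sql
-- Added illustration: per-tenant row isolation in Azure SQL using Row-Level Security (RLS).
-- Schema, table, function and policy names are assumptions; this is not PaySpace's own code.

-- Every tenant-owned table carries the TenantID column that links its rows to one customer.
CREATE TABLE dbo.Employees (
    EmployeeID  int           NOT NULL PRIMARY KEY,
    TenantID    int           NOT NULL,
    FullName    nvarchar(200) NOT NULL
);
GO

-- Constructed sample data for two tenants (inserted before the policy is switched on).
INSERT INTO dbo.Employees (EmployeeID, TenantID, FullName) VALUES
    (1, 100, N'Tenant 100 employee'),
    (2, 200, N'Tenant 200 employee');
GO

CREATE SCHEMA Security;
GO

-- Predicate: a row is visible only when its TenantID matches the tenant bound to this session.
-- The application sets SESSION_CONTEXT once, after it has authenticated the user.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantID int)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantID = CAST(SESSION_CONTEXT(N'TenantID') AS int);
GO

-- FILTER hides other tenants' rows from SELECT/UPDATE/DELETE;
-- BLOCK rejects INSERT/UPDATE that would write a row tagged with a different tenant.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantID) ON dbo.Employees,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantID) ON dbo.Employees
    WITH (STATE = ON);
GO

-- Bind the connection to tenant 100; @read_only = 1 stops later code from changing it.
EXEC sp_set_session_context @key = N'TenantID', @value = 100, @read_only = 1;

-- Returns only EmployeeID 1: tenant 200's row is invisible even without a WHERE clause.
SELECT EmployeeID, FullName FROM dbo.Employees;

-- Fails: the BLOCK predicate rejects a row carrying another tenant's ID.
INSERT INTO dbo.Employees (EmployeeID, TenantID, FullName)
VALUES (3, 200, N'Cross-tenant write');
```

Because the predicate is evaluated for every statement against the table, a query that forgets the tenant filter still cannot read or write another tenant's rows.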
Data Transfer
- All data sent to or from PaySpace services is encrypted in transit using 256-bit encryption or greater.
- Our API and application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
Authentication
- PaySpace is served 100% over HTTPS.
- We have two-factor authentication (2FA) and strong password policies on Azure to ensure that access to cloud services is protected.
- We offer customers 2FA options when logging into PaySpace using Google Authenticator, Email or SMS.
- We can enable Single Sign-On (SSO) for customers who use identity providers such as Azure AD, Google and Okta. PaySpace uses OpenID Connect and OAuth to achieve SSO.
Permissions and Admin Controls
- Company administrators can define security roles and attach users to these roles. Roles can be defined to restrict or allow users access to a specific area within the system.
- Administrators can give users access to organisational units defined on a company level. This further restricts users to only access employees attached to specific units.
Application Monitoring
- On an application level, an audit trail exists on every screen for traceability purposes.
- All access to PaySpace services is logged and audited.
- We use Azure Monitor to maximise the availability and performance of our applications and services. We use proactive alerts to notify us of any issues timeously.
Security Audits
- We are independently audited for our ISO27001 certification annually.
- We use a reputable third-party security specialist company for penetration testing.
Compliance
- PaySpace is POPIA and GDPR compliant.