Trust Center


At IFS, your trust is important to us. Our commitment to trust is built into every hire, every employee appraisal, every process and every solution we deliver to our customers.

Trust means that, as a market-leading, customer-led company, we strive not just to stay compliant with data and security regulations, but to maintain high standards that help protect our company and the customers who rely upon us.

The IFS Trust Center is your hub for learning how IFS approaches information security, ensuring that our products are secure by design and by default, our services are delivered securely and your information is protected at all times.


99.98%

Cloud production service availability 

(rolling 90 day average) 

Explore how we deliver security, privacy and compliance

  • Certifications & audits
  • Security built through trust
  • Customer information security
  • Customer security in the cloud
  • Keeping your data private

Certifications & audits

As a business that provides support and developmental growth for customers, we comply with all required legal and regulatory requirements relating to the operation of the company, as well as the delivery of our products and services to our customers.

Our information security practices are subject to external independent reviews. These reviews are conducted against internationally recognized security standards.

Explore IFS certifications

  • Trusted independent review

    We use external accredited organizations to independently validate our compliance with internal and external policies, regulations, and best practices.

     

    We adopt and measure our internal policies, processes and controls against globally recognized standards, frameworks and best practices. And as part of our commitment to continuous improvement, we use external accredited organizations to regularly audit and review our management systems. At IFS, we hold both ISO/IEC 27001:2013 Information Security Management certification and SOC 1 Type II and SOC 2 Type II reports certified to SSAE18/ISAE3402 and AICPA/ISAE3000 standards for our IFS Cloud and IFS Success services.
  • IFS SOC reporting
    SOC reporting demonstrates our commitment to following security best practice.

     

    To achieve independent, third-party validation of our security controls, we engaged a major accounting firm to produce an Independent Service Auditor Report covering the description of Controls Design for our IFS Cloud and IFS Success services.

    The activity was conducted in accordance with attestation standards established by both the American Institute of Certified Public Accountants (“AICPA”) Statement on Standards for Attestation Engagements number 18 (SSAE18) and International Standards on Assurance Engagements (ISAE) 3402 and 3000, Assurance Reports on Controls at a Service Organization, issued by the International Auditing and Assurance Standards Board. These standards include verification of the common criteria controls along with the trust services criteria relevant to security, availability, confidentiality and privacy as applicable to both IFS Cloud and IFS Success services.
  • Third-party certifications

    We expect our suppliers to apply the same high security standards that we do, evidenced through globally recognized certifications.


    At IFS, we work hard with our suppliers to ensure the highest security standards are applied at every stage in the supply chain. From compliance with GDPR and applicable privacy, modern slavery prevention measures and more, we rigorously assess all our suppliers using a formal supplier management process.


    To keep up with the changing landscape of global security, privacy and compliance, we regularly review our suppliers’ performance and maintenance of their certifications.

View our current certifications

Security built through trust

At IFS we set a high bar for our global security policies, standards and procedures. By using industry best practice security frameworks including ISO 27001, NIST 800-171, SSAE18/ISAE3402/ISAE3000 to create and maintain our Information Security Management System (ISMS), we stay aligned with or even ahead of industry best practices.


Explore IFS information security

  • Information security policy

    We set strict, industry qualified information security policies across all business procedures and strategies.


    IFS information security policies form part of our global Information Security Management System (ISMS) which is maintained in accordance with numerous internationally recognized security frameworks including ISO 27001. 

  • Managing information security

    How we use detailed, trusted security practices to manage and secure your information. 


    At IFS we follow industry best practice, taking a risk-based approach, and putting particular emphasis on a range of trusted practices.

    Security Operations Center (SOC) 
    We invest continually in our platform and network security, co-ordinated by our Security Operations Center (SOC). By using a combination of world-class conventional and Artificial Intelligence based tools and regular penetration testing, we ensure that our business operations are monitored and protected around the clock.

    Access control 
    Our approach to access control ensures that our users, partners and suppliers have just the necessary level of access required to perform their roles efficiently and effectively.

    Single sign-on (SSO) and multi-factor authentication (MFA) are also active across our entire estate. Cryptography is used in transit and at rest to ensure the highest levels of data security whenever information is shared.

    Business continuity 
    Through thorough business continuity planning, we have established a strong backup and recovery policy which sits at the heart of our disaster recovery plan. We have implemented resilient systems and processes capable of supporting us in the event of a business continuity event at one or more of our operating locations.

    Our employees 
    We carry out extensive pre-employment checks and rigorous induction training, followed up with an ongoing annual security training program, to help maintain a safe physical and digital working environment. We follow formal employee on- and off-boarding processes to ensure that access to our IT domains is strictly controlled at all times and that information confidentiality is maintained through to post-employment.

  • Security for third party suppliers

    We ensure that all third-party suppliers who support the delivery of our services apply the same high standards we set ourselves.


    At times it may be necessary for third parties to access sensitive and confidential information. Whether it’s information that belongs to IFS or IFS Customers, all third parties with access are required to follow our information security policies, standards and practices. Our Supplier Management and Partner Management processes ensure that the services and deliverables provided by our third-party eco-system meet the same high standards that we set for ourselves.


Customer information security

Whether our customers choose the IFS Cloud service, on-premise hosting or their own Cloud environment, they can be assured that our products have been developed to the best security standards. All IFS products are routinely tested throughout the development lifecycle in order to identify and address any potential vulnerabilities.


In accordance with our Secure Product Development Lifecycle (SPDLC), segregation of environments, formal change management, independent test and validation and tightly controlled release and distribution processes all help assure product security and integrity of our customer solutions.


Since security threats are constantly evolving, we continuously monitor for new vulnerabilities and ensure that our customers are notified without delay should action be required to mitigate any new risks. 

Explore customer information security

  • Secure delivery
    From development to deployment, our products are managed securely and consistently.

    IFS Lifecycle Experience (LE) is our set of processes covering the entire implementation and production lifecycle. Spanning from initial discovery and exploration of solutions through to continued solution optimization years after go-live, security is an integral part of our processes and includes environment segregation, formal change management, strictly controlled software release and distribution overlaid with strict access control and data protection.


    IFS Lifecycle Experience provides the above security controls regardless of whether the customer has chosen to host the solution themselves or taken advantage of our IFS Cloud service.

  • Secure through development
    We use industry best practice and external specialist penetration testers to validate the security of our products.

    Using secure coding practices and globally recognized guidelines, such as OWASP Top 10, we ensure the risk of product vulnerabilities is minimized.


    To further validate product security throughout the development lifecycle, we employ external specialist penetration testers. Any potential vulnerabilities are remediated prior to product release.

  • Secure through-life
    We ensure our products remain secure by providing security patches to evolving vulnerabilities.

    Security is not a “one-shot” activity and we continue to test our products after they’ve been released to protect against evolving security threats and any associated vulnerabilities. This includes checking for potential vulnerabilities not just in IFS developed products, but also within third-party products upon which the IFS product is based.


    We provide security patches for any identified vulnerabilities discovered in our products and provide guidance on necessary patches of third-party products not supplied by IFS. IFS Cloud service customers benefit from such patches being applied by IFS as part of the service.

Customer security in the cloud

For customers choosing our IFS Cloud service, IFS take care of routine security activities associated with the IFS products. Starting with a secure deployment environment, we perform day-to-day security housekeeping including backups, security patching and monitoring the solution 24x7.


Our Cloud service is hosted in Microsoft Azure, providing industry leading, enterprise-grade security with the added protection that each solution is single tenant, thereby holding it completely isolated from other customer solutions. In addition to providing an extra layer of security, this enables greater flexibility and control for our customers who are able to align routine maintenance and upgrade activities with their own business schedules.


Additional to the security testing performed throughout the product development lifecycle, IFS Cloud service customers have the benefit of knowing that their solution resides in an environment that has been extensively penetration tested by an independent security specialist organization. 


Explore IFS Cloud service information security

  • Implementing industry best practice
    We implement industry recognized best practice as part of our cloud service delivery.

    By choosing our IFS Cloud service, customers have the advantage of knowing that Cloud security best practices are being implemented for them, including:


    • Secure, fully segregated single-tenant architecture to ensure separation between customer environments
    • Data encryption both at rest and in transit
    • Virus and malware protection
    • 24x7x365 Monitoring, Detection and Remediation services using advanced, enterprise grade toolsets operated by experienced practitioners
    • Platform-level DDoS detection and protection
    • Multi-level backups with geographically separated backup storage and multi-level restoration capability
    • Disaster recovery capability to a geographically separate location
  • Penetration testing by external specialists
    We perform regular penetration tests of our services so our IFS Cloud service customers don’t have to.

    We engage an independent 3rd party specialist organization to run regular security penetration tests against our Cloud Service in addition to security testing performed earlier in the product lifecycle. These tests cover all software versions current at the time of testing and include all IFS core product modules.


    Testing takes place from the internet towards a dedicated, production-grade environment, which is built and maintained using the same architecture, design standards, tooling and processes as all customer environments run by IFS in our cloud.


    A formal report is compiled as an output of this testing process, detailing any issues found and assigning an associated risk rating, based on the industry standard CVSSv2 scoring system. Any issues identified are fully analyzed and mitigation and remediation plans produced and implemented. The summary of findings and remediations is available to all IFS Cloud customers upon request.

  • Recognizing customer-specific security needs
    We offer choice to enable customers to meet their specific requirements.

    Customers with data residency requirements can select from a number of supported geographies. This determines the physical location from which the service will be hosted, and by implication the physical location within which their data will be stored and processed.

Service Controls


Keeping your data private

We understand the importance of being transparent when it comes to the use of your data, including personal data. We maintain a global privacy programme and our global policies and processes are compliant with applicable laws and regulations including the General Data Protection Regulation (GDPR).


Depending on the service we provide, we may act as a data processor, sub-processor or data controller. Each customer contract incorporates a data processing addendum which sets out clearly how we process personal data.

 


Our commitment to data privacy includes ongoing staff training, comprehensive privacy policies and procedures and an active compliance program overseen by our Global Privacy Officer. We keep up to date with the latest changes in data privacy laws and regulations and adapt our privacy program accordingly.

  • Privacy program
    We operate a comprehensive global privacy program, ensuring compliance with a broad array of laws across the globe.

    To ensure we maintain a robust set of policies, practices and procedures, we complement the data privacy expertise of our internal team with the outside perspective of external data protection specialists. This also separates the first and second lines of defense effectively, in accordance with best practice.


    We build security into every product, no matter how it’s hosted. This all begins with our secure product development processes, which ensure our products are designed with security in mind and configured to provide security by default.

  • Ensuring safe transfers post Schrems II
    Through our supplier management process, we ensure all partners and suppliers consistently meet high standards for business ethics, information security and privacy.

    At IFS, we monitor supplier performance diligently, ensuring all contractual, quality, and information security requirements are complied with. This includes agreements we have in place to audit supplier security processes and practices. Through our global privacy program, we ensure compliant data transfers from the EEA to sub-processors (including IFS Affiliates) in other countries. We have implemented a range of standard contractual clauses and other lawful transfer mechanisms with each sub-processor and ensure that suitable technical and organizational measures are in place to safeguard our customers’ data.

  • IFS data processing and transfer agreement
    We help our customers meet their data privacy obligations relating to our products and services by providing template agreements.

    We supply a pre-signed Data Processing Addendum that covers IFS processing of customer-controlled data in accordance with data privacy regulations. This includes a description of all processing performed by IFS while executing the services defined in our customer agreements. Data privacy regulations covered include the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). We also supply a Standard Contractual Clauses only addendum.
