IT'S OFFICIAL

1E is now a TeamViewer company.

LEARN MORE
Icon
1E is now a TeamViewer company. This page applies only to Trust, Security, and Compliance of the DEX products of TeamViewer. For more information about security and data protection for the entire product portfolio, please visit TeamViewer’s Trust Center.

Trust, Security, and Compliance

Audits, Certifications and Standards, Regulations

Mission

To enhance the cybersecurity of 1E by identifying and reducing risk, protecting against potential cyber-attacks, detecting when they do occur, responding rapidly, and recovering quickly.

Statement

1E helps IT teams improve end user experience, tighten security, reduce costs, and evolve operations from cost center to strategic enabler. Customers receive digital experience analytics, IT automation, asset intelligence, and endpoint management in a single platform.

1E is dedicated to protecting data confidentially, integrity, availability, privacy, and service continuity. We take many steps to ensure secure coding practices, a secure platform, organization compliance.

Compliance Programs

System and Organization Controls (SOC 2) Type 2

Report on controls placed in operation at 1E Ltd relevant to Security, Availability and Confidentiality and the suitability of the design and operating effectiveness of its controls.

The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) for Service Organizations (SOC2) is the gold standard of security certifications for services delivered from the cloud.

1E has a SOC2 Type 2 report which provides a description of the 1E Platform and the suitability of the design and operating effectiveness of controls covering the trust services criteria of security, confidentiality, and availability.

The report ensures:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

This report is available upon request under a Non-Disclosure Agreement (NDA)

ISO 27001

Original Approval: 27/05/2021
Current Certificate: 17/07/2024
Certificate Expiry: 26/05/2025
Certificate number: 368632021

1E Ltd has determined the scope of the management system and this is recorded on the ISO 27001:2022 Certificate as follows:

  • Development, Sales, Operation and Support of IT Software Solutions.
  • Locations: UK and India

Scope of the Management System This Information Security Management System (ISMS) is the means by which 1E Ltd (the ‘Organisation’) satisfies the requirements of BS ISO/IEC 27001:2022 with regard to the Organisation’s overall business risks. It specifies the requirements for the implementation of security controls, customised to the needs of the Organisation or to specific parts thereof.

The Organisation has adopted the process approach for developing, implementing and improving the effectiveness of its ISMS.

The Organisation, in adopting the process approach is committed to:

  • Understanding business information security requirements and the need to establish policy and objectives for information security
  • Implementing and operating controls in the context of managing the Organisation’s overall business risk
View Certificate

VPAT 508

A Voluntary Product Accessibility Template (VPAT™) is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility.

1E regularly gets a 3rd party to run assessment of 1E Platform to provide a report that can be shared upon request.

FIPS 140-2

1E has been assessed for compliance with the Federal Information Processing Standard 140-2 (FIPS 140-2). These are United States Government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system.
1E’s choice and use of algorithms were found to be in compliance with the standard. No instances were identified where algorithms not specified as acceptable by the standard for encryption were used, and no instances were found where key material was handled or interactions with the operating system occurred in a way not accepted by the standard.
Gartner

Vendor Cyber-Risk Profile

The Gartner Vendor Cyber-Risk Profile applies our best-practice research to provide CIOs, chief information security officers (CISOs) and their teams with a seamless way to identify and reduce risks related to the use of third-party vendors. Aligned to ISO, NIST 800-53 and NIST CSF, this standardized profile covers critical controls a vendor should employ to protect its customers’ data and assets.
Request Report

Responsible Disclosure Policy

At 1E, security is a core focus and we’re always working to make sure our platform is secure. However, if you believe you have found a security issue on our platform or website, please contact us.

If you believe you found a vulnerability in our platform, we encourage you to reach out to us. Contact us via our Customer Support Support@1e.com or send an e-mail to Security@1e.com

Please include the following information:

  • The platform component or website page affected.
  • The class of the vulnerability identified.
  • A non-destructive proof-of-concept of the vulnerability, or instructions on how to reproduce it.

Please note* that we do not offer a paid bug bounty program.

  • Do not exploit or take advantage of the vulnerability more than strictly necessary for us to be able to reproduce it.
  • Do not disrupt the service or intentionally perform any change to a production system.
  • Do not communicate to any third-party information about the vulnerability without our explicit consent. Similarly, do not share with anyone potential data that you might have accessed to demonstrate the impact of the vulnerability.
  • Do securely delete all data retrieved as part of your vulnerability report as soon as it is no longer required.
  • We will get back to you within 72 hours. If you need a faster response, please contact our Customer Support.
  • We will keep you up to date about the investigation we perform regarding the reported vulnerability.
  • We will not pursue any legal action against you for reporting and demonstrating the vulnerability if you follow the guidelines above.
  • We will handle your report as confidential and will not share it outside 1E unless we are legally required to do so.

Mon – Fri 9am – 5pm
India +91 120 402 4001
UK +44 20 8326 3351
US +1 917 339 2364

Calls received out of hours may be forwarded to our 1E Support Group

Security Bulletins

A zero-day security vulnerability, “Improper Link Resolution Before File Access,” was identified in the Nomad module of the 1E Client versions prior to 25.3. This vulnerability allows an attacker with local, unprivileged access on a Windows system to delete arbitrary files by exploiting symbolic links.

Nomad module of 1E Client v25.3 is not affected, and hotfixes for the impacted versions are available on the 1E Support portal.

  • 1E Client v25.1 – hotfix Q23589 or later
  • 1E Client v24.5 – hotfix Q23583 or later
  • 1E Content Distribution Tools v25.1 – hotfix Q23591 or later

All Customers are advised to upgrade 1E Client to LTSB or latest 25.1

For more information, refer to CVE-2025-1683.

At 1E, we prioritize security and continuously monitor potential threats as part of our standard procedures. We will keep you updated on any developments that may affect you. Thank you for your continued trust and confidence in 1E.

Many of you are aware of the recent security issue involving an open redirect vulnerability in Duende IdentityServer, which allows attackers to control end-user redirections, often to conduct more effective phishing attacks. We’ve received inquiries from customers and partners regarding whether 1E is impacted by this vulnerability and the measures we are implementing to maintain our security.

The 1E Platform’s component utilizes the third-party Duende Identity Server. Our security team has confirmed that this component has been updated with the latest patch within our Azure architecture and service offerings. We adhere to the highest standards and best practices for cloud security and compliance.

At 1E, we prioritize security and continuously monitor potential threats as part of our standard security procedures. We will keep you informed of any developments that could impact you. Thank you for your continued trust and confidence in 1E.

Many of you may have heard about the recent security incident involving MOVEit, a file transfer software that was compromised by a ransomware attack. Some of our customers and partners have asked us if 1E is affected by this breach and what steps we are taking to ensure our security.

We want to assure you that 1E is not impacted by the MOVEit breach. We do not use MOVEit as a part of our products and services. None of our software contains any MOVEit components or dependencies.

Furthermore, our production cloud environment is also safe and secure. Our security team has verified that we do not have any exposure to MOVEit within our Azure architecture and service offering. We follow the best practices and standards for cloud security and compliance.

We take security very seriously at 1E and we are constantly monitoring the situation and other vulnerabilities as a part of our normal security operations. We will keep you updated if there are any changes or developments that may affect you. Thank you for your trust and confidence in 1E.

CVE-2022-3602
CVE-2022-3786

OpenSSL is an open-source software library used to secure communications using SSL and TLS protocols.

Two vulnerabilities have been recently identified in certain versions of this component when a malformed certificate can cause a buffer overrun in the certificate verification process. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

OpenSSL is used within the 1E Client and Tachyon Platform as part of the Tachyon Switch.

OpenSSL is not used in any other 1E product.

1E Client

The risk here is very low due to the servers it connects to.

The 1E Client will use OpenSSL for TLS connections to:

  • 1E Tachyon Switch – very low risk, because the server cert presented by the Tachyon Switch is under the control of 1E (for SaaS deployments) or our customers (for on-premises deployments)
  • 1E Platform infrastructure (e.g. 1E Platform Background Channel) – no risk, because this does not use OpenSSL (it uses IIS)
  • Internet/intranet-based HTTPS endpoints to download content via SCALE – this is low risk. The 1E Client is vulnerable to parsing a malicious certificate if a web server presents it (and a trust chain can be built for that certificate). However, we and our customers have control of the content of the instruction payloads, and therefore the URLs of websites therein from which the 1E Client will download content.

Due to the above, 1E will update the OpenSSL component in the next release of the 1E Client

1E Tachyon Platform

Our engineering team are currently investigating the impact to the 1E Tachyon Switch if a client tried to connect with a maliciously malformed certificate. Initial information suggests the impact is limited to causing the Switch to crash.

A hotfix will be issued where required, for each release of 1E Tachyon to update the OpenSSL component to a new patched release.

Table last updated 13th November 2023

Product Component Status Fix Details
Tachyon 5.2 Tachyon Switch Not Vulnerable
Tachyon 8.0 Tachyon Switch Not Vulnerable
Tachyon 8.1 Tachyon Switch Fix Required Q22645
Tachyon 8.2 (SaaS) Tachyon Switch Fix Required Patched
Tachyon 1E Client Fix Required Fixed in 8.4

Please ensure you are signed up for Tachyon updates under Knowledge Article Subscriptions within your profile page on the Support Portal to get the latest updates when hotfixes are available.

Further reading
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
https://nvd.nist.gov/vuln/detail/CVE-2022-3786
https://www.openssl.org/news/secadv/20221101.txt

The Log4NET open source component, provided by the Apache Software Foundation, is used by multiple 1E software components for logging and is affected by a vulnerability in a early version of this component.

The Log4NET component is configured using an XML file.

The vulnerability can be exploited by configuring the XML file with URL’s using the ‘file://’ string to point at files locally on the server. The contents of any file could then be returned by the Log4NET component which might return it to an external user in the form of an error message output.

An attacker would have to already have file system access to change the contents of the XML configuration file of Log4Net, so the attack has a low probability as other mechanisms would need to be exploited to gain access to the XML file in the first place. However, the Log4NET component may be running in a process that has different permissions and therefore access to more privileged parts of the file system , and thus the impact of the vulnerability being exploited could be high.

We therefore recommend customers to apply these hotfixes as soon as possible to remediate this vulnerability.

The vulnerability has the CVE code of CVE-2018-1285 and the type of attack has the CWE code of 611CVE-2018-1285CWE 611

This page will continue to be updated with the latest status for each product.

*The links take to you the hotfix section so you can download the latest accumulated hotfix as they will include the specific hotfix listed here in addition to any later fixes.

Last Updated – 13th November 2023

Tachyon Platform 8.0

Product Component Status Fix Details
1E Client All Modules Not Affected
Tachyon Tachyon Server Completed Q22064
Tachyon SLA Completed Q22112
Tachyon Catalog Completed Q22088
Tachyon Toolkit Completed Q22066
Tachyon TIMS Not Affected
PXE Central Completed Q22058
Nomad Tools Not Affected

Tachyon Platform 5.2

Product Component Status Fix Details
1E Client All Modules Completed Q22076
Tachyon Tachyon Server Upgrade Required Upgrade Required
Tachyon SLA Upgrade Required Upgrade Required
Tachyon Catalog Upgrade Required Upgrade Required
Tachyon Toolkit Upgrade Required Upgrade Required
Tachyon TIMS Completed Rerelease
PXE 4.0.100 Central Completed Q22072
Nomad Tools Not Affected

Tachyon Platform 5.1

Product Component Status Fix Details
1E Client All Modules Completed Q22074
Tachyon Tachyon Server Upgrade Required Upgrade Required
Tachyon SLA Upgrade Required Upgrade Required
Tachyon Catalog Upgrade Required Upgrade Required
Tachyon Toolkit Upgrade Required Upgrade Required
Tachyon TIMS Completed Rerelease
PXE 4.0.0 Central Completed Q22082
Nomad Tools Not Affected

Other Software

Product Component Status Fix Details
ActiveEfficiency All Components Completed Q22094
NightWatchman 7.3 Management Center Upgrade Required Upgrade to 7.4
NightWatchman 7.3 WebWakeUp Upgrade Required Upgrade to 7.4
Shopping 6.1 All Components Completed Q22235
Shopping 6.0 All Components Upgrade Required Upgrade to 6.1

On 9 December 2021 a security vulnerability was found in Apache’s Log4J component which is commonly used in Java products for logging.  The vulnerability utilises the JNDI feature to  cause malicious code to be downloaded and executed on a remote server. This has also been called Log4Shell

Further details can be found under CVE-2021-44228

1E have determined that none of our software products or associated subsystems utilise the affected components highlighted by these security advisories.

Consequently this issue does not affect our software products and we do not believe that customers need take any further action with regard to our products.

The following refers to ServiceNow and MID servers which is used when connecting ServiceNow to Tachyon 

After a thorough investigation, ServiceNow has confirmed that instances of the Now Platform are running a version of Java that, by default, implements settings to prevent this vulnerability.

More clearly, these settings are set as follows:

com.sun.jndi.ldap.object.trustURLCodebase=false
com.sun.jndi.rmi.object.trustURLCodebase=false

Additionally, MID Servers have log4j turned off for third-party libraries. Moreover, the Java versions that are shipped with the MID Servers are not vulnerable, and have the same settings as listed above.

Further details from ServiceNow can be found here

Read more on this and how Tachyon can be utilised to fight vulnerabilities in our latest blog

Further Reading which maybe of interest

https://logging.apache.org/log4j/2.x/

Frequently Asked Questions​

Your privacy and trust are important to us, full details can be found in our privacy policy.

As part of its service offering, 1E processes personal data contained in customer data, as defined in our End User Licensing Agreement (EULA) and privacy policy. During a customer’s tenancy on the 1E Platform, 1E acts as the ‘processor’ – acting on controller instructions – while the customer is the ‘controller’ who determines the purposes of the processing.

General use of personally identifiable information

1E uses customer Personally Identifiable Information (PII) to respond to requests and to provide, enhance and secure the platform. Generally, PII includes first name, last name, phone numbers, email addresses, and data provided by customers to use the platform.

PII collected by the 1E Platform

PII collected by the platform for use by customers within the platform is as follows:

  • Process executions: Whenever a process starts on the device, the name of the process.
    • Username: The name of the user in whose session the process was launched (or blank if it is a system-launched process)
  • DNS queries: Whenever a DNS address is resolved.
    • FQDN: The Fully Qualified Domain Name (FQDN) that is being resolved.
  • Process stabilization: The time taken for a process to be considered stable. This is captured when a process starts on a device, but only if that process is in a list of processes selected for monitoring.
    • Username: The name of the user in whose session the process was launched (or blank if it is a system-launched process)
  • ARP cache entries: Translations between IP addresses and MAC (physical) addresses, known as ARP (Address Resolution Protocol).
    • IP address: The IP (v4) address
    • MAC Address: Hardware Media Access Control(MAC) address
  • User usage: Details about user sessions from login to logout.
    • Username: Domain-unique readable username. Note this value may be unique to an individual device.
    • SID: Windows Security Identifier (SID) of the user. Note this value may be unique to an individual device.
    • Email: Soon to be implemented. The email address that is cached in the system for this user. This may not necessarily be the email address to use to contact the user via corporate email.
    • First name: Forename that the system has cached for the user.
    • Last name: Surname that the system has cached for the user.
  • Device inventory: Inventory data for each device.
    • SMBOID GUID: Allows system administrators to remotely identify and manage these systems.
    • 1E client GUID: Unique key used by 1E Platform to identify the device.
    • Time zone: Can be used to identify the location of the device.
    • OS-locale: Can be used to identify the location of the device.
    • IP addresses: IP addresses appear in log files that may be sent back to our SaaS support team for diagnostics.
  • Log files capture device names and IP Addresses for troubleshooting purposes. These files are stored in an encrypted disk volume and can only be accessed by 1E support engineers.
  • Except for log files used by 1E support, no other customer data stored within the platform can be accessed by 1E employees.

The following Azure regions are supported in SaaS. If you need support in another region, please reach out to your CSM team so they can a investigate if we can support that region.

  • UKSouth
  • EastUS
  • WestEurope
  • CanadaCentral

Customers should be aware that data is never stored outside of the region that they select when signing up for the platform.

  • For customers in the UK, this means all data is stored in London.
  • For customers in the EU, this means all data is stored in Amsterdam.
  • For customers in the US, this means all data is stored in Virginia.
  • For customers in Canada, this means all data is stored in Toronto.

Where new regions are added in the future, the location of the corresponding data center will be announced to allow customers to make appropriate decisions when reviewing concerns such as the Data Protection Directive.

1E’s approach to Enterprise Risk Management has multiple layers, designed to focus on how we address risk as part of ongoing business operations throughout the year, not just as a point-in-time exercise on an annual basis. 1E maintains enterprise and cyber-security risk assessment procedures, including annual risk assessments.

Background screening

All 1E employees and contractors must undergo background screening prior to employment where local legislation allows.

Employee handbook

All 1E employees must read and agree to the 1E employee handbook covering company policies, code of business conduct and ethics, and acceptable use policies. Our acceptable use policy outlines requirements around,

  • Hardware, software, mobile device, e-mail, and network use
  • Social media
  • Data classification, handling and ownership

Non-Disclosure Agreements

All employees and contractors must sign a Non-Disclosure Agreement (NDA) prior to employment. Third-party services must sign an NDA before use.

Security training

All 1E employees and contractors attend mandatory information security training during the on-boarding process, as well as annual training thereafter. Training is tracked and monitored to ensure compliance.

1E’s Secure Software Development Lifecycle (SDLC) standard defines the process by which we create secure products and the activities that must be performed at each stage of development.

Change and release management

All changes to 1E production software follow 1E’s change management process. 1E performs code reviews for internally developed software and services. Code changes must be approved via pull requests before they are merged into master branches, automated unit testing, automated functional testing, automated integration testing, and automated security testing.

Developer training

All developers are trained on software vulnerabilities, including the Open Web Application Security Project (OWASP) Top 10. These are taken into consideration during the development of features. All code is housed in source control where engineers are granted access based upon least-privilege. Training in handling sensitive data is included in the required annual security training.

1E’s monitoring processes and procedures provide continuous proactive and detective capabilities. 1E uses several sources and tools for identifying, tracking, responding to, and remediating vulnerabilities. We subscribe to security mailing lists for our OS, Datastores, Web Frameworks, Languages as well as to industry and government mailing lists.

Vulnerability management and penetration testing

1E performs regular and continuous scans of our systems to identify vulnerabilities. When a vulnerability is discovered, corresponding tickets are filed in our internal ticketing system and prioritized according to 1E’s support SLA. In addition, 1E performs annual penetration testing of our networks and services, as well as regular application penetration testing. All penetration testing is performed by independent third parties.

Patch management

Patches and upgrades are applied based upon the severity level of vulnerability according to our patch management policy. Critical severity patches are applied within 7 days of patch release, High severity patches within 2 weeks.

Platform infrastructure

1E Platform operates on resources hosted within Microsoft Azure. These resources exist and span several different Azure Regions to provide increased performance for customers around the globe.

The 1E Platform functionality is separated into several customer-facing services as follows:

  • Web portal: For customer users of the platform.
  • Switch: A permanent connection established with all connected devices to facilitate low latency event and command communication.
  • Background channel: Used for downloading large data out-of-band of normal switch communication.
  • API: A REST API for programmatic interaction with the platform.

Server instances

1E Platform uses Windows Server 2022 Core Long Term Servicing branch and Ubuntu for the base operating systems of the server instances, hosted within Azure IaaS. These operating system images have been specially prepared and hardened for use in Azure by 1E. Server instances are launched from prebuilt and tested machine images to ensure 100% consistency. These virtual machines are backed up by Azure recovery services vaults.

Database

All data sent to the 1E Platform is uploaded to SQL databases. The SQL instance is separate from the rest of the 1E Platform components and is held entirely separate from any other customer data.

Firewalls

The 1E Platform is only accessible through an Azure firewall instance that provides network Intrusion Detection and Prevention Services (IDPS).

All Azure resources for each customer are also secured by a dedicated Azure Network Security Group.

All access to the 1E Platform is via encrypted TLS over port 443.

Information classification

1E has a formal information classification policy. Each information classification has specific requirements regarding the handling (i.e., access, storage, use, identification) of that data.

Data deletion and destruction 1E customer data resides in the Microsoft Azure cloud. Ninety days after service termination (or earlier upon request) 1E deletes all customer data using the API’s provided by Microsoft.

Data encryption

Encryption in transit
All data transmitted to and from 1E over public networks is secured via HTTPS Transport Layer Security using TLS 1.2 or above.

Encryption at rest
All data at rest is encrypted using AES-256

Platform monitoring

In addition to the instance monitoring services provided by Azure Data Explorer, the 1E Platform uses several services to provide effective monitoring of platform health and metrics. For example, core platform services are monitored for health and throughput using custom metrics that are then pushed to Azure Data Explorer and DataDog. Custom metric and log gathering code is deployed to each server.

Azure Data Explorer and DataDog provide near real-time feedback on platform load and other potential issues that may occur, alerting regarding problems or service outages. 24/7 response is ensured through PagerDuty and a robust and well-practiced escalation procedure within 1E support.

By monitoring the platforms in this fashion, 1E can identify, pinpoint, and resolve potential customer issues before they become apparent to the end user.

1E Platform architecture

Web portal security

All access to the 1E Platform web portal occurs over TLS v1.2 encrypted HTTPS using standard RSA 2048-bit certificates.

Access control is provided by the customer’s own OAuth based Identity provider (IdP) via Single Sign-On (SSO). 1E currently supports Azure Active Directory and Okta directly, but other IdP’s may be accommodated providing they follow OAuth 2.0 standards.

1E recommends that customers configure their IdP to enforce multi-factor authentication.

API security

The platform is entirely API driven, and the web portal is simply an extension of the API, the API is therefore secured in the same way as the Web Portal. Non-interactive API access can be configured through the customer’s own IdP by using certificates as outlined in the online documentation.

1E client and switch security

The 1EClient.exe executable code is digitally signed with a certificate from 1E.

All communication from the 1E client to the switch is encrypted using mutual TLS 1.2 RSA encryption over WebSockets on TCP port 443. Customers must provide a valid PKI root certificate upon service creation, and only clients with a valid client certificate from that PKI instance will be allowed to communicate with the customer’s switch instance.

This ensures that there can be no accidental data contamination between customers of the platform and ensures no data leakage can occur through an unauthenticated client gaining access to a customer’s switch.

There is also communication between the client and the ‘background channel’ which is encrypted using mutual TLS over HTTPS on TCP port 443.

Internet protocol

The 1E Platform uses the IPv4 protocol. IPv6 is not currently supported.

Stateful packet inspection

Communications between clients and the switch and clients and the background channel cannot use stateful packet inspection as this would break mutual TLS and platform components would deny connectivity.

Supported TLS cipher suites

The 1E Platform only supports one of the following TLS Cipher Suites

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Infrastructure

The 1E Platform runs on hardened Windows Server and Ubuntu Linux operating systems, with all instances launched from a patched and maintained Microsoft provided image. This image is then further hardened by using Packer and PowerShell scripts. This ensures consistency across all servers in the 1E Platform and provides a base level of security. All server instances are then patched on a regular basis. All critical and security patches are applied weekly. All other patches are applied monthly. This includes all operating system and SQL patches.

Identity and access management

Each 1E Platform instance is hosted within a separate Azure resource group and virtual network, with no shared access. Administration of the service is performed using both the Azure console and Azure API services for programmatic access.

Only essential staff within 1E have access to these services, with access configured using Azure Identity and Access Management (IAM). All logins to the console are required to have a secure pass phrase of at least twenty characters in addition to the use of multi factor authentication using Azure Active Directory and Microsoft Authenticator. Programmatic access to the Azure API is controlled through security principles stored within the 1E Azure Active Directory.

Each user has no direct access to any customer servers or data, and any such access must be requested through Microsoft Privileged Identity Management (PIM), is time limited, and must reference an open support ticket or authorized change control. All requests must be approved before being granted, and all approvals and subsequent elevation of privileges are audited. Privileges are automatically removed once the time limit is reached.

Passwords

1E requires National Institute of Standards and Technology (NIST) best practices for passwords and mandates the use of Single Sign-On (SSO) with multi-factor authentication.

Instance access

All access to server instances is performed using Microsoft Azure Bastion, which can only be used through the Azure portal, following a log on via Azure AD and MFA. User login credentials must be retrieved from Azure Key Vault storage for a particular instance. Access to the key vault can only be provided by Privileged Identity Management approval and is audited.

Security testing

The 1E Platform undergoes periodic penetration testing, both application and infrastructure, via external approved companies at least annually.

The platform is continually tested for vulnerabilities via the use of automated tooling in the Microsoft Defender suite.

The web interface and APIs are also tested daily using Microsoft Azure External Attack Surface Monitoring (EASM).

Instance monitoring

1E’s cloud engineering team constantly monitors the availability and performance of each customer instance through Azure data explorer and DataDog, and any alerts are raised through PagerDuty.

All security events and metric data across all 1E resources are streamed in real time to 1E’s Security Information and Event Monitoring (SIEM) system which is an instance of Microsoft Sentinel. This is monitored 24/7/365 by 1E’s Security Operations Center (SOC), and incidents are raised directly with 1E’s security engineers.

Incident management

1E maintains multiple monitoring systems to detect and alert incidents. Incident severity is classified based upon customer impact and duration of incidents. 1E will notify affected customers of any security incident in line with our incident management plan.

1E performs regular testing of our business continuity plans, and disaster recovery tests at least annually.

Recovery Time Objective (RTO) / Recovery Point Objective (RPO)

RTO = In the event of the VM being lost we will restore service by recovering the VM from backup within 4 hours.

RPO = The service is backed up every 24 hours at midnight local time.

Data backups

All backup data is encrypted in transit and at rest and written to geographically replicated data stores.

1E has a formal third-party security review process for assessing third-party vendors at the point of engagement and annually thereafter. During this process we compare the classification of data stored and accessed by the third party with the data handling procedures outlined in our Information Classification policy. 1E’s security team performs a technical assessment to determine if the vendor meets these requirements.

All third-party libraries used by our platform are scanned for vulnerabilities daily and updated appropriately.

Office security

All 1E employees are required to use key cards to access our physical offices. Physical access is logged. Key cards are centrally managed by our business support team. All Business Technology infrastructure is secured in a separate climate-controlled room with fire suppression systems and limited access rights.

Clean desk policy

Employees are required to ensure that all restricted / confidential information (customer, vendor, employee, or intellectual property) is secure and stored in locked areas and out of sight when they are not in use or when the workspace is vacant. All such printed documentation must be stored and locked within secured containers. All computers must be (logically) locked when the workspace is unoccupied.

Data center security

Data center physical security for our hosting provider (Microsoft Azure) can be found here: https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security

Ready to Work Wonders™?