INTRODUCTION

Food safety, quality, and compliance information is an important asset to Safefood 360° (SF360°) and along with its employees, it is committed to protecting the integrity, privacy, and security of confidential customer data as required by law, professional ethics, and accreditation requirements. The purpose of the Commitment to Security Statement is to provide SF360° clients, employees, and contract developers with an objective description of the system’s boundaries and security commitments.

PURPOSE & DESIGN

SF360° is a food safety management software platform that allows food businesses to set up, plan, schedule, record, and report on all elements of their food safety system. This includes HACCP planning, management processes, prerequisite programs, CCP and operational monitoring, and reporting. It is a pure software as a service application hosted within the Microsoft Azure network of data centers. The software is accessed using any web browser and from desktop, tablet, and mobile devices. It can be deployed across multiple sites within the same organization, across multiple geographies, and supports all common world languages.

There are more than 30 modules covering the recording and reporting requirements of the Global Food Safety Initiative (GFSI) as well as national regulations such as the Food Safety Modernization Act (FSMA). It is also aligned towards the intricate requirements of the Retailer Technical Standards. The software is used by food processing, foodservice, and food packaging operations globally. Its users include CEOs, Production Managers, Quality Managers, Food Safety Managers, Food Technologists, Line Operators, Hygiene Staff, and most other positions within a food business.

SF360°, its employees and contract developers have implemented appropriate security policies and procedures for three key areas outlined below:

ADMINISTRATIVE SAFEGUARDS

• Security Management Process
  • Safefood 360° has implemented policies and procedures including an annual Risk Analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of client data, and remediate those risks as needed.
  • Safefood 360° has a comprehensive Risk Management Policy including routine internal and external security audits, use of third-party security experts and annual review of all security policies and procedures.
• Information System Activity Review
  • Safefood 360° has implemented automated and continuous system monitoring that provides alerts and notifications to services staff. This includes procedures to follow when a system alert occurs.
• Assigned Security Responsibility
  • Safefood 360° has identified a Chief Security Officer who is responsible for the overall privacy and security at Safefood 360°.
• Workforce Security 
  • Employment at Safefood 360° is subject to the completion of a successful background check. Safefood 360° has an offboarding policy and procedure in place to ensure that access to client data is terminated when a workforce member's employment ends with the company.
• Information and Access Management
  • Access to all resources is controlled by Access Control Lists (ACL). The level of access is based on the workforce member’s job description within the organization.
• Security Awareness and Training
  • All Safefood 360° workforce members are required to have security & awareness training upon hire and at least annually thereafter.
  • Safefood 360° utilizes the current version of Symantec Endpoint Security and Anti-Virus Enterprise Edition on all user workstations. This includes real-time scanning and periodic scans of all files and folders contained on each computer. Anti-malware databases are configured to be updated every hour for new signatures that are being made available from Symantec.
  • Safefood 360° requires the use of complex passwords and two-factor authentication where available.
  • Safefood 360° monitors all log-on attempts to production systems.
• Security Incident Protection and Response
  • Safefood 360° maintains an Incident Reporting Mechanism in order to facilitate the reporting of potential security incidents and/or breaches.
  • Safefood 360° takes all suspected incidents seriously and will investigate all suspected incidents as quickly as possible.
• Contingency Plan
  • Safefood 360° maintains a data backup and recovery plan which creates and maintains retrievable copies of client data within snapshots on storage devices and storage device replication. Daily backups are maintained for 35 days and weekly backups are maintained for five years.
  • Safefood 360° maintains a disaster recovery plan for recovery in the event of failure or disaster including all critical elements of the applications, snapshot technology in the event of major data corruption, backup databases for production data, and an alternate site in the event the primary site goes down.
  • Safefood 360° periodically tests contingency plans to verify procedural steps are valid and to provide updates to the procedures.
  • All Safefood 360° applications, including its elements such as the network, servers, storage, and databases are equipped and operated at high availability.

PHYSICAL SAFEGUARDS

Safefood 360° hosts all its SaaS applications, including client data within the Microsoft Azure network of data centres. All physical security policies are set by the hosting facility. Safefood 360° has reviewed these policies and verified acceptability.  The data centres are SOC 2 compliant. They maintain 24/7 manned security. All doors have alarm contacts, the building has ballistic entrances/bulletproof glass, and no signage.  Only authorized employees have badges that will get them in any door. The physical security requires both a proximity badge and a palm print biometric authentication to be performed before anyone can gain access to the facility via man traps. The data centres have recording cameras spread throughout and outside the facility and several motion sensor lights. Aside from the aforementioned facility security implementations, Safefood 360° also has procedures and practices related to the following:

• Workstation Security
  • Safefood 360° has implemented policies and procedures that govern the use and security of workforce member workstations, including laptops, and portable devices. This includes the encryption of all workstations and laptops.
• Device and Media Controls
  • Safefood 360° has implemented policies and procedures that govern the movement of all devices and media. This includes disposal, re-use, data back-up, and data storage.

TECHNICAL SAFEGUARDS

Safefood 360° has implemented policies and procedures to technical safeguard client data accordingly wherever possible. These policies and procedures include:

• Access Control
  • Unique user IDs and secure passwords for access to systems
  • Automatic Logoff procedures
  • Emergency Access procedures
  • Data that is moving is encrypted using Secure Socket Layer and Transport Layer Security (SSL/TLS).  Data at rest is either encrypted or de-identified.
• Vulnerability Management / Scanning
  • Bi-annual application security scans.
  • Annual penetration tests by third-party firm.
• Audit Control
  • All web accesses to the applications from users are logged in a platform and/or application-specific database.
  • User authentication is handled within the application. It is equipped with configurable options to comply with commonly enforced password policies in the market.
• Transmission Security
  • Safefood 360° applications are equipped with transmission security and data integrity mechanisms to protect the exchanges of client data according to the Encryption Policy utilising SSL Encryption.
• Monitoring and Alerting
  • Safefood 360° uses several systems and tools that complement each other to provide the best protection and coverage for its hosted application environments. These include monitoring and alerting for the following:
    • System and Services Health and Availability
    • Resource Capacity and Utilization Monitors
    • Application Performance Monitors

CUSTOMER RESPONSIBILITIES

Safefood 360° provides its clients with the functionality necessary to create user roles, grant access to users, configure the parameters of the application, and export data to common formats. Customers are therefore primarily responsible for:

• Configuring and managing employee & third-party supplier user access and authentication to the system
• Adding and removing Safefood 360° employees and authorised contracted users for the purpose of providing customer support and professional services.
• Managing the security of client and end-point devices used to access the Safefood 360° platform.

MICROSOFT AZURE RESPONSIBILITIES

As the host of the Safefood 360° SaaS application, Microsoft Azure provides critical support services that include:

• Continued compliance with the following data security standards: E.U. Data Protection Directive (95/46/EC); ISO/IEC 27001:2005; SOC 2; HIPAA/HITECH; PCI Data Security Standard; and FDA 21 CFR Part 11 and EU Annex 11.  
• Host infrastructure includes the configuration, management, and securing of the compute (virtual hosts, containers, service fabric, auto-scaling), storage (object, CDN, file storage), and platform services. Azure will operate and secure the host services, such as the operating systems of the service. 
• Network control includes the configuration, management, and securing of network elements such as virtual networking, load balancing, DNS, and gateways. 
• Internal vulnerability management of the host infrastructure.
• Enterprise-level backup and redundancy.

SYSTEM BOUNDARIES

The System Boundary illustrates data flow to and from Safefood 360° applications and where responsibilities lie within the Safefood 360° system.