Security Statement

When you access our site using industry standard Secure Socket Layer (SSL) technology, your information is protected using both server authentication and data encryption, ensuring that your data is safe, secure, and available only to registered Users in your organization. Your data will be completely inaccessible to your competitors. Sunrise provides each User in your organization with a unique user name and password that must be entered each time a User logs on. Sunrise issues a session "cookie" only to record encrypted authentication information for the duration of a specific session. The session "cookie" does not include either the username or password of the user. Sunrise does not use "cookies" to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. In addition, Sunrise is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders. Security researchers seeking information on how to report security issues to Sunrise should review our Vulnerability Reporting Policy.

Confidentiality

Sunrise understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.

Internal and Third-party testing and assessments

Sunrise tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments (Mcaffe secure) are also conducted regularly: Application vulnerability threat assessments Network vulnerability threat assessments Selected penetration testing and code review Security control framework review and testing

Security monitoring

Our Information Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.

Secure data centers

Our service is collocated in dedicated spaces at top-tier data centers in Europe. With private Cloud environments where your data location is always known and protected. These facilities provide carrier-level support, including: Access control and physical security 24-hour manned security, including foot patrols and perimeter inspections Biometric scanning for access Dedicated concrete-walled Data Center rooms Computing equipment in access-controlled steel cages Video surveillance throughout facility and perimeter Building engineered for local seismic, storm, and flood risks Tracking of asset removal

Enviromental controls

Humidity and temperature control Redundant (N+1) cooling system

Power

Underground utility power feed Redundant (N+1) CPS/UPS systems Redundant power distribution units (PDUs) Redundant (N+1) diesel generators with on-site diesel fuel storage

Network

Concrete vaults for fiber entry Redundant internal networks Network neutral; connects to all major carriers and located near major Internet hubs High bandwidth capacity

Fire detection and suppression

VESDA (very early smoke detection apparatus) Dual-alarmed, dual-interlock, multi-zone, pre-action dry pipe water-based fire suppression

Secure transmission and sessions

Connection to the Sunrise environment is via SSL 3.0/TLS 1.0, using global step-up certificates ensuring that our users have a secure connection from their browsers to our service. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login

Network protection

Perimeter firewalls and edge routers block unused protocols Internal firewalls segregate traffic between the application and database tiers Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports A third-party service provider continuously scans the network externally and alerts changes in baseline configuration

Disaster recovery

The Sunrise service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center Data are transmitted across encrypted links. Disaster recovery tests verify our projected recovery times and the integrity of the customer data

Backups

All data are backed up to tape at each data center, on a rotating schedule of incremental and full backups The backups are cloned over secure links to a secure tape archive Tapes are not transported offsite and are securely destroyed when retired

Privacy Overview

At Sunrise there is no higher priority than the privacy and security of our customers' data. We believe that protecting the privacy of our customers' data is integral to our mission of earning and maintaining the trust of each of our customers. We seek to lead the industry as a trusted repository for customer data through a world-class privacy program and provide a secure infrastructure and flexible tools that help enable our customers to comply with global privacy and data protection regulations.

Vulnerability Reporting Policy

The Sunrise security team acknowledges the valuable role that independent security researchers play in Internet security. Keeping our customers’ data secure is our number-one priority, and we encourage responsible reporting of any vulnerabilities that may be found in our site or application. Sunrise is committed to working with the security community to verify and respond to any potential vulnerabilities that are reported to us. Additionally, Sunrise pledges not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.

Testing for security vulnerabilities:

Conduct all vulnerability testing against Trial or Developer Edition organizations (instances) of our online services to minimize the risk to our customers’ data.

Reporting a potential security vulnerability:

Privately share details of the suspected vulnerability with Sunrise by sending an email to security@mysunrise.eu Provide full details of the suspected vulnerability so the Sunrise security team may validate and reproduce the issue

Sunrise does not permit the following types of security research:

Causing, or attempting to cause, a Denial of Service (DoS) condition Accessing, or attempting to access, data or information that does not belong to you Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

The Sunrise security team commitment:

To all security researchers who follow this Sunrise Vulnerability Reporting Policy, the Sunrise security team commits to the following: To respond in a timely manner, acknowledging receipt of your report To provide an estimated time frame for addressing the vulnerability To notify the reporting individual when the vulnerability has been fixed

No compensation:

Sunrise does not compensate people for reporting a security vulnerability, and any requests for such compensation will be considered a violation of the conditions above. In such an event, Sunrise reserves all of its legal rights.

Legal Notice Contact Information General Legal: legal@mysunrise.eu Compliance: legal@mysunrise.eu Copyright: copyright@mysunrise.eu

Innovation

We are always busy to identify and use the latest technologies and design techniques to make Sunrise everything you want it to be. If you have suggestions, feedback, or ideas, please don't hesitate to contact us at info@mysunrise.eu.