Introduction

This document provides answers to the questions we're most often asked. We hope you'll find the answer to your question here, but if not, or if you require any further information, please contact us at support@equinox-ipms.com. We'll be more than happy to provide you with further details.

TABLE OF CONTENTS

Legal and compliance
Vulnerabilities and patching
Operational security
Equinox
Other questions
- Is Equinox protected against data centre outages?

Legal and compliance

Does Equinox hold the ISO 27001 certification?

Questel has been fully compliant with ISO/IEC 27001:2013 for Information Security Management since 2022. We began the process for Equinox Corporate, Law Firm and Law Firm+ to become certified for ISO/IEC 27001 and SOC2 Type II in 2023 (after Questel acquired Equinox) and are currently working towards certification.

Is Equinox PCI DSS compliant?

No. We don't process transactions or store credit card information.

Yes. Equinox is fully GDPR compliant. Users are entitled to the right:

To be informed
Of access
To rectification
To erasure
To data portability
To object

Where is Equinox data stored?

Europe: For EU clients, data (including backups) is stored in a French Microsoft Azure data centre. For UK clients, we use a multi-tenant Microsoft Azure data centre in Cardiff, Wales. Both data centres are fully compliant with the EU General Data Protection Regulation (GDPR).

For clients across the rest of the world, Equinox data is typically stored as geographically close to you as possible.

For Asia-Pacific clients, we host data in Victoria, Australia
For South-East Asia clients, we host data in Singapore
For Canadian clients, we host data in Toronto, Canada
For clients in the United States, we host data in Iowa, USA.

Any client that requires a single tenant, i.e., a dedicated server (at additional cost), can select their preferred server location.

Is Equinox Cyber Essentials Plus certified?

We’re currently working towards ISO 27001 certification and are aiming to undertake the Stage 2 audit with the British Assessment Bureau.

Are backups of the system taken?

Yes. Regular backups are taken of both Equinox and any documents that you might upload. Multiple backups are taken and held in different geographic locations. Backups are encrypted both in transit and at rest.

What is Equinox's data retention policy?

Your database (i.e., all details that you enter into the system, except documents that you upload) is backed up hourly for 5 days, then daily for 30 days. Documents that you upload to Equinox are backed up every 4 hours for 5 days, then daily for 30 days.

Does Equinox have a disaster recovery procedure?

Yes. We test this at least every 12 months. We undertake periodic backups with a maximum data loss of one hour for data held in the Equinox database; these can be used to restore an entire system, including all subscriber data and documents. Our servers are typically virtual. In addition to data backups, we take snapshots daily. This enables us to have multiple recovery options, ensuring maximum data integrity and availability for our clients. All production servers run on environments that are periodically mirrored to a secondary redundant environment to ensure high availability. These backups and mirror environments ensure we can quickly restore an entire system, including all subscriber data/documents, as part of our disaster recovery protocols. Users can also create their own backups directly from our system. Our business continuity and disaster recovery plans respect subscriber requirements and legal obligations, such as GDPR. More details can be provided upon request.

Do you have a dedicated security team or person in your organisation?

Security is a collaborative effort between our Operations and Development teams, with direct sponsorship from our Product Lead.

Does Equinox have a data protection officer?

Yes. Our named data protection officer is Sabine Landivier. Contact can be made via dpo@questel.com

Who can I contact about information security concerns?

Please get in touch via support@equinox-ipms.com. Our Operations team will be happy to assist with any specific questions.

Vulnerabilities and patching

Does Equinox undertake penetration tests?

Yes. We employ a third party (OutPost 24) to conduct daily penetration tests on both our systems and software. Our Development and Operations teams respond to any findings promptly, and any vulnerabilities found are then retested to ensure they are resolved.

How quickly are security vulnerabilities resolved?

We aim to resolve all critical vulnerabilities within 7 days and all other vulnerabilities as soon as possible, but within 30 days.

What is Equinox's approach to patching?

Our systems are regularly patched with recommended vendor updates. With a similar approach to penetration test findings, we aim to patch all critical/zero-day vulnerabilities within 7 days, and aim to release all other security update as soon as possible, but within 30 days. Our developers continually build in protections against SQL injections and cross-site scripting and actively monitor and test against the top 10 Web Application Security Risks compiled by the OWASP Foundation.

What is Equinox's approach to security?

The security of our systems and service is of paramount importance to us. From the early stages of development, through to deployment and production, our focus on security guides us at every stage. We follow a Secure Software Development Lifecycle (SDLC) process, integrating security at every stage of application development to ensure secure deployment. A combination of continual penetration testing, training, and staying abreast of the latest industry security recommendations allows us to maintain confidence in the security and robustness of our systems. Questel has several administrative, physical, and technical safeguards to protect personal information in Equinox. We also conduct regular risk assessments to assess threats and update our security measures.

Administrative safeguards - Clear and comprehensive data privacy and security policies and procedures; regular employee training and awareness programs on data privacy and security; regular risk assessments and audits; the appointment of a Data Protection Officer (DPO); and an incident response plan
Physical safeguards - Secure data centres with restricted access; fire detection and suppression systems; and regular backups and disaster recovery plans. Offices implement badge access, with visitors signed in and accompanied throughout any visit. Sensitive areas are locked with separate badge access. The premises have dedicated security personnel and 24/7 video monitoring and alarm systems.
Technical safeguards - Encryption of data in transit and at rest; access controls and multi-factor authentication; continuous integration and continuous delivery/deployment (CI/CD) pipeline for software development, integrating security tools within the pipeline to ensure continuous security monitoring and testing during development and deployment; regular intrusion detection and prevention systems, and regular vulnerability assessments and penetration testing.

Operational security

Does Equinox use encryption?

Yes. All data residing within our SaaS platform utilise Encryption At Rest and Encryption In Transit, with the industry standard algorithms. These include:

At-rest encryption - Equinox uses AES-256 encryption to safeguard data at rest, meaning that data is encrypted when stored on a disk or other device. This ensures that even if an unauthorised person gains access to the storage device, they will not be able to read the data without the encryption key.
In-transit (in-motion) encryption - Equinox uses encryption to protect data in transit, meaning that data is encrypted when transmitted over a network. This ensures that even if an unauthorised person intercepts the data during transmission, they will not be able to read it without the encryption key.
Encryption key management - Equinox utilises industry-standard encryption key management practices to ensure the security and confidentiality of encryption keys. We employ asymmetric encryption capabilities through Azure Key Vault and Azure Key Vault Managed HSM to ensure secure storage of encryption keys, regular rotation of encryption keys and secure transfer of encryption keys.
Secure communication - The connections to Equinox through an internet browser and Microsoft Office plugin employ secure communication protocols, such as TLS v1.2 over HTTPS and the secure file transfer protocol (SFTP), to ensure that data is transmitted securely over network.

How is access to systems by Equinox staff managed?

Only Equinox staff whose role requires direct access to Equinox systems and data are granted access. The level of access is also restricted based on the type of activity the role requires. Access is logged and auditable and we have additional processes in place to audit the activity of staff accessing production systems.

Do you provide data- and cybersecurity training to staff?

All our employees undergo mandatory data- and cybersecurity training as soon as they join Equinox. Our staff undertake a monthly training program, so they have up-to-date knowledge of a range of data- and cybersecurity topics.

Are systems monitored for unusual activity?

Yes. We monitor a range of metrics from both our underlying systems and the Equinox application itself. Equinox employs advanced network inspection tools to analyse incoming and outgoing traffic for potential security threats, such as malware, viruses and unauthorised access attempts, and to alert on suspicious or anomalous network activity. These tools use machine learning algorithms to establish a baseline of normal behaviour and identify deviations from that baseline. Logs and alerts on these metrics are sent directly to our Operations and Development teams. This means they're aware of any issues in real-time and can take action promptly should the need arise. Equinox sends real-time alerts to system administrators when suspicious or anomalous network activity is detected. These alerts allow administrators to take immediate action to investigate and mitigate potential security threats.

Equinox

What technology does Equinox run on?

Equinox is primarily a PHP application and runs on a LAMP stack (Linux, Apache, MySQL and PHP). We use Linux to host Equinox, enabling us to offer you a secure and reliable service.

How is access to Equinox managed?

Equinox uses role-based access control (RBAC) to manage user access. This means that access rights are assigned according to users' roles within the organisation. For example, administrators have more access rights than regular users. User actions can be audited, providing a record of who did what and when. Accounts will lock by default after 8 failed attempts. Equinox conducts regular audits of user access to ensure that access rights are up-to-date and in line with users' roles. This helps to prevent unauthorised access and ensures that access is always granted on a need-to-have basis. Our authentication and authorisation processes are thoroughly tested by our penetration testing programme.

What level of logging and monitoring is implemented for privileged users?

Questel implements robust logging and monitoring for users with privileged access accounts to ensure the security and integrity of client data and services.

Logging - Equinox logs all activities performed by privileged users, including login/logout events, access to client data, and changes to system settings. These logs are stored in a secure location and can be reviewed by authorised personnel for auditing and compliance purposes.
Regular audits - Equinox conducts regular audits of privileged user activity to ensure compliance with internal policies and external regulations. These audits help identify potential security risks and areas for improvement in the privileged user management process.

Do you have intrusion detection and prevention systems?

Yes, Equinox has intrusion detection and prevention systems (IDPS) to monitor for and respond to suspicious activity. Equinox also implements Segregation of Duties (SoD) for privileged users. This means that no single user has complete control over the system, and that changes to the system require the approval of multiple users. This helps to prevent unauthorised changes and ensures that all changes are auditable.

Is it possible to set a password policy for users?

Subscribers with the correct roles can set a password policy specifically for their staff. Length and complexity can be customised.

Does Equinox support two-factor (2FA) or multi-factor authentication (MFA)?

Yes. Equinox natively supports both email and SMS two-factor authentication. As a subscriber, you're free to choose whichever you prefer. Additional options are available for subscribers with a single-tenant solution (your own dedicated environment), who choose to enable single-sign-on (SSO).

Does Equinox support Single-Sign-On (SSO)

Yes. Single tenant subscribers can choose between Microsoft Active Directory Federated Services SSO or Azure SSO. This lets you set more advanced access policies, such as conditional access and/or MFA options.

Does Equinox keep log files?

Yes. Log files are kept of system activity, for the sole purpose of assisting with troubleshooting. These are typically kept for less than 1 month. Additional log files are kept by the application itself, again for the sole purpose of assisting with troubleshooting. Equinox stores logs in a secure location accessible only to authorised personnel. The logs are stored in an industry-standard format, enabling easy analysis and reporting.

How is client data segregated?

Questel uses database-level, file storage and code-level restrictions and mechanisms to ensure that all client data remains separated and isn't viewed by incorrect parties. Data is logically separated using tenant identifiers, and strict access controls are enforced (see page X). We don’t fully disclose the technical details of our data segregation protocols for security reasons, but you can find further information about our security measures by requesting our Equinox security specification. This non-exhaustive list provides a snapshot of some of our dedicated security specifications to ensure data segregation and secure access for clients (’subscribers’):

Data storage for any multi-tenant environment is always identified by one of two keys: a subscriber ID or a subscriber reference. This is implemented at a database row and file structure level.
We employ multiple methods to ensure the continuity and integrity of a subscriber's data, including cloud storage with built-in redundancy, multiple backups and redundant array of independent disks (RAID) for physical servers.
All disks (virtual or physical) and cloud storage servers are dedicated to Equinox and not shared with other providers.
Access to servers for maintenance is restricted and only performed using the Secure Shell Protocol (SSH). It is also further restricted by IP address, with authentication requiring strong passwords and/or keys.
Multiple backup methods are employed, including independent database and document backups and entire disk-level snapshots. Backups are spread across providers and geographic regions (respecting subscriber requirements and legal obligations, such as GDPR).

Data Security FAQs