Many companies require a security audit of new vendors prior to implementing their services.

This article is intended to help address potential questions that are likely to occur within your security audit of Setyl. If the answer to a specific IT audit question is not listed below, please reach out to us for further help.

System description

Setyl is a commercial off the shelf (COTS) SaaS based IT asset management platform.

ISO 27001 Information Security Management certification

Setyl is certified to ISO 27001 Information Security Management standards. New and existing enterprise customers can request a copy of our certificate and corresponding documentation.

SOC 2 certification

Setyl has elected not to currently complete SOC 2 certification, however has the similar ISO 27001 Information Security Management certification.

Where is data stored on Setyl geographically located?

Data hosted on Setyl is geographically located in the UK and European Union. Data sharing between the UK and EU is legally covered under the EU GDPR adequacy decision.

What infrastructure type is Setyl?

Setyl is a cloud based SaaS platform, accessible from the browser.

Does Setyl store and process personally identifiable information (PII)?

Based on the definition of PII by the UK's Information Commissioner's Office, Setyl does store and process PII. Examples of PII that are stored and processed by Setyl include name, email address, assigned assets, assigned software application licences, company joining date, company leaving date, password (encrypted), address, avatar photo.

Is Setyl registered for the processing of PII?

Yes. Setyl is registered with the UK's ICO, under registration number ZA798244.

Which cloud providers does Setyl use?

Setyl's cloud providers are Amazon AWS (EU and UK regions) and Salesforce Heroku (EU region).

Is the Setyl platform penetration tested?

Yes. Penetration tests are carried out annually by an independent third party organisation. New and existing enterprise customers can request a copy of our penetration test report.

What authentication methods are employed by Setyl?

By default Setyl provides both traditional email/password authentication and SSO SAML authentication via Google & Microsoft. Clients using our enterprise package are able to further enforce access via specific SAML formats.

Password policy

Setyl includes a standard password length requirement of 12 characters with a requirement to include lower case, upper case and numbers. Password rotation can optionally be enforced as part of our enterprise plans. Brute force attacks are prevented by rate limiting all password input forms. Passwords are stored in an encrypted format.

Encryption at rest method

In transit: HTTPS (forced) with SHA-256 RSA encryption. Usage: Digital Signature, Key Encipherment.

How does Setyl prevent involuntary disclosure of data?

Setyl is a commercial off the shelf (COTS) SaaS solution. On the client-side, Setyl requires authentication in order to access the application. All browser-server traffic is encrypted using 256 bit RSA encryption, and non TLS connections to Setyl are prevented. Setyl has stringent internal policies designed for safeguarding data, such as heavily restricting access to data for Setyl employees and multi factor authentication access requirements for all internal systems.

Data backup policy

Setyl's underlying database infrastructure is automatically backed up hourly using Salesforce Heroku. This hourly backup is then stored in two geographic regions via Amazon AWS and retained for 30 days. The Setyl development team run a mock test of restoring a data backup every 4 months to ensure that the process works correctly.

Patch management and updates

Updates, including patches, are released as part of our normal release cycle every 1-2 weeks. Setyl typically has no downtime during release cycles. For example for the whole of 2021, Setyl had less than 1 hour of downtime. Setyl ensures that all third party packages that the system relies on are updated to the latest version where possible, and always to a version with full security support from the publisher.

Error handling and updates

Errors are actively recorded using a service called Airbrake. These errors are automatically shared with the Setyl development team so that Setyl can proactively address any system bugs.

Prevention of DDoS attacks

DDoS protection is provided by Cloudflare. Setyl is load balanced via Salesforce Heroku's inbuilt load balancing solution. IP blacklisting is provided by Cloudflare.