Acumatica Information Security

We all have an interest in protecting private personal data along with confidential business information. That is why we have dedicated substantial resources to establishing and maintaining a comprehensive information security program. Our program is designed not only for basic compliance with legal and regulatory requirements, like the POPI Act, but also for consistency with internationally accepted standards of best practices like SSAE and ISO/IEC 27001:2013, as well as other authoritative sources of information security and data privacy best practices guidance.
Information security is a risk management imperative that software as a service (SaaS) providers share with customers.
Acumatica takes a layered, defense-in-depth approach to protect the confidentiality, integrity, and availability of systems and data, by deploying administrative, technical and physical controls.
From design through development and on to implementation, our ERP solutions are created through secure processes in secure environments.
By hosting our SaaS in Amazon Web Services (“AWS”), we provide our customers with the significant security benefits that come with the most advanced cloud computing infrastructure on the planet. Aside from the formidable infrastructure and platform security elements inherent to AWS, Acumatica has architected its services to segregate and isolate different Acumatica customer environments. Administrative access to Acumatica’s AWS management console is strictly limited to a handful of Acumatica key personnel on the basis of “need to know” and “least privilege” principles, and even then requires the use of Multi-Factor Authentication to gain entry.

Acumatica employees with these privileges, as well as those who support customers and may need to access customer databases for support purposes, can only do so through encrypted channels via an Acumatica IP address.
This means that Acumatica’s access to a customer database for support purposes requires a connection through either an Acumatica physical facility or office or the Acumatica VPN, which uses the secure protocols TLS 1.2 or IPsec. The data associated with any activity in these channels are logged and monitored by our information security team. Customers control access rights and management within their dedicated Acumatica SaaS environment by assigning access credentials and can further delineate access by IP address.
The Acumatica Information Security Framework
The standards in the framework are reviewed by the information security team annually or whenever there is a significant change to Acumatica operations or to legal or regulatory requirements that warrants review, whichever comes sooner.
New policies or modifications to existing policies are communicated to applicable employees. In addition, procedures are created and implemented to carry out the information security policies.
Acumatica’s information security management framework consists of security policies, standards and procedures.
Specific information security roles and responsibilities are assigned for the management of the information security program.
These information assets include, but are not limited to: Personal information about employees and customers; Nonpublic business information about, for example:
–strategies, financial and contractual performance;
–product plans and strategies; and
–consultants, business partners, stakeholders, and third-party suppliers.
The Acumatica information security management system addresses, without limitation and solely for purposes of illustrating its comprehensive scope:
