Security Policy

Storing your financial transactions is what we do – and we take protecting your valuable information very seriously. We continuously invest significant resources in state-of-the-art technologies to keep our security infrastructure updated. The following security measures have been taken to ensure your information is safe at all times:

Physical Security

Our application servers are located in a purpose-built facility with 24-hour video surveillance, physical security, backup electrical generators, and other backup equipment required to keep servers continually up and running.

Perimeter Access/Defense

Our major network backbone includes three connections to separate network service providers. Network perimeters are protected by custom-configured firewalls provided by leading security vendors. PurchaseControl routinely tests all aspects of the network infrastructure to protect against threats.

User Authentication

Users access PurchaseControl’s cloud-based e-procurement software only with a valid username and password. These are encrypted using the Secure Sockets Layer (SSL) protocol, which provides a secure online channel for access. User credentials are verified before access to the PurchaseControl database and application interface is granted.

Application Security

The application security model has been designed so that it is not possible for one PurchaseControl customer to access another customer’s data. This security model is applied to every data request and enforced for the entire duration of a user session.

Operating System Security

We enforce tight operating system security by using a minimal number of access points to all production servers. All operating system accounts are password-protected. All operating systems are maintained at each vendor’s recommended patch levels for security. All operating systems are further secured by disabling and/or removing any unnecessary users, protocols, and processes.

Database Security

Whenever possible, database access is controlled at the operating system and database connection levels for additional security. Access approval to production databases is limited to a number of points.

Server Management Security

All data entered into the PurchaseControl application by a customer is owned by that customer. PurchaseControl employees and representatives do not have direct access to the PurchaseControl production equipment, except where necessary for system management, maintenance, monitoring, and backups. PurchaseControl employees and representatives who have access to the production equipment must pass a rigorous background check.

Data Backup

PurchaseControl applications reside on clustered servers. All customer data is backed up every sixteen minutes. Backup files are also transferred electronically to a disaster recovery location every 24 hours.

Disaster Recovery Plan

Our hosting facility has been designed to withstand many foreseeable catastrophic failures, such as power outages, contractor mishaps, fire, flood, and theft. Power is supplied by separate feeds entering from different sides of the building. The facility also has full UPS (uninterruptible power supply) and generator capabilities in case of a power outage.

In the unlikely event of a catastrophic site failure, PurchaseControl has a comprehensive recovery plan in place. Additional host equipment at a separate location is capable of performing all hosting functions in the case of such an emergency, with sufficient capacity for customers until such time as PurchaseControl’s applications can be restored at their original location or at a replacement hosting facility.

Summary

As a service provider, our aim is to deliver a best-of-class security infrastructure consisting of proven, cutting-edge technologies. PurchaseControl delivers the most comprehensive security solution available. This solution includes firewalls and encryption devices sourced from leading security vendors, configured by expert professionals, and rigorously tested.