PlanNEL Privacy Policy (Draft)
PlanNEL
Security
PlanNEL is built upon Amazon Web Services, leveraging the elastic capability and economic benefits of cloud computing. We make use of a number of Amazon products:
- Amazon Elastic Compute Cloud (EC2) - We use the EC2 platform to host our web servers on powerful virtual machines.
- Relational Database Service (RDS) - We use Amazon’s managed PostgreSQL database product. This allows us to benefit from Amazon’s backup mechanisms and high availability.
- Amazon CloudFront - We integrate with Amazon’s CloudFront Content Distribution Network to deliver images to you at lightning speeds.
PlanNEL has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of PlanNEL applications.
This program includes an in-depth security risk assessment and review of PlanNEL features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing on the application.
Software Security
Accessing your PlanNEL system requires an account ID, username and password. Access to the back-office PlanNEL administration area is over a TLS-encrypted connection. You can read more about Amazon EC2 security here.
Information and User Security
You can configure your account so that each user has restricted access to only the areas they need to work in – so, for example, sales staff can only use the Demand Planning sections, whilst you and your inventory planner have full access to the Inventory Management modules, products and stock control. Your data will be stored in a data center determined by the business location you give when registering:
- Japan
- Korea
Backups
We understand that the data you enter into PlanNEL is vital to the operation of your business, so our technology is designed to keep your data safe. Your data is backed up in its entirety nightly and stored for 30 days. Within this window we can restore your data from one of these backups. We can also do a point-in-time restore down to the nearest minute.
Inquiries
You can send security-related questions or concerns to security@plannel.com.
Architectural Security
Encryption
Transmission of user credentials, as well as all data exchanges, is encrypted with an industry-standard protocol and cipher suite. PlanNEL uses token-based application authentication and multi-factor end-user authentication (MFA).
Role-Level Access
End users can be assigned roles with specific permissions and restrictions to see only the data, and use only the features, required for their jobs – right down to the field level. PlanNEL provides a complete audit trail, tracking transactions by user login details and applying a timestamp to each change.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is another layer of securing user access to your PlanNEL account. In addition to a username and password, a role can be configured with an additional layer of protection where users provide a verification code. The verification code can be obtained from an authentication app, or for example, by a message sent to a mobile phone.
Password Policies
Customers have granular password configuration options, ranging from the length of the passwords to the password expiration policy. They can set up strict rules to ensure that new passwords vary from prior passwords and that passwords are complex enough to include a combination of numbers, letters and special characters. In addition, accounts are locked out after several unsuccessful attempts.
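As an added illustration (not PlanNEL's own code or configuration), the following Python shows how the password policy options above fit together: a hypothetical Account enforces minimum length, complexity, a password history, expiration and lockout after repeated failures. The numeric limits are assumed values, not PlanNEL defaults.

```python
import hashlib
import secrets
from datetime import datetime, timedelta
# Hypothetical policy values modelled on the options the page lists.
MIN_LENGTH = 12          # minimum password length
HISTORY_DEPTH = 5        # new password must differ from the last 5
MAX_AGE_DAYS = 90        # expiration policy
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many failures

def _hash(password: str, salt: str) -> str:
    # Salted PBKDF2, so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def complexity_problems(password: str) -> list:
    # Rules from the page: length plus a mix of letters, numbers and special characters.
    checks = [
        (len(password) >= MIN_LENGTH, "too short"),
        (any(c.isalpha() for c in password), "no letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(not c.isalnum() for c in password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

class Account:
    def __init__(self):
        self.salt = secrets.token_hex(8)
        self.history = []        # password hashes, most recent last
        self.changed_at = None   # when the current password was set
        self.failed_attempts = 0
        self.locked = False

    def set_password(self, new_password: str, now: datetime) -> list:
        # Returns the policy violations; an empty list means the password was accepted.
        problems = complexity_problems(new_password)
        new_hash = _hash(new_password, self.salt)
        if new_hash in self.history[-HISTORY_DEPTH:]:
            problems.append("reuses a recent password")
        if not problems:
            self.history.append(new_hash)
            self.changed_at = now
        return problems

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad password' or 'locked'."""
        if self.locked:
            return "locked"
        if self.history and secrets.compare_digest(_hash(password, self.salt), self.history[-1]):
            self.failed_attempts = 0
            return "expired" if now - self.changed_at > timedelta(days=MAX_AGE_DAYS) else "ok"
        self.failed_attempts += 1
        self.locked = self.failed_attempts >= MAX_FAILED_ATTEMPTS
        return "locked" if self.locked else "bad password"
```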
Operational Security
Continuous Monitoring
PlanNEL employs both network- and host-based intrusion detection systems (IDSs) to identify malicious traffic attempting to access its systems. Security alerts and logs are sent to a security information and event management (SIEM) system for monitoring, and response actions, when required, are executed by an experienced, in-house security team.
Separation of Duties
In addition to managing employee background checks at all levels of the organization, PlanNEL follows the Principle of Least Authority (POLA) – employees are given only those privileges necessary to do their jobs.
Dedicated Security Team
PlanNEL employs a global security team dedicated to enforcing security policies, monitoring alerts and investigating any anomalous system behavior, including unauthorized connection attempts and malicious software. Near-real-time monitoring is in place with a 24x7 worldwide incident response capability. All access to production systems is approved and regularly reviewed by the security team.
Privacy
As data protection issues and global laws continue to evolve and become increasingly complex, PlanNEL understands the importance of maintaining a comprehensive privacy program that is embedded into our company’s culture and services.
Privacy Principles
We’re committed to following three principles that reflect our core values:
- We put privacy first.
- We innovate responsibly.
- We safeguard fairness and trust.
Our philosophy of “privacy by design” is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data. These privacy principles drive how we train our employees, how we design and build products, and ultimately, how we process personal data.
Privacy and data protection require year-round vigilance, and we’re strongly committed to protecting the personal data of our customers and employees.
Review our privacy policy to learn more about how we manage and protect our customers' information.
Certifications, Standards and Regulations
Security Certifications
PlanNEL issues reports upon the completion of periodic SOC 1 Type II and SOC 2 Type II audits and is certified for PCI DSS and ISO 27001:2013.
- PlanNEL has defined its information security management system in accordance with NIST 800-53 and ISO 27000 series standards.
- PlanNEL’s SOC 1 Type II and SOC 2 Type II audits are prepared and audited by independent third-party auditors. A SOC 1 Type II audit is essential to meeting the reporting requirements of Section 404 of Sarbanes-Oxley relating to the effectiveness of internal controls for financial reporting. A SOC 2 Type II audit reports on controls that directly relate to the security, availability and confidentiality of service organizations.
- The PCI DSS security standard is designed to ensure that companies process, store and transmit payment card information in a secure environment. PlanNEL’s Attestation of Compliance (AOC) is prepared and issued by a PCI Qualified Security Assessor (QSA).
Privacy Certifications
PlanNEL performs reviews and annual audits, conducts privacy risk management and oversees remediations, oversees privacy by design in technology processes, has a third-party vendor management program to ensure that suppliers adhere to the privacy regulations, and is committed to maintaining and improving its privacy information management and data protection programs. PlanNEL also provides Product Feature Guidance documents that describe how the service functionality is designed to assist customers with their privacy requirements.
- PlanNEL has extended the ISO 27001 Information Security Management System to include the ISO 27018 control set, demonstrating protection and adequacy for processing Personal Information as a Public Cloud Hosting Provider.
- PlanNEL’s adherence to the EU Cloud Code of Conduct (CoC) has been verified and published on the monitoring body’s public registry. The CoC has been designed to define general requirements for cloud service providers as processors, demonstrating sufficient guarantees under Art. 28.1-4 of EU General Data Protection Regulation (GDPR).
- PlanNEL has obtained EU/EEA-wide authorization from the European data protection authorities for its Binding Corporate Rules for Processors (“BCR-p”). This helps our customers address their privacy and security requirements under GDPR and other European data protection laws and regulations in the EU/EEA, the UK and Switzerland (“European Data Protection Law”). See the Privacy Code for Processing Personal Information of Customer Individuals (PlanNEL Processor Code).