Security and technology

At Phocas, we are committed to providing a robust and reliable software application, supported by first class data security and privacy for our customers.

Phocas security and technology
Our goal

A secure end-to-end solution

Conscientious about security, vigilant about monitoring and quick to react

Learn more about our partners

It is critical that our customers have confidence in the security of our application.

To provide a secure end-to-end solution, we continually upgrade our systems by investing in the latest technologies. We work closely with our respected partners, Amazon Web Services (AWS) and Armor security to follow industry best practice.

While we have enlisted some of the best technology partners in the world to create a secure environment, the responsibility for data security ultimately lies with us;

  • Our multi-disciplinary internal team regularly reviews our applications, platforms, procedures, and processes to ensure any security, compliance and privacy issues are addressed, communicated, and resolved as appropriate.
  • We continually meet industry best practice with Security and Privacy compliance for SOC2 and GDPR. 
  • Our dedicated global team works to ensure customer data is secure all day, every day.

 

Compliance and certification

SOC2 Type II certified

SOC2 Type II

We are audited for SOC2 (System and Organization Controls 2) compliance annually for Security and Availability. Our current SOC2 Type II report is from calendar year 2022.

This independent examination is an extension of the Type 1 report completed in 2021.

Established by the American Institute of Certified Public Accountants (AICPA), the examination validates Phocas’ security practices and controls and ensures that Phocas meets the Trust Services principles and criteria for security and availability over an extended period of time. 

Phocas SOC2 statement
Certified B Corporation

B Corp certified

To achieve B Corp certification, a company must meet the following criteria: 

  • Demonstrate high social and environmental performance by achieving an assessment score of 80 or above and passing a risk review.  
  • Make a legal commitment where the corporate governance structure is accountable to all stakeholders. 
  • Exhibit transparency by allowing B Corp performance to be publicly available. 

Phocas earned an impressive overall score of 82.4 in the B Impact Assessment, well above the median score of 50.9. 

Phocas' B Corp performance
GDPR

Data privacy

Customer data is our responsibility, and we’re committed to protecting it from unauthorized access and supporting our customers in meeting their data privacy obligations. We provide information and governance controls to help you make the right decisions for your organization. Additionally, we’ve invested heavily in GDPR, Privacy Shield, and stringent privacy safeguards to keep your data private and under your control. 

We publish and regularly update our Privacy Policy which outlines how we collect, use and process data for our own use, and for use by our customers in the Phocas platform.  

Additionally, we comply with data privacy laws and regulations in the United Kingdom, European Union, Australia, New Zealand and the United States to ensure customer data is safe and protected.  

Phocas' GDPR compliance
Security partners

Our Partners

Through partners, we continually measure current processes, procedures and the security stance against best practice based on our partners’ recommendations. For infrastructure best practice and remediation activities, we work with our partners AWS and Armor to provide and maintain a compliance baseline. Additionally, we maintain several compliance and monitoring tools that assist in identifying gaps, ensuring we continually maintain compliance.

We also leverage against our partners’ compliance achievements, such as ISO 27001 and SOC2, amongst others. For more information on our partner compliance certifications see:

Amazon compliance Armor compliance
Infrastructure

Architecture and environment

To provide customers with the greatest degree of reliability, performance and security, we host data in several global locations, including the USA, Canada, UK, EU and Australia.  We are always looking for the next steps in hosting infrastructure, to constantly improve our offering to customers. We maintain an ongoing focus on security, performance and compliance. To achieve this, internal platform specialists actively work with our cloud hosting partners AWS and tools to continually investigate and deploy the latest technology.  
Phocas high level architecture
Infrastructure

Maintenance and monitoring

Rigorous planning and processes have been put in place to enable continuous maintenance and monitoring of our services and infrastructure.

All our servers and infrastructure components are managed through a centralised configuration management system. All changes adhere to our standard change management process and are tracked and stored via source control. 

Infrastructure

Security and privacy

We are committed to providing security for all customers, always.

Our infrastructure has been designed with security built in at every stage. Infrastructure designs are reviewed according to the security standards set by AWS, via their best practice ‘Well Architected Review’ process.

Additionally, we partner with Armor who provides constant monitoring of all our server infrastructure. They identify any irregularities on our servers, down to the file level, via their Security Operations Centre (SOC).

Our security is built on the principle of Zero Trust and this is demonstrated by the following principles and actions;

  • By default, any user on our network is assumed to be hostile
  • Every device, user and network flow is authenticated and authorized
  • A wide variety of preventative techniques that cover identity, endpoint, data, and application access are in place
  • Real time monitoring and controls prevent malicious activity

All servers and infrastructure components are updated regularly to ensure we always follow vendor security recommendations.

Our network with AWS is separated into different availability and security zones, all behind AWS firewalls, gateways and other perimeter protection services.

Phocas application

The Phocas application suite is a variety of multi-tiered-architecture applications, consisting of the following layers:

  • Presentation
  • Business/Process
  • Data
  • Cloud services

Firewalls (network and application) and load balancers support and secure this design.

All our development change processes have quality and security components built in, covering:

  • Protection of customer data
  • Performance
  • Transactional logging
  • UI/UX
  • Customer feedback and satisfaction
  • Third-party library vulnerability auditing
  • Automated and manual testing
  • Mutation testing 
  • Peer code review

Additionally, our development teams ensure ongoing quality is being met, with static code analysis, test coverage and quality metrics. The automated test suite includes UI, unit, functional, integration, e2e, m2e, and regression testing across all stack layers in the application. Manual smoke testing is conducted against all new features. All software development and testing environments are separated from customer production environments for quality assurance. 

Security

Operational practices

All Phocas practices and processes are aligned to the security and protection of customer data. This includes operational and preparedness processes throughout the organization.

All our staff and contractors are fully vetted prior to employment, bound by non-disclosure agreements, and must follow agreed procedures when dealing with customer data. This is stated and enforced through approved policies for internal use of data (personal and company).

All access to data, including customer data, is strictly controlled on a needs or minimum access basis. Access to customer data can only be approved as a result of an application support request. Access to customer data is authorized and tracked via our internal ticketing systems. All access is logged and auditable.

Technology partners

To keep at the forefront of technology and security, we employ high-quality specialists in technology and security. Our main technical partners are Amazon Web Services (AWS) for support, infrastructure and security, and Armor for security monitoring.
AWS Partner netowrk

We house all multi-tenant platform customers on multiple global Amazon Web Services (AWS) environments.

AWS’ global infrastructure is designed and built to deliver a flexible, reliable, scalable, and secure cloud computing environment with the highest quality global network performance. Every component of the AWS infrastructure is designed and built for redundancy and reliability.

As an AWS partner, we have access to the latest technology advancements and services.

Secured By Armor

Armor is an accredited cyber security operations company.

We partner with Armor to strengthen and monitor all hosted servers. Armor provides prevention and detection services via its Security Operations Center all day, every day.

It continuously scans for the latest cyberthreats, viruses, malware, phishing scams, crypto jacking and mining software, so it can provide end-toend prevention, detection, and response services to us and our customers.

Understand the past, operate better today, and plan well for the future

Whether you want to get your data organized for your team or you’re looking to combine business intelligence capabilities with financial reporting, planning and analytics… We can guide you. Let’s see if we can help.
BI dashboard
Get a demo