Security is our top priority

We serve customers all over the world. Here at Tripolis, our most important concern is the protection and reliability of customer data and information. In an age where data breaches are becoming more and more of a threat, Tripolis is taking all the necessary steps to protect its clients’ data.

On this page you can find all you need to know about our ISO certification, availability, product security, infrastructure, backup and recovery and the OSI 7 layer model. Can’t find what you’re looking for? Don’t hesitate to contact us!

Tripolis is ISO 9001:2015 and ISO 27001:2013 certified. For our customers, the ISO 27001 certification means compliance with clearly defined technical and security based standards and thereby defined service levels for our services. Regular internal controlling of the processes and provisions detailed in the ISO 27001 is the basis for the further development of internal IT security standards and the continual adaptation according to changing frameworks and tasks.

Tripolis hires external parties frequently to perform code and Security Audits (Pen Tests) like either a black- or white hat penetration test. The external party scans for exploits and tries to gain access. These tests are used to confirm that our solution is indeed able to protect itself from the latest techniques used by intruders.

• The Tripolis platform is highly available and reliable, with a guaranteed uptime of 99.7%.
• Customer data is backed up to multiple online replicas, ensuring you will never lose your information.
• Our operations teams monitor platform and application behaviour every hour of the day, whole year round.
• Your campaigns are as critical to us as they are to you. In case of scheduled maintenance, degraded performance or service disruptions, we will make you aware of it on our status website and will keep you continually updated. These kind of updates will automatically appear on your log in screen in case of an issue. You can also subscribe to updates, which will automatically be sent to your inbox.

• Your sessions on our platform are always protected with powerful encryption algorithms (TLS 1.2) to ensure no eavesdropping or man-in-the-middle attack is possible.
• Web Application Firewall (WAF) technologies identify and block attacks before they reach the front door.
• Our third party Distributed Denial of Service (DDoS) services protect your site and access to your products from attacks designed to keep you out.
• Next to regular users, some Tripolis employees have access to customer licenses and other central management functionalities necessary to support our customer. For this type of access, the Tripolis platform Software-as-a-Service (SaaS) environment uses an alternative authentication and authorisation scheme than it does for regular users.
• Each Tripolis employee that should be given additional access rights is given a personalised PKI certificate which has to be installed on their own computer. Each time the employee wants to access the system, the certificate is requested to validate the authentication of the employee trying to gain access.
• In case no certificate can be provided, for example when this employee is demonstrating the product on external equipment, a text message is sent to the registered mobile phone of this employee. The text message provides a one time-use and short time valid access code which can be used to log in.
• To which licenses, with which access level and which central management functions a Tripolis employee has got access, is managed centrally. Only the operations team can grant or revoke access rights.

• Tripolis’ European data are hosted by Dutch, third party data centers. Access to these data centers is strictly controlled and monitored by 24×7 on-site security staff, biometric scanning and video surveillance. These data centers are SSAE-16 SOC II and ISO 27001 certified.
• An Intrusion Prevention Systems acts (IPS) as a gatekeeper and checks everyone and everything that wants network access to the platform. If network traffic does not meet predefined rules, the IPS will prevent this traffic from passing. Tripolis has a redundant IPS in place with multilayer access control.
• Responsive incident management process. Proprietary systems feed anomalies to 24×7 security & operations teams, eliminating security concerns at the first sign.
• Tripolis’ software department is responsible for building and maintaining the SaaS offering and its infrastructure. Other organisational units within Tripolis do not have any other way of accessing information stored in the SaaS environment other than through the SaaS application.
• Direct access to data on the platform is restricted to members of the operations team that is responsible for day-to-day operations of the SaaS application and the needed infrastructure.
• The development teams, which are responsible for core development and custom specific solutions, do not have access to the production platform. They do have, restricted, access to (acceptance) testing environments and dedicated production logging systems.

• To keep data safe, backup and recovery policies are put in place. Within Tripolis, a combination of full- and incremental backups are made on daily, weekly and monthly bases. This allows for us to be able to recover data up to 90 days old. Data can be recovered for each of our customers individually when required.
• The backup is duplicated and stored in another physical location away from the original backup location for safety reasons. In case of a calamity affecting the physical location of the backup, the second back up remains safe in another location.
• Currently each customer is able to store all information in the Tripolis platform for an unlimited amount time. All data is retained and integrity is safeguarded over time.
• All critical components of the Tripolis (databases, servers as well as backend support services) are available redundant, have multiple failover instances to prevent outage from single points of failure. Our backup setup ensures that our customers can access their information quickly after a major incident.
• Components exist out of at least two components for fail-over reasons. In case one component fails, the remaining components have the capacity to take on the workload of the failing components.

As our SaaS takes full advantage of being integrated into the cloud and doesn’t rely on any hard- or software at the customer, it is available for everyone.

By having the right procedures in place and ensure that access to the system by authorised users is properly setup and monitored, the risk of misuse by authorised users is reduced to a minimum. Possible abuse of the system by unauthorised users, especially coming from unknown sources, has to be prevented but needs different measures. In order to minimise the risk of any part of our solutions being accessed by unauthorised people, systems or intruders, several measures have to be taken in order to strengthen security at all levels.

Looking at the well known OSI 7 layer model, several precautions are in place at each level of the model. Possible intruders are aware of this model and attack an application to look for any openings at each of the levels.

Once an intruder gains access on a certain level, this opening is often exploited to try to gain access to other levels in order to gain access and control at all levels.

Each attack starts with gathering information. The goal is to find any information which tells something about the technology used on each level in order to create an attack strategy. Therefore, it is key to reveal as little information as possible.