Privacy Policy
Sakon Security Measures
Confidentiality
Sakon maintains a comprehensive, multi-layered access control architecture that enforces the principle of least privilege across all organizational tiers. Client data accessibility is strictly governed through role-based access control (RBAC) mechanisms, ensuring that only explicitly authorized personnel can access specific datasets based on legitimate business requirements and operational necessity. While IT Administrators possess technical access to systems hosting and processing Client Data for operational continuity, their ability to view customer information is deliberately restricted and permitted only when essential for troubleshooting, incident resolution, or critical system support functions. All administrative and user access activities are comprehensively logged through automated audit policies, creating an immutable trail for monitoring, compliance verification, and forensic analysis. Sakon’s application architecture implements fine-grained, hierarchical access controls with dynamic privilege segmentation, where user access rights are contextually provisioned according to assigned roles, organizational hierarchy, and specific business justifications. This intelligent content management layer ensures each user experiences a customized data view reflecting only information relevant to their defined permissions, effectively creating logical data boundaries within the environment.
All employees and contracted personnel are contractually bound to Sakon’s comprehensive Information Security Policies through formal acknowledgment requirements, establishing clear obligations regarding the protection, confidentiality, and appropriate handling of sensitive organizational and client data, reinforced through continuous security awareness training and rigorous policy enforcement mechanisms.
Personnel Practices
Sakon implements a rigorous pre-employment screening process that includes comprehensive background verification for all prospective employees prior to engagement. Sakon’s structured security awareness program delivers mandatory privacy and information security training during the onboarding phase, supplemented by continuous education initiatives throughout the employment lifecycle to ensure sustained compliance with evolving security standards and regulatory requirements. All personnel, including employees and contractors, are contractually obligated to execute formal Non-Disclosure Agreements (NDAs) that establish legally binding commitments to maintain the security, availability, and confidentiality of Sakon services, client data, and proprietary organizational information. These agreements reinforce Sakon’s organizational security culture and provide enforceable legal safeguards against unauthorized disclosure or misuse of sensitive information.
Network Protection
Sakon maintains a defense-in-depth security infrastructure featuring perimeter firewalls configured to industry best practices with a default-deny posture, permitting traffic exclusively to application-essential ports while blocking all unauthorized communications. Sakon’s multi-layered protection includes strategically deployed Intrusion Detection and Prevention Systems (IDS/IPS) with continuously updated threat intelligence to defend against network and application-layer attacks, malware, DDoS, intrusion attempts, and blended threats. A Web Application Firewall (WAF) provides critical application-layer defense using signature-based detection and behavioral anomaly analysis to neutralize OWASP Top 10 vulnerabilities including XSS, SQL injection, and HTML injection attacks. Comprehensive Endpoint Detection and Response (EDR) solutions are deployed across all servers and workstations, integrating next-generation anti-virus, anti-malware, Host-based Intrusion Prevention (HIPS), application control, device control, tamper protection, and web filtering capabilities. Access to all systems is governed through centralized Identity and Access Management (IAM) with mandatory Multi-Factor Authentication (MFA) for privileged accounts, while 24/7 security monitoring operations provide real-time threat detection, incident response, and continuous compliance validation across Sakon’s entire technology ecosystem.
Compliance
The following security-related compliance certifications and attestations are applicable to and maintained by Sakon; certificates can be obtained on request from your account manager:
- Service Organization Control (SOC 1) Reports: A SOC 1 (Service Organization Controls) report, issued under SSAE 18 (previously SSAE 16), provides an independent assessment of the controls at a service organization that are relevant to user entities’ internal control over financial reporting.
- Service Organization Control (SOC 2) Reports: A SOC 2 report provides an independent assessment of the design and operating effectiveness of controls at a service organization that relate to the Trust Services Criteria, namely security, availability, processing integrity, confidentiality, and privacy.
- PCI: Sakon is not currently a PCI-certified Service Provider. Sakon is a PCI Level 4 Merchant and has completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing us to use a third party to process customer credit card information securely.
- ISO 27001:2022: ISO 27001:2022 is the latest specification for an information security management system (ISMS). An ISMS is a comprehensive framework of policies, procedures, and controls that systematically manages information security risks through legal, physical, technical, and organizational measures to protect the confidentiality, integrity, and availability of organizational information assets.
- ISO 27701:2019: ISO 27701:2019 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management) is a specification for a privacy information management system (PIMS). A PIMS extends the ISO 27001 framework by providing additional requirements and guidance specifically for managing personal data protection, enabling organizations to demonstrate compliance with privacy regulations such as GDPR through a structured system of controls, processes, and accountability measures.
- ISO 22301:2019: ISO 22301:2019 (Security and resilience — Business continuity management systems) is an international specification for business continuity management systems (BCMS). A BCMS is a systematic framework that enables organizations to prepare for, respond to, and recover from disruptive incidents by establishing documented procedures, strategies, and controls to ensure the continuity of critical business operations and minimize the impact of potential disruptions.
- GDPR (General Data Protection Regulation): GDPR is a comprehensive data protection and privacy regulation that establishes strict requirements for the processing of personal data of individuals within the European Union and European Economic Area. The regulation is a binding legal framework that mandates organizational accountability, transparency, and individual rights protection through stringent technical, operational, and governance controls governing the collection, storage, processing, and transfer of personal information across all sectors and jurisdictions.
- CSA (Cloud Security Alliance): CAIQ/CSA compliance is widely used by cloud service providers to document the security controls in IaaS, PaaS, and SaaS offerings, providing transparency about those controls. Sakon uses the CAIQ to outline Sakon’s security capabilities to customers, publicly or privately, in a standardized way using the terms and descriptions considered best practice by the CSA. A useful aspect of the CAIQ is that it is mapped to many other industry standards, including ISO 27001, PCI, and NIST SP 800-53 R3.
https://cloudsecurityalliance.org/star/registry/global-sourcing-group-inc/services/sakon-application-platform/download/rPxwXA
Availability & Disaster Recovery
Sakon maintains a robust business continuity management framework aligned with ISO 22301:2019 certification standards, specifically designed to minimize service disruptions and ensure operational resilience against adverse events. Sakon’s production environment is architected with high-availability principles, incorporating redundancy and fault-tolerance mechanisms to withstand single or cascading failures across application components, infrastructure services, or entire data center facilities. Real-time availability and performance monitoring is conducted through enterprise-grade observability platforms including Zabbix and New Relic, providing comprehensive telemetry, proactive alerting, and performance analytics across all critical services. Sakon’s Infrastructure Management team conducts regularly scheduled disaster recovery testing and tabletop exercises to validate recovery procedures, verify Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and ensure operational readiness for business continuity scenarios. A dedicated 24/7 Network Operations Center (NOC) provides continuous infrastructure surveillance, rapid incident detection, and immediate mitigation response to minimize service impact and maintain contractual service level commitments. This ISO 22301-compliant framework ensures systematic preparedness, documented recovery strategies, and continuous improvement of Sakon’s business continuity capabilities to protect service availability and organizational resilience.
Incident Management & Response
Sakon has a well-defined Incident Management procedure that sets out a framework of governance and accountability in the event of a security incident. In the event of a security incident, Sakon will promptly notify the customer. Sakon’s privacy breach response plan ensures that Sakon is able to swiftly identify privacy breaches and contain any privacy risk.
Incident Response and Recovery Plan Testing
Sakon conducts comprehensive annual testing of Sakon’s Business Continuity Plan (BCP), Disaster Recovery (DR) procedures, and Incident Response & Recovery frameworks to validate operational readiness and identify areas for enhancement. Sakon’s structured testing methodology encompasses multiple evaluation approaches including detailed walk-through exercises to verify procedural accuracy, collaborative tabletop exercises that simulate crisis scenarios with cross-functional stakeholder participation, systematic checklist validations to ensure completeness of recovery documentation, and parallel simulations that test failover capabilities without disrupting production services. Each testing cycle generates detailed performance metrics, identifies procedural gaps, and validates recovery time objectives against documented targets. Test findings undergo rigorous review by senior management and technical leadership, with documented corrective action plans implemented to address identified deficiencies, update recovery procedures, and continuously improve Sakon’s resilience posture. This iterative testing and refinement process ensures Sakon’s business continuity capabilities remain effective, relevant, and aligned with evolving operational requirements and emerging threat landscapes.
Data Encryption In Transit and At Rest
Sakon implements enterprise-grade cryptographic protocols aligned with industry best practices and regulatory standards to protect data confidentiality and integrity throughout its lifecycle. All customer data is secured using strong encryption mechanisms both in transit and at rest, employing TLS 1.2/1.3 protocols with robust cipher suites for data transmission and AES-256 encryption standards for data storage. Sakon’s production systems undergo continuous security hardening procedures that include the systematic identification and disablement of weak or deprecated cryptographic algorithms, ensuring compliance with evolving cryptographic standards and eliminating vulnerabilities associated with outdated cipher suites. Regular security assessments and vulnerability scanning validate the effectiveness of Sakon’s cryptographic implementations, while centralized key management practices ensure proper generation, rotation, storage, and lifecycle management of encryption keys. This comprehensive cryptographic framework protects sensitive information against unauthorized access, interception, and disclosure across all system components and communication channels.
Authentication
Sakon operates on the foundational principle of least privilege, ensuring that access rights are granularly provisioned to the minimum level necessary for users to perform their designated business functions, thereby minimizing potential attack surfaces and unauthorized data exposure.
Duties and areas of responsibility are systematically segregated through role-based access controls and separation of duties (SoD) policies, reducing opportunities for unauthorized modifications, unintentional errors, conflicts of interest, and misuse of organizational information or sensitive data assets. All users are assigned unique identifiers that establish individual accountability and traceability across all systems and applications. Sakon maintains a strict prohibition against shared credentials, ensuring that every access event can be attributed to a specific individual for audit, compliance, and forensic purposes.
User authentication credentials are cryptographically protected using AES-256 encryption algorithm when stored at rest, with additional security measures including salted hashing for password storage, secure key management practices, and protection against credential theft or unauthorized access to authentication databases.
Single Sign-On Integration: Customers can seamlessly integrate their Sakon Services instance with enterprise identity providers through SAML 2.0 protocol, enabling centralized authentication management, simplified user provisioning, enhanced security through federated identity, and improved user experience with unified access across organizational applications.
Vulnerability Assessment & Penetration Testing
Vulnerability Assessment and Penetration Testing (VAPT) of all production systems and applications is performed regularly as a defined process, both internally and by a third-party security vendor. The VAPT assessment is carried out in four phases:
- Conduct Assessment
- Identify Exposures
- Address Exposures
- Remediation and Compliance
Endpoint Protection & Compliance
All organizational systems, including servers, workstations, and mobile devices, are mandated to maintain active endpoint protection solutions with real-time threat detection capabilities. A systematic weekly compliance assessment process identifies and flags devices that deviate from security baselines. The Network Operations Center (NOC) is designated as the responsible authority for immediate remediation actions on non-compliant devices, including enforcement of security policies, quarantine procedures for high-risk endpoints, and escalation protocols to ensure rapid restoration of compliance posture across the enterprise endpoint ecosystem.
Information Security Audit
Audits are performed by a qualified third-party audit team (the IA team). The IA team is entrusted with ensuring compliance with the ISMS framework in all aspects. The IA team meets on an annual basis. It has the following responsibilities:
- Conduct internal audits to assess conformance to the standard, the organization’s policies, and the effectiveness of implementation and maintenance.
- Define and document procedures, including responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records.
- Evaluate the organization’s compliance with the ISMS framework in all aspects.
- Detect any shortcomings in the implementation of the ISMS framework within the organization.
- Ensure deployment of a robust information security framework.
- Recommend the necessary corrective and preventive actions.
- Ensure continuous improvement of information security controls.