Communications Security
Q: Do you have Non-Disclosure Agreements (NDAs) with your vendors, suppliers, and contractors?
A: No, we do not contract out. The only third-party providers we use are server providers (e.g., Microsoft Azure), which do not have access to our data. However, we require all employees to sign NDAs, and we sign NDAs with most of our customers—primarily for their protection.
Q: Do you have a Service Level Agreement (SLA) and/or Operation Level Agreement (OLA) with security features and requirements with your applicable service providers?
A: Yes, we have a standard SLA that covers a range of items, including security features and requirements, as well as the statement of work and other relevant details. We can provide a copy via email if needed.
Q: Does your network have a perimeter security architecture (DMZ, firewalls, IDS/IPS, etc.)?
A: Yes, we have WAF (Web Application Firewall), Gateway, Firewall, and Load Balancer in place as part of our perimeter security architecture.
Q: Are the systems that are providing services to us utilizing adequate network controls to protect the confidentiality, integrity, and availability of the information moving through the network?
A: Yes, we have WAF (Web Application Firewall), Firewall software, and DoS protection in place to safeguard network traffic and ensure security.
Q: For the PoC, what mechanism will be used to upload Neptune’s proprietary data to your cloud platform? Please specify.
A: For budgets and past CapEx requests, we typically use Excel templates provided by Capexplan. Once the data is formatted according to the templates, it can be uploaded. Alternatively, we can also work with customers’ existing Excel files if needed.
For tracking costs (such as receptions, purchase orders, and invoices), data can be uploaded using our set of APIs for full automation via ERP integration and real-time data transfer/exchange. Alternatively, flat files over SFTP can be used, which can also be automated.
Q: If the service is contracted, will the uploading of the rest of the data owned by Neptune be done in the same way? If not, please specify.
A: Yes, the process remains the same. During the PoC, we may upload one or two budgets, and during full implementation, we can upload the remaining data. Once we establish what needs to be uploaded, the rest follows a standard procedure.
Q: How can Neptune users share information hosted on its platform with people outside the platform (email offered by the Vendor, downloads, etc.)?
A: This depends on what Neptune intends to share. Some companies provide consultants with a Capexplan license (paid by the customer), allowing them access with specific permissions that limit what they can see and do. Typically, each user who needs access requires a paid seat. However, in some cases, a shared seat may be possible. More details would be needed to determine the best approach for Neptune’s specific needs.
Q: Do you have any DLP solution in place to limit how platform users can download and/or transmit the information hosted on the platform and/or detect mass downloads of information? If yes, please specify the type of alerts configured.
A: No, we do not have a Data Loss Prevention (DLP) solution in place. However, each account has a detailed activity log that tracks user actions, and super users have access to review this information.
Q: Is there a process for identifying and blocking malicious email traffic or phishing attempts?
A: Yes, we use IP blocking, filters, firewalls, and antivirus tools to identify and prevent hacking attempts.
Q: Are all email communications digitally signed to verify integrity and authenticity?
A: All communications, including emails, are encrypted both in transit and at rest.