Q: What is your cloud provider?
A: Our cloud provider is Microsoft Azure. We leverage Azure’s infrastructure for hosting our platform, ensuring reliability, scalability, and security for our applications and data.
Q: In which geographic space will the data owned by Neptune be stored (Asia, EU, USA, etc.)?
A: We have flexibility in data storage locations through Azure’s global infrastructure. We can host data in various regions, including the USA, Canada, Northern Europe, and Asia, depending on customer requirements. For Neptune, we would likely favor the USA as the preferred data hosting location, but we are open to discussing alternative regions based on data residency preferences.
Q: Is there a full-time internal security team assigned to protecting the cloud hosting infrastructure?
A: No, we do not have a dedicated full-time security team. Instead, our infrastructure team includes security specialists who also handle other tasks such as infrastructure deployment, system monitoring, performance analysis, and reporting to the development team. While security is a key responsibility, these team members split their time across multiple operational and infrastructure-related duties.
Q: Who is responsible for deploying patches in the production environment in the cloud (application, operational systems, databases, etc.)?
A: The deployment of patches in the production environment is strictly controlled and limited to our heads of development and select management personnel. These individuals oversee the process to ensure updates are tested, validated, and deployed securely with minimal disruption to operations.
Q: Who is responsible for ensuring all application server components remain hardened (web servers, mail servers, databases, virtualization servers, etc.)?
A: Our system administrator (sysadmin) team is responsible for ensuring that all application server components remain hardened. This includes implementing security best practices, applying patches, managing configurations, monitoring system vulnerabilities, and ensuring compliance with security standards.
Q: Is the Cloud Service Provider certified by an independent third party (NIST, ISO, etc.)? Please specify.
A: Yes, Microsoft Azure is certified by multiple independent third parties and holds several security and compliance certifications, including:
- ISO 27001 (Information Security Management)
- SOC 1, SOC 2, and SOC 3 (Service Organization Control reports)
- NIST 800-53 (National Institute of Standards and Technology)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPAA (Health Insurance Portability and Accountability Act)
These certifications ensure that Azure meets industry security, privacy, and compliance requirements. More details can be found in Azure’s compliance documentation if needed.
Q: Can Neptune run its own vulnerability scans against its own cloud environment?
A: Capexplan is a SaaS platform, meaning customers operate in a multi-tenant environment where each company’s data is isolated and only accessible by them. In this setup, Neptune would not have direct access to conduct vulnerability scans on the shared infrastructure.
However, for customers who opt for a dedicated environment, we provide separate cloud instances at an additional cost. In this case, Neptune could run its own vulnerability scans against its private cloud environment while ensuring security best practices are followed.
Q: What measures are in place to ensure data segregation in shared cloud environments?
A: Azure provides logical isolation to ensure each customer’s data remains separate from others. Additionally, upon request, we can provision a dedicated database for customers who require enhanced security and isolation.
Q: Are you using containerization or micro-segmentation for enhanced data security?
A: No, we do not currently use containerization or micro-segmentation.