Information security is a fundamental part of the Atriis’ business. Atriis understands that the confidentiality, integrity and availability of its customer’s data are paramount to their business success which is why Atriis’ Global Travel Platform (GTP), through a combination of audited processes and controls, delivers a level of security that is second to none.
The following is a high-level description of Atriis' architecture and key security measures.
- Atriis GTP is a distributed, multi-tenant, multi-devices, and multi-technologies-based system.
- Atriis uses Microsoft Azure (located in West Europe) for its ATRIIS GTP application and Databases.
- Atriis uses Microsoft Azure ‘Platform as a Service’ (PaaS), applying VM and APP (Standard) Scale Set architecture.
- High-level architecture:
- Windows Azure infrastructure includes hardware, software, administrative and operations staff, and physical data centers.
- Windows Azure addresses security risks across its infrastructure with continuous intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools that help identify and mitigate threats.
- Microsoft data centers are physically constructed, managed, and monitored 24 hours a day to shelter data and services from unauthorized access as well as environmental threats.
- ATRIIS platform is protected by Cloudflare web application firewall against SQL injection, cross-site scripting (XSS), and zero-day attacks, including OWASP-identified vulnerabilities and threats targeting the application layer and DDoS protection.
- Azure SQL Database uses Transparent Data Encryption (TDE) to encrypt data at rest. TDE encrypts the database files, including the data and log files, using a symmetric key.
- All data transfer in secured channels (HTTPS and TLS 1.2 or higher).
- PII fields are encrypted.
- The decryption key is stored on the Azure Key vault.
- ATRIIS uses Azure services to protect from potentially harmful vulnerabilities.
- Vulnerability scanning by external auditors on a quarterly basis.
- Penetration test on a yearly basis.
- Centralized monitoring, correlation, and analysis systems manage the large amount of information generated by devices within the Windows Azure environment, providing continuous visibility and timely alerts to the teams that manage the service.
- Access control is highly configurable, enabling sys admin to set up and manage a precise level of access control based on company policy.
- Authentication and Authorization in ATRIIS are based on OAuth2 with 2FA.
- Atriis strives to comply with applicable laws and regulations related to Personal Data protection in the countries where it operates.
- Atriis’ security policy sets forth the basic principles by which Atriis processes the personal data of its customers and suppliers.
The attached document is a technical security summary description of ATRIIS product.