This section describes the Zenoo security procedures.
Zenoo is committed to providing its customers with a highly secure and reliable environment for our hosted and cloud-based applications. We have therefore developed a multi-tiered security model that covers all aspects of hosted and cloud-based Zenoo systems. The security model and controls are based on international protocols and standards and industry best practices, including ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO/IEC 22301:2012 and CSA Star Self-Assessment.
Zenoo has received several security and privacy certifications, including ISO/IEC 27001:2013, ISO/IEC 27018:2014, ISO/IEC 27017:2015, ISO/IEC 22301:2012 and CSA Star Self-Assessment. The ISO/IEC 27018:2014 standard establishes commonly accepted control objectives, including controls and guidelines for protecting Personally Identifiable Information (PII) for the public cloud computing environment in accordance with the privacy principles in ISO/IEC 29100. ISO/IEC 27017:2015 provides a code of practice for information security controls, including guidelines that expand upon the ISO/IEC 27002 standard by adding security controls specifically related to cloud computing. The ISO/IEC 22301:2012 standard focuses exclusively on business continuity management (BCM). The CSA Star Self-Assessment provides transparency and quality assurance for Zenoo cloud services.
The ISO/IEC 27001:2013 standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).
The ISO certification business processes scope are the Development processes, cloud services, global support services, professional services, operational services, library management services, learning & research solutions. The scope service is for all Zenoo cloud based services.
As part of the company’s focus on security issues, Zenoo created Cloud Services team with responsibility for:
Security controls at Zenoo data centers are based on standard technologies and follow the industry’s best practices. The physical security controls are constructed in such a way as to eliminate the effect of single points of failure and retain the resilience of the computing center.
The Zenoo data centers have a SSAE16 SOC1 service auditor’s report as the result of an in-depth audit of the centers’ control objectives and control activities, including controls over information technology and all other related processes.
A variety of environmental controls are implemented at the Zenoo data center facilities.
Physical access to the data center is restricted to personnel with a business need to access the infrastructure. All physical access activities are logged and monitored. All visitors need to be approved beforehand, and the approval is for a limited period of time. Visitors must be accompanied by an authorized employee throughout their visit.
Operating systems used in the cloud are hardened according to best practices in the industry. Only services and components that are necessary to support the application stack are activated; the administrator user always has a password set up, and only necessary ports in the firewall are open.
Firewalls: Applications in the hosting and cloud have firewalls installed to shield them from attack and prevent the loss of valuable customer data. The firewalls are configured to serve as perimeter firewalls to block ports and protocols.
The combination of an intrusion detection system (IDS) and intrusion prevention system (IPS) installed and tracks all illegal activities. The system sends real-time alerts and proactively blocks communication once a suspicious attack is discovered. The system performs various activities on the network: log collection and analysis from the various machines (firewalls, switches, and routers), file integrity checking, and rootkit detection.
Zenoo has strict procedures and a unique policy for handling obsolete data. These procedures are also applied if a customer decides to stop using our software. Disks and tapes are destroyed once they are no longer needed. Tapes are overwritten with the next use. CDs that are no longer needed are destroyed by a CD/DVD data crusher or shredder. All storage devices that may need to be used again are cleaned by data wipe software.
On a regular basis, Zenoo performs system backups to back up application files, database files, and storage files. All backup files are subject to the privacy controls in practice at Zenoo. The restore procedures are tested on an ongoing basis to ensure rapid restoration in case of data loss.
Zenoo implements a number of practices to keep each stage of the software development life cycle secure. These include:
The following items are relevant for access control:
Zenoo has instituted the following policies in order to protect customer data:
Customer data, including private data, is deleted based on the Data Elimination section on page 6, and backed up customer data is deleted periodically.
All access control activities produce logs with enough information to meet auditing requirements and support usage charges. In addition, access control activities generate notifications to designated users to prevent users from setting up rogue accounts or otherwise modifying access entitlements.
The following items are relevant for asset management:
Zenoo is the data controller for data described by this policy except as specified below, which means that Zenoo determines the purposes and means of the processing of personal data.
Zenoo is the data processor with respect to personal data submitted to and stored on the Zenoo Services for hosting and processing purposes as further described below under Zenoo Services-Customer Data.
Information you or your Institution may provide
Depending upon the Zenoo Sites you are accessing or other method of contact, we may collect information such as
Where we are collecting directly (and not being provided the information by your institution), you will be given advance notice of what information specific to you we are collecting. Posting information on message boards or in chat rooms is never required.
Information collected automatically
As you navigate the Zenoo Sites, Zenoo may also automatically collect information about you or your computer or device that does not directly identify you. This information may include IP address and device identifiers, information about your Internet connection and information about the equipment or software you use to access the Zenoo Sites. Such information is only collected to the extent that it is necessary for us to provide services that you use, to optimize your user experience, and/or to make improvements to the Zenoo Sites and service offerings. Zenoo does not serve third party advertising.
You have the ability to choose to opt out of inclusion of your personal information at the point of disclosure. You may choose whether your personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. You may also opt out of use of your personal information as outlined below under Access, Correction, and Erasure.
We collect information about you in three main ways:
Zenoo uses the information we collect to perform the services requested, for the purposes of authorizing and processing transactions, authenticating users, customer service, customer support, content processing, content classification, and providing you with information concerning Zenoo services. We will retain this information for as long as the customer account is active or as needed to provide the Zenoo services, comply with our legal obligations, resolve disputes, and as needed to comply with or enforce our licenses and other agreements.
To be clear, we do not access or use Customer Data (as defined below) processed through the Zenoo Services except for the purposes set forth in our agreement with the relevant customer. Please see below under Zenoo Services-Customer Data.
Please keep in mind that any information you disclose publicly – either in a public profile or through message boards or other public areas – may be collected and used by others, may be indexable by search engines, and might not be able to be erased from public view to the extent they have been copied to external sites. Please be careful when disclosing personal information in these public areas.
The following is a list of instances where we may share your information with third parties:
Zenoo takes commercially reasonable security measures to protect against unauthorized access to, or unauthorized alteration, disclosure or destruction of, data that you share and that we collect and store. These security measures may include practices such as keeping your data on a secured server behind a firewall, internal reviews of our data collection practices and platforms, industry-standard encryption technologies, and physical security measures to guard against unauthorized access to systems where we store your information.
If you have reason to believe that a third-party has gained unauthorized access to your information, please contact us immediately at email@example.com. If Zenoo becomes aware of any data breach, we will notify affected individuals or, with respect to Zenoo Services, affected institutions as soon as reasonably possible.
If you have subscribed to one or more of our email newsletters or are receiving marketing emails from us and you don’t want them anymore, you can unsubscribe. Follow the instructions contained in the email message to opt-out of receiving future messages of that type. However, you cannot unsubscribe from some service related messages so long as you maintain an account with Zenoo.
Postings from message boards or other public areas, may be deleted by using the tools provided when you are logged-in to the particular service; or you may contact Zenoo at firstname.lastname@example.org with the details and location of the content (such as a direct link to the information), and Zenoo will make commercially reasonable efforts to remove the content.
You may request to review, correct or delete the personal information that you have previously provided to us through the Zenoo Sites. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to email@example.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.
To help protect your privacy and security, we will take reasonable steps to verify your identity, such as requiring a password, user ID, or other verification before granting access to or removing your information.
Please note that where we are acting as a processor of personal data for our customer, we may first refer your request to the customer that submitted your personal data, and we will assist our customer as needed in responding to your request, as further described below under Zenoo Services-Customer Data.
Please contact firstname.lastname@example.org for more information about exercising these rights.
If you request to delete your personal information, we will endeavor to fulfill your request but some personal information may persist in backup copies for a certain period of time and may be retained as necessary for legitimate business purposes or to comply with our legal obligations.
Zenoo may retain your information for a period of time consistent with the original purpose of collection, and for a reasonable time thereafter in accordance with applicable law. We may also retain your information during the period of time needed for Zenoo to conduct audits, comply with our legal obligations, resolve disputes and enforce our agreements.
The Zenoo Sites are typically general audience websites, intended for use by users aged 13 and older.
We do not market to nor intentionally collect any personally identifiable information from children under thirteen (13) years of age. If you are under 13, please do not register for any of our services or Sites or provide us with any personally identifying information (such as your name, email address or phone number). Please contact email@example.com if you are aware of any personal information supplied to one of Zenoo Sites by a child under the age of thirteen (13).
The Zenoo Sites may contain links to information created and/or maintained on third-party websites. The third-party website will be displayed in a new browser window and the user will no longer be in the Zenoo environment. When users select a link to an outside website, they are leaving the Zenoo Site and are subject to the privacy and security policies of the owners of the third-party website. We are not responsible for, and we do not endorse or control, the policies or practices of any such website or services.
Zenoo will not use or share any such Customer Data except as provided in its agreements with such customers, or as may be required by law. In accordance with such agreements, Zenoo may access, transfer and process Customer Data only for the purpose of providing the Zenoo Services, preventing or addressing service or technical problems or other purposes as set forth in such agreements or required by law.
Zenoo acknowledges that you have the right to access, correct, amend and delete your personal information. If personal information pertaining to you as an individual has been submitted to us by an Zenoo customer and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please inquire with our customer directly. Because Zenoo is subject to our agreements with customers (as the data controller) with respect to your personal information stored on the Zenoo Services, if you wish to make your request directly to Zenoo, please provide the name of the Zenoo customer who submitted your data to the Zenoo Services. We will refer your request to that customer, and will support the customer as needed in responding to your request within a reasonable time frame.
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.