"At eBox we understand that data security is of paramount importance to our customers. Data encryption and SOX compliance along with stringent adherence to ITIL security best practices are employed to ensure your data is safe and secure at all times." John Lakin, CEO eBox Systems.
Introduction
At eBox Systems we take our customers' security and privacy concerns seriously. We take every precaution to ensure that user data is kept secure, and that we collect only as much personal data as is required to make our customers' experience as efficient and satisfying as possible. This page aims to be transparent about our security infrastructure and practices, to reassure you that your data is adequately protected.
Authentication to the service
Our e-invoicing service requires all users to authenticate before they are granted access. The authentication mechanism uses a username and password combination. All passwords are subject to complexity and ageing rules: each password must be at least eight characters long, drawn from at least three of the four character categories, and must be changed every 90 days. Pagero Online applies best-practice password complexity controls to keep your account details safe and secure.
Your password is NEVER stored or distributed in clear text. On initial account set-up a unique activation link is sent to you; you then choose the password and assign it to the user account yourself.
Should three consecutive failed login attempts be made against your account, the system will disable login for that account to protect it from password-guessing attempts.
Pagero Online lets you reset your password to a new one at any time. The system prevents reuse of previous passwords and blocks the current password from being selected again.
Sign in using digital certificates
For customers with even stronger authentication needs, we offer authentication using digital certificates.
Data Encryption
Data and information transmitted via the Pagero Online service is encrypted both in transit over the Internet and at rest in the central service data store.
Access to data stored within Pagero Online is governed by role-based access control only. For eBox and Pagero staff, data is accessible on a strict need-to-know basis and only to the extent necessary to provide the service offered to the customer. All staff work under strict non-disclosure terms.
Physical security
The physical environment for the services Pagero offers is subject to SOX regulation. The premises are audited for SOX compliance by an information security audit firm bi-annually. The types of controls relevant for SOX compliance in this respect include, but are not limited to, the following:
- Change management: Processes and routines are in place to handle changes of the physical environment including server installations, maintenance work, test activities, etc. Information procedures exist as well as routines for evaluation and approval.
- System documentation: All systems are documented, including all changes made to systems and/or system environment. Changes are approved by a change management board, and carried out by authorized personnel only.
- Incident management: Processes exist for handling both planned and unplanned changes.
- Service levels: An SLA is defined that is relevant for the physical environment. The service level of the operational environment is mirrored in the end user SLA.
- Security: Policies and procedures exist for security. Examples include two-factor authentication for access to operational premises and two-person control for the execution of work orders (no one may visit or work alone where servers are physically located). These procedures are tested regularly.
SOX Compliance
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is United States legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.
The legislation affects not only the financial side of corporations but also the IT departments whose job it is to store a corporation's electronic records. Section 802 of the Act requires that records relating to an audit or review, including electronic records and electronic messages, be retained for "not less than five years"; the consequences for non-compliance are fines, imprisonment, or both. IT departments are therefore faced with the challenge of creating and maintaining, in a cost-effective fashion, a corporate records archive that satisfies the requirements of the legislation.