Graphisoft Security Statement – Technical and Organizational Measures
Published 2nd November 2023
To protect the confidentiality, integrity, and availability of Graphisoft internal data and customer data alike, we have implemented an information security program consisting of the technical, administrative, organizational, and physical controls described below. Existing customers may contact their account representative or technical support for more details on Graphisoft's Security Program. Prospects may contact technical support.
Governance and Organizational Controls
Graphisoft utilizes a risk-focused framework to evaluate security maturity and prioritize security initiatives. A Security Steering Committee composed of executive leaders in technical and business functions meets at least quarterly to assess risk and to develop remediation plans.
Graphisoft has established a risk assessment framework to continuously evaluate risks throughout the company. The risk management process incorporates management's risk tolerance and evaluations of new or evolving threats.
Data Center and Physical Security
A receptionist and a security guard monitor the entrance to Graphisoft's Budapest office during business hours. Doors are locked after business hours, with a security guard remaining present.
Physical keys and card access to areas where critical equipment is located are restricted to authorized individuals. Graphisoft facility and security management review the usage of keys and access cards annually.
Graphisoft utilizes Microsoft Azure, Amazon Web Services, and Google Cloud as cloud providers to host Graphisoft cloud products. All three cloud providers provide high availability and secure data centers. The providers' websites provide further details on their respective data center security controls.
Personnel Security
One of Graphisoft's strengths is the reliability of its workforce. All Graphisoft employees are required to undergo background checks as part of the hiring process. Immediately after hiring, employees participate in mandatory IT Security training about data security concepts, responsibilities, and privacy regulations. This training is updated regularly, and all employees must complete it annually.
In addition to annual security training for all employees, Graphisoft's developers must complete training on secure development practices.
Network Security
Graphisoft's security team continuously monitors potential threats and security incidents across all networks and infrastructure.
At least annually, third-party penetration testing is performed on Graphisoft's applications and infrastructure. Vulnerabilities identified through these tests are evaluated for their impact on the confidentiality, integrity, and availability of Graphisoft's systems and customer data, and then prioritized for remediation based on these factors.
Additional regular vulnerability assessments and penetration tests are conducted to identify and address potential security weaknesses in the product, so that vulnerabilities are found and fixed before they can be exploited by malicious actors.
Access Control
Graphisoft leverages role-based access control to protect customer data.
Access rights are granted or modified on a business-need basis at the system level, depending on the user's role. Wherever technically feasible, two-factor authentication is required to access Graphisoft's systems and applications, including VPNs and other remote access. Graphisoft personnel are assigned unique usernames and must use strong passwords to access Graphisoft's systems. Shared accounts are not permitted. Graphisoft performs quarterly reviews of privileged and regular user access to production systems to ensure that such access is appropriate.
We implement strict access control mechanisms to ensure that only authorized individuals can access sensitive data. This includes role-based access control, strong authentication methods, and regular review of user access privileges.
We recognize the critical nature of the SaaS environments where our customers store their business data. To ensure the utmost security, our customer support employees are granted access to these environments only on a need-to-know basis. Access rights are strictly controlled and managed to prevent any unauthorized data access or manipulation.
Encryption
Graphisoft customer data ("Your Data") is stored on secure cloud services and is encrypted both in transit and at rest. This includes encrypting data stored in databases and using secure communication protocols for data transmission. Modern encryption protocols such as HTTPS, SSH, and SFTP protect data in transit. AES-256 or other appropriate industry standards are used to protect data at rest.
Change Management
Graphisoft's change procedures require review and authorization by appropriate business and technical management before system changes are implemented in the production environment. System changes include documentation of authorization, design, implementation, configuration, testing, modification, and approval commensurate with the risk level. Changes are tested in a separate test environment before moving them to the production environment.
The change management process includes identifying changes that require communication with internal or external users.
Third-Party Management
Graphisoft evaluates vendors' and other third parties' security as part of its vendor selection process and annually thereafter. Third parties storing or processing Graphisoft's confidential information must hold an audited security attestation (e.g. SOC 2 Type II, ISO 27001) or demonstrate their ability to meet equivalent security controls.
Confidential information is disclosed only to third parties who have agreements with Graphisoft to protect personal information in a manner consistent with the relevant aspects of Graphisoft's privacy policies or other specific instructions or requirements.
Security Incident Response
We have a defined incident response plan in place to handle security breaches or incidents effectively. This includes procedures for containment, investigation, and recovery, as well as communication protocols to keep stakeholders informed.
Handling Personal Data Responsibly
Our customer support team collects, stores, and manages personal data to effectively address customer inquiries and provide tailored support. We have selected tools that provide maximum data security and established strict guidelines for handling personal data, ensuring that all relevant regulations and compliance requirements are met. This includes obtaining necessary consent for data collection, ensuring data accuracy, and deleting data upon request.
Secure Processing of Project Files
Throughout the customer support process, we often receive project files and sensitive information from our customers. Our team is well-trained to process and manage these files securely. We use secure channels for file transfers and storage to minimize the risk of unauthorized access.
Security of Product Development
Secure Coding Practices
We follow industry best practices for secure coding, such as input validation, output encoding, parameterized database queries, and proper error handling that does not expose internal details. This helps prevent common vulnerabilities like SQL injection and cross-site scripting.
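The following is an added illustration of the three practices named above (input validation, output encoding, and parameterized queries with non-leaking error handling); it is example code written for this page, not Graphisoft's own code, and the users table, the username field, and the allow-list pattern are constructed assumptions for the demonstration. Each vulnerable function is shown beside its hardened form.

```python
import html
import logging
import re
import sqlite3


def make_sample_db():
    """Constructed in-memory sample table for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


_DB = make_sample_db()

# Input validation: an allow-list for the hypothetical username field.
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_name(name):
    """Reject anything that is not a plausible username before it reaches SQL or HTML."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def find_user_vulnerable(name, conn=_DB):
    """Vulnerable: the attacker-controlled value is spliced into the SQL text."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()


def find_user_safe(name, conn=_DB):
    """Hardened: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    """Vulnerable: a raw value placed in HTML, so '<script>' becomes markup (XSS)."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name):
    """Hardened: output encoding turns markup characters into HTML entities."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def lookup(name, conn=_DB):
    """Validation, parameterized query, and error handling that leaks no internals."""
    try:
        validate_name(name)
        rows = find_user_safe(name, conn)
        return {"ok": True, "rows": rows}
    except ValueError:
        return {"ok": False, "error": "invalid input"}
    except sqlite3.Error:
        # Full detail goes to the server log; the client only sees a generic message.
        logging.exception("database error during user lookup")
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("vulnerable query:", find_user_vulnerable(payload))  # every row comes back
    print("parameterized query:", find_user_safe(payload))    # no rows match
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
    print(lookup(payload))
```

The payload `x' OR '1'='1` turns the concatenated query into one whose WHERE clause is always true, so the vulnerable lookup returns the whole table, while the parameterized version looks for a user literally named `x' OR '1'='1` and finds nothing. The allow-list check rejects the payload before it is ever used, and the `lookup` wrapper makes sure a database failure is logged server-side rather than echoed to the caller.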
Environment security
Industry-standard tools are used during product development, for source control (Perforce) and development tools (Microsoft Visual Studio, ...).
Third party source policy
We use third-party code on a limited basis, store third-party source code separately in our code base, supervise the updating of third-party code, and place special emphasis on third-party source code during review processes.
Planning
Security is considered as part of design. Solutions deemed problematic will not be implemented. We discuss plans in several rounds before implementation begins.
Implementation
Implementation is performed by qualified programmers, based on modern programming principles (which we continuously update) and using safe and up-to-date tools.
Product
For tampering detection, we employ an external solution (Revenera) in addition to the built-in security measures provided by the operating system.
Review
Any modification to the product code must be reviewed by at least one other person before it can go into the central code base. More typically, such modifications are thoroughly vetted by several people, including experts in the relevant fields.
Testing
Products are continuously tested during the development period, and testing is expanded as the release approaches. Products are subject to extensive automated testing (which, admittedly, is not specifically focused on security). We also carry out manual testing.
Error tracking
Discovered errors are recorded in a central database. They are reviewed in several rounds by those in charge of the affected areas. Based on the risk assessment, a decision is made on how the error is handled, ranging from immediate correction to no correction at all.
By implementing these activities, technologies, and best practices, we prioritize data security throughout the product development lifecycle, ensuring that customer data remains protected and confidential.
Responsible Disclosure Statement
At Graphisoft, we consider the security of our systems a top priority, but no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability in any of our products or web applications, we would like to know about it so we can address it as quickly as possible.
Please do the following:
- Email your findings to responsibledisclosure@graphisoft.com
- Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the affected system's IP address or URL and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Do not take advantage of the vulnerability or problem you have discovered (for example, by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data).
- Please do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, denial of service, spam, or third-party applications to discover vulnerabilities.
- Do not violate any laws or breach any agreements to discover vulnerabilities
Graphisoft Security Team's Promise:
- We aim to respond to and evaluate your report within a reasonable time
- If you have followed the instructions above, we will not take any legal action against you with respect to the report
- We will handle your report with strict confidentiality and will not provide your details to any third party without your permission
Issues Not to Report:
The issues below are not considered as falling within the scope of vulnerability disclosure, and we ask that you not report them unless you have identified an unusual risk associated with the matter:
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sender Policy Framework (SPF) or DMARC configuration suggestions
- Clickjacking reports without impact are not considered a vulnerability by Graphisoft. For example, "Clickjacking to change a user's password" or "Clickjacking to post comment" would be valid reports, but identifying the possibility of clickjacking alone is not.