Security is everything
Sentro is a cloud-first platform hosted on Microsoft Azure and built specifically to enable modern insurance administration. Administrators and insured Members can access Sentro through modern web and mobile browsers with an internet connection. Sentro can be accessed from anywhere in the world 24/7, or restricted to certain networks where required.
Sentro supports 0Auth2.0 single sign-on for Microsoft and Google, so insurers, brokers, employers and members can use their company or personal logins.
Our security philosophy
There are three core themes with our approach to security:
As a cloud-based service, we always aim to use the latest software and infrastructure and implement the most up to date security controls on your behalf. This means that you don’t need to worry about updating or patching systems
We want to conform to industry standards and lead all our competitors in cloud and product security
We promise to be open and transparent about our programs, processes and security metrics.
Our infrastructure landscape
We’re entirely based on Microsoft Azure, and as a Microsoft Partner we rely on Azure to help us achieve global infrastructure uptime, resilience, and scalability to meet our customer’s needs. We utilize Azure’s monitoring services to detail and dynamically scale required compute and storage resources.
We have leveraged Microsoft’s services to fully protect our platform and the data contained within it. Our entire infrastructure stack is deployed and run on PaaS/serverless products within Azure, which dramatically minimises the attack footprint that we are responsible for. This means that our code is deployed securely to Azure environments that are managed and constantly monitored for vulnerabilities and intrusions by Microsoft Azure.
Azure provides 24/7 security monitoring of all our infrastructure, including servers, storage resources, and databases.
Our data protection processes
All of our customer platform data is securely stored within Azure SQL databases (in SOC 2 compliant data centres). We make use of Azure’s own automated backup tools to create backups of databases every few minutes that are retained for periods of up to a year. Data in platform databases is encrypted at rest using Azure’s standard tools and is generally replicated to a different geographic region.
All Sentro data is encrypted in transit over public networks using TLS 1.2 using our own SHA-256 RSA TLS certificates. Each environment has its own internal network protected using a dedicated virtual network within Azure and a single entry point via a network gateway. We filter all traffic to allow only ports required for operation of the Sentro platform and log all network traffic and configuration changes to ensure adequate security posture. All our production web applications are protected using Azure WAF on Azure Front Door, which includes DDoS protection and automatically blocks known attack traffic.
Our API security
Sentro is an API first platform. As of current count we have over 150 RESTful API endpoints that allow interactions to all functions within Sentro.
Customers can use these published APIs to create, read, update, and delete data inside Sentro depending on the roles they have. These APIs make it easy to create custom interfaces into Sentro, or to integrate existing platforms or systems of records with Sentro. You can also subscribe to different webhooks that Sentro will trigger on certain events to carry out external behaviour in an integration via custom workflows.
All APIs, except those prefixed used for authentication, require short-lived JWT token-based authentication.
External penetration testing
We conduct internal and external penetration tests on our platform and network environments on a regular basis. All issues discovered during the last test (available on request) were resolved with high priority. We also take advantage of constant vulnerability scans against our databases from Azure.
Sentro implements role-based access schemes for each individual customer. We can lock down access for a given administrator to specific users or organisations. Our role model is flexible, meaning that Sentro can easily alter the default permissions in each role for each customer’s needs.
We support single sign-on (SSO) authentication schemes like OAuth 2.0 for both administrative users and insured members to further protect our users’ data. We can integrate and enforce login via your Google Workspace (G Suite) or Azure Active Directory to further ensure that only approved and authorised users can access the right data and can leverage the multi-factor authentication provided by each partner.
We inventory and document our external IT systems, and their approach to security, using a confidentiality, availability, and data integrity matrix. All high-risk systems require MFA.
The resilience of our service is vitally important to us. That’s why we’ve designed our processes and systems to allow us to remotely carry out disaster recovery and business continuity processes. There are no dependencies on physical assets or locations that we maintain for the operation of our organisation.
We operate under “paperless” practices wherever possible, and include clean desk policies at work, including securing laptop computers. Our mobile assets are protected using MDM implementations.
We consider a security incident to be any event that negatively affects the confidentiality, integrity or availability of customers’ data, Sentro’s data, or Sentro’s services.
Our incident management plans establish the recommended organisation, actions, playbooks, and procedures needed to:
- recognise and respond to an incident,
- assess the situation quickly and effectively,
- notify the appropriate individuals, customers, external vendors, and/or organisations about the incident,
- organise our response activities, including activating a virtual command centre,
- escalate our response efforts based on the severity of the incident, and
- recover from the incident.
Any security vulnerabilities that are identified in production are raised to Sentro’s executive team. We can expedite fixes for most types of vulnerabilities and deploy updates within an hour.