Encryption at rest
Sensitive data stored in Falcon's operational network is encrypted with AES-256. This applies to all types of stored personal information, such as first and last names, email addresses, activities or measures. Key management is exclusively under the control of Nordantech. Every encrypted value is additionally protected with a message authentication code (HMAC-SHA-256) computed over the ciphertext (encrypt-then-MAC), so that any modification of a stored value is detected and the value is rejected before it is ever decrypted.
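The encrypt-then-MAC construction described above, as an added illustration written for this page (it is not Nordantech's implementation, whose cipher mode and key layout the page does not disclose): AES-256 in CBC mode with a random IV, an HMAC-SHA-256 tag over IV and ciphertext, and constant-time verification of the tag before any decryption takes place. The keys are constructed demo values; CBC mode and the IV || ciphertext || tag layout are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys. A real service loads two independent keys from its
// key-management system; the encryption key is never reused as the MAC key.
var (
	encKey = bytes.Repeat([]byte{0x11}, 32) // AES-256 takes a 32-byte key
	macKey = bytes.Repeat([]byte{0x22}, 32) // HMAC-SHA-256 key
)

// ErrTampered is returned whenever the HMAC check fails.
var ErrTampered = errors.New("stored value failed authentication")

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding byte")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts with AES-256-CBC under a fresh random IV, then appends an
// HMAC-SHA-256 tag over IV||ciphertext. Layout: IV (16) || ciphertext || tag (32).
func Seal(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time first; a value whose IV, ciphertext
// or tag was modified yields ErrTampered and is never decrypted.
func Open(sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size {
		return nil, ErrTampered
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrTampered
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// Tamper flips one bit of the ciphertext, simulating an edited database row.
func Tamper(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[aes.BlockSize] ^= 0x01
	return out
}

func main() {
	sealed, err := Seal([]byte("alice@example.com")) // constructed sample value
	if err != nil {
		panic(err)
	}
	pt, _ := Open(sealed)
	fmt.Printf("decrypted: %s\n", pt)
	_, err = Open(Tamper(sealed))
	fmt.Println("tampered copy:", err)
}
```

The property worth noticing is in Open: a value with a single flipped ciphertext bit fails the MAC and never reaches the decrypter, so padding-oracle style probing against stored rows is not possible. An AEAD such as AES-256-GCM packages the same guarantee into one primitive and is the usual choice for new designs.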
Encryption of data traffic
Falcon encrypts traffic in transit with TLS 1.3, using AES-256 for bulk encryption and SHA-256 for integrity protection and certificate signatures. Session keys are negotiated with an ephemeral Diffie-Hellman key exchange, as TLS 1.3 requires, so recorded traffic cannot be decrypted later even if a server key is compromised (forward secrecy); the server authenticates itself with an RSA-2048 certificate. Mail transmission is also encrypted using opportunistic TLS, which means delivery falls back to an unencrypted connection only when the receiving mail server does not offer STARTTLS.
Two-factor authentication
With two-step verification (2FA), either by a TOTP authenticator app or by an HOTP code sent via SMS or email, user accounts can be additionally protected in case an unauthorized person obtains a password. Once activated, users must enter a confirmation code when logging in to confirm their identity. An authenticator app is the stronger option, since codes sent by SMS or email can be intercepted through SIM swapping or a compromised mailbox. The security settings of a hub allow 2FA to be made mandatory for all users.
Backups at different locations
All data is stored redundantly and encrypted (AES-256) in high-security data centers. Automatic point-in-time backups at different locations prevent data loss in exceptional situations such as hardware failure or natural disasters. Falcon's systems run redundantly across separate availability zones, which reduces the risk of downtime during unforeseen events such as accidents and disasters. In addition, we regularly perform disaster recovery tests on test systems.
ISO certified data centers
All data centers are ISO 27001 certified and offer a world-leading security standard. They are protected around the clock, 365 days a year, by security guards, video surveillance, alarm systems, emergency power supply, security protocols and access authentication rules.
Server in Germany
All Nordantech servers are located in Germany. Falcon thus complies with the requirements of the German Federal Data Protection Act (BDSG) and the EU General Data Protection Regulation (GDPR). When resource consumption rises and the infrastructure comes under heavier load, Falcon adds further server instances within a few minutes, so it keeps running smoothly even in peak situations. Falcon's front end and back end are delivered worldwide via a Content Delivery Network (CDN) with more than 300 edge locations. This reduces latency, including for the TLS handshake, and carries the connection over the CDN's own secured global network.
Resistance to attacks
Intrusion detection and prevention systems (IDS/IPS) monitor all networks and systems for malicious activity and scan suspicious content. Heuristics-based network flow monitoring and built-in mitigation of the most common DDoS attacks keep the systems resilient. To prevent flooding and brute-force attacks, Falcon sets an upper limit on how often someone can repeat an action within a given time frame, for example attempting to log in to an account (API rate limiting and login throttling).
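The login throttling referred to above can be implemented as a sliding-window counter per account and per client address. The Go code below is an added example, not Falcon's implementation; the limits (5 attempts per account and 50 per address within 15 minutes), the key prefixes and the in-memory store are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Throttle is an in-memory sliding-window limiter: at most `limit` events
// per key within `window`. A multi-instance deployment keeps this state in
// a shared store so every application server sees the same counts.
type Throttle struct {
	mu     sync.Mutex
	limit  int // must be > 0
	window time.Duration
	events map[string][]time.Time
}

func NewThrottle(limit int, window time.Duration) *Throttle {
	return &Throttle{limit: limit, window: window, events: make(map[string][]time.Time)}
}

// Allow records an attempt for key at time now and reports whether it fits
// the limit; when blocked it returns how long until the oldest counted
// attempt leaves the window (a Retry-After value). Blocked attempts are
// not recorded, so a client that keeps hammering does not extend its own ban.
func (t *Throttle) Allow(key string, now time.Time) (bool, time.Duration) {
	t.mu.Lock()
	defer t.mu.Unlock()
	cutoff := now.Add(-t.window)
	kept := t.events[key][:0]
	for _, ts := range t.events[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	if len(kept) >= t.limit {
		t.events[key] = kept
		return false, kept[0].Add(t.window).Sub(now)
	}
	t.events[key] = append(kept, now)
	return true, 0
}

// LoginGuard applies two independent limits so that a single account
// attacked from many addresses and a single address spraying many accounts
// (credential stuffing) are both caught. The numbers are illustrative.
type LoginGuard struct {
	perAccount *Throttle
	perIP      *Throttle
}

func NewLoginGuard() *LoginGuard {
	return &LoginGuard{
		perAccount: NewThrottle(5, 15*time.Minute),
		perIP:      NewThrottle(50, 15*time.Minute),
	}
}

// Check runs before the password is verified; a blocked attempt never
// reaches the credential check, so throttled guesses learn nothing.
func (g *LoginGuard) Check(account, ip string, now time.Time) (bool, string) {
	if ok, wait := g.perIP.Allow("ip:"+ip, now); !ok {
		return false, fmt.Sprintf("address throttled, retry in %s", wait.Round(time.Second))
	}
	if ok, wait := g.perAccount.Allow("acct:"+account, now); !ok {
		return false, fmt.Sprintf("account throttled, retry in %s", wait.Round(time.Second))
	}
	return true, ""
}

func main() {
	g := NewLoginGuard()
	now := time.Now()
	// Constructed burst: seven attempts on one account from one address.
	for i := 0; i < 7; i++ {
		ok, why := g.Check("alice", "203.0.113.7", now.Add(time.Duration(i)*time.Second))
		fmt.Printf("attempt %d: allowed=%v %s\n", i+1, ok, why)
	}
}
```

Returning the same generic error for a throttled account as for a wrong password, and applying the account limit regardless of whether the account exists, keeps the throttle from becoming a username oracle.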
XSS validation and antivirus
Falcon treats every incoming input value as untrusted and validates it server side before further processing; as part of this, inputs are also checked and filtered for cross-site scripting payloads. All uploaded files are automatically scanned for malware and other threats by Falcon's antivirus service, so files downloaded from Falcon can be opened with confidence. A Web Application Firewall (WAF) additionally protects all systems against common Internet threats and bots that could affect availability or security or place an excessive load on resources.
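The point that input is treated as unsafe is easiest to see by rendering the same hostile input with and without context-aware escaping. The Go program below is an added example and says nothing about Falcon's own stack: it renders a constructed template once with text/template, which copies values verbatim, and once with html/template, which escapes each value for the HTML context it lands in and replaces a javascript: URL with the #ZgotmplZ placeholder.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed page template; the same markup is rendered both ways below.
const page = `<p>Hello, {{.Name}}</p>` + "\n" + `<a href="{{.Link}}">Profile</a>`

// Profile is user-supplied data as it might arrive from a form or API call.
type Profile struct {
	Name string
	Link string
}

// RenderUnsafe uses text/template, which trusts its data: a name that
// contains markup becomes markup, and a script URL stays a script URL.
func RenderUnsafe(p Profile) (string, error) {
	var buf bytes.Buffer
	tpl, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	if err := tpl.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe uses html/template, which treats every value as untrusted and
// escapes it for its context: text nodes get HTML entities, and a URL
// attribute refuses dangerous schemes such as javascript:.
func RenderSafe(p Profile) (string, error) {
	var buf bytes.Buffer
	tpl, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	if err := tpl.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed hostile input: a stored-XSS payload in the display name
	// and a script URL in the profile link.
	p := Profile{Name: `<script>alert(document.cookie)</script>`, Link: `javascript:alert(1)`}
	unsafe, _ := RenderUnsafe(p)
	safe, _ := RenderSafe(p)
	fmt.Println("text/template:\n" + unsafe)
	fmt.Println("html/template:\n" + safe)
}
```

Escaping at output time is the primary defence against cross-site scripting; input filtering is a useful second layer, but at validation time a value's eventual context (text node, attribute, URL or script block) is not yet known, so filtering alone cannot be complete.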
Notifications of unusual logins
The security of user accounts is enhanced by email notifications sent when a login is attempted from an unknown device or browser. These messages state the device from which someone tried to sign in and its approximate location, so Falcon users can respond immediately to a suspicious login. In addition, logins from new devices or new locations must always be confirmed with a confirmation code.
System status always visible
To ensure timely handling of vulnerabilities and security incidents, Falcon has extensive monitoring at every level (application, system, infrastructure), so vulnerabilities and incidents are quickly identified, assessed and dealt with. All customers are informed about security incidents in a timely manner. In the event of a problem that restricts the use of Falcon, and also to maintain the trust relationship with our customers and partners, we publish the status and availability of the software and all distributed systems for the last 12 hours, 7 days, 30 days and the whole year on our status page.
Code analysis and pentests
Every deployment of Falcon's source code is automatically checked for errors and inconsistencies using unit and integration tests as well as static code analysis, so problems are detected during development. Regular penetration tests by external security experts confirm Falcon's high level of security and provide important input for ongoing improvements. We follow current best-practice standards for authentication and session management, access control, data validation, logging, error handling, data security and cryptography.
Network segmentation
Nordantech divides its systems into separate networks to better protect sensitive data. Systems that support testing and development are hosted on a network separate from the application systems. Sensitive systems such as database servers have no public interfaces and can only be reached internally over private networks. Administrative access to Falcon's production environment is only possible with 4096-bit keys via a standby bastion host and is IP-restricted to Nordantech.
Nordantech and the GDPR
For Nordantech, security and privacy are of paramount importance. Below we answer the questions our customers ask most often.
Are my data secure in Falcon?
Nordantech uses a variety of methods to protect your information. We are committed to ensuring that our infrastructure is resilient, protected against data loss and inaccessible to third parties. All data is stored encrypted with AES-256 and transmitted over secure connections. We are proud to exceed industry standards when it comes to protecting your business. Many of our security measures are described in more detail at the top of this page.
Where are Nordantech and Falcon servers located?
For the operation of Falcon we only use our own server instances in the Frankfurt (eu-central-1) data centers of our provider Amazon Web Services. The data is stored encrypted with AES-256 within our own Virtual Private Cloud (VPC) and is not accessible to third parties. Additional servers within the EU are used for the connection between front end and back end. A current overview of all subprocessors can be found here.
Who owns the data transmitted to Falcon?
As a customer, you own and control all content transmitted to Falcon; we process your data solely on your behalf. Your data is not used or further processed for any purpose beyond the scope of your order. All further information on the handling of your data can be found in our current privacy policy.
Does Nordantech retain my data after the end of its use?
By default, all data is retained for as long as a Falcon hub exists. Trial hubs are automatically deactivated after 30 days and released for deletion after a further 3 months. Paid hubs are handled differently after deactivation: they are archived for 12 months for security reasons and only then released for final deletion. All data released for deletion (including via Falcon's trash function) is permanently and irretrievably deleted after 3 months. If you want an earlier manual deletion, please contact us.
What export and security options are available to me?
All administrators can export all hub data (profiles, schedule, effects, status) at any time. Each export triggers an email containing the download link and the location of the requesting user. The download is available for 3 days; after that the export file is deleted.
Does Nordantech conclude data processing agreements?
Yes, we offer a standard data processing agreement (German: Auftragsverarbeitungsvertrag, the so-called ADV contract) under Art. 28 GDPR. It can be concluded at any time; if required, simply contact us.
Can we call you back?
We will call you back at a time convenient for you and answer all your questions in a brief phone call.