Security

Effective from January 1st, 2023

We understand that our clients, partners, and their consumers depend on the security, performance, and transparency of our systems and services.  Our approach integrates security and privacy features and concepts into everything we do, from our software development lifecycle and data management through to our reporting and training.  We strive to protect the integrity, confidentiality, and availability of our clients’ and partners’ data while helping them stay flexible so they can adapt to the changing competitive, sustainability, and transparency landscape.

To this end, EON employs a security-first methodology across all of our teams, following industry-recognized secure coding and data management standards.  All EON Product Cloud and EON Exchange infrastructure is hosted by Microsoft Azure in an ISO 27001-compliant data center.

Values That Guide Us

Trust, Innovation, and Client Success guide how we work with clients, prospects, partners, and consumers.

Trust

Our clients and partners rely on the high security, performance, and transparency standards that are built into our systems and services.  EON helps create trust by providing thought leadership and technological innovation that reduce risk to our clients and partners in a rapidly maturing compliance and competitive marketplace.  We cultivate this trust through transparent communication with our clients and partners about the performance, security, and compliance of our solutions, services, infrastructure, and third-party relationships.

Innovation

As a leader in a new and rapidly evolving technology industry, we are uniquely positioned to help our clients and partners develop innovative solutions to longstanding business challenges in a sustainable and scalable way.  We integrate security requirements into all stages of the software development lifecycle to enable regular security-enabled releases throughout the year.  This gives clients the confidence to innovate and capitalize on new opportunities and adapt to changing business requirements.

Client Success

Success means something different to each of our clients and partners.  From helping them meet their traceability, transparency, and sustainability obligations to creating new business models and building stronger consumer experiences, helping clients achieve their goals is at the core of our business.  Our organization, people, process, policies, and approaches to solving client needs are designed to help our clients be successful.

EON’s security focus and approach to creating innovative solutions and services enables us to build trust and success for those we work with.

Security is the Foundation for Everything We Do

We employ both zero-trust and defense-in-depth approaches to the security of our technology, processes, policies, and data management.  These approaches to security reduce single points of failure by layering defense mechanisms and creating redundancies.  This approach is based on four key elements:

  • Zero-Trust Culture:  To deliver trusted technology services, we endeavor to build a zero-trust culture that encourages consistent security behaviors from all EON employees and contractors to safeguard our clients’ data.  We nurture a security-first work environment, from awareness education on phishing emails to embedding security requirements throughout our software development lifecycle process.
  • Master the Fundamentals:  Many security breaches can be traced to inconsistent application of security fundamentals, which is why implementing information security best practices to secure client data always comes first.  Despite being a product-focused business, we have a disproportionate number of programs, measures, and controls focused on fundamental security practices, such as patching and the adoption of multi-factor authentication (MFA), throughout our ecosystem of employees, contractors, clients, partners, and consumers.
  • Empower Secure Innovation:  We enable our clients to innovate, implement new business models, and improve their ability to respond to the ever-changing competitive and legal landscape.  For example, we integrate security requirements into all stages of the software development lifecycle (SDLC), which allows us to release new security-focused features rapidly and in turn allows our clients to innovate and scale to meet their changing market requirements.
  • Setting the Security Standard:  We employ innovative technology and processes to define the security standards needed in our relatively new and rapidly innovating industry.  Working hand-in-hand with data privacy concepts such as data minimization and erasure by design, our security approach helps protect client and partner data within a constantly evolving threat landscape.  Within this Trust Center we provide a view into some of our core security programs, controls, and measures that help protect the integrity, availability, and confidentiality of our clients’ and partners’ data.

Security Education and Awareness

We consider our staff to be the first and most critical line of defense in protecting and securing the data of the company, our clients, our partners, and their consumers.  We have a team of experienced information security experts that drives awareness, engagement, and education of our staff around security best practices and security feature adoption across our services.  Our programs include new employee onboarding, annual security training, and role-based awareness education.  We train staff to identify common attacks such as phishing emails and to report them.  This applies to every employee, contractor, and intern in the company.  Dedicated training is required for developers to ensure proper knowledge of the OWASP top security risks, common attack vectors, and Azure security controls.

In addition to our awareness programs, we review and update security policies and standards annually at a minimum, and more frequently as needed.  Ethics and security contacts, and escalation processes, are in place to facilitate notification of any inappropriate or suspicious behavior.  A formal sanctions process is enforced for staff who fail to comply with established information security policies and standards.

Data Center Security

Our core technology and data storage are hosted on Microsoft Azure®, a cloud-based service.  EON has agreements with all providers to ensure a baseline of physical security and environmental protection for running our services.  Because these are cloud-based providers, certain elements such as physical access, monitoring, and environmental controls are managed directly by the provider rather than by EON.

  • Click here for more on Microsoft Azure security
  • Click here for more on Microsoft Azure physical security
  • Click here for more information on the types of threats we are monitoring

Certifications

Microsoft Azure certifications, including ISO-27001 and SOC2, can be found here.

Security Risk Management

Our comprehensive risk management programs enable us to make better decisions in support of our security commitments.  We perform risk assessments to evaluate the likelihood and impact of potential events that could adversely affect our strategic assets and capabilities.  These assessments help us to gain deeper visibility into security risks associated with critical assets across our organization, drive prioritization of investment decisions, and ensure integration of internal and external security and compliance obligations.

Our risk management programs map our security initiatives to the risks they are meant to address, such as risks posed by third-party products, product infrastructure, and the data supply chain.  We also engage third-party assessors to perform independent and unbiased assessments of our security practice at least annually.

To understand and manage risks effectively, EON employs a widely accepted end-to-end lifecycle process that encompasses five steps:

  1. Identification:  We identify risks that could prevent us from achieving our business objectives based on the current environment, anticipated legislation, expected new services, relevant threats, potential weaknesses, data-driven inputs, and inquiry-based methods.
  2. Analysis & Evaluation:  We analyze the sources and causes of the identified risks.  We assess the likelihood and expected consequences in the context of the existing controls and identify the level of residual risk.  The results are then compared with our risk criteria to determine whether or not the identified residual risk is tolerable.
  3. Communications & Reporting:  We communicate the current state of cybersecurity risks to key stakeholders, senior leadership, key clients and partners, governance bodies, and the board of directors.
  4. Treatment:  We select and implement measures to address identified risks.  Risk treatment measures can include avoiding, mitigating, transferring, or accepting risk.
  5. Monitoring & Management:  We regularly monitor for changes to the risk landscape including emerging and evolving risks, and risk treatment progress.  Monitoring provides key risk inputs to our strategic planning processes.

Our security risk management practices, processes, and policies are aligned with proven industry guidelines such as ISO 27001 and the Information Security Forum’s Standard of Good Practice for Information Security.

EON’s Secure Development Lifecycle

We integrate security requirements into every stage of the software development cycle—from conceptualization to release—using the EON Secure Development Lifecycle (SDLC) process.  Using this process, our engineers address security issues and concerns prior to the general availability release and consistently across our services.  This allows us to release new features and applications rapidly and in turn enables our clients to innovate and meet their ever-changing market requirements.

As part of our SDLC, EON utilizes:

  • OWASP:  EON follows Open Web Application Security Project (OWASP) guidance.
  • Peer Review:  All code changes are peer reviewed, including a dedicated security review prior to being allowed to move to production.
  • Automated Testing:  Our code undergoes automated vulnerability testing, software composition analysis (SCA), and automated dependency scans.
  • Separate Environments:  Development, Testing, Sandbox, and QA environments are logically separated from Production environments.

EON’s secure development lifecycle has seven stages, designed to align to the agile methodology.  At each stage our development and security teams work to:

  1. Learn:  The fundamentals of secure design, the SDLC process, and the tools available to help them incorporate security into all stages of the development cycle.
  2. Design:  With security and risk minimization techniques, such as privacy by design, in mind from the beginning to the end of each project.
  3. Build:  Security features into our services, adding testing to ensure that core security principles are implemented and to reduce the vulnerabilities found during testing.
  4. Test:  The security expectations that the development and security teams agreed on during the design stage.
  5. Release:  When the QA and security teams have completed their testing and implemented the agreed-upon risk mitigation.
  6. Own:  Their services in production, with ownership mapped to the responsible teams, including responsibility for patching, vulnerability management, and responding to security incidents.
  7. Evolve:  By documenting and discussing lessons learned during the development process to inform future work.

Changes to our platforms, network devices, other system components, and environments are monitored and controlled through a formal change control process.  Changes are reviewed, approved, tested, and monitored post-implementation to ensure that they are operating as intended.

Data Processing & Controls

EON employs processing controls that support EON’s commitment to data quality, privacy, and usefulness as part of our vision to power the digital foundation for the connected and circular business.  These controls also help EON adhere to our Privacy Policy, Standard Contractual Clauses, and Data Processing Agreements (DPA, necessary for adherence to GDPR and other data privacy legislation).

  • All platform-hosted data, including non-Personal Data, is encrypted in transit over an SSL/TLS 1.2+ connection using AES encryption for all application traffic.  SSL/TLS certificates are signed by a publicly known Certificate Authority using SHA256 with a 2048-bit key.  AES256 encryption is used by default for data at rest via Azure’s encryption services.  All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables.  All object metadata is also encrypted.
  • All access is based on RBAC (role-based access control), ABAC (attribute-based access control), and need-to-know access concepts.
  • EON’s platforms are safeguarded by Microsoft Azure’s Web Application Firewall (WAF).  This WAF safeguards web applications and APIs from common threats, web exploits, and bots that compromise availability, jeopardize security, and consume excessive resources.
  • EON strongly encourages client and partner users to use multi-factor authentication, and it is mandatory for all EON staff.
  • All environment data is logically separated in systems and databases.  Automated and manual tests are conducted upon every change to the system to ensure segregation of data.
  • EON follows the principles of least-privilege access and segregation of duties with strict change management protocols.
  • To improve product features, functionality, and investigations, we track platform usage and requests.  We log the minimum amount of data needed to support our clients.
  • EON protects data from accidental or intentional destruction due to user errors, system failures, or malicious attacks.  Backups of application and analytics data are created regularly using Microsoft Azure services.  A complete end-to-end test of our disaster recovery plan (DRP) is performed annually.
  • Robust activity logs of user access are maintained for audit purposes.
  • Data Subject Rights are supported wherever legally possible.
  • Privacy by Design, Data Minimization, and Erasure by Design concepts for Personal Data have been implemented into our SDLC, data management policies, and processes.
  • Our data classification system addresses multiple aspects of each data attribute, including risk level, applications, access restrictions, type, source, identification level, owner, export permissions, applicable legislation, and public information status.
  • EON does not accept any Special Categories of Personal Data (as defined in GDPR or CCPA), Credit / Debit Card information, Social Security Numbers, Passport Numbers, Personal Health Information (PHI), etc. from clients, partners, or consumers under any circumstances.  EON only accepts business bank account information (i.e. non-personal accounts) as part of contractual agreements that include payments to, or from, EON and its clients and partners.

Threat Monitoring and Incident Response

Through Microsoft Azure services, our system continuously monitors for unauthorized activity, use of compromised credentials, unusual data access, API calls from malicious IP addresses, and much more.  When an incident is identified, EON’s Incident Response Plan and Policy provides guidance to the staff responsible for responding to an Information Security incident.  Incident events include, but are not limited to: security/data breach, loss of service, system malfunction or overload, human error, non-compliance with policy or guidelines, malfunction of software or hardware, access violation, and new releases or patches.

EON’s response plan includes escalation paths, severity levels and definitions, severity based response times, communications requirements, mitigation guidelines, and post-incident reporting and analysis.

The key steps at a high level are as follows:

1. Prepare:  This step is ongoing, as it includes annual training, security notice subscriptions, updates to the response team and escalation process, and expansion of scenario planning.

2. Identification:  Identifying the type of incident helps determine what actions are needed.  All employees and contractors are trained to identify an attack through annual data security training.  This training includes how to escalate an incident internally and/or externally to set the plan in motion.  While the Identification and Containment steps are part of every incident response, the type of incident and other key factors determine to what degree the additional steps are necessary.

3. Containment:  Depending on the nature of the incident, actions may range from removing access and changing passwords and encryption keys to wiping hard drives and removing malicious code from systems.  In the case of an incident involving data, as soon as a theft, data breach, or data exposure is identified, immediate action, including notification, is required to protect EON, client, and partner data, especially if sensitive or Personal Data is at risk.

4. Investigation:  After an incident has been contained, EON will investigate its cause and impact.  All investigation and mitigation efforts are carefully documented.

5. Recovery:  The actions necessary to support recovery depend on the outcome of the Investigation step.  This step may include any, or all, of the following: notification decisions and timeframes, point person designation, data subject notification, affected audience definition, legal authority notification, public notification, etc.

6. Update:  This step includes fixing any identified vulnerabilities, reviewing and updating policies and implementation, changes to the secure development lifecycle, enhancing training, and evaluating response team performance.