Improved: Security, security, security
The security of the ZOA platform has always been very important to us. Every business faces the big challenge of cyber risks. Therefore, we had an application pentest carried out by the Swiss company infoGuard (https://www.infoguard.ch/de/) in the last few months and implemented a number of improvements in ZOA. You will not notice most of the adjustments.
Three changes you may notice:
- Stricter password requirements: The next time you change your password, you must choose a password of at least 14 characters that includes a special character.
- Restrictions on allowed file uploads: Certain file formats can no longer be uploaded (e.g. ZIP files). Each upload is checked for malware before the file is saved in ZOA.
- Web Application Firewall (WAF): We have implemented a WAF that protects ZOA from cyberattacks. This significantly reduces the risk of DDoS attacks and brute-force attacks.
We also highly recommend that the administrator of your ZOA account enables 2-factor authentication (2FA) via SMS for all users. 2FA in combination with a strong password provides very good protection (link to instructions).
NEW: Single Sign-On
The Single Sign-On (SSO) feature allows your internal IT to manage access to ZOA. This can be especially helpful if many employees in your organisation use ZOA. When an employee leaves, this ensures that ZOA access is removed as well. Please contact us if you are interested in this feature, as it requires company-specific integration.
NEW: Data Transfer Impact Assessment integrated
Following recent court rulings, the transfer of personal data to insecure third countries (especially the USA) often requires an assessment of the level of data protection in the third country. This assessment can be carried out with a "Data Transfer Impact Assessment (DTIA)". Therefore, we have integrated a module and template for this in ZOA. Please contact us if you would like to make adjustments to our standard template.
Adaptations for existing sub-processors
We use MessageBird's service for sending SMS for 2-factor authentication and Pusher for internal "concurrency" management, which ensures that two users do not work on the same ZOA object at the same time. Both companies are on the list of approved sub-processors. Pusher has now been acquired by MessageBird but remains a separate legal entity.
Robhost - our hosting provider in Germany - has merged with dogado and changed its name (https://www.dogado.pro). We have entered into a data processing agreement with the new company, which is of the same quality as the previous agreement.
For the implementation of the new features (i.e. Single Sign-On and additional protection measures against hacker attacks), we plan to use three new subcontractors.
- Cloudflare (https://cloudflare.com/) for the implementation of the web application firewall.
- Digital Ocean (https://www.digitalocean.com) for the implementation of the malware scanner.
- WorkOS (https://workos.com/) will be used for the implementation of Single Sign-On. Therefore, this sub-processor will only process data from you if you actively integrate this feature into your infrastructure. If you do not use Single Sign-On, this does not apply.
These providers are companies from the USA. Therefore, we had an external consulting firm conduct a data transfer impact assessment. We came to the conclusion that the increased security of ZOA, in combination with the configuration settings we have chosen, justifies their use.
New company address of SWISS FIN LAB GmbH
We have changed our company address. The change can also be seen in the commercial register. The new address is:
SWISS FIN LAB GmbH