Apix data security practices

This document describes Apix data security practices concerning the protection and processing of customer data and messages delivered within Apix systems. The customer data and the messages might contain personal data as described in the EU GDPR declaration. Apix processes the customer data and messages by automated means. During error situations and exceptional situations the data might by processed by other means, however during these situations the processing is limited to only ensuring the promised service towards the customer.

The customer sends and receives by the Apix services data that is processed only according the instructions provided by the customer. Data originating from the customer is processed for the recipient information and converted to messages (for example: electronic invoices). In a similar fashion messages received for the customer are processed to data and transferred to the customer. Data and messages are only stored for the duration required by the laws and the operating environment. Customer can instruct Apix to store the data and messages for a longer period of time.

Apix has two separate archives for storing the customer data. The official ‘6+1’ archive stores the data for 7 years, provided that customer has signed a contract for this service. If there are no such agreement the data is stored for the ongoing and previous month.

A separate message archive is used to store the messages and related transaction logs for maximum of 12 months.

Physical data protection and the location of data

The processing and storage of customer data and messages is done in data centres located in the EU/ETA area.

For the destruction of physical confidential documents Apix purchase a separate service from external service provider. The premises of Apix are secured with locks, alarm systems and camera surveillance. The list of key holders is maintained and the security codes are changed regularly. In the event of physical breaking to Apix premises the burglar cannot access the production systems without strong personal authentication. Customer data is not stored at the premises, workstation or on the office servers.

Technical protection

All Apix service environments (production, test and development environments) are located in separate data networks and the access between the networks is restricted. All networks are protected by firewalls and only the servers required to transfer data outside are connected to Internet. The data connections between the Internet connected servers and the message/data processing servers is restricted to only certain protocols and the connections are point-to-point. The environments are also monitored by various systems and automated attack detection and prevention systems are in use at protocol level. The test and development environments do not store customer data.

The customer data and messages are always stored separated from the Internet exposed servers. In the layered environment the data connections between systems and data centres are always encrypted and access to the internal network requires two-factor authentication. The customer can access their own data by using customer assigned user id and password through SSL-protected web pages. As preventive method against data breaches Apix actively upgrades its’ systems and keeps the data protection models updated. The production servers are duplicated and data, as well as messages are backed up to minimize the effects of interruptions.

The workstations, laptops, mobile phones and other electronic equipment of the employees are protected by using applicable updated virus scanners, encryption and access control mechanisms. The employees can telecommute only by using a VPN connection available only on Apix provided dedicated workstations and laptops.

Data connections and transfer of data

Apix does not transfer data or messages outside its’ systems except for providing the agreed data transfer in order to provide the agreed service. For example agreed data transfer is the transmission of messages to the operator of the intended recipient. Depending on the data connection the best available encryption is used.

Data centers and the servers

In order to process the data and messages Apix uses data center and equipment services. The date center environments are secure, fire protected areas with duplicated data communication, cabling and power services. These premises are monitored 24/7 and they contain automated fire detection and containment solutions that will not force the shutdown of servers. The access to the data centers is restricted and only named persons can enter them.

Data access control

The customer data and messages are processed manually only on error cases or by a specific request by the customer. All manual access is logged in the log files including the reason for accessing the data. The access to the data and messages is restricted to personnel whose work role requires such access. Apix has implanted monitored user management processes. The security manages validates all new data access requests before granting the access. The access to production, test and development environments are limited to actual need. Apix trains and educates its’ personnel regularly about data security and rights and responsibilities related to the customer data. Every employee of Apix has signed a written non-disclosure agreement.

Additional information

For more information about Apix data security contact servicedesk@apix.fi