GEP TRUST - SECURITY

At GEP, security is foundational to everything we do. We follow a structured, multi-layered approach to safeguard systems, data, and services, leveraging best practices and globally recognized standards.

Our Security Framework ensures that critical areas — including infrastructure, applications, and data — are addressed systematically, reducing risk and enhancing resilience. This framework is regularly reviewed and updated to reflect the evolving threat landscape and to meet customer and regulatory expectations.

Information Security Management

Governance

At GEP, governance serves as the backbone of our security framework by clearly defining roles, responsibilities, and accountability for all security-related functions. A structured oversight mechanism ensures that policies are reviewed periodically, risks are escalated through established channels, and all activities align with organizational objectives. This approach fosters consistency, transparency, and informed decision-making in managing security.

Compliance

GEP is committed to aligning its operations with globally recognized standards, such as ISO 27001, SOC 2, and GDPR. Compliance is achieved through a combination of regular internal and external audits, continuous updates to policies and controls, and adherence to regulatory and contractual requirements. Certifications and attestation reports are available upon request through appropriate channels and are shared under NDA.

Risk Management

Effective risk management is an integral part of GEP’s security framework. By systematically identifying and assessing potential threats across technical, operational, and organizational layers, we proactively mitigate risks to our systems and data. Regular risk assessments help prioritize vulnerabilities based on their potential impact, and mitigation strategies are designed to adapt to the evolving threat landscape. Continuous monitoring ensures that risks remain managed effectively, providing a resilient foundation for our operations.

Incident Management

GEP maintains a structured Incident Management process designed to ensure quick, effective, and orderly response to information security events. Security incidents are detected through centralized logging and monitoring, with personnel required to report any suspected weaknesses or breaches through established channels. The Information Security team conducts rapid triage, containment, and investigation activities while minimizing impact to systems and data. Incidents involving customer data trigger mandatory notification within 24 hours of awareness, and post-incident reviews are conducted to identify root causes and strengthen controls.

Administrative Controls

Policies, Procedures and Standards

GEP has established a comprehensive set of policies, procedures, and standards to ensure a consistent and robust approach to information security across the organization. These documents are designed to provide clear guidance for employees and stakeholders, addressing critical areas such as acceptable use, access control, incident management, and data handling.

Our policies serve as the foundational principles that guide secure practices, while procedures provide detailed, step-by-step instructions for implementing these policies effectively in day-to-day operations.

Additionally, our standards define measurable criteria to ensure consistency and compliance in implementing security measures. This includes specific requirements for password management, encryption protocols, and secure data handling based on classification levels.

To keep pace with changing risks and regulatory landscapes, we regularly review and update our policies, procedures, and standards. These updates are communicated organization-wide to ensure alignment and compliance.

Security Awareness Programs

At GEP, we emphasize structured and continuous security awareness programs to ensure employees are well-informed and proactive in mitigating risks.

New hires begin their journey with a comprehensive induction program, where they are introduced to GEP's security expectations, policies, and best practices. 

Following induction, all new employees are assigned security awareness training through our Learning Management System (LMS). These modules include video-based lessons covering essential topics such as recognizing phishing attempts, securely managing passwords, and handling sensitive information responsibly. To maintain high levels of awareness across the organization, refresher training is assigned to all employees annually. These sessions ensure that employees remain aligned with evolving security standards and practices.

In addition to structured training, GEP reinforces security knowledge through regular communication initiatives, such as email campaigns, newsletters, and updates. These include targeted topics like emerging threats, changes, and new tools or processes implemented within the organization.

Through these layered and structured efforts, GEP ensures that every employee remains engaged, informed, and equipped to uphold the organization’s security posture.

Infrastructure

Hosting platform

GEP primarily hosts its software solutions on the Platform-as-a-Service (PaaS) offerings of Microsoft Azure and Google Cloud. Microsoft Azure and Google Cloud operate in data centers managed and maintained by Microsoft and Google respectively, ensuring a secure and reliable infrastructure.

As part of the shared responsibility model, Microsoft and Google manage physical security, infrastructure, and platform operations, while GEP takes responsibility for securing the application, data, and user access controls.

Both platforms maintain globally recognized certifications including ISO 27001, ISO 27017, SOC 1 Type II, and SOC 2 Type II attestations.

Additional information on Azure infrastructure security can be found at https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure

Disaster Recovery

For GEP Software offerings, GEP maintains a detailed Disaster Recovery (DR) Plan. This plan ensures that customers have reliable access to production and disaster recovery environments. During the implementation phase, customers can select from predefined datacenter hosting pairs, with the disaster recovery site located in a geographically distinct location from the primary production site to mitigate risks.

Annual disaster recovery tests are conducted to validate the effectiveness of the DR Plan. These tests confirm that GEP can achieve the committed Recovery Time Objective (RTO) and Recovery Point Objective (RPO), providing assurance of service resilience and reliability.

Perimeter Security

Firewalls

GEP has implemented firewalls to monitor and protect network traffic at the perimeter. Firewall architecture is designed to allow only essential ports and services required for business operations, minimizing exposure to unnecessary risks. All internet-based hosting is secured using HTTPS connectivity to ensure data integrity and confidentiality during transmission.

Intrusion Detection and Prevention Systems (IDPS)

GEP employs Intrusion Detection and Prevention Systems (IDPS) to monitor network traffic for unusual or unauthorized activities. These systems provide real-time detection of potential threats, allowing for immediate mitigation of risks. By identifying and blocking suspicious behavior, the IDPS helps protect GEP's infrastructure from unauthorized access and potential security breaches. Regular updates and tuning of detection rules ensure that the system stays effective against evolving threats.

Web Application Firewall (WAF)

GEP utilizes a Web Application Firewall (WAF) to protect its applications from web-based threats. The WAF monitors and filters HTTP/HTTPS traffic to safeguard against common vulnerabilities such as SQL injection, cross-site scripting (XSS), and other application-layer attacks. By inspecting and validating requests, the WAF ensures that only legitimate traffic reaches GEP's applications. Configurations and rules are regularly reviewed and updated to address emerging risks and maintain optimal security for the hosted applications.

Distributed Denial of Service (DDoS) Protection

GEP employs robust Distributed Denial of Service (DDoS) protection mechanisms to safeguard its infrastructure and applications from volumetric attacks. These protections are designed to detect and mitigate abnormal traffic patterns, ensuring the availability and reliability of services. By leveraging scalable DDoS mitigation tools, GEP ensures that legitimate user access remains uninterrupted, even during attempts to overwhelm systems with malicious traffic. Proactive monitoring and response measures further enhance the resilience of GEP's hosted solutions against such threats.

Network Security

Network Segmentation

GEP ensures robust network segmentation to enhance security and limit unauthorized access. The network is structured into separate VLANs based on specific requirements, with access strictly controlled to only what is necessary for operations.

Network traffic is governed by a "deny by default, allow by exception" principle, where all traffic is denied unless explicitly permitted.

The GEP Software hosting network is segregated from the corporate network, ensuring operational security and isolation of hosting environments.

Production networks and data are firewalled and segregated from non-production environments, with strict controls preventing production data from being transferred to non-production setups. These measures minimize risks and maintain the integrity of critical environments.

Remote Access

Remote access using VPN to the GEP network is restricted to authorized users and is implemented with strong security measures to maintain confidentiality, integrity, and availability of information. Access is limited to company-owned devices, ensuring that only trusted and managed laptops can connect to the corporate network.

Remote access using VPN is protected with two-factor authentication, using mechanisms such as authenticator apps or one-time passwords (OTP). These measures ensure secure and authenticated remote connectivity.

Secure Communication Protocols

GEP enforces the use of secure communication protocols to safeguard data in transit. Insecure protocols such as telnet and unencrypted FTP are prohibited. Instead, secure alternatives like SSH and Secure FTP are mandated to ensure encryption and protection of sensitive information. This policy aligns with industry standards and reduces the risk of interception or unauthorized access during communication.

Endpoint Security

Device Protection

All corporate endpoints are secured with advanced Endpoint Detection and Response (EDR) solutions that provide continuous monitoring, real-time threat detection, and automated responses to potential risks. EDR policies are centrally managed, offering tamper-proof protection and ensuring consistent enforcement across all devices. Full Disk Encryption is implemented across endpoints to safeguard data at rest, ensuring information remains secure even if devices are lost or stolen. Additionally, web content filtering tools are in place to restrict access to non-business-related websites, promoting secure and productive use of internet resources.

BYOD Policy

GEP does not permit personal devices to connect to the corporate network. This policy ensures that only company-owned, secured devices are used, thereby reducing risks associated with unmanaged or insecure devices.

Patch Management

GEP maintains a proactive patch management program to address known vulnerabilities in operating systems, applications, and other software components. Regular updates are deployed across all endpoints to minimize risks and ensure compliance with security standards. This approach reduces exposure to exploits and helps maintain system integrity.

Mobile Device Management (MDM)

GEP uses an MDM solution to manage and secure corporate mobile devices. This includes enforcing security policies, enabling remote wiping for lost devices, and managing app installations to maintain a secure mobile environment.

Removable Storage Restriction

To mitigate data exfiltration and unauthorized access risks, the use of removable external storage media is restricted by policy. Permissions are granted only for approved use cases, ensuring secure handling of such media.

Application Security

Secure SDLC

GEP follows a disciplined Agile software development life cycle (SDLC) and release management process. The SDLC clearly defines roles and responsibilities from the data-gathering phase through delivery. GEP implements application security practices as part of the SDLC.

SAST

Static Application Security Testing (SAST) is integrated into our development process to ensure secure code from the start. Every time a developer attempts to check in code to development branches, it is automatically scanned for vulnerabilities. If any vulnerabilities are detected, the check-in is blocked until the issues are resolved. This approach ensures that only secure, vulnerability-free code progresses through the development pipeline, reinforcing the security of our applications.

Penetration Testing

Penetration Testing is an essential part of our application security program. To ensure the highest standards of security, we engage independent third-party experts to perform comprehensive security and vulnerability assessments on our software and infrastructure. These assessments help identify potential risks, which are addressed as part of our ongoing efforts to maintain secure and reliable applications.

Data Security

Encryption

Data protection begins with robust encryption mechanisms. GEP encrypts data at rest using AES 256-bit encryption, a widely recognized standard for strong data protection. Data in transit is encrypted using Transport Layer Security (TLS) 1.2/1.3, with a certificate carrying a 2048-bit key (commonly called an SSL certificate) to secure transmissions across networks.

These measures ensure data confidentiality and integrity, mitigating risks of unauthorized access or exposure during storage or transmission.

Field-level data masking is also available within the GEP Software interface for confidential fields and can be configured according to customer requirements.

Access Controls

GEP enforces stringent access control measures to ensure that data is accessible only to authorized individuals. Access is granted on a need-to-know basis through an approval workflow that aligns with GEP’s Access Control Policy. This policy emphasizes critical principles such as least privilege, individual accountability, and need-to-know access to minimize the risk of unauthorized data access and maintain accountability.

Data Deletion / Data Retention

GEP’s data lifecycle management ensures that data is retained and deleted in accordance with customer requirements and industry best practices. Upon contract termination, customer data is returned in a mutually agreed file format. Once the customer confirms receipt of the data, GEP securely deletes all data and provides a certificate of deletion for verification.

Data Backups

To ensure data availability and recovery, GEP utilizes the native backup capabilities of our Cloud Service Providers. These include Long-Term Retention (LTR) for archival needs and Point-in-Time Recovery (PITR) for operational continuity. These backup strategies enable quick and efficient data recovery when needed.

Data Loss Prevention (DLP)

GEP employs a robust Data Loss Prevention (DLP) program to safeguard sensitive data from unauthorized access or accidental exposure. End-user activities are tightly controlled, with restrictions on external storage devices and implementation of web content filtering tools. These measures limit access to only business-related resources, reducing potential avenues for data leakage.

Product Security

Data Isolation

Customer data is logically isolated at both the application and database layers within GEP Software. This separation is implemented through a domain-based architecture: each customer is provided with a dedicated domain and database, which serves as a logical boundary isolating its data from that of other customers.

SSO Support

GEP Software supports Single Sign-On (SSO) using industry-standard protocols such as SAML 2.0 and OpenID Connect (OIDC). SSO integration enables customers to authenticate users through their own Identity Provider (IdP), streamlining access management and enforcing consistent authentication policies across their organization.

Role-Based Access Control

GEP Software enforces role-based access control (RBAC) to ensure users can access only the data and functionality required for their job responsibilities. Access can be assigned through predefined personas (roles) or through custom personas defined to match a customer's business requirements. This minimizes the risk of unauthorized access and supports the principle of least privilege.

Multi-Factor Authentication

GEP Software supports multi-factor authentication (MFA) to provide an additional layer of identity verification. Supported MFA methods include one-time passwords (OTP) delivered by email, SMS, or authenticator app, which an administrator can configure according to customer requirements.

Audit Logging

GEP Software captures user activity logs to ensure traceability and accountability. These logs include, but are not limited to, browsing events, user account changes, role changes, and document changes. Each log entry records the identity of the actor, the action taken (including before-and-after values where applicable), and the timestamp.
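As an added illustration (not GEP's code), the following builds audit records with the fields described above: actor, action, UTC timestamp, and a before/after diff limited to the fields that actually changed. The action names and the sample role change are constructed for the example.

```python
"""Build audit log entries carrying actor, action, timestamp and
before/after values for changed fields (added example, not GEP's code)."""
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Any, Optional


def field_diff(before: dict[str, Any], after: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Return {field: {"before": old, "after": new}} for every field whose
    value differs, including fields that were added (old is None) or
    removed (new is None). Unchanged fields are omitted to keep the log lean."""
    diff: dict[str, dict[str, Any]] = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            diff[key] = {"before": old, "after": new}
    return diff


def audit_entry(actor: str, action: str, target: str,
                before: Optional[dict[str, Any]] = None,
                after: Optional[dict[str, Any]] = None,
                now: Optional[datetime] = None) -> dict[str, Any]:
    """Assemble one audit record. The actor is mandatory so every entry is
    attributable; timestamps are normalised to UTC ISO-8601 so records from
    different components sort and correlate correctly."""
    if not actor or not action:
        raise ValueError("audit entry requires an actor identity and an action")
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
    entry: dict[str, Any] = {"timestamp": stamp, "actor": actor,
                             "action": action, "target": target}
    # Only state-changing events carry before/after values; browsing
    # events, for instance, have nothing to diff.
    if before is not None or after is not None:
        entry["changes"] = field_diff(before or {}, after or {})
    return entry


def to_line(entry: dict[str, Any]) -> str:
    """Serialise as one JSON line for a centralised log pipeline."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: an administrator changes a user's persona (role).
    event = audit_entry("admin@example.com", "user.role.change", "user:jdoe",
                        before={"persona": "Buyer", "active": True},
                        after={"persona": "Approver", "active": True})
    print(to_line(event))
```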

Integrations

GEP Software provides secure REST and Bulk APIs to support system integrations and large-volume data exchanges. API communications are protected using JWT-based authentication and authorization mechanisms. All API endpoints enforce TLS 1.2 encryption to safeguard data in transit. Interface APIs support certificate-based authentication or certificate-based signing. Additional security controls such as IP address restrictions are available to protect API access.