
Appendix 2: Security Assurance Plan and Shared Responsibility Model

Service Eunoia Security Hub
SaaS Essential and Enterprise Offers 

1. INTRODUCTION

The purpose of this document is to specify the responsibilities of EUNOIA and the Licensee when subscribing to the Eunoia SaaS service offered in the EUNOIA catalog of services for Licensees. This document also serves as the Security Assurance Plan (SAP). 

 Its purposes are to:   

  • Provide visibility and remove ambiguity by clarifying each party's responsibilities for implementing security controls on the service, in order to control risks, strengthen security and ensure compliance with the applicable regulations  

  • Make it easier for Licensees to carry out operational checks.  

 

Information security is a major issue for EUNOIA and its Licensees and is therefore one of its absolute priorities. 

To achieve this, EUNOIA applies a continuous improvement approach to security, in line with the ISO 27001:2022 standard, through an ISMS (Information Security Management System) covering its design, development, integration, change, operational maintenance and support activities. 

In a nutshell, this ISMS makes it possible to put in place an organisation, policies, processes, and security controls that allow security to be properly integrated, as well as the regulatory aspects, including GDPR. 

 

This model of shared responsibility is appended to the Terms of Use document concerning the Eunoia SaaS offer. 

2. DOCUMENT UPDATES

EUNOIA reserves the right to update and modify this document. The most recent version shall always be available on the EUNOIA website. Material changes will be communicated to Licensees by email. 

Email notifications will be sent to the accounts referenced by the person who subscribed to the EUNOIA license. These will cover EUNOIA events, documentation, training, product developments, and contractual documents (General Terms of Service and its appendixes). 

3. SECURITY MEASURES AND RESPONSIBILITIES

3.1 Summary 

(Summary figure of the security measures and responsibilities: image not reproduced.)

3.2 Security organisation

Eunoia 

Eunoia has established a structured security organisation. The roles of DPO (Data Protection Officer), CISO (Chief Information Security Officer) and CTO (Chief Technical Officer) are clearly defined, each with specific responsibilities for data protection and information security. An organisational chart complements these roles to ensure clarity in the organisation. 

Segregation of duties and incompatible roles are taken into account to minimise the risk of conflicts of interest and abuse of privilege. For instance, development and quality control functions are handled by separate teams. 

Role sheets, outlining the responsibilities of each position, are reviewed annually to ensure they remain aligned with security and regulatory developments. 

Committees are established to manage different aspects of operational security, including change management, incident response, capacity management, and supplier oversight. These committees play a vital role in steering the Information Security Management System (ISMS). A regular security management review is also conducted to assess and improve the effectiveness of security strategies. 

 

Customer 

The customer should establish a security organisation that effectively defines and manages security within the scope of the Eunoia SaaS service. This includes setting up governance policies and operational security practices, such as access management and adherence to established security policies and standards. 

3.3 Security documentation

Eunoia 

Eunoia has established a comprehensive set of security documents. This includes a general Information Security Management System (ISMS) policy and an operational security policy. 

User and administrator charters are also in place. 

Security directives, in the form of processes and procedures covering various security themes, have been defined. They serve as operational guidelines to facilitate the implementation of policies and standards. 

 

Customer 

The customer is responsible for developing and maintaining its own set of security documentation, aligned with the requirements of the Eunoia SaaS service. These documents enable the Customer to manage security effectively within its Eunoia environment. This documentation should include: 

  • Custom security policies: tailored to the customer's specific organisational needs, serving as the framework for setting up and using the Eunoia SaaS service environment. 

  • Implementation procedures: the procedures for implementing these security policies and processes within the provisioned Eunoia SaaS customer environment (including any risk analysis methodologies, security controls, asset management, RACI, etc.). 

  • Architecture and configuration procedures: the procedures for the architecture and configuration of the customer's environment so that it can interface with the customer's information system (e.g. integration with the customer's authentication and authorisation systems). 

  • Clear guidelines for users: comprehensive user guidelines that make it easier to onboard users and that reflect the configuration actually applied to the customer's Eunoia environment. 

  • Compliance documentation: the management of records demonstrating adherence to the relevant security standards and regulations, and alignment with Eunoia's security protocols. 

It's essential for the customer to regularly review and update this documentation to ensure ongoing compliance and effective security management in line with Eunoia’s updates and evolving security landscape. 

3.4 Human resource and security awareness

Eunoia

Individuals working for EUNOIA are bound by confidentiality clauses. 

Interviews are conducted with candidates to ensure their alignment with the job requirements, in terms of skills, experience, and behavior. 

An onboarding process is in place to welcome new employees. This includes providing appropriate access and workstations tailored to their needs. 

Formal security awareness training is conducted at least once a year. When necessary, reminders of best security practices are given. 

A competency management system is also established to reduce reliance on key personnel. 

Upon an employee's departure, a formal reminder of the confidentiality clause is provided. 

 

Customer 

The customer should adopt robust human resource and security awareness practices to ensure the secure operation of the EUNOIA SaaS service. In particular: 

  • Ensure that all team members interacting with the service are bound by confidentiality agreements, mirroring EUNOIA's own commitment. 

  • Apply hiring procedures that evaluate candidates' security awareness and compatibility with the customer's security policies. 

  • Provide an onboarding process that equips new hires with the knowledge needed to use the EUNOIA SaaS service securely. 

  • Conduct regular security training to keep staff informed of current threats and best practices. 

  • Implement a competency management strategy, especially for security-critical roles, to minimise dependency on key individuals. 

  • Establish clear exit procedures so that access to the service is revoked and confidentiality obligations are restated when employees leave.  

3.5 Physical security

Eunoia 

Eunoia's information system is hosted in data centers suited to hosting sensitive data and services. These ISO 27001-certified data centers are equipped to manage risks such as physical intrusion, fire, flooding and power outages, ensuring a high level of physical security for the hosted services. The physical security of these sites is managed by the data center operators; EUNOIA staff do not have physical access to them, which further limits the risk of unauthorised access. 

Furthermore, Eunoia has implemented teleworking security procedures, teleworking now being the norm within the company. These measures include appropriate authentication methods, workstation hardening, a safe working environment (including when remote) and encryption of communications, so that data security and integrity are maintained regardless of where Eunoia personnel are located. 

 

Customer 

The customer must ensure that the environment in which the Eunoia service is used is properly secured, taking into account the sensitivity of the operations and data concerned. This includes implementing security procedures for the premises from which the Eunoia SaaS client environment is used or administered. In addition, the customer must regularly train and sensitise its staff to the threats associated with working in insecure environments, in order to mitigate the risks arising from physical access to workstations and, more generally, from remote access from locations considered insecure.

3.6 Access control

Eunoia 

An access management procedure and authorisation matrices are formalised at EUNOIA. Individuals involved in the development and support of Eunoia activities have personal accounts, and access rights are strictly controlled. Depending on the requirements, the authentication methods used may include complex passwords or Multi-Factor Authentication (MFA). An Identity Provider (IdP) is used to centralise accounts as far as possible. 

Access rights on development tools are also strictly regulated. 

Periodic access reviews are conducted. 

Customer 

It is the customer's responsibility to define its access control policy for the Eunoia SaaS environment, including the implementation of its authentication mechanisms and authorisation matrices, according to its access requirements. The use of a centralised access system is strongly recommended. 

An access management workflow should be defined. 

Access reviews should also be carried out periodically. 

It is strongly recommended that MFA be put in place to limit account takeover, particularly for administration interfaces. 

3.7 Security on build activities 

Eunoia 

EUNOIA integrates security at every level of our SaaS service, from development to operation. This includes integrating security into project and change management, as well as a secure development policy. 

A risk mapping is established, addressing information leaks, client segregation, data loss, service unavailability, and personal data protection. We use SAST and DAST tools in our CI/CD pipeline, reflecting our 'security by design and privacy by default' approach.  

EUNOIA’s teams manage the security of the entire Eunoia application and its hosting platform, including the provision of secure, up-to-date packaged services. Our documentation covers all aspects of Eunoia's engineering and operation, and change management committees ensure process tracking and continuous improvement. 

Customer 

The customer using the Eunoia SaaS service is required to manage security both at the interface with their information system and in terms of business management related to Eunoia. This involves a focused effort on securing processes and data exchanges between Eunoia and the customer's internal systems. The customer is responsible for implementing and managing robust access control policies, following the security guidelines set by Eunoia. 

Conducting regular risk assessments is crucial for the customer to identify potential vulnerabilities within their infrastructure, especially those related to the use of Eunoia. These assessments should be adaptable, accommodating continuous changes in both their environment and the Eunoia SaaS service. The customer must ensure that documentation and change management processes are in accordance with Eunoia's specifications and are followed meticulously. 

The customer is advised to establish separate testing and production environments to maintain system integrity and validate any changes. Setting up a change management committee can be beneficial in overseeing these processes and ensuring adherence to Eunoia's security protocols. By diligently following these guidelines, the customer can achieve a high level of security in their management of the Eunoia SaaS service, aligning with the rigorous standards established by Eunoia. 

Managing changes to, securing and configuring the components of the Customer's own infrastructure that integrate with Eunoia, together with the configuration of the Customer's Eunoia environment, lies entirely with the Customer. 

3.8 Security on operations activities

Eunoia 

In Eunoia's SaaS model, Eunoia assumes full responsibility for the operational management of the service, which is hosted by Eunoia. This includes maintaining the development tools, hosting and operating the Eunoia application and associated platform, as well as providing support under strict operating procedures to ensure reliability, maintainability and security.  

The services provided by Eunoia are continuously monitored and backed up, with event logging, patch management and obsolescence management processes also in place.  

EUNOIA regularly releases updates and patches to address bugs and vulnerabilities, ensuring the integrity and security of the service. 

 

Customer 

In the SaaS model, the customer's operational responsibilities focus on the components of the customer's information system that communicate with the Eunoia environment and the configuration of the Eunoia customer SaaS environment.  

In particular, the customer is responsible for managing the configuration of its Eunoia environment and ensuring that the resources subscribed to Eunoia are always sufficient and adapted to its needs. This includes implementing capacity planning to anticipate and manage scalability and performance requirements.  

In addition, the customer should establish operating procedures for its part of the system. While Eunoia manages updates to the main service, the customer must remain vigilant over the components of its information system that are integrated with Eunoia, as well as over the business configuration of its Eunoia SaaS client environment, to maintain an adequate level of operation and security. 

3.9 Incident management

Eunoia 

Eunoia has established an alert and incident management process that encompasses the company's internal operations, the hosting, and the operation of the Eunoia service in SaaS mode, as well as customer support. This process aligns with the ITIL framework.  

A ticketing system is in place for managing these incidents, prioritizing and classifying them based on their severity and impact. When necessary, key stakeholders such as the DPO (Data Protection Officer) and the CISO (Chief Information Security Officer) may be involved in incident response.  

A crisis response team is activated through this alert and incident management process. These incidents also contribute to updating risk mapping.  

Eunoia regularly conducts alert and incident management meetings, maintains post-mortem analyses, and a knowledge base to learn from past incidents and improve future responses.  

Eunoia support, which is exclusively remote, deals with requests relating to the Eunoia application (bugs, vulnerabilities, errors in user documentation, unavailability, restoration of backups, etc.). 

Support does not cover incidents arising from the Customer’s own infrastructure, third-party software, or integrations outside EUNOIA’s control. 

 

Customer 

In SaaS mode, Customers are responsible for managing incidents related to their information systems that interface with EUNOIA. This includes establishing a process for incident management, defining procedures, and designating authorised Administrators to contact EUNOIA support through the ticketing system. 

Customers shall prioritise incidents based on their severity, especially those affecting the EUNOIA service. Customers shall also be accountable for managing requests made to EUNOIA’s support team, ensuring effective communication, and adhering to the incident management process for prompt resolution. 

Customers shall initially assess and qualify incidents before escalating them to EUNOIA support. 

3.10 Business continuity plan 

Eunoia 

Eunoia has established a comprehensive Business Impact Analysis (BIA) specifically tailored to its SaaS service. This analysis encompasses all critical aspects, including development, design, hosting, operation, and support activities performed by EUNOIA. The services supporting these activities are designed with an appropriate level of resilience in accordance with the SLA defined in the General Terms of Service for the Eunoia SaaS service. Eunoia's business processes are aligned with the BIA framework to safeguard critical functions across these activities. 

The Disaster Recovery Plan (DRP) is tested annually to validate its effectiveness and ensure preparedness for unforeseen events. 

Customer 

Customers are fully responsible for establishing and managing their Business Continuity Plan (BCP) in relation to their specific continuity objectives. This includes conducting a thorough Business Impact Analysis (BIA) to identify critical functions and services. 

Customers should ensure that their BCP aligns with their operational requirements and resilience goals, and it is advisable to regularly test and update the plan to adapt to changing business needs and environments. 

3.11 Security in outsourcing 

Eunoia 

Subcontractors involved in development, hosting, operations and support activities are contractually bound by security clauses. Service providers deemed sensitive (e.g. cloud providers) hold security certifications such as ISO 27001 and/or SOC 2. Eunoia actively monitors security within its supply chain to ensure compliance and maintain a high standard of data protection and information security. 

Customer 

Where the customer uses subcontractors for activities related to Eunoia, it is strongly advised to establish a vendor management process and to contractually require suppliers to include confidentiality and GDPR compliance clauses. Setting up a supplier assurance programme is also recommended. In addition, periodic security assessments should be conducted on suppliers to verify that services are delivered in accordance with the contract and that security provisions are upheld. 

3.12 Security control 

Eunoia 

Eunoia has established a system of organisational and technical internal security controls covering design, operations and support activities, which includes: 

  • Conducting organisational security audits. 

  • Implementing security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), integrated into the CI/CD pipeline. 

  • Implementing vulnerability detection tools for Eunoia service components (e.g. vulnerability scans of operating systems or images), together with component updates (operating system and software patch management, rebuilds, etc.). 

  • Applying security controls in operations (supervision, backup, traceability, vulnerability, obsolescence, change management, capacity, etc.). 

  • Performing annual penetration tests (the first to be conducted before the launch of the MVP) and organisational security audits. 

The aim is to ensure that security is correctly integrated into the solutions implemented by EUNOIA, in alignment with the policies of the Information Security Management System (ISMS) and risk analyses. 

Customer 

Customers play a key role in ensuring security within Eunoia's SaaS ecosystem by aligning their practices with Eunoia's established protocols.  

The customer may carry out an annual penetration test, performed either by the customer or by a third party, on its own Eunoia customer environment, in accordance with Eunoia's SaaS Terms and Conditions, in order to proactively identify and mitigate vulnerabilities.  

The customer is also advised to carry out detailed reviews of its configuration within Eunoia, including regular assessments of access controls, communication security, etc. The objective is for the customer to ensure that the security measures applied to the configuration of its Eunoia SaaS environment, and to all services under its responsibility that interface with Eunoia, are effectively integrated in accordance with its information security policies and risk management strategies. 

3.13 Contract

Eunoia 

A contract and its annexes concerning the Eunoia SaaS service are established. Security clauses are included, notably establishing a shared responsibility model. The contracts and their annexes are reviewed regularly to ensure they remain up-to-date and relevant to the evolving needs and security requirements of both Eunoia and its clients. 

 

Customer 

Customers engaging with the Eunoia SaaS service are required to enter into a contract. This contract also encompasses specific security clauses, outlining a model of shared responsibility between Eunoia and the client. It is the responsibility of the customer to regularly review these contracts and their annexes to ensure ongoing compliance and alignment with both their security policies and the evolving security landscape. 

3.14 Regulation

Eunoia

Eunoia maintains a legal monitoring system and has implemented a GDPR compliance process. A Data Protection Officer (DPO) is responsible for applying this process. Key responsibilities of the DPO include maintaining data processing records and managing requests for the exercise of data subjects' rights.

 

Customer

Customers using the Eunoia service are considered data controllers under GDPR and are therefore fully responsible for their own GDPR compliance. This includes managing how Eunoia’s service processes personal data within its operational scope. Customers must ensure that their use of the Eunoia service adheres to GDPR, which involves implementing appropriate data protection measures, maintaining records of data processing activities, and handling requests from data subjects regarding their rights. The customer must establish and maintain compliance mechanisms and ensure that their use of Eunoia’s services aligns with all applicable data protection laws and regulations. Customers are also responsible for notifying the competent data protection authorities (such as the CNIL in France) of personal data breaches occurring within their scope.
