Intapp cloud security

Control

• Data control means customers retain ownership of their data even when stored and processed by a third-party provider
• Intapp provides assurance that the customer data is not used for purposes outside the scope of the services contracted
• Intapp delivers unambiguous terms in the service agreements which details how data is stored, controlled and used
• While Intapp uses a multi-tenant model for its applications, no co-mingling of data occurs thanks to per-customer data stores, whenever possible

---

Visibility

• Intapp does not access customer data. Only for infrequent escalated support issues, Intapp will access customer data with their permission
• Intapp provides customers with activity logs of any logins

---

Locations

• Customers can select the region that offers equivalent data protection laws to those in the country of origin. This flexibility allows for those organizations to place their applications in the area that matches their business requirements
• By leveraging Amazon’s global footprint of data centers, Intapp addresses customer’s data sovereignty concerns by offering a choice from a set of regions
• Intapp offers services in US, Europe, and APAC

SSO

• Intapp offers Single Sign-On (SSO) capability throughout Intapp Secure Cloud
• Intapp SSO supports SAML2.0 providers such as OKTA and Microsoft AD FS 2.0

---

Pen testing

• Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on by established incident response procedures
• Controls are implemented to prevent or detect and act upon the introduction of unauthorized or malicious software
• Intapp identifies potential threats that could impair system security, availability, and confidentiality commitments and system requirements, analyzes the significance of risks associated with the identified threats, determines mitigation strategies for those risks, identifies and assesses changes
• Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet Intapp’s commitments
• Intapp uses a CREST approved vendor to perform penetration tests at least annually
• Intapp analyses the monthly network vulnerability scans against its digital assets performed by an external vendor
• Amazon complements Intapp’s penetration tests with its own. Amazon rigorously pen tests its systems against known and conceivable threats

---

Encryption

• The data in all data stores is encrypted at rest, using Advanced Encryption Standard (AES) 256-bit symmetric keys managed by AWS Key Management Service
• All communication between the Intapp Cloud Service and the users’ devices is encrypted
• The SSL encryption certificates are generated by a validated third party

---

Access Controls

• Physical access to facilities housing the system is restricted to authorized personnel
• Logical access security software, infrastructure, and architectures have been implemented to support identification and authentication of authorized internal and external users
• Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes
• The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, move, or removal, enabling Intapp to meet its commitments and system requirements as they relate to security

High availability

• Intapp partnered with Amazon Web Services (AWS), ranked consistently as the Leader in the Public Cloud Infrastructure as a Service Gartner Magic Quadrant report
• By leveraging Amazon’s extensive set of data centers and services, Intapp provides the ability to fail-over if a data center outage occurs and in the rare instance of a regional outage
• Intapp implements a recovery plan that is tested at least once a year
• Intapp keeps the customers on the most current version of the applications

---

Disaster recovery

• Intapp Secure Cloud support cross-region fail-overs, whenever possible
• Intapp executes regular, automatic data store back-ups

External certifications

• Intapp developed policies, controls, and processes that are ISO 27001 certified with added compliance to the cloud-specific ISO 27017 and ISO 27018 extensions
• Intapp implemented security controls as validated by SOC 2 examination

---

Process best practice

• Intapp designed, developed, implemented, and operated controls, including policies and procedures, to achieve its risk mitigation strategy
• Intapp defined organizational structures, reporting lines, authorities, and responsibilities and accountabilities for the design, development, implementation, operation, maintenance, and monitoring of its cloud system
• The design and operating effectiveness of controls are periodically evaluated against Intapp’s commitments, and system requirements as they relate to security and corrections and other necessary actions relating to identified deficiencies are taken promptly
• Internal and external users are provided with information on how to report security, availability, and confidentiality failures, incidents and concerns to appropriate personnel
• Infrastructure, data, software, policies and procedures are updated as necessary to remain consistent with the Intapp’s security commitments