Secure, Cloud-Based FM Software to protect the world’s most demanding brand — yours
ServiceChannel’s facilities management platform has been designed to support some of the leading multi-location companies in the world, such as Nike, CVS Health, AutoNation, Luxottica, Dollar Financial Group, Barnes & Noble, Ruby Tuesday and The Cheesecake Factory, to name a few. Importantly, global and local brands alike benefit from the same attention to performance, scalability and security. We’ve worked closely with many of our clients’ technology teams and third-party auditors, and our software application has undergone extensive reviews and testing.
This process enables us to deliver a proven and enterprise-ready system for you, regardless of your size. All our clients benefit from our powerful, flexible and secure technology infrastructure, whether with 50 locations or 5,000.
“It’s critical for our facilities management system, like all our systems, to incorporate and support the latest infrastructure technologies to guarantee scalability, uptime and security. Our team dug in deeply and saw that ServiceChannel delivered on all fronts.”
All ServiceChannel client data is redundantly stored and distributed in data centers across multiple physical locations. Data center electrical power systems are fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible power supplies and generators provide backup power whenever needed. Power is even fed via different electrical grids from independent utilities to reduce single points of failure.
By utilizing cloud-based deployment, we isolate our application from our clients’ internal servers, thereby eliminating any chance of unauthorized access to our clients’ internal systems. Contractors and suppliers never access your internal systems.
All ServiceChannel client data is automatically backed up on a scheduled basis and stored in multiple locations. Even our telecommunications systems (phone and fax) are hosted in multiple cloud data centers with automatic failover solutions.
Core ServiceChannel applications are deployed in an N+1 configuration, so that in the event of a data center or individual equipment failure, there is sufficient capacity to enable traffic to be load-balanced and rerouted to the remaining sites. ServiceChannel deploys its applications and data across multiple AWS Availability Zones concurrently. Each AWS Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated and are located in lower risk flood plains.
Application Security & Encryption
ServiceChannel currently uses SSL certificates from Network Solutions, offering 256-bit encryption (“strong SSL security”) using AES_256_CBC, with SHA256 for message authentication and RSA as the key exchange mechanism. This is the best secure server software (SSL) available today for secure service transactions. It encrypts client facilities maintenance information transmitted through the ServiceChannel application website, including company and contact information, service requests and work history, reports, proposals and invoices.
The Network Solutions SSL certificate scrambles information transmitted to and from the ServiceChannel application website, which is then decoded once it reaches the user’s browser. All ServiceChannel systems are protected by industry leading firewalls and intrusion protection and detection systems.
ServiceChannel SSAE 16 Compliance
ServiceChannel’s platform has been certified as SSAE 16 (SOC 1 Type II) compliant. SSAE 16, or Statement on Standards for Attestation Engagements No. 16, is the new standard for reporting on controls at service organizations, essentially replacing Statement on Auditing Standards No. 70, known simply as SAS 70. This highest level of such certification covers not only a system description but also a detailed examination of controls, including their sustainability and effectiveness.
More About SSAE 16
Completion of the SSAE 16 SOC 1 Type II (Statement on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization) examination indicates that selected ServiceChannel processes, procedures, systems, and controls have been formally evaluated and tested by an independent accounting and auditing firm. ServiceChannel has always taken and continues to take our customers’ security and control requirements very seriously. We are committed to performing this audit on a yearly basis, ensuring that our processes and controls are audited to rigorous standards so we can provide a high level of comfort to both our customers and to the thousands of vendors and contractors who use our systems.
The SSAE 16 standard goes above and beyond SAS 70, an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. It comes with additional requirements for service organizations. A voluntary SSAE 16 audit is performed by an independent auditing firm that examines the controls and processes involved in storing, handling and transmitting data securely. The firm looked at ServiceChannel’s controls in key areas, including:
- Customer Contracts and Implementations
  - Control activities provide reasonable assurance that contract information is entered accurately and completely into the ServiceChannel database.
- Invoice Creation
  - Control activities provide reasonable assurance that invoices are created accurately and for completed services.
- ACH File Processing
  - Control activities provide reasonable assurance that the custodial account is funded and the ACH file is created accurately and forwarded to the NACHA platform for processing.
- Computer Operations
  - Control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage, and regular off-site rotation of backup files.
  - Control activities provide reasonable assurance that systems are maintained in a manner that helps ensure system availability.
- Information Security
  - Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized or unintended use, modification, addition or deletion.
- Application Change Control
  - Control activities provide reasonable assurance that unauthorized changes are not made to production application systems.
- Data Communications
  - Control activities provide reasonable assurance that data maintains its integrity and security as it is transmitted between third parties and the service organization.
Following the audit, ServiceChannel received a Service Auditors’ Report with an unqualified opinion, demonstrating that ServiceChannel’s policies, procedures, and infrastructure for data protection, security, and confidentiality met or exceeded the stringent SSAE 16 criteria. Certain control objectives specified in the description of the policies and procedures can be achieved only if the Complementary User Entity Controls (listed below) contemplated in the design of ServiceChannel’s controls are suitably designed and operating effectively, along with related controls at the service organization.
What does this mean for our customers?
The successful completion of this audit illustrates ServiceChannel’s ongoing commitment to create and maintain the most stringent controls for the protection and security of our customers’ confidential information.
ServiceChannel’s customers can easily incorporate its Service Auditors’ Report in their Sarbanes-Oxley compliance programs as proof that appropriate controls are in place. The SSAE 16 audit can also help ServiceChannel’s customers to comply with other regulations, including HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act of 1999), and ISO 27001.
Achieving the highest level of SSAE 16 certification (Type II) gives our clients the peace of mind about our processes and our data that today’s marketplace requires. It means that we continue to provide safe, secure services to our customers that relate to financial transactions (i.e., Work Orders, Electronic Invoicing, Cap-ex Projects).
Our compliance with SSAE 16 ensures that this transactional data is held in a secure computing environment that can only be accessed by authorized users. Furthermore, our compliance is required by most public companies using our software. In addition, it confirms that the processes and controls we employ to help our clients save money are sound and secure.
What exactly is the SSAE 16?
SSAE 16 is designated by the U.S. Securities and Exchange Commission (SEC) as an acceptable method for a user entity’s management to obtain assurance about service organization internal controls without conducting additional assessments. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SSAE 16 reports even more important to the process of reporting on effective internal controls by public companies.
An SSAE 16 examination is widely recognized because it shows that a service organization has been through an evaluation of its control activities as they relate to an audit of the financial statements of its customers. A Type II report not only includes the service organization’s system description, but also includes detailed testing of the design and operating effectiveness of the service organization’s controls.
Complementary User Entity Controls
ServiceChannel’s services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the control objectives related to ServiceChannel’s services to be solely achieved by ServiceChannel control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of ServiceChannel.
The following complementary user entity controls should be implemented by user entities to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities’ locations, user entities’ auditors should exercise judgment in selecting and reviewing these complementary user entity controls.
- User entities are responsible for establishing and communicating their privacy and security policies to their users.
- User entities are responsible for establishing their own regulatory compliance program and ensuring that their operations, including portions of their operations outsourced to ServiceChannel, are in compliance with applicable laws and regulations.
- User entities are responsible for complying with the terms defined within their ServiceChannel licensing agreement.
- User entities are responsible for maintaining the physical security of their data center and computer equipment interfacing with the ServiceChannel application.
- User entities are responsible for ensuring access for their personnel is appropriate based upon job responsibility. User entities are responsible for periodically reviewing administrator rights within their ServiceChannel account.
- User entities are responsible for timely communication of changes to personnel who have access to the ServiceChannel application.
- User entities are responsible for restricting access to files created by the ServiceChannel application to authorized personnel.
- User entities are responsible for ensuring that password security meets company/industry requirements.
- User entities are responsible for ensuring there is appropriate anti-virus protection for their environment.
- User entities are responsible for providing and maintaining accurate email addresses and must accept emails (or other electronic communications) from ServiceChannel at the email addresses provided.
- User entities are responsible for ensuring that identified problems are reported to ServiceChannel and for tracking those problems.
- User entities are responsible for monitoring network connections maintained between ServiceChannel and the user entities’ site(s) to help ensure connections are secure and operating as expected.
- User entities are responsible for ensuring changes to internal systems that interact with ServiceChannel systems are tested and approved according to their change management procedures.
- User entities are responsible for validating the accuracy and functionality of changes requested of ServiceChannel.
- ServiceChannel deploys various application releases throughout the year as part of the SaaS services. ServiceChannel communicates availability to its user entities prior to these planned releases, but it is the user entities’ obligation to consider whether to conduct user acceptance tests. If determined to be needed, it is solely the user entities’ responsibility to ensure that such testing activities are complete, including validation of the accuracy and functionality of the upgrades.
- User entities are solely responsible for validating the accuracy and appropriateness of the customizations which apply to their Client environment.
- User organizations are responsible for developing their own disaster recovery and business continuity plans that address the inability to access or utilize ServiceChannel’s services.