Nakisa Security: Your data in the best hands

Our solutions are built on the Nakisa cloud platform, a super secure environment that protects your information with data encryption, role-based access control, advanced authentication and authorization features, and extensive audit capabilities. We got your back.

What is Nakisa

Nakisa is a cloud-native enterprise application provider that empowers Lease Accounting, Lease Administration, Real Estate, and HR teams. Our business-critical solutions provide teams with insights, workflows, and automation so they can perform tasks efficiently and focus on more value-added activities.
To build our applications, we leverage state-of-the-art tech stacks and industry-proven methods such as Kubernetes, Kafka, CI/CD frameworks, and more. The foundation of what we create is the Nakisa Cloud Platform, a secure, flexible, API-driven cloud architecture that enables our customers to connect their finance solutions and ERPs like SAP S/4HANA to our products.

Our solutions include: 

Nakisa Lease Administration: a solution for lessees and lessors to have full control over growing portfolios of leased assets and ensure compliance with IFRS 16, ASC 842, and GASB 87.

Nakisa Real Estate: a solution for commercial real estate teams for day-to-day operations, real estate  portfolio management and optimization, and accounting compliance.

Nakisa HR Suite: a solution for HR professionals to manage workforce planning, organizational design, visualization, and analytics, as well enabling them to predict the effect of a future event on human capital.

We’re proud to serve more than 1,100 clients and 6.6 million users in 135 countries. Companies like Walmart, Pfizer, Puma, Nestlé, ExxonMobil, and Airbus rely on us every day, benefitting from the unparalleled flexibility, scalability, and speed of innovation we provide them.

Your Security is Our Priority

Building trust means peace of mind. That’s why we promise our clients we’ll be their most trusted software partners—and we deliver on that. Nakisa uses the most established, industry-proven cybersecurity and risk management practices and resort to the leading technology services providers.

Also, our experts rigorously follow the latest industry standards to protect your data and systems at every stage of their lifecycles. This way, you can perform your daily operations and design your business strategy with all tranquility.

Welcome to our Security Cockpit

At Nakisa, we empower our clients to manage and control the security aspects of their solutions as they see fit. Leveraging the Security Cockpit, clients can:
  • Manage identities and access with out-of-the-box role-based access controls
  • Run authentication mechanisms, including single sign-on (SSO) and multi-factor authentication.
  • Monitor the state of their solutions and environments, ensuring everything runs smoothly for users.

Certifications & audits

As the security and privacy of your data is our priority, we take every step necessary to assure our clients of this commitment. This includes voluntarily undergoing the lengthy process of independent third-party certification based on industry standards.

As part of Nakisa SOC 1 Type II & SOC 2 Type II audit report, which is released on an annual basis by a global 3rd party auditing firm, Nakisa has implemented and adheres to strict information protocols, including the security, availability, processing integrity, confidentiality, and privacy of our partners’ data. 

The above SOC reports, penetration test reports, and other certifications are available in December of each year to our partners and prospects upon request. To request any of our certifications or reports, click here. 

GDPR requirements

As a SaaS provider, Nakisa has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure our cloud solutions are meeting those requirements.
These practices include:
    • Search for records within the app, with support to remove specific information if needed.
    • Providing our clients with configurable privacy and compliance settings such as using their own SSO, controlling who can access the application and what kind of information, and more.
    • Providing sufficient data transfer methods to our clients.
    • Maintaining records of processing activities.
    • Training employees on security and privacy practices.

Our third-party security measures

Nakisa’s data center providers employ a variety of security mechanisms, covering both physical and virtual access. Our data center providers are all certified by independent auditors and third-party organizations so that we can deliver the best security measures available to our global clients.

Nakisa’s service providers comply with the following standards:

C5 [Germany]

Cyber Essentials Plus [UK]

DoD SRG, FedRAMP, FIPS IRAP [Australia]

ISO 9001, ISO 27001, ISO 27017, ISO 27018

MLPS Level 3 [China]

MTCS [Singapore]

PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1/2/3.

Encryption of data at rest and in transit

Users accessing Nakisa solutions via the internet are protected by Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS). All data, including backups, are fully encrypted using AES 256 for data at rest (See “Encryption key management”) and TLS 1.3 for Data in transit.

Encryption key management

Encryption of data at rest is possible by leveraging a solution from our global cloud service provider and is managed by software, avoiding exposure to any human. To ensure maximum security, the keys are not managed by anyone. They are only visible to the client instance and can be used to decrypt data within the instance only. Also, note that the key management complies with FIPS 140-2, which provides independent assurances about the confidentiality and integrity of our key management. As part of our application architecture, we ensure your databases are logically separated from other clients, thus increasing the security of your data.

User authentications and profiles

Nakisa’s authentication and authorization setup uses industry best practices and standards and allows clients to either leverage their own single sign-on or use Nakisa Identity & Access Management. Nakisa offers role-based access, meaning the clients can decide how to grant access to each user.

Single sign-on support

This single sign-on (SSO) login standard has significant advantages over logging in using application-specific usernames and passwords: no need to remember and renew passwords for each application, no weak passwords among others, and one credential for all applications to unify your personal password management, supporting your company’s password policy. The SSO is supported by configuring SSO via SAML2, which will authenticate and fetch roles and user population credentials. The fetched list of groups will be assigned to the logged-in user from LDAP. The users will be validated through a SAML token, securely exchanged between the Identity Provider (IdP) server and the Nakisa application server. SAML allows for a seamless SSO experience between the client’s internal identity and access management solution and Nakisa solutions.

Nakisa Identity and Access Management (NIAM)

The Nakisa Identity and Access Management solution (NIAM) is available to clients who use Nakisa’s authentication system rather than SSO. It is a simple solution that allows organizations to easily manage their user’s provisioning and authentication to Nakisa’s SaaS solutions through a single platform. NIAM enables you to access your users through an enterprise-grade identity and access management solution while ensuring the right roles and profiles are assigned. Each role has different access privileges that can be individually assigned and limited by scope and duration. Whether you provide access to partners or employees from multiple subsidiaries worldwide, you’ll offer the same seamless experience your users expect while effectively managing the sensitive aspect of data access. Please get in touch with your Nakisa Account manager for more details about this solution.

How do Nakisa engineers access the systems to provide support?

  Under Nakisa’s Access Management policy, when an issue is raised via our support ticketing system, our support team will request client approval for temporary access to investigate and resolve the issue for the specific environment/s. This access is granted for a limited time, enough to resolve the ticket with auto closure enabled by the system when access is approved. In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly:
  • High privileged and user accounts review is performed at least twice a year. 
  • Logs are reviewed monthly. 
  • Monitoring tools are in place with notification to appropriate individuals for abnormal events/activities. 
  • Access authorizations and requests are reviewed periodically. 

Cloud infrastructure access and authorization

For greater security while accessing our cloud infrastructure, Nakisa has an Access Control List (ACL) that ensures only pre-approved cloud engineers can perform specific tasks defined by their roles. To access the cloud infrastructure, we utilize multi-factor authentication (MFA), which requires approval from different managers and heads of departments, with the final required approval from our Chief Security Officer. 

In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly to review such accesses and corresponding logs.

Application logs & auditing

Application logs enable you and your auditors to review all the activities performed by the users and the system to ensure data integrity. We allow our clients and their auditors to leverage our ITGC capabilities and log all types of activities and data transfers in the system. 

You can easily review and download all the logs, which demonstrate all types of activities by the users, such as system access, data, and configuration modifications, as well as system activities, such as automatic jobs and other data communications between Nakisa solutions and any other solutions integrated, directly from the Nakisa applications. You can also revert actions when needed.

Dedicated, encrypted site-to-site integration through Nakisa Cloud Connector (NCC)

Nakisa uses industry best practices and standards to integrate our SaaS solutions with your internal ERP systems or any other data source so that you can leverage your data with our solutions. 

The Nakisa Cloud Connector (NCC) enables integration between your ERP of choice and Nakisa SaaS applications with security and data integrity at its core. To ensure secure data transfers, NCC uses a two-way encrypted channel for all communication between ERP servers and Nakisa Cloud (using TLS over TCP), removing the need for back-channel VPN tunnels. The connector uses an ERP gateway to access the backend servers, enabling IT professionals to configure and leverage existing ERP infrastructure and security frameworks. Dedicated endpoints are provided for each client, completely isolating their communications with their on-premises ERP infrastructure. 

We also provide you with the information needed to enable your IT team to allowlist Nakisa solutions to ensure the security of communication and data transfer. 

Read more about  NCC for Finance Suite  and  NCC for HR Suite  users. 

Secure Software Development Life Cycle (SSDLC)

Security is at the core of our software design. We’ve adopted numerous best practices and leverage the OWASP framework for our software development to ensure security by design right from the start.

Code Review

All changes to our code are tested by our Quality Assurance (QA) team, and criteria are established for performing code reviews, web vulnerability assessments, and advanced security tests. We conduct manual and automated code reviews before checking in code. After code checks, the QA teams perform regression and functionality tests. In addition, we also use in-house and third-party solutions such as Veracode to conduct vulnerability assessments and security tests on our application. Vulnerability tests are carried out before each release, and as often as needed, where we test the solution from A to Z. Upon development, we deploy in a lower environment to enable stakeholders to test the solution before deployment in the production system. All such activities are recorded as part of our change management policy (please note that our auditors validate our enforcement of changes as part of SOC 2 audits).

Quality assurance

Each product release is put through a stringent functionality test, performance tests, stability tests, and UX tests before they are released. We validate the releases in internal builds followed by lower environments before pushing them to the production system following our change management policy.

Vulnerability assessment & penetration testing

We use various tools for analyzing the code and checking for security vulnerabilities, such as Veracode and OWASP, before any release. Our strategy is to prevent security vulnerabilities first, then use industry-standard validation tools and techniques to validate that prevention worked. Issues identified through vulnerability assessments, penetration tests, and network vulnerability scanning are prioritized based on criticality and risk.  

Vulnerability scans, including SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Container and Dependency Scanning, and Penetration Testing, are carried out in every release and as often as needed. Following the best practices of OWASP, we aim to identify and remove standard and advanced web application security vulnerabilities, including, but not limited to, the following:   

  • Cross-site request forgery (CSRF)   
  • Cross-site scripting (XSS)  
  • Improper input handling (SQL injection, XML injection…) 
  • HTTP response splitting   
  • Authentication and authorizations  

  

We leverage a global 3rd party auditing firm to perform penetration testing on our solution, and the report on such tests can be provided to you upon request. We also offer all our SaaS clients the ability to conduct penetration testing on the lower environment of the solution, enabling you to evaluate Nakisa’s cloud security and measures yourselves. In order to perform a penetration test, please discuss your penetration testing needs with your Nakisa Client Success Manager.

Malware protection

Nakisa Cloud only uses non-Windows operating systems, and all systems follow a hardening baseline policy for security management. Note that our deployment architecture is based on DMZ, and no end-user access is available to server resources at the OS level. User-uploaded documents are not stored in the server file system and are not accessed at the server level. Also, Intrusion Detection Systems and Intrusion Protection Systems (IDS/IPS) and firewall layers secure inbound and outbound access on system ports, monitoring and reporting login attempts, account creations, and periods of system non-availability. All Nakisa employees use systems that have antimalware, supporting real-time scanning and security, and automatic updates are enabled on devices.

Security Monitoring

We have various security measures and systems that continuously monitor for malicious activity, attacks, and unauthorized behavior from multiple perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and test results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.

Business continuity, disaster recovery, and backups

Nakisa’s disaster recovery plan provides that in the event of a disaster defined as a natural or human-made condition that could render your subscription services inaccessible for more than one day (“Disaster”), Nakisa can resume services following this Subscription Services Agreement within one day from the event. RTO (Recovery Time Objective) for Nakisa cloud solutions is within one day, and RPO (Recovery Point Objective) is the last daily backup.

As part of Nakisa’s compliance process and SOC auditing, disaster recovery capabilities and plans are tested continuously. Disaster recovery simulation events are conducted by creating an event that results in losing an imaginary client’s data and access to their system. This test requires Nakisa to declare a disaster and trigger our DR action plan, as our Support & Cloud Services teams cannot bring the system back up. A data restore is triggered on a newly built infrastructure and restores the latest backup within our contractual timeframe.

Disaster recovery on the cloud is done by leveraging our cloud service provider’s resource availability on-demand. Using our cloud service provider’s specific APIs, a failed resource is restarted automatically in the case of a crash, and a backup is used to restore the system. Restoration and disaster recovery are achieved using the most recent or desired backup file and restoring all backed-up data. 

Concerning our client’s production environment, Nakisa shall provide the following data back recovery points. 

  • Client data backups are stored in the same region as the client instance but in different data center locations to ensure recoverability in the event of a natural disaster. 
  • The backups will be periodically tested as part of the BCP (Business Continuity Planning) testing. 
  • The backup logs will be reviewed for errors and abnormal durations, and we look for opportunities to improve backup performance.  
  • Corrective actions will be taken when backup problems are identified to reduce risks associated with failed backups. 

Note that a calendar week starts on Sunday at 12:00 AM until the following Saturday at 11:59 AM ET. 

Backup Types

Daily

Weekly

Monthly

Available Recovery Points

Any of the last 7 daily backups

Any of the last 4 weekly backups

Any of the last 3 monthly backups

Data sovereignty & transparency

We provide transparency into the geographical regions where our clients’ data is stored, and our clients can select the desired location from a list of possible regions.

Incident management

Nakisa has an incident management policy that follows the industry standard depending on the priority of the incident and its effect on our clients, which is reviewed at least annually by an independent global auditing firm. Also, per the SOC 2 compliance and Nakisa’s Incident Management policy, a support case is triggered after each security incident, which details the incident and flags the appropriate level of urgency to address and resolve it. Resources are assigned as needed to each incident based on support triage to identify the root cause and proceed to resolution. In the event of a security incident, the entire environment will be disconnected, thus removing the ability of anyone to access the system.

Nakisa Service Level Agreement (SLA) for security incidents and mitigations

In case of any potential or active security incident of which Nakisa is made aware, we address the security ticket following a priority level assessment – low, medium, high, or critical – based on the security incident’s impact on our clients. We provide different mitigation timelines in addition to daily updates and root cause analysis documentation that captures the required details and indicates the preventative actions that will be taken in the future.

Physical perimeter security

Datacenter physical security begins at the Perimeter Layer. This layer includes several security features, including, but not limited to, 24/7 security guards, fencing, surveillance cameras, and intrusion detection technology. This includes scrutiny of the access, controlling the entry, monitoring for unauthorized entry, etc. All physical access to the inside perimeter layers is highly restricted and stringently regulated, and logs are available for periodic review.

Capacity management & load balancing

We leverage a global third-party provider’s services to offer on-demand and automatic capacity expansion and distribute traffic from our clients across multiple zones to support high availability. While ensuring no one server is overworked, which could result in degraded performance or unavailability (See “Availability” section for more details), you can instantly expand or reduce the capacity needed without technical support or additional investment in the infrastructure.

Cloud availability

We provide up-time of at least 99.5% for our Cloud (SaaS) clients with high availability. Using the latest cloud technologies enables us to increase resources on the run and ensure continuous system operations if systems face issues. This means our clients do not have to deal with poor system performance or major downtime.

Monitoring

We have various security measures and systems that continuously monitor for malicious activity, attacks, and unauthorized behavior from multiple perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and test results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.

System and performance monitoring

We have various security measures and systems that continuously monitor for malicious activity, attacks, and unauthorized behavior from multiple perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and test results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.

Maintenance

All scheduled and planned updates to Nakisa applications during which Subscription Services may not be available to our clients take place during our standard maintenance window over the weekend to minimize user disruption. The client will be notified of any other planned downtime seventy-two hours in advance. Nakisa will diligently mitigate the risk of undue disruption to normal business operations. In case of emergency maintenance where Nakisa needs to make the Subscription Services unavailable to perform a maintenance operation outside of any Scheduled Downtime period, the clients will be notified of an Emergency Maintenance as soon as possible.

Nakisa SLA for support

While our configuration management process and proactive monitoring prevent most issues from affecting you, we’re prepared to respond when an event causes downtime of your system. We’re pleased to solve any issues based on our industry-standard response times. However, we understand that some issues require immediate attention. Thanks to our escalation policy, you can rest assured that the necessary resources will be allocated for a timely resolution when needed. We also perform regular tests of our disaster recovery capabilities to ensure we’re ready to respond efficiently and promptly when unplanned downtime happens.

Frequently asked questions

Robust information security policies are set in place and are enforced company-wide, as well as with contractors, and are available to our SOC 1 and SOC 2 auditors through Nakisa portals. We review these internal policies annually and communicate changes to ouremployees/contractors via internal communication portals. More details on the above policies are provided in our SOC reports.  

Here are a few of our internal policies that ensure our team handles our clients’ data with the utmost security:  

  • Change Management Policy;  
  • Risk Management Methodology;  
  • Access Management Policy; 
  • Information Security Policy;  
  • Risk Management policy;  
  • Information Asset Management Policy;  
  • Incident Management Policy;  
  • Data Retention and Disposal Policy;  
  • Data Protection Policy;  
  • Data Retention and Disposal;  
  • Information Security Awareness Policy.  
Nakisa’s approach to security is built on the shared responsibility model with leading and trusted cloud service providers. While we regularly review the third-party audit reports of our cloud service providers, internally, we share the responsibility of security controls throughout the organization, including HR, IT, CloudOPS, Products, and R&D. We leverage frameworks such as NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and CSA CCM (Cloud Security Alliance Cloud Controls Matrix) and attest to our system’s description and controls through our SOC Type 1 and SOC Type 2 reports.
Nakisa has been working on FIPS compliance for more than a decade to keep its network secure and protect its precious customer data by phasing out any non-compliant components with the ones that comply with the latest FIPS 140 standards. As such, recently, Nakisa has a dedicated release to update its Cloud Connector to stay compliant with FIPS 140-2 standards for cryptography modules. Nakisa also offers free dedicated support to help its customers update their infrastructure to remain secure and compliant with the latest FIPS cryptography standards. Read more about our FIPS compliance here

All client data is isolated, segregated, and encrypted using unique key encryption for each client. 

Nakisa’s environments are not publicly accessible and can only be accessed via a Virtual Private Cloud (VPC). Additional protection is provided by ACL (access control list) firewall rules that only allow traffic from specified ports to and/or from specific destinations. Access is exclusively via HTTPS and uses a reverse proxy to protect the environment from the outside world. 

Data is encrypted in transit using standard secure web protocols and at rest using cloud service providers’ volume encryptions. Our cloud service providers administer the encryption method and key management infrastructure.

Nakisa works with trusted cloud service providers to constantly monitor the environment’s security, and we’ll take necessary corrective action to mitigate the risk of intrusions. We leverage monitoring and detection tools to identify potential threats and follow our incident management processes to triage alerts and take the necessary actions. 

We follow a diligent change management policy with procedures for the segregation of duties. Security is a significant component that could drive a change in our solutions to ensure that risks are treated following their evaluation. Security also evaluates changes and is a stakeholder in the change management process. 

The high-availability, scalable, elastic environment enabled by our cloud service providers offers automated, online, encrypted backup functionality to ensure that all data is redundantly stored and secured.

As per the Nakisa Incident Management policy, a support case is triggered after each security incident, whether identified through our monitoring and detection tools or by a user. This support case details the incident and flags the appropriate level of urgency. Resources are assigned as needed to each incident based on support triage. 
To request any of our certifications or reports,  click here  Are you considering Nakisa solutions? Reach out to our team today to get all your security questions answered!   If you’re an existing client, please contact your  Account Manager  for more details. 

Considering Nakisa solutions? Reach out to our team today to get all your security questions answered!  If you are an existing client, please contact your Account Manager for more details. 

HR-Suite-Main

Nakisa
HR suite

Nakisa
Finance Suite

📃 Download our 2023 Voice of Client Report and explore the improvements we've made based on your feedback! ✔

HR-Suite-Main

Nakisa HR suite

Nakisa Lease Administration