SaaS Security

Adaptive Planning partners with Savvis, a leading IT infrastructure services provider, to deliver an advanced on-demand security infrastructure that ensures customer data is never compromised.

World-Class Hosting Partner

Adaptive Planning has partnered with Savvis, a CenturyLink Company (www.savvis.com), a global leader in cloud infrastructure and hosted IT solutions for enterprises. Adaptive Planning manages the computer hardware, backups, releases, upgrades and database management, and Savvis provides the environment, secure cages, redundant power lines and high bandwidth solution access through the internet.

Savvis, a CenturyLink Company, is a premier managed hosting and colocation provider with global leadership in meeting customer demand for outsourced IT and cloud services. The combined infrastructure of Savvis and CenturyLink includes 50 data centers in North America, Europe and Asia. Adaptive Planning leverages their experience, best practices and support services to ensure the optimum experience for our customers. A recognized industry leader in the provision of hosting services, Savvis has over 2,500 unique clients, including more than 30 of the top 100 companies in the Fortune 500. CenturyLink, an S&P 500 company included among the Fortune 500 list of America’s largest corporations, is the third largest telecommunications company in the United States.

SAS 70, SSAE 16, and SOC 1

Adaptive Planning has completed annual SAS 70 audits since 2009. In April 2011 the AICPA announced that SAS 70 (Statement on Auditing Standards No. 70) was to be replaced by SSAE 16 (Statements on Standards for Attestation Engagements No. 16). SSAE 16 is the next generation of AICPA standards for reporting on controls at service organizations, including Software as a Service providers, in the United States. SSAE 16 goes beyond SAS 70 by not only verifying controls and processes, but also requiring a written assertion regarding the design and operating effectiveness of the controls being reviewed.

In addition, SSAE 16 is adopted from and closely aligned with the International Standards for Assurance Engagements (ISAE) 3402, the new international audit standard for service providers. Both entities (AICPA and ISAE) closely aligned each of their respective standards in an attempt to follow a growing move towards more international, globally accepted accounting standards. SSAE 16 and ISAE 3402 will now effectively become the dominant standards used for reporting on controls at service organizations. Therefore, SSAE 16 ensures that companies can compete on an international level, because customers worldwide can confidently entrust their business to those that are compliant.

An SSAE 16 audit results in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. A SOC 1, Type 2 report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system and/or service. It also includes an audit on the effectiveness of controls over a certain time period, normally between six months and a year.

Adaptive Planning completed its SSAE 16 examination in February, 2011, with Deloitte and Touche, and received its SOC 1, Type 2 report, which is available upon request. This SOC 1, Type 2 report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system and/or service. It also includes an audit on the effectiveness of controls over a twelve-month period.

Hosted Architecture

Adaptive Planning's Hosted Service is provided using our multi-tenant architecture optimized for delivery of software via the Software as a Service (“SaaS”) approach and is represented below:

Data Security

Adaptive Planning and Savvis collaborate on all aspects of security. Both companies devote significant resources to the ongoing evaluation of emerging threats, and continuously deploy new technologies to ensure the most secure, scalable and private system for our customers. There are four primary considerations for data security:

  • Security of the data as it is transmitted across the web from the hosting site to the customer.
  • Preventing one customer from being able to view another customer's information and preventing any other third party access.
  • Ensuring every authorized user within a company's user population has access to only the information and capabilities that have been specified by the budget manager, or the application administrator of the company.
  • Physical security of the server location.

Secure Transmission of Customer Data

Adaptive Planning uses the strongest encryption products to protect customer data and communications, including 128-bit encryption over HTTPS with 1024-bit public keys. The web interface to the Adaptive Planning solution incorporates the Managed Desktop Service (MDS)/Secure Socket Layer (SSL) protocols.

The purpose of the protocols is to provide security for the data by encrypting it as it is transmitted between the Adaptive Planning Application Server and the browser hosted on users' workstations. During use, the lock icon in the browser indicates that data is fully shielded from access while in transit.

SSL is the World Wide Web standard for protecting critical data and is used by banks, brokerages and others to protect their clients' data. It is almost certainly used for our customers' other communications security.

Prevention of Access of Customer Data by Another Customer or Third Party

Adaptive Planning engineers have developed the system such that it is not possible for one customer to see the data that belongs to another customer. The data that is stored within the Adaptive Planning application is highly proprietary and confidential information for each of our customers. As such, Adaptive Planning treats this information with great care and respect and provides the most secure environment possible by incorporating the following technologies and techniques.

  • Perimeter Security. Adaptive Planning protects both the production and corporate network perimeter with Cisco advanced firewall technology and an intrusion detection device, which are continuously monitored and managed by our in-house technical staff.
  • Application Security and Database Tables. Adaptive Planning is designed to make it impossible for one customer to access another customer's data. Adaptive Planning is a true multi-tenant system with one instance of the application and one instance of the database. However, unlike many other on-demand applications we do not co-mingle customer data. Therefore, each customer's Adaptive Planning application utilizes a unique and separate set of tables within the database. It is not possible for one customer's data to be accessed by anyone other than that customer's authorized users. Even Adaptive Planning support staff cannot view your data without receiving explicit permission (via an ID login).
  • Database Security. Adaptive Planning secures its production database by restricting the operating system and database connection levels, permitting a minimal number of access points (Port 443 - avoiding FTP, Telnet, external site access, etc.; Port 80 - sending help content to the browser) and by not sharing a master password database.

User Security

User ID and Password

Users access Adaptive Planning only with a valid username and password combination, which is encrypted via SSL for Internet transmission. An encrypted session ID cookie is used to uniquely identify each user; after 60 minutes of inactivity, the session times out and a new session must be established in order to access data. At the time of implementation, each user is assigned a system-wide unique User ID and password by the administrator. Upon login, each user may then change his/her password. The password is then encrypted using an MD5 hash and stored in the database. The User ID is used to map each user to their specific company data.

User Access Control

Adaptive Planning gives the administrator the ability to grant permission to users to access, view and interact with templates and reports. Each template can be secured further at the row level (e.g., rows can be made view-only or hidden). Sheets and reports will display only data within the user’s security rights. Only authorized administrators have access to all of the information in the system and the full range of administrative functions.

Each user is assigned one or more roles. Only those capabilities that have been granted to the specific roles are made available to the users. Users that have not been assigned specific roles are not aware that the other capabilities even exist in the system.

Adaptive Planning also provides a comprehensive audit trail for recording all interactions. The audit trail is searchable by your users based on various criteria (e.g., time period, dimension, user, account, etc.).

Physical Security

The Savvis Data Center is physically secure to avoid tampering and unauthorized access. Security precautions in place include:

  • On-site security guards 24/7. Standard security measures such as card access, wire fencing, bulletproof protection, man trap, cameras, alarms, etc.
  • Multi-step biometric identification and validation of visitor/employee access privileges.
  • Unique locked cages and cabinets for servers.
  • Both Savvis and Adaptive Planning have rigorous employee screening and nondisclosure/confidentiality agreements in place.
  • As a policy, no customer data is permitted to leave the Hosted Service site (other than the encrypted backup).

Only five Adaptive Planning employees are authorized to have access permission to the site. Authorization is controlled by our Vice President of Development and is periodically reviewed by our Executive Committee.

© 2011 Adaptive Planning, Inc. Adaptive Planning is a trademark owned by Adaptive Planning, Inc.