Trust & Security

Smoothlink Cloud Security Guide

HOW DOES SMOOTHLINK HELP OWNERS, BUILDERS AND SUBCONTRACTORS.

Procore has over 10,000 Owners, Builders and Subcontractors leveraging their software around the globe. They provide construction management software that connects the entire project team, from the office to the field and across companies, providing one place to work together to do what they do best––build.

In order to expand Procore platform, they offer open APIs that allow other applications to integrate, giving users the option to choose the tools that work best for them and their business. This is exactly what Smoothlink has done. We have provided purpose built integrations to the Procore platform to cater for unique business needs and processes to assist in supporting the entire project lifecycle with an integrated set of applications.

We help facilitate Procore vision of providing a single source of data, reducing miscommunication, errors and rework; eliminating delays; and maintaining history or future projects and dispute resolution, with a real-time, consolidated view of the entire project – so users know if projects are on-time, on-budget, and course correct quickly.

WHAT DOES SMOOTHLINK DO?

Smoothlink is a multiproduct ecosystem that seamlessly integrates with Procore. Whether its seamlessly integrating Procore with industry leading accounting systems, allowing Procore customers that ability to efficiently manage Cost+ contracts, removing manual uploads and silhoud email inboxes with our OCR invoice scanner or bulk extracting critical Procore data for close-out and handover process, smoothlink is purpose built to maximise your investment and increase your value in Procore.

Smoothlink is offered as a multi-tenant, Software as a Service SaaS, cloud-based solution, and is accessed via the public internet (over a securely encrypted connection). With cloud-based technology, software and hardware management and maintenance tasks are offloaded to the service provider, which frees up resources for you to focus on driving value with your business.

Smoothlink is hosted on AWS Global Infrastructure, as well as DigitalOcean Global Infrastructure and offers native mobile apps for iOS and Android for relevant Products.

WHAT DOES SMOOTHLINK BEING A CLOUD-BASED SAAS SOLUTION MEAN?

Before cloud-based solutions, users typically installed software on their computer hard drives, which ran a program. And they stored the data locally, on their hard drives. Later, software was installed on servers that resided at the customer’s business so that people that worked in that office could access the program and store their information in-house. The challenges that companies faced with these approaches were:

    1. Keeping software up to date
    2. Maintaining enough storage space
    3. Troubleshooting and repair
    4. Ensuring access to information

Cloud-based solutions, like Smootlink, address all of these challenges. Smoothlink offers a cloud-based solution made available to customers as Software as a Service SaaS. Data is securely stored for efficiency and accessibility for users. The service is delivered over the internet and accessed via a web browser. This eliminates the need for a large capital expense to buy hardware and software to set up and run an on-site data center.

      • The Smoothlink team keeps the software up to date and secure and regularly introduces new functionality. Smoothlink makes unlimited storage available for an unlimited number of users. It is flexible to meet customer needs.
      • Smoothlink offers 24/7 support to everyone on your team.
      • Smoothlink has comprehensive security and logging tools for managing access and determining who can see what information, according to their role.

An added benefit of cloud computing is that data is backed up in multiple regional locations. This makes it easier to recover in the case of a disaster and supports business continuity. The storage is flexible and scalable, and the software is maintained remotely by Smoothlink. Therefore, you can focus on building while we focus on building software for people like you, who build the world.

SECURITY

Smoothlink understands that there’s a lot of trust on behalf of our customers to keep their data on the Cloud. Security is a top priority for Smoothlink, and we continue to invest significantly in broad initiatives to ensure that our customers’ data is safe, secure, and private. Smoothlink uses a shared responsibility model which means that while Smoothlink employees perform some administrative tasks, customers manage their accounts, data, projects, and more.

How does Smoothlink design security?

Smoothlink takes steps to protect your information throughout the Software Development Lifecycle and in the design of our architecture and infrastructure. Our Information Security team is consulted at each phase of development, and they are part of code reviews.

Where is customer information stored?

To provide redundancy and reduce latency, Smoothlink uses a robust global network of servers in 5 locations, maintained by DigitalOcean and Amazon Web Services, for file storage. All systems run monitoring tools with automated alerts integrated with an on-call rotation and automatic escalation. Information on which File Storage Profile is being used to house a customer’s data is available in their portal.

    • Data Redundancy means the same piece of information exists in multiple places. Having redundancy helps Smoothlink restore the data in case of corruption or accidental deletion in the event of an incident.
    • Latency refers to the time it takes for data to be transferred between its original source and its destination. By having a worldwide network of servers, customer data can be stored at a site in their designated region.

AWS & DigitalOcean provides enterprise-class tools that have been proven to be both reliable and secure for today’s web-based applications. Amazon’s & DigitalOcean’s cloud computing services are in use at companies of all sizes, from startups to large enterprises. By leveraging the AWS & DigitalOcean network, Smoothlink can offer our customers unlimited data storage on the Smoothlink Platform.

Data Center Security and Compliance: How does Smoothlink’s Cloud Service Provider CSP safeguard data?

Amazon Web Services (AWS) & DigitalOcean are Smoothlink’s Infrastructure as a Service IaaS providers. AWS/DigitalOcean provide Smoothlink and our customers the flexibility to scale as needed, and the knowledge that all data is hosted securely and privately. AWS/DigitalOcean provides the physical security access controls to the physical hardware used to provide the Smoothlink solution. For more information on AWS or DigitalOcean security protocols, please refer to their webpage.

How does Smoothlink monitor its data server provider?

Smoothlink’s relationship with AWS and DigitalOcean are as an Infrastructure as a Service IaaS vendor. They provide the hosting capacity on which we build the Smoothlink SaaS platform. AWS/DigitalOcean is not engaged in a consulting or product-specific capacity. They have no responsibilities or duties which are derived from the specific nature of our software or our customers. The access granted to Infrastructure Partners is managed via technical controls based on the policy of least privilege: “Access to Information: The provider must be given the least amount of network, system, and/or data access required to perform the contracted services. This access must follow applicable policies and be periodically audited.”

Smoothlink Access and Information Sharing

Smoothlink takes steps to ensure the right people have access to the right information and the wrong people don’t. We built in tools and control mechanisms at multiple levels to help you collaborate and securely share information to the extent you decide.

How does Smoothlink handle access for users?

During the implementation process, company-wide settings are applied for access levels and security settings. These are called role-based access controls RBAC. Administrators then execute these controls on an ongoing basis. For subsequent configuration changes, people with the appropriate permissions submit requests.

Smoothlink provides options for role-based permissions for web and mobile applications. Among the security setting selections are: 2 factor authentication, lockout after failed sign-in attempts, password expiration, and idle session timeouts. Company administrators can unlock accounts.

Which teams at Smoothlink can access my information?

Smoothlink’s Access Control Policy adheres to the principle of least privilege, where employees, contractors, and all third-party vendors will be provided the least amount of access required to perform their job functions. Management is committed to testing and monitoring programs designed to ascertain whether the systems of controls and their component parts are functioning as intended and whether they afford an acceptable level of protection as time and technology advance. At a minimum, management will review access granting and control effectiveness on a semi-annual basis. Direct access to client data is limited to legitimate business needs, including activities required to support clients’ use of the Smoothlink SaaS applications. Employees may only access resources relevant to their work duties.

Network Security Management

Smoothlink takes network security very seriously to ensure that customer data is transferred to and from the production system securely. Smoothlink manages this through network observability, web application firewalls, hardened server configurations, patching, strong encryption, and DDoS protection.

How are Smoothlink’s firewalls configured?

Following the principle of network segmentation, Smoothlink only allows necessary communication for valid business purposes. System firewalls, network security groups and advanced WAF technology are employed to protect Smoothlink assets. All system firewall rules are managed by configuration software and all changes are reviewed before deployment.

How does Smoothlink protect against distributed denial of service DDoS attacks?

Smoothlink utilizes DDoS mitigation services from their hosting provider to protect all Smoothlink production networks. These are robust cloud-based solutions encompassing real-time traffic modeling right down to server-level anomaly detection and attack mitigation and includes three layers of protection to identify and filter hostile traffic 24 7 365 to ensure customer uptime in the event of a DDoS.

How does Smoothlink monitor for technical vulnerability and viruses?

Smoothlink subscribes to manufacturer and independent security notification services to monitor potential external threats. Smoothlink uses automated tools and documented procedures to build and configure all network equipment, systems, and servers from approved playbooks. Systems, platforms, and applications are configured to minimize security risks.

Leveraging state-of-the-art CSPM and Vulnerability Management tools, Smoothlink continuously monitors all environments for vulnerabilities and risky misconfigurations. Our Vulnerability Management Program VMP handles identified vulnerabilities and misconfigurations. System patches are measured against documented Service Level Objectives SLOs).

Smoothlink has established a standard Incident Response Plan that is used for any application level or security incident. This is based on industry best practices and is reviewed regularly.

How does Smoothlink secure applications?

Smoothlink customers access the Smoothlink environment via the public Internet. Transport Layer Security TLS is an encryption technology that Smoothlink utilizes to protect clients’ private information while it is in transit via the Internet.

To protect all data stored by our customers on the Smoothlink Platform, Smoothlink encrypts that data while stored at our data center providers. Data at Rest DAR For DAR Smoothlink utilizes provider-managed device encryption services.

Data in Transit: Smoothlink connections are secured using HTTPS protected by Transport Layer Security TLS. The data in transit is encrypted using the AES256 standard, the secure hash algorithm SHA2 for message authentication, and RSA as the encryption key exchange mechanism.

All services use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard AES256, to encrypt your data. The provider-managed encryption services provide that the keys are securely managed.

HOW DOES SMOOTHLINK MAINTAIN DATA AVAILABILITY?

Smoothlink uses several industry standard enterprise application management solutions to monitor systems, trigger alerts based on event logs, and to facilitate alerting, trend analysis, and risk assessment.

Continuous monitoring of critical network events with our robust observability and eventing platforms give the Product Security team the ability to identify and address any unauthorized access to assets (including access to client data) within the SaaS production network. Alerting is in place to notify the Product Security team of any issue.

Support and incident management

Smoothlink has established a cross-organization standard Incident Response Plan that is used for any application or availability incident. This is based on industry best practices and is reviewed regularly.

Backup and retention

Smoothlink maintains a robust “high-availability” strategy to protect our customers against software problems, hardware failure, and large-scale natural disasters. The pillars of this approach are redundancy, geographic diversity, and replication of data. These pillars protect our entire information technology infrastructure. All hardware and software used to store customer data and deliver the Smoothlink application to our customers is protected. Smoothlink also maintains a disaster recovery plan in case a full restoration is needed.

Smoothlink maintains several replicas of the application software on each server. This replication allows for fast roll-back in the event of a software issue. We maintain the software on multiple servers located in different secure data centers. This diversity protects against hardware failure and local service issues. In the event of any failure, our system logic sends any customer requests to another server. This redundancy allows us to service the affected system with no customer impact.

Our service providers host the database in secure data centers. Smoothlink’s “simultaneous replication” architecture maintains the data across these data centers. Data is written to independent servers located in at least three separate locations at any time.

ONBOARDING, INTEGRATIONS, AND UPDATES

What do onboarding processes look like?

Smoothlink Customer Success team is dedicated to ensuring that you will have a successful rollout of Smoothlink Products across your entire company and any new construction project. For all customers and Smoothlink Products, a dedicated Smoothlink Implementation Manager will walk you through each phase of the Implementation Roadmap. We also recommend that you establish an implementation team with focals for us to work with. Together we will work as a team to ensure that the entire implementation process is both efficient and thorough. The goal is for each member of your team to be sufficiently trained on how to use Smoothlink Products to perform their respective roles and responsibilities.

How does Smoothlink manage software updates?

Smoothlink regularly releases software updates with new features and improvements. We provide information and release notes on new releases, as well as early looks at upcoming new features. For more information, please see our Product Releases page. The Smoothlink SaaS solution is updated for all clients at the same time. There is no scheduled downtime window. Updates and Maintenance are designed not to affect the user experience.

In the event that a planned maintenance issue would affect access to the platform, this would be communicated ahead of time so that any impact could be discussed with clients.

Smoothlink Product and Technology teams embrace an agile development & deployment framework. This allows individual product squads to continuously release fully Q/A’d product upgrades and enhancements across the entire platform, with the product releases happening multiple times per day/week. For major functionality or UI updates, Smoothlink will often allow for use of the “legacy solution” for a period of time to allow for testing and feedback.

Smoothlink utilizes Test and Development servers to provide testing and validation on any update to the platform prior to general release. For planning purposes, all releases, enhancements, and major changes are fully described and delivered to the system admin well in advance.

Leveraging state of the art CSPM and Vulnerability Management tools, Smoothlink continuously monitors all environments for vulnerabilities and risky misconfigurations. Our Vulnerability Management Program VMP handles identified vulnerabilities and misconfigurations. System patches are measured against documented Service Level Objectives SLOs).

How does Smoothlink enhance the software on an ongoing basis?

Regarding product enhancements, the most important thing about Product and Technology at Smoothlink is the common thread of our customers. Nothing happens without the input, ideas, and consultation all coming from the customers. There are a few ways that customers can get involved with Smoothlink’s Development Process. After doing so, you will be taken to our User Voice Feedback Forum where you can vote on other users’ ideas. This feedback informs our Product team’s development priorities. We also run beta programs on new products and features and invite customers to participate.

For information on the international process for product release, please speak with your customer success manager.

Smoothlink Resources

Smoothlink Account Executives stay beside you to make sure the onboarding process goes smoothly. Our Customer Support team manages the integration process. Our technical services team gets engaged in executing the plan. We also provide on-demand and live training.

Smoothlink will provide two key resources to our clients: an Account Executive (Sales), and a Customer Success Manager (Customer Success). Resources also include a variety of documentation, training materials, and services, such as an online support portal that contains written\tutorials, videos, FAQs, and guides. Smoothlink has materials to help a variety of learning styles.

Smoothlink also offers specialized consulting services for a fee.