
Security and privacy

ANS

Security is one of the key features of all products built at anteia, which is why we take steps to stay one step ahead.  We develop our products under security and privacy by design principles. We adapt to the regulatory compliance of each country where we operate. 

 

We ensure the integrity, confidentiality and availability of information according to risk profile, customer objectives and regulatory requirements. Thus, we implement an Information Security Management System (ISMS) that allows us to evaluate and deal with data security risks in a structured, efficient, documented manner that is adapted to changes in the environment.


DevSecOps.

The security of our software is integrated in the life cycle of its development. From the moment our products are designed to their integration and deployment, we analyze possible vulnerabilities and weak points.

Diagram 10: Vulnerability Management Cycle

Multiple authentication factors.

We use a wide range of authentication factors that can be modified according to our customers' requirements. These factors include OTP messages (phone or e-mail), facial biometrics, device ID and GPS location.

 

Taxonomy of documents. 

When analyzing identity documents, we not only check that the information in the document matches official databases, but we also review the anti-counterfeiting measures of the documents such as digital codes, text fonts and holograms.

 

Proof of life.

The proof of life system verifies that the person doing the authentication is not using a photo or video of another person. This check is done with a passive and an active verification. In the passive verification it is checked that the video is not being modified by a "Deepfake". On the other hand, the active verification consists of instructing the person to do different poses while recording the video to ensure that the video is not pre-recorded.

 

Biometric data protection. 

Biometric data captured by anteia are transformed into biometric templates before being saved. These templates cannot be linked to a user; therefore, in the event of a data leak, they do not represent a risk of exposure of sensitive data.

 

Service availability.

anteia offers an availability of 99.9%, which is equivalent to an approximate downtime of 8.77 hours per year. anteia takes multiple measures to guarantee a high availability of its services. These include auto-scalability of its services depending on demand, malicious packet blocking, DDoS detection and the use of failovers and backups.

Privacy of information. 

We anonymize the information so that no data can be associated with the identity of a user. We have created a system in which we do not need to store users' personal data: names, surnames, identity documents, contact information, geographic locations and other personal data will be stored as hashes, which are impossible to associate with the user's identity. We make sure that the user understands what is done with their personal information.

 

Information processing policy.

anteia does not manage the data as such but stores its hash, which is anonymous and prevents the data from being linked to the identity of the End User. anteia anonymizes the data it receives through the Client, so it is responsible for the security of the data until it has been anonymized.

 

General information security policy.

Our security policies and processes are aligned to comply with the security standards of the ISO/IEC 27000 family. Within anteia we are constantly working to manage our security policies and improve day by day to keep our customers and end users safe.

 

Sensitive Data. 

We use Biometric Data (such as facial features, voice, among others) in order to verify personal identities and obtain biometric templates for further identity verification.

Support and maintenance

Particular Requirements (customization or adaptation).

 

It may happen that the organization requires a series of particular additions or adaptations to the anteia system, which by definition will require programming work by the anteia development team. If the requirements are generic, i.e. apply to the installed base of anteia customers, they are evaluated and included in the anteia release roadmap and will then be available at no cost (when the corresponding version is released).

 

In case the requirements are particular and exclusive to the Organization or if it is not possible to wait for the next version to have them, the Organization must make a requirements survey (following the requirements specification guidelines) for each requirement and send the specification to anteia.

 

With this written specification anteia quotes the requirement. After the quotation is accepted in writing by the organization, development begins, according to the priorities of the anteia development team. All system programming tasks are performed in Colombia, where the development team is located. The cost of the installation after the development of these particular requirements will be included in the respective quotation and in case of agreement and if there is an existing contract, the corresponding annex will be modified. 

 

Definition of Maintenance and Support:
 

  • Maintenance: the updates, improvements and new versions of the platform, which anteia may perform freely at any time as long as they do not affect the service. In the event that a change is required by the client at the integration level, the client will be notified in advance in order to make the migration plan. The adjustments will be made during non-business hours.

  • Support: the operational support that anteia offers its clients in relation to the platform, so that they can turn to anteia according to the following service levels:

 

Technical Support.

​

In a first instance, we assume that the internal resources (application support staff) of the organization analyze the problem and determine if the solution can be produced without the need to resort to anteia. Some examples of this internal support have to do with database disconnections, failure of information to reach anteia due to errors in the data source, communication network failures, etc., which are problems unrelated to anteia.

 

In many cases the problems are solved at this level and the response times depend on the organization itself. To reduce emergencies, all new installation work, database maintenance, and any other adjustments that jeopardize the stability of the system and that are to be performed by the customer on his own, must be validated by anteia support staff.


Support cases induced by actions not validated by anteia should be billed separately. However, even in this case the customer may choose to contact the anteia support team in Bogota D.C./San Jose CR by email to clarify doubts, at support@anteia.co.

If the problem is not solved internally, then the customer can turn to anteia's support scheme. The support times that anteia offers for the different levels of support are as follows:

 

First Level Support.

In this case, the internal support level has already been exceeded and people within the organization are unable to resolve the issue. The anteia support team in Bogota, Colombia, contacts the customer's contact person via email or telephone.

 

The contact will be the lead user if the problem is functional, or the designated support engineer if the problem requires technical attention. In case of requiring version upgrades (application of a "patch"), the support engineer designated by the organization will take care of the case.

 

Second Level Support.

When the problem cannot be solved at the first level and the case is serious, a remote VPN connection, previously defined and following the client's security criteria, must be activated (in case the infrastructure belongs to the client). This connection will allow anteia's personnel in Colombia/Costa Rica to take express control of the machine or machines of the organization where the problem is occurring and to try to solve it as soon as possible.

 

anteia accepts the security provisions and understands that access through the VPN must be limited to cases of extreme urgency. Urgent cases will be determined by the customer. It is anteia's intention to provide adequate support and to handle cases through a VPN, which is technically feasible. It must be possible to use this means before deciding whether an on-site expert presence is warranted.

 

The organization will log all incidents escalated to the first and second level through a ticketing system available on the Internet, provided by anteia. In this system, the customer reports the support cases and should preferably attach (using the same system) screenshots, reports, messages, etc. to help anteia engineers determine the causes of the problem.

 

Support schedule.

​

Support is provided on business days from 8 a.m. to 6 p.m. Colombian time. In this case, support reports must also be made through the Ticketing System. Thus, the general procedure for the attention of failures/incidents reported by customers is as follows:

​​

  • Dialogue with the user.

  • Receipt and documentation of the request or incident.

  • Definition of the incident or request.

  • Categorization of the incident or request. 

  • Functional/operational testing.

  • Fault localization.

  • Incident diagnosis (if required).

  • Execution of solution procedures. 

  • Technical verification of the solution.

  • Solution confirmation with the end user.

  • Incident or requirement closure with customer authorization.

Impact
 

A measure of the effect of an incident on business processes and/or activities. The Impact is generally based on how the Service Levels will be affected. The defined Impact scale is as follows.

 

IMPACT SCALE
 

High

The organization can no longer provide some critical services to any user.


Medium

The organization has lost the ability to provide a critical service to a subset of system users.


Low

Minimal effect; the organization can still provide all critical services to all users, but has lost efficiency.

​

Response (Contact) Times

Response times to customer-reported incidents are directly proportional to the scale of impacts described in the previous item (Impact) and measure the time in which anteia support staff will be on top of incident handling. 

 

High Impact

Software components from 1 to 2 hours*.
 

Medium Impact

Software components from 2 to 4 hours*.


Low Impact

Software components from 4 to 8 hours*.

 

Incident Resolution Times
 

High Impact

Maximum Temporary Solution Time (2 hours)

*Maximum time of definitive solution (see Note)

 

Medium Impact

Maximum temporary solution time (4 hours)

*Maximum time of definitive solution (see Note)

 

Low Impact

Maximum temporary solution time (8 hours)

*Maximum time of definitive solution (see Note)

 

*Note: All the SLAs described in this document must be analyzed together with the client in the initial project definition stage according to the real demand of the service and the client's responsibility as a preliminary.

 

The definitive solution time is not established initially since there may be different incidents that involve some in-depth investigation or development of the solution and may involve both the customer and anteia's processes. Once the analysis of the incident is done, the estimated time for the final solution will be provided.

Last Update: October 2022
