FMX is cloud-based and available on any device with a web browser, including PCs, tablets, and smartphones. Your data will always be in sync and you’ll automatically receive updates with new features. Over 20% of users access FMX on a mobile device, allowing them to manage their facilities on the go.
When it comes to site security, we've got you covered! Here at FMX, we know how busy your day-to-day operations can be, so we've made it our priority to make sure that you don't have to worry about things like the safety and security of your data.
Common Security Questions and Answers
Do you perform security reviews of your application source code? Please explain.
Yes, we incorporate a code review step into our normal development process for every significant code change. A component of this is validating adherence to web security best practices.
Will you store customer data or configuration information in your infrastructure? If so, how will you protect this data?
Yes, the data we store is generally low in sensitivity and is stored encrypted at rest.
How do you ensure that sub-contractors and other third parties handle customer data securely?
Sub-contractors and consultants are limited in access to development and test environments, which contain non-production data only.
Do you have a position or organization responsible for overseeing the company’s overall security program? If so, please describe the responsibilities of the position or organization.
Yes, this role is satisfied jointly by the management of our company. Responsibilities include protecting our customers’ data and privacy through proactive measures, fostering a security-aware company culture, and responding to security incidents immediately and with transparency.
Please describe the process used to enforce strong authentication (e.g., complex passwords, multifactor tokens, certificates, biometrics).
Strong authentication can be enforced using single sign-on technology to offload authentication to the customer’s system where they have full control of the authentication process.
Do you run and monitor a process to ensure that all systems are protected with the most updated virus protection software? Are users made aware of their responsibilities in preventing the spread of viruses and other malicious code?
Systems that store executable files obtained from an external source as well as employee computers are protected with updated virus protection software.
Do you have a process to identify and patch vulnerabilities affecting network infrastructure, applications, and operating systems in your environment? If so, please describe.
Our cloud service provider handles the network and operating system layers. We have a logging and review process in place to identify application layer vulnerabilities and an automated deployment process to patch these in a timely manner.
Please describe (at a high level) the technical and operational controls you have implemented to help you detect and respond to security events and incidents.
We have implemented multiple layers of programmatic security assertions within our application that generate logs and halt execution when a potential risk is identified. These logs are reviewed regularly, and if a real security risk is identified, it is addressed immediately and with the highest priority. Also, our cloud service provider takes a rigorous approach to detecting and responding to network and infrastructure-level security events and incidents.
Please explain how you would communicate with customers during an emergency or an outage.
Messaging is handled by posting informational updates to our application’s normal URL and by emailing customers when services are restored.
Does your organization have system and/or process certifications? If applicable, please provide current attestations.
Our cloud service provider has the following attestations:
- SOC 1, SOC 2, SOC 3
- ISO/IEC 27001, ISO/IEC 27018
- Many others, see: https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview
What is your expected recovery time for the services provided?
One business day is the worst-case scenario.
Do you regularly log reports, inform customers in the event of any security incidents, and take corresponding measures?
We inspect logs on a daily basis and have automated monitoring in place to trigger alerts when abnormal conditions arise. Additionally, our hosting provider has comprehensive logging and monitoring controls already in place for our server and network infrastructure.
Upon termination of our subscription, what assistance is provided for migrating and transferring our data to a different service provider?
We listen to customers and want to help them succeed. To this end we are continually enhancing our software and are even willing to work with customers to build in custom enhancements that solve their specific needs. In the unfortunate event that a customer does decide to cancel their subscription, we do provide bulk data export capabilities free of charge that are useful in migrating data to a different service provider. Assistance beyond the automated tools provided is available but will be billed at an hourly rate.
Describe the physical security and environment control capabilities in place for data centers and work spaces where customer information may be accessed, stored, or processed.
Our servers are hosted in a Microsoft Azure data center. Microsoft employs numerous measures to protect from power failure, physical intrusion, and network outages and complies with stringent industry standards for physical security and reliability. For more information, see: https://www.microsoft.com/en-us/trustcenter/Compliance.
For a complete list of FMX security questions and answers, click on the attachment below!
- FMX Security & Compliance FAQ.pdf (100 KB)