Data Center
Hosting Environment
Data Sheet
Online solutions from Vertafore® help our customers
focus resources where they are most important—
servicing customers and growing their business.
Vertafore’s Software as a Service (SaaS) Solutions
Our online solutions allow thousands of insurance companies to provide unparalleled
service and support every day. Vertafore’s SaaS solutions provide cost savings, high
availability, transparent disaster recovery, and multi-layered security; which allows
agencies to focus their IT resources in areas that support business growth.
System Performance, Monitoring, and Maintenance
The equipment in Vertafore’s data center is sized and configured based on peak
month-end loads to ensure we do not have drops in performance during peak
periods. We have multiple monitoring systems in place to measure performance,
and proactively identify potential performance issues. A third-party scripting probe
allows us to measure synthetic end-user response time across all of our servers.
Vertafore has two separate data
centers—a primary active data center
facility in Texas and a secondary passive
(disaster recovery) data center in
Georgia. The primary data center deploys
redundant equipment at every level—
from the network equipment to the web
servers. Vertafore leverages a pooling
infrastructure for our web and application
servers, and we cluster our database
servers for high availability/performance
and active/active failover.
Vertafore has implemented change control policies based on the information
technology infrastructure library (ITIL) standards. The standards that have been
adopted ensure that only approved changes are made to the production systems.
We employ weekly maintenance windows for system changes such as product
updates, operating system patches and security fixes.
Key Benefits:
Operations Recovery
• Segregated duties
The power system within the Vertafore Data Center was designed and built for fault
tolerance. In the event of a power failure, a large uninterruptible power supply system
immediately kicks in and can operate all data center systems. Emergency generators
start within seconds of a power failure to support the data center during a power
outage. The generators are tested monthly, and are equipped with 48 hours of fuel
with a short notice contingency delivery of additional fuel as necessary. Also, at least
three versions of set-up, database and configuration information is available at all
times. One is live; one is a local backup and finally, there is an off-site backup. We can
also provide customers with encrypted backups of data.
• Defense in-depth security strategy
and architecture
• Redundant failover with continuity
of operations, high availability, and
backup facilities
• Third-party audits of operational
controls (i.e. SSAE 16)
Formal recovery plans are tested at least annually for failover
of our primary data center to our secondary data center.
Our recovery time objective is 24 hours and a recovery point
objective is two hours.
Dedicated to Security
Our People
Vertafore has a full time security team. The team, headed
by the Chief Information Security Officer, has oversight of
enterprise Information Risk Management which includes
information security, data privacy compliance, product and
business application security, and incident response.
Personnel security measures include nationwide criminal
background checks before hire, security and data privacy
awareness training, and a signed confidentiality agreement
covering responsibilities to protect customer data. Should an
employee leave, access to systems is immediately removed.
The Data Center
Access to the data center is restricted to authorized employees
via a computerized key card system. External doors to the
building are locked at all times and require entry by the key
card system. Guards are on duty 24 hours a day and monitoring
multiple video cameras and intruder alert systems. Internal
security zones further restrict access with a “mantrap,”
biometric access systems, and caged server areas. Also,
temperature, humidity, power management, smoke detection,
and fire suppression controls are all in place at the data center
to manage environmental risks.
We have implemented a defense in-depth strategy with
redundant firewalls, DMZ network security architectures,
identity and access management controls, intrusion detection
systems and anti-malware solutions. Also, Vertafore’s
internal information security team runs weekly vulnerability
assessment scans to search for, and remediate potential
network and host security exposures.
Applications Development
Vertafore has separate development, QA, staging, and
production environments, and performs periodic testing for
OWASP’s top ten web application security vulnerabilities (e.g.,
XSS, SQL Injection, CSRF, Directory Traversal, etc.).
Our applications facilitate customer use of common application
user ID and password control parameters, password encryption,
and SSL 128-bit encryption. Also, host level logical access is
limited with system controls designed to enforce authentication,
authorization, and accountability requirements such as the use
of two-factor authentication, unique administrator accounts,
and the removal of default accounts.
With regard to security monitoring and incident management,
production systems have 24/7 monitoring, alerting and
response to significant security events with assistance from
a well-known managed security service provider.
3rd Party Assessments
Annual Service Organization Control reports (formerly known
as ‘SAS70’) are prepared by a top accounting firm. This report
confirms our effective deployment of standard security
measures for our hosting center and applications. Vertafore has
consistently passed the SOC audits.
The controls tested as part of the SOC audits include:
• Infrastructure Change Management
• Application Change Management
• Physical Access
• Logical Access
• Data Processing
• Operations Recovery
We also have a third-party security firm performing additional
technical security testing on quarterly and annual schedules.
They test the effectiveness of:
• Data center security policies, procedures and processes
• External network security—including email, and antivirus security
• Internal network security—including wireless, phone, and
workstation security
• Physical security
For more information, please contact your Vertafore Account
Manager at 800.444.4813 or visit vertafore.com.
© 2014 Vertafore, Inc. and its subsidiaries. All rights reserved. Trademarks contained herein are owned by Vertafore, Inc. This document
is for informational purposes only. Vertafore makes no warranties, express or implied, with respect to the information provided here.
Information and views expressed in this document may change without notice. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners. VAM.DS.DCHE.1114
vertafore.com | 800.444.4813