IT security at Smart Tribune

Hébergement et infrastructures

Hosting and Infrastructure

As a pioneer in cloud services, we have chosen Amazon Web Service (AWS) to host our solution on the AWS Europe (Paris) infrastructure. This allows clients with data localization requirements to store their data in France, ensuring that the content will not be moved.

On average, AWS customers use 77% fewer servers, 84% less energy, and their energy mix is 28% greener. They can achieve an 88% reduction in carbon emissions by migrating to the cloud and AWS.

Our hosting provider (AWS – Paris) holds the following certifications: CIDSS 1, SOC1, SOC2, SOC3, CSA, SOC1, ISO 27001, ISO 9001, ISO 27017, ISO 27018, FedRAMP, CJIS, DoD SRG, HIPAA, ASIP HDS, CISPE.

AWS is based on the NIST framework.

We also utilize Microsoft Azure Cloud to meet the needs of large language model (LLM) consumption, particularly the GPT family, with infrastructure located in the France Central region for product usage and our production workloads.

Our hosting provider (Microsoft Azure) holds the following certifications: ISO/IEC 27001, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, CSA STAR. Azure also complies with GDPR, UK G-Cloud, and EU Model Clauses regulations. It is important to note that Microsoft Azure is based on the NIST framework.

For certain internal explorations, we may use other regions, but exclusively within the European Union, such as Sweden and Germany.

Vulnerability Management

Frameworks and Tools

Smart Tribune has built its software suite on modern and proven languages and frameworks, including ReactJS, PHP, Kotlin, Python, Golang, and Rust.

We also use Kubernetes, a leading solution for container orchestration. Updates are performed at regular intervals to incorporate evolutions and security patches as quickly as possible, depending on the criticality of the elements involved.

We employ a multi-notification system to monitor various key events, including cluster status and other performance and security indicators. These notifications are sent through multiple channels, such as email alerts, Mattermost, SMS, and push-over, ensuring optimal responsiveness.

Continuous Integration and Security

The continuous integration (CI) tool implemented at Smart Tribune is based on GitLab CI. It incorporates several security stages using various tools and solutions:

• Dependency Scanners: We verify vulnerabilities in the dependencies used with tools such as Security Checker, govulncheck, and Dependency-Check.
• Container Scanners: We verify vulnerabilities in the dependencies used with tools such as Security Checker, govulncheck, and Dependency-Check.

Code Analysis and Security Testing

Static Application Security Testing (SAST) is integrated directly into the continuous integration process to automatically detect potential issues and vulnerabilities in the code. Additionally, tools are used on developers’ workstations to reinforce this vigilance.

Regular manual security tests are conducted using specific tools, notably ZAP (Zed Attack Proxy). These tests are based on well-known frameworks such as OWASP and W3AF to ensure maximum coverage of potential vulnerabilities.

By combining these proactive and reactive approaches, Smart Tribune ensures continuous monitoring and protection of its environments, thereby guaranteeing robust and reliable security for its users.

Vulnerability Tracking and Management

Any detected vulnerabilities can be reported via email to vulnerabilities@smart-tribune.com. Our technical team is committed to addressing each vulnerability as quickly as possible, informing the client about the detection and the expected resolution timeframe. Temporary workarounds may be implemented in anticipation of the complete resolution of the vulnerability.

Data Protection and Compliance

Cookie Policy

In the context of using Smart Tribune solutions, two types of cookies may be used:

1. Mandatory functional cookie:

• used for our products requiring authentication through a personal account (Smart Knowledge)
• mandatory and essential for the proper use of the authenticated solution
• compliant with CNIL recommendations and GDPR obligations

2. Optional analytical cookie:

• the Smart Tribune solution operates independently of the user’s acceptance or refusal of analytical cookies
• if the user refuses these cookies, certain behavioral usage data will not be collected, limiting some statistical analyses
• a “cookieoptin” parameter allows managing the activation or refusal of cookies related to Google Analytics based on user preferences.
• for Google Analytics, the anonymization option is enabled, ensuring that IP addresses are anonymized before data is sent
• by using PianoAnalytics, our solution remains GDPR compliant

These adjustments ensure respect for users’ privacy preferences while ensuring the proper functioning and security of our solutions.

Personal Data

Our solutions comply with the General Data Protection Regulation (GDPR). All AWS services in the AWS EU (Paris) region adhere to GDPR standards.

Artificial Intelligence (AI)

All Smart AI functionalities are deployed exclusively in France. No data is sent or stored abroad, ensuring GDPR compliance across all functionalities.

Smart AI V.0 (Content Generation and Transformation)

• Model used: GPT-3.5 Turbo 16k
• Features include response generation, tone change, spell correction, translation, etc.
• Smart AI V.0 functionalities use the Microsoft Azure service deployed in France
• No data is sent abroad, ensuring GDPR compliance

Smart AI V.1 (Knowledge Builder)

• Model used: GPT-4 Turbo
• Added PDF documents are stored in an S3 bucket, Amazon Simple Storage Service, encrypted with key management in our Key Management Service based in France. Only necessary paragraphs are shared with the LLM (GPT-4 Turbo)

Semantic search

• Model used: OpenSource base + fine-tuning, hosted in our infrastructure in the Paris region

Smart Bot

• We anonymize all personally identifiable and named data via models we host before any processing by generative AI
• We access LLM models from our Microsoft Azure tenants, all based in Europe. Data sent to LLM models via Microsoft Azure is not used to train these models (access the documentation)

Auditability

Regular security audits are conducted by internal or external auditors. If a client wishes to perform an audit, a one-month notice is required. The audit is at the client’s expense, who must provide details on dates, authorized personnel, content, and results.

SLA and Availability

Smart Tribune guarantees a monthly service availability rate of at least 99.50%. All details are available in our general terms and conditions.

Smart Tribune guarantees a monthly service availability rate of at least 99.50%, calculated as follows:

Monthly availability = 100 x (calculation period – service downtime) / calculation period

All details on solution availability and response times are present in the paragraph “Annex 1: Handling Anomalies > 3/ Solution Availability and Response Times” available in our GTC at the link: https://fr.smart-tribune.com/cgv/

Note: Different conditions may apply to certain contracts; these conditions are defined in the special conditions agreed upon during contract signing.

Anomaly Correction

All details related to anomaly correction are present in our general terms and conditions. Specific conditions may apply depending on the signed contracts.

For more information, please consult our general terms and conditions on our website.