Trust & Security

Smoothx Cloud Security Guide

How does Smoothx help Owners, Builders and Subcontractors.

Procore has over 10,000 Owners, Builders and Subcontractors leveraging their software around the globe. They provide construction management software that connects the entire project team, from the office to the field and across companies, providing one place to work together to do what they do best––build.

In order to expand Procore platform, they offer open APIs that allow other applications to integrate, giving users the option to choose the tools that work best for them and their business. This is exactly what Smoothx has done. We have provided purpose built integrations to the Procore platform to cater for unique business needs and processes to assist in supporting the entire project lifecycle with an integrated set of applications.

We help facilitate Procore vision of providing a single source of data, reducing miscommunication, errors and rework; eliminating delays; and maintaining history or future projects and dispute resolution, with a real-time, consolidated view of the entire project – so users know if projects are on-time, on-budget, and course correct quickly.

What Does Smoothx Do?

Smoothx is a multiproduct ecosystem that seamlessly integrates with Procore. Whether its seamlessly integrating Procore with industry leading accounting systems, allowing Procore customers that ability to efficiently manage Cost+ contracts, removing manual uploads and silhoud email inboxes with our OCR invoice scanner or bulk extracting critical Procore data for close-out and handover process, Smoothx is purpose built to maximise your investment and increase your value in Procore.

Smoothx is offered as a multi-tenant, Software as a Service SaaS, cloud-based solution, and is accessed via the public internet (over a securely encrypted connection). With cloud-based technology, software and hardware management and maintenance tasks are offloaded to the service provider, which frees up resources for you to focus on driving value with your business.

Smoothx is hosted on AWS Global Infrastructure, as well as DigitalOcean Global Infrastructure and offers native mobile apps for iOS and Android for relevant Products.

What Does Smoothx being a cloud-based SaaS solution mean?

Before cloud-based solutions, users typically installed software on their computer hard drives, which ran a program. And they stored the data locally, on their hard drives. Later, software was installed on servers that resided at the customer’s business so that people who worked in that office could access the program and store their information in-house. The challenges that companies faced with these approaches were:

1. Keeping software up to date
2. Maintaining enough storage space
3. Troubleshooting and repair
4. Ensuring access to information

Cloud-based solutions like Smoothx, address all of these challenges. Smoothx offers a cloud-based solution made available to customers as Software as a Service SaaS. Data is securely stored for efficiency and accessibility for users. The service is delivered over the internet and accessed via a web browser. This eliminates the need for a large capital expense to buy hardware and software to set up and run an on-site data center.

- - The Smoothx team keeps the software up to date and secure and regularly introduces new functionality. Smoothx makes unlimited storage available for an unlimited number of users. It is flexible to meet customer needs.
  - Smoothx offers 24/7 support to everyone on your team.
  - Smoothx has comprehensive security and logging tools for managing access and determining who can see what information, according to their role.

An added benefit of cloud computing is that data is backed up in multiple regional locations. This makes it easier to recover in the case of a disaster and supports business continuity. The storage is flexible and scalable, and Smoothx maintains the software remotely. Therefore, you can focus on building while we focus on building software for people like you, who build the world.

Security

Smoothx understands that our customers have a lot of trust on behalf of our customers to keep their data on the Cloud. Security is a top priority for Smoothx, and we continue to invest significantly in broad initiatives to ensure that our customers’ data is safe, secure, and private. Smoothx uses a shared responsibility model, which means that while Smoothx employees perform some administrative tasks, customers manage their accounts, data, projects, and more.

How does Smoothx design security?

Smoothx takes steps to protect your information throughout the Software Development Lifecycle and in the design of our architecture and infrastructure. Our Information Security team is consulted at each phase of development, and they are part of code reviews.

Where is customer information stored?

To provide redundancy and reduce latency, Smoothx uses a robust global network of servers in 5 locations, maintained by DigitalOcean and Amazon Web Services, for file storage. All systems run monitoring tools with automated alerts integrated with an on-call rotation and automatic escalation. Information on which File Storage Profile is being used to house a customer’s data is available in their portal.

- Data Redundancy means the same piece of information exists in multiple places. Having redundancy helps Smoothx restore the data in case of corruption or accidental deletion in the event of an incident.
- Latency refers to the time it takes for data to be transferred between its original source and its destination. By having a worldwide network of servers, customer data can be stored at a site in their designated region.

AWS & DigitalOcean provide enterprise-class tools that have been proven to be both reliable and secure for today’s web-based applications. Amazon’s & DigitalOcean’s cloud computing services are in use at companies of all sizes, from startups to large enterprises. By leveraging the AWS & DigitalOcean network, Smoothx can offer our customers unlimited data storage on the Smoothx Platform.

Data Center Security and Compliance: How does Smoothx’s Cloud Service Provider CSP safeguard data?

Amazon Web Services (AWS) & DigitalOcean are Smoothx’s Infrastructure as a Service IaaS providers. AWS/DigitalOcean provide Smoothx and our customers the flexibility to scale as needed and the knowledge that all data is hosted securely and privately. AWS/DigitalOcean provides the physical security access controls to the physical hardware used to provide the Smoothx solution. For more information on AWS or DigitalOcean security protocols, please refer to their webpage.

How does Smoothx monitor its data server provider?

Smoothx’s relationship with AWS and DigitalOcean are as an Infrastructure as a Service IaaS vendor. They provide the hosting capacity on which we build the Smoothx SaaS platform. AWS/DigitalOcean is not engaged in a consulting or product-specific capacity. They have no responsibilities or duties that are derived from the specific nature of our software or our customers. The access granted to Infrastructure Partners is managed via technical controls based on the policy of least privilege: “Access to Information: The provider must be given the least amount of network, system, and/or data access required to perform the contracted services. This access must follow applicable policies and be periodically audited.”

Smoothx Access and Information Sharing

Smoothx takes steps to ensure the right people have access to the right information and the wrong people don’t. We built in tools and control mechanisms at multiple levels to help you collaborate and securely share information to the extent you decide.

How does Smoothx handle access for users?

During the implementation process, company-wide settings are applied for access levels and security settings. These are called role-based access controls RBAC. Administrators then execute these controls on an ongoing basis. For subsequent configuration changes, people with the appropriate permissions submit requests.

Smoothx provides options for role-based permissions for web and mobile applications. Among the security setting selections are: 2 factor authentication, lockout after failed sign-in attempts, password expiration, and idle session timeouts. Company administrators can unlock accounts.

Which teams at Smoothx can access my information?

Smoothx’s Access Control Policy adheres to the principle of least privilege, where employees, contractors, and all third-party vendors will be provided the least amount of access required to perform their job functions. Management is committed to testing and monitoring programs designed to ascertain whether the systems of controls and their component parts are functioning as intended and whether they afford an acceptable level of protection as time and technology advance. At a minimum, management will review access granting and control effectiveness on a semi-annual basis. Direct access to client data is limited to legitimate business needs, including activities required to support clients’ use of the Smoothx SaaS applications. Employees may only access resources relevant to their work duties.

Network Security Management

Smoothx takes network security very seriously to ensure that customer data is transferred to and from the production system securely. Smoothx manages this through network observability, web application firewalls, hardened server configurations, patching, strong encryption, and DDoS protection.

How are Smoothx’s firewalls configured?

Following the principle of network segmentation, Smoothx only allows necessary communication for valid business purposes. System firewalls, network security groups and advanced WAF technology are employed to protect Smoothx assets. All system firewall rules are managed by configuration software, and all changes are reviewed before deployment.

How does Smoothx protect against distributed denial of service DDoS attacks?

Smoothx utilizes DDoS mitigation services from its hosting provider to protect all Smoothx production networks. These are robust cloud-based solutions encompassing real-time traffic modeling right down to server-level anomaly detection and attack mitigation and include three layers of protection to identify and filter hostile traffic 24 7 365 to ensure customer uptime in the event of a DDoS.

How does Smoothx monitor for technical vulnerability and viruses?

Smoothx subscribes to manufacturer and independent security notification services to monitor potential external threats. Smoothx uses automated tools and documented procedures to build and configure all network equipment, systems, and servers from approved playbooks. Systems, platforms, and applications are configured to minimize security risks.

Leveraging state-of-the-art CSPM and Vulnerability Management tools, Smoothx continuously monitors all environments for vulnerabilities and risky misconfigurations. Our Vulnerability Management Program VMP handles identified vulnerabilities and misconfigurations. System patches are measured against documented Service Level Objectives SLOs).

Smoothx has established a standard Incident Response Plan that is used for any application level or security incident. This is based on industry best practices and is reviewed regularly.

How does Smoothx secure applications?

Smoothx customers access the Smoothx environment via the public Internet. Transport Layer Security TLS is an encryption technology that Smoothx utilizes to protect clients’ private information while it is in transit via the Internet.

To protect all data stored by our customers on the Smoothx Platform, Smoothx encrypts that data while stored at our data center providers. Data at Rest DAR For DAR Smoothx utilizes provider-managed device encryption services.

Data in Transit: Smoothx connections are secured using HTTPS protected by Transport Layer Security TLS. The data in transit is encrypted using the AES256 standard, the secure hash algorithm SHA2 for message authentication, and RSA as the encryption key exchange mechanism.

All services use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard AES256, to encrypt your data. The provider-managed encryption services provide that the keys are securely managed.

Onboarding, Integrations, and Updates

What do onboarding processes look like?

Smoothx Customer Success team is dedicated to ensuring that you will have a successful rollout of Smoothx Products across your entire company and any new construction project. For all customers and Smoothx Products, a dedicated Smoothx Implementation Manager will walk you through each phase of the Implementation Roadmap. We also recommend that you establish an implementation team with focus for us to work with. Together, we will work as a team to ensure that the entire implementation process is both efficient and thorough. The goal is for each member of your team to be sufficiently trained on how to use Smoothx Products to perform their respective roles and responsibilities.

How does Smoothx manage software updates?

Smoothx regularly releases software updates with new features and improvements. We provide information and release notes on new releases, as well as early looks at upcoming new features. For more information, please see our Product Releases page. The Smoothx SaaS solution is updated for all clients at the same time. There is no scheduled downtime window. Updates and Maintenance are designed not to affect the user experience.

In the event that a planned maintenance issue would affect access to the platform, this would be communicated ahead of time so that any impact could be discussed with clients.

Smoothx Product and Technology teams embrace an agile development & deployment framework. This allows individual product squads to continuously release fully Q/A’d product upgrades and enhancements across the entire platform, with the product releases happening multiple times per day/week. For major functionality or UI updates, Smoothx will often allow for the use of the “legacy solution” for a period of time to allow for testing and feedback.

Smoothx utilizes Test and Development servers to provide testing and validation on any update to the platform prior to general release. For planning purposes, all releases, enhancements, and major changes are fully described and delivered to the system admin well in advance.

How does Smoothx enhance the software on an ongoing basis?

Regarding product enhancements, the most important thing about Product and Technology at Smoothx is the common thread of our customers. Nothing happens without the input, ideas, and consultation all coming from the customers. There are a few ways that customers can get involved with Smoothx’s Development Process. After doing so, you will be taken to our User Voice Feedback Forum, where you can vote on other users’ ideas. This feedback informs our Product team’s development priorities. We also run beta programs on new products and features and invite customers to participate.

For information on the international process for product release, please speak with your customer success manager.

Smoothx Resources

Smoothx Account Executives stay beside you to make sure the onboarding process goes smoothly. Our Customer Support team manages the integration process. Our technical services team gets engaged in executing the plan. We also provide on-demand and live training.

Smoothx will provide two key resources to our clients: an Account Executive (Sales), and a Customer Success Manager (Customer Success). Resources also include a variety of documentation, training materials, and services, such as an online support portal that contains written/tutorials, videos, FAQs, and guides. Smoothx has materials to help a variety of learning styles.

Smoothx also offers specialized consulting services for a fee.

How does Smoothx maintain data availability?

Smoothx uses several industry standard enterprise application management solutions to monitor systems, trigger alerts based on event logs, and facilitate alerting, trend analysis, and risk assessment.

Continuous monitoring of critical network events with our robust observability and eventing platforms give the Product Security team the ability to identify and address any unauthorized access to assets (including access to client data) within the SaaS production network. Alerting is in place to notify the Product Security team of any issue.

Support and incident management

Smoothx has established a cross-organization standard Incident Response Plan that is used for any application or availability incident. This is based on industry best practices and is reviewed regularly.

Backup and retention

Smoothx maintains a robust “high-availability” strategy to protect our customers against software problems, hardware failure, and large-scale natural disasters. The pillars of this approach are redundancy, geographic diversity, and replication of data. These pillars protect our entire information technology infrastructure. All hardware and software used to store customer data and deliver the Smoothx application to our customers is protected. Smoothx also maintains a disaster recovery plan in case a full restoration is needed.

Smoothx maintains several replicas of the application software on each server. This replication allows for a fast roll-back in the event of a software issue. We maintain the software on multiple servers located in different secure data centers. This diversity protects against hardware failure and local service issues. In the event of any failure, our system logic sends any customer requests to another server. This redundancy allows us to service the affected system with no customer impact.

Our service providers host the database in secure data centers. Smoothx’s “simultaneous replication” architecture maintains the data across these data centers. Data is written to independent servers located in at least three separate locations at any time.