This document is designed to provide insight into the security- and availability policy of Blue10. Functionalities and measures taken by Blue10 in this area are described in this document.
Security & Availability Policy Blue10
Security stands at the core of Blue 10’s manifesto, and thus is given its highest priority. Blue 10 has implemented a variety of security measures and continuously monitor its processes to do everything in its power to ensure that its services and systems are constantly available to their customers.
Blue10 offers a Cloud solution for the digital processing of booking documents, such as procurement invoices, sales invoices, receipts, etc. There are three variations on this solution; Blue10 Scan & Recognize, Blue10 SME and Blue10 Enterprise. These solutions are further referred to as: the Blue10 service. Customers can log in to their own online Blue10 environment, after which they can easily book invoices in to the accounting system. If the customer uses Blue10, an online workflow is available to have an invoice inspected and approved digitally by one or more employees. Once an invoice has gone through the entire process in Blue 10, the document can easily be accessed in the digital archive and is retrievable from any location.
Accounting system integration
Online accounting system
From the Blue10 environment a direct connection is made to the accounting system. In doing so, Blue10 is supported by secure methods of the online accounting system.
Local accounting system
In combination with a local accounting system, a cloud connecter is installed on the server of the client. The communication between the cloud connector and the back end always takes place by HTTPS (TLS1.0 and higher). The cloud connector only makes an outbound connection with Blue10, and therefore requires no open ports in the firewall of the customer. The cloud connector uses an auto-update service to keep the cloud connector up to date.
Between Blue10 and the accounting system a set of predefined tasks take place. Tasks Blue10 can perform towards the accounting system include, booking of invoices, blocking and unblocking invoices for payment and retrieving master data. Master data are, among other things, supplier names, supplier numbers, VAT numbers and IBAN numbers. This data is used by the Blue10 service to identify a supplier of an invoice and to record the invoice in the Blue10 service to this supplier. Other master data that are exchanged are master data that are required to book an invoice in the accounting system. This includes, payment conditions, ledger accounts, VAT codes, etc.
Once an invoice is booked in the accounting system, the entry number, the due date, the booked invoice lines and ultimately the payment date are transferred to the Blue10 service.
Datacenter and hosting
Blue10 hosts the cloud solution on the public cloud of Microsoft, Azure, where Blue10 makes as much use as possible of the PaaS (Platform as a Service) services of Azure. Security is regulated at infrastructure level by Azure, which remarkably reduces the risk of configuration errors and other security risks. Western Europe (Amsterdam) is the Azure location where Blue10 is hosted. For more information about Microsoft Azure’s security measures, please visit: https://www.microsoft.com/en-us/trustcenter/cloudservices/azure.
The databases run on the SQL Azure platform. This platform provides built-in redundancy, backup and restore possibilities. These backups are made every quarter of an hour and are stored for 35 days.
Azure Blob Storage is used to store files. This service offers unlimited scalability and built-in redundancy. The Blob is backed up daily to another storage account.
Blue10 offers multiple authentication methods to users for logging in to the Blue10 service. Standard, a combination of username and password can be used. This password must contain at least 8 characters. After ten failed logins, the account will be blocked. Passwords are securely, irreversibly hashed and stored.
Blue10 also supports Single Sign-on (SSO) via Google, Microsoft account, Azure AD and Exact Online.
By providing the above authentication options, Blue10 has taken all steps, within its power, to prevent unauthorized access to the Blue10 service. The real access of users to the environment of the customer is managed by the customer themselves. The customer is responsible for managing its own (user) accounts, such as creating new employees, removing former employees and changing access, user roles or other user settings within the Blue10 service.
Monitoring key processes
The following key processes can be continuously monitored within the Blue10 service:
- Infrastructure availability
- Average response time of the website
- Response time of a login request
- Lead time per page from entry to conversion
- Lead time of the OCR process per page
- Response times between the Blue10 service and the different accounting systems
For the control of calamities, Blue10 has an emergency response plan, which can be used to get the affected business process, as quick as possible, up-and-running again.