Simple. Serverless. Secure. uniFLOW Online
Cloud-based Secure Printing, Scanning and Accounting uniFLOW Online
Secure Cloud Printing and Scanning for Business uniFLOW Online
Control Access. Control Cost. uniFLOW Online Express

Security

Every aspect of our service is built with security at the heart of all our business and technical decision-making processes.

How do we handle security at NT-ware?

We have implemented industry-leading security and vulnerability assessment tools to maintain a strong security position.

All our infrastructure is regularly scanned by industry leading vulnerability assessment tools. Every endpoint in our company is protected by enterprise-grade antivirus and malware detection. We have invested heavily into the Microsoft Security Suite to protect our email and file level security handling and proudly support and enforce the safe handling and distribution of email through Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) security. All our mail infrastructure is protected and filtered through Microsoft Exchange Online Security features, Phish, SPAM and Malware detection. End users are also protected using Microsoft Safe Links, attachment sandboxing and desktop virus integrations on-demand detection.

Next to our security infrastructure, identity protection for our staff is vital. Multi-factor Authentication (MFA) is mandatory on all cloud accounts, integrated Azure accounts and any 3rd party services we utilize. High-value assets and service accounts can be further protected using Microsoft Entra Conditional Access. All workstations are automatically locked when the station has been inactive for five minutes.

In addition, we actively participate in security readiness programs and training, helping our staff stay informed and alert. These include but are not limited to Cyber Security Assessment, Cofense Phishing Campaigns and access to external security training programs.

NT-ware and uniFLOW Online within the Microsoft Azure infrastructure

uniFLOW Online is delivered as a pure Software-as-a-Service (SaaS) which we have built natively on the Microsoft Azure Web Service platform.

The NT-ware Operations and Development access to the Microsoft Azure tenants is secured through Microsoft Entra ID Identity Protection which also incorporates the following security standards:

The above list is not exhaustive and we repeatedly review and improve our security standing.

uniFLOW Online security white paper

The uniFLOW Online security white paper provides an overview of the system security used within uniFLOW Online. It covers the following security information:

  • How a user prints a confidential document.
  • How user information is stored and managed in the cloud.
  • How the printers communicate with the cloud service.

Want to know more? Check it out the uniFLOW Online security white paper.

NT-ware security policies

Security is a layered approach within NT-ware. We work with enterprise-level products and services to protect both ourselves and your data.

Our policies have been built by capturing best practices from industry certification standards, including ISO 27001, and by aligning our measures with all relevant controls and sub controls for Group 2 of the Top 18 CIS Controls® (Center for Internet Security). This initiative forms much of our security planning and future strategy. We perform internal reviews of this program every six months and are also externally reviewed by the Canon Europe Security and Forensics team.

We have built a strong set of security guidelines which govern both the end user and IT operations within NT-ware. Hardware disposal, remote access, network segmentation and BYOD are only some examples of the complete set. These are openly communicated within the company and form part of our onboarding program for new starters. All security policies are reviewed at least annually and any changes are communicated to all concerned.

Security standards as part of our development

Security and risk management is initiated during the product planning phase which involves all key stakeholders (dedicated Product Planning, Development, Security and Quality Assurance teams).

All members of the NT-ware Development team follow best coding practices to prevent security leaks and vulnerabilities from the start. We use multiple sources as input to guarantee secure development, such as Common Weakness Enumeration (CWE), OWASP Top 10 Most Critical Web Application Security Risks, National Cyber Security Centre (NCSC) and others. This way, we stay up to date on the latest security findings or threats related to technology in our software products.

The utilization of the following industry security suites is also part of our development and quality assurance processes:

  • Atlassian Jira software package to organize sprints and product releases.
  • Visual Studio as the main development platform.
  • StyleCop/ JetBrains ReSharper for static code analysis.
  • Jenkins as continuous integration system.
  • Tricentis Tosca to perform automated smoke, scenario, functional and load tests.

NT-ware development for uniFLOW and uniFLOW Online is in-house; there is no contractor or external developer involvement. Other software components such as Canon-embedded device software is developed in close cooperation with Canon INC development. Non-Canon-embedded device development is conducted by an external development company. Development and company security practices are reviewed by NT-ware to align with our best practice and methodologies.

All code changes and ‘check ins’ are performed through an open peer review process limiting the chances of any one individual injecting malicious code into our development pipeline.

Security Incident Management

We consider a security incident to be any instance where there is an existing or impending negative impact to the confidentiality, integrity or availability of our customers' data, NT-ware data or NT-ware services. When we respond to security incidents, we continue to uphold our core values i.e. focusing on putting the best processes in place so that we handle security incidents in a way that is always aligned with the best interests of our customers and ensures they continue to have an outstanding experience when using our products.

Within NT-ware, we have a defined approach for responding to security incidents affecting our services or infrastructure. Our incident response approach includes comprehensive logging and monitoring of our products and infrastructure to ensure we quickly detect potential incidents. Defined processes ensure there is clarity in what we need to do during an incident. This is managed by our IT and Operations team coordinating with relevant departments and internal subject matter specilists. We also have access to a range of external experts to assist us with investigating and responding as effectively as possible.

For more information on our Security Incident Management, click here: Security Incident Management.

NT-ware Penetration Testing

The importance of performing Penetration Testing is recognized and actively performed with every feature release of uniFLOW Online and uniFLOW Server. For such testing we work in conjunction with Canon Europe Security so the testing is carried out by an accredited industry PEN testing and security organization.

Every report is reviewed directly by the Chief Information Security Officer (CISO) and Development Director. In addition, matter specialists are consulted where needed. We review the threat for exploitability or attack vector among our key indicators to determine the priority and schedule accordingly.

All security incidents or findings discovered during testing will be ticketed in accordance with our Security Incident Management process. NT-ware regularly reviews the ticket priority and general security matters among key department heads.

For more information on our PEN Testing Methodology, click here: PEN Testing Methodology.

Customer Penetration Testing

NT-ware fully supports customers performing PEN testing activities. We welcome the testing as this provides valuable feedback from our customers and helps to further improve the overall security position of uniFLOW Online. To do this safely, the instructions below must be followed should customers wish to PEN test uniFLOW Online.

Non-invasive testing

If the PEN testing is non-invasive, this can be performed directly against the customer's uniFLOW Online tenant. It is acknowledged such 'tests' happen on the internet every day against online infrastructure. Such testing MUST NOT include any intentional service saturation, denial of service (DOS) tests that impact the system’s performance or stability and would be a direct breach of the Service Agreement signed by all parties.

We request that any relevant findings are shared with NT-ware to review and qualify/ rule out any false positive results.

What if I need to perform possible ‘invasive’ testing?

Please contact Canon or your Canon Business Partner to raise a project request with NT-ware through our Jira Software ticketing system. We will review the request and at the discretion of NT-ware provide a suitable ‘test' tenant of uniFLOW Online that will not impact the service we provide to other customers.

  • Requests are evaluated by NT-ware and, at the sole discretion of NT-ware, approved or rejected.
  • The customer security team must provide NT-ware with timings for the test window when they will perform the PEN test.
  • It is requested that the results of the PEN test are provided to NT-ware or, at the very least, any fail points.
  • Should a non-disclosure agreement (NDA) be required for the sharing of information in any direction this will be considered based on the engagement and planned exchange of information.
  • Any other legal requirements from the customer must be presented in writing via the Canon and/or Canon Business Partner channel.

Infrastructure and hardware security

The physical security of our infrastructure and hardware is a crucial point to recognize. All uniFLOW Online hardware is hosted within Microsoft Azure data centers. For Microsoft Azure data center hardware disposal protocols, please check the Microsoft hardware disposal procedures.

NT-ware’s corporate IT infrastructure is hosted globally in Germany, Singapore and the US office. We follow strict security access and hardware disposal processes in all locations.

  • All data centers and server infrastructure are secured by key card access and restricted to IT personnel only.
  • The hardware lifecycle within NT-ware is managed by an established inventory system.
  • Hardware is disposed of in accordance with our strict 'Hardware and Data Destruction Policy'.

    • Hardware is always disposed of with an accredited eWaste service following ISO 14001.
    • Hard drives and any storage media containing personally identifiable information (PII) or company sensitive data is destroyed by an industrial crusher.
    • Destruction services are accredited and/ or supervised by NT-ware staff to ensure they comply with our hardware handling policies.

  • All laptops and field-based computers must have Microsoft Bitlocker enabled to protect against physical theft.
  • 'End-of-Life' devices are returned to NT-ware headquarters IT or to local IT support staff for handling in accordance with our security guidelines.