July 15, 2022
See How Flexport’s Data Security Practices Protect Your Supply Chain
Real-time supply chain data and actionable insights are fueling growth for high-growth brands, but it's becoming increasingly hard to protect your data from breaches. Multiple high-profile hacks on transportation and logistics companies have reminded us of the vulnerabilities that companies face in an increasingly digital world.
The pandemic has made it very clear that better technology and the efficiencies it delivers will determine the leaders and laggards of this decade. For example, with the Flexport Platform, brands get end-to-end tracking of their global supply chains, can use the data to identify issues and blockers, and make real-time decisions to navigate delays and congestion.
Your data is one of your most valuable assets, if not the most. That's why, as a technology-first freight forwarder, we make cybersecurity our top priority and treat it as fundamental to the services we provide. Our clients can feel confident that their supply chain and logistics data—including information from upstream vendors and other partners—is safe and protected while using the Flexport Platform and APIs.
Our systems allow our teams, customers, and partners to collaborate as a cohesive unit to better manage and track end-to-end supply chain lifecycles, while also offering peace of mind about data security.
The following is a summary of our approach to data security.
Led By Data Security Experts
The Flexport Cybersecurity Team is led by Kevin Paige, our Chief Information Security Officer (CISO). With 25+ years of experience, Kevin took on numerous roles and challenges leading cybersecurity at companies like Salesforce, MuleSoft (application network platforms), and xMatters (incident management) before he joined Flexport. He also served in the U.S. Air Force and U.S. Army with leadership roles in network defense and datacenter operations and security. Kevin is also a certified CISSP, CCNP, and an ethical hacker.
Since one of Flexport’s primary differentiators is the digitization of supply chains and end-to-end visibility within our platform, it’s part of our promise that our teams work as a seamless unit with our clients and partners to manage and track cybersecurity across the supply chain lifecycle.
With this goal in mind, Flexport’s Cybersecurity Program has been independently certified by a third party to meet the international standards for information security known as ISO/IEC 27001 & 27002 (more information below).
Rigorous Security Standards for Employees and Partners
All Flexport employees are required to participate in extensive security training when joining the company and receive ongoing training throughout their Flexport careers. Topics covered include device security, acceptable use, preventing spyware/malware, identifying and reporting phishing emails, physical security, data privacy, account management and incident reporting, among others. Employees are directed to report any suspected or actual security incidents to the Flexport Security team.
Careful selection of our partners is also necessary for supply chain security. Flexport follows a risk-based Service Provider Due Diligence Program. A potential partner must go through a risk assessment and meet our rigorous security standards. This part of our efforts ensures that service providers engaged to support freight-forwarding needs are conducting business in a compliant manner that's in accordance with applicable laws, rules, and regulations.
Attention To Detail: The Information Security Triad
Flexport relies on a gold-standard information security model known as the Information Security Triad or CIA Triad. In this case, CIA doesn’t refer to the U.S. intelligence agency. It stands for Confidentiality, Integrity, and Availability.
Confidentiality means protecting your data against unauthorized access, a first line of defense that must include end-to-end data encryption and two-factor authentication for access control. At Flexport, cybersecurity teams monitor and audit your information to ensure only authorized people have access, and that they can only view the data they need to manage your shipments, accounts, billing, etc.
Data integrity refers to the wholeness and completeness of your information. From a security perspective, integrity risks could include accidental or malicious manipulation or deletion. Ensuring data authenticity matters too—not just to foil the intentions of bad actors, but to substantiate product claims, trace origin for compliance, and perform supplier reviews or logistics scenario planning.
Availability is all about access. Can you get to your data when you need it—even if a security risk has been realized? High uptime, a measure of working availability, is crucial in today’s fast-paced supply chain world. If a security breach occurs, availability prevents data loss and complex retrieval or replacement.
Security Certifications and Credentials
That attention to data security has garnered us a number of industry-standard certifications, including ISO/IEC 27001 & 27002. These certifications are recognized as the premier global standards for information security management systems (ISMS) and are organized and overseen by the International Standards Organization.
Flexport has also undergone a SOC 2 audit, in which an independent third-party auditor validated our systems, applications, people, and processes. Service Organization Controls (SOC) Reports are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization.
Along with the independent third-party auditor’s opinion on the effective design and operation of our controls, third-party risk reporting agencies like BitSight regularly identify Flexport as a top 5 program in the freight forwarding industry.
Other Things to Know About Flexport’s Cybersecurity Program
Based on ISO 27001 standards, our Cybersecurity Program has adopted a defense-in-depth strategy for managing security threats.
Key highlights include:
- Segregated Corporate and Production environments.
- Strong authentication and authorization controls with mandated multi-factor authentication (MFA).
- Encryption of data at rest and in transit.
- Operational security testing and exercises, including phishing and ransomware initiatives.
- Real-time and continuous security monitoring including configuration changes, malware protection, and intrusion detection.
- Incident management services including detection, triage, and remediation.
- Secure Development Lifecycle (SDLC) is incorporated within Flexport’s change management and deployment pipelines.
- Active scanning of systems for known vulnerabilities.
- Third-party penetration testing by independent security experts and ethical hackers.
- Cloud-based backup and recovery services are regularly tested and restored.
- Formalized Business Continuity and Disaster Recovery Program including annual recovery training and testing.
As a tech-first supply chain and logistics platform, Flexport has been built from the start to leverage the most advanced data capabilities and cyber security standards available today. That means your supply chain data can remain confidential, safe, and available.