Security and data protection are embedded across the design, deployment, and operation of eFACiLiTY®—a platform built to support enterprise-scale facility management with strong controls for access, data protection, and auditability.
Designed for regulated and security-conscious environments, eFACiLiTY® incorporates structured security controls and compliance practices to safeguard operational data and support enterprise security and compliance requirements.
This page outlines the key security controls, certifications, and compliance measures implemented within eFACiLiTY®.
Security Certifications and Compliance
SIERRA maintains internationally recognized security certifications to demonstrate our commitment to data protection and operational security:
- SOC 2 Type II Certified: Validates controls related to security, availability, confidentiality, processing integrity, and privacy over an extended audit period.
- ISO/IEC 27001 (ISMS) Certified: Confirms the implementation of an Information Security Management System aligned with global best practices, supported by regular surveillance audits.
These certifications reflect our ongoing commitment to strong security governance and continuous improvement.
Benefits of Compliance
Compliance with standards such as SOC 2 Type II and ISO 27001 helps organisations strengthen security governance and meet enterprise audit and risk requirements.
Key outcomes include:
- Faster and more efficient audit cycles
- Reduced security risk exposure through standardized and auditable controls
- Alignment with enterprise IT, security, and governance frameworks
- Simplified vendor risk assessments and compliance reviews
Access Control and Identity Management
eFACiLiTY® provides strong access control mechanisms to ensure users can access only what they are authorized to access:
- Role-Based Access Control (RBAC) with granular privileges
- User access can be restricted by site, location, module, program, screen, and report
- Support for table-level and field-level access controls
- Users can be associated with one or more User Groups
- Multi-Factor Authentication (MFA) is supported and mandatory for administrator and high-risk user roles
These controls help enforce the principle of least privilege across the application.
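The following is an added example written for this page, not eFACiLiTY®'s own authorization engine. It shows how the controls listed above (user groups, roles, restriction by site, module and screen, and field-level access) can be combined into a deny-by-default check: a user is allowed an action only if one of the roles reached through their groups grants it and the site is within the user's own site restriction, and a field is hidden if any of the user's roles masks it. All group, role, site, module, screen and field names are constructed for the example.

```python
"""Added example (not eFACiLiTY's code): scoped role-based access check, deny by default.

Role, group, user, site, module and screen names are constructed for the example.
"""

# Role grants: (module, screen, action, site); "*" is a wildcard for that position.
ROLES = {
    "technician": [("Maintenance", "WorkOrder", "view", "*"),
                   ("Maintenance", "WorkOrder", "edit", "*")],
    "finance_viewer": [("Maintenance", "WorkOrder", "view", "*"),
                       ("Finance", "*", "view", "*")],
    "site_admin": [("Admin", "*", "*", "HQ")],      # all admin screens, HQ only
}

# A user group bundles roles; a user may belong to one or more groups.
GROUPS = {
    "maintenance_team": ["technician"],
    "hq_admins": ["site_admin", "finance_viewer"],
}

# Per-user site restriction: the user never sees data outside these sites,
# even where a role grant carries a "*" site wildcard.
USERS = {
    "alice": {"groups": ["maintenance_team"], "sites": {"HQ", "Plant-2"}},
    "bob": {"groups": ["hq_admins"], "sites": {"HQ"}},
}

# Field-level control: fields a role may never read on a given screen.
FIELD_DENY = {
    "technician": {("Maintenance", "WorkOrder"): {"cost"}},
}


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def user_roles(username: str) -> set:
    """Resolve the union of roles reachable through the user's groups."""
    user = USERS.get(username, {"groups": []})
    return {role for group in user["groups"] for role in GROUPS.get(group, [])}


def is_allowed(username: str, module: str, screen: str, action: str, site: str) -> bool:
    """Deny by default; allow only if the site restriction and some role grant both match."""
    user = USERS.get(username)
    if user is None or site not in user["sites"]:
        return False
    for role in user_roles(username):
        for m, s, a, st in ROLES.get(role, []):
            if _match(m, module) and _match(s, screen) and _match(a, action) and _match(st, site):
                return True
    return False


def visible_fields(username: str, module: str, screen: str, fields) -> set:
    """Apply field-level masks from every role the user holds (most restrictive wins)."""
    denied = set()
    for role in user_roles(username):
        denied |= FIELD_DENY.get(role, {}).get((module, screen), set())
    return set(fields) - denied
```

The site check is applied before any role grant is consulted, so a wildcard in a role can never widen a user's reach beyond the sites assigned to that user.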
Application Security Controls
eFACiLiTY® includes configurable authentication and password policies that allow organisations to enforce their security standards. Key capabilities include:
- Controls for password length, complexity, expiry, reuse, and history
- Account lockout after consecutive failed login attempts
- Automatic user disabling after prolonged inactivity
- Password expiry alerts to users
Login credentials are protected using SHA-256 hashing, and sensitive personal data is stored in encrypted form using AES encryption at the database level.
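As an added illustration of the password-policy capabilities listed above (length and complexity rules, reuse/history checks, expiry, lockout after consecutive failures, and automatic disabling after inactivity), the following example is written for this page and is not eFACiLiTY®'s implementation. All policy values are constructed for the example. The page states that credentials are hashed with SHA-256; this example stores them with PBKDF2-HMAC-SHA256 and a per-user random salt, which is the example's own design choice and not a description of the product.

```python
"""Added example (not eFACiLiTY's code): password policy, lockout and inactivity checks.

Policy values are constructed for the example. Credentials are stored with
PBKDF2-HMAC-SHA256 over a per-user random salt (this example's choice).
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

POLICY = {                      # constructed values, not product defaults
    "min_length": 12,
    "require_classes": 3,       # of: lower, upper, digit, symbol
    "max_age_days": 45,         # force a change after this many days
    "history_size": 5,          # previous hashes that may not be reused
    "lockout_threshold": 5,     # consecutive failures before lockout
    "lockout_minutes": 15,
    "inactivity_days": 90,      # disable an account idle this long
}
PBKDF2_ITERATIONS = 600_000     # deliberately slow to resist offline guessing


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_complexity(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("shorter than %d characters" % POLICY["min_length"])
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < POLICY["require_classes"]:
        problems.append("fewer than %d character classes" % POLICY["require_classes"])
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    last_login_at: datetime
    history: list = field(default_factory=list)   # previous (salt, digest) pairs
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False


def new_account(username: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now, now)


def set_password(acct: Account, new_password: str, now: datetime) -> list:
    """Apply complexity and reuse rules; return violations (empty list = changed)."""
    problems = check_complexity(new_password)
    if problems:
        return problems
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new_password, salt, digest):
            return ["matches a recently used password"]
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[: POLICY["history_size"]]
    acct.salt, acct.digest = hash_password(new_password)
    acct.password_set_at = now
    return []


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'locked', 'disabled' or 'bad_password'."""
    if acct.disabled:
        return "disabled"
    if now - acct.last_login_at > timedelta(days=POLICY["inactivity_days"]):
        acct.disabled = True                     # automatic disabling after inactivity
        return "disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= POLICY["lockout_threshold"]:
            acct.locked_until = now + timedelta(minutes=POLICY["lockout_minutes"])
            acct.failed_attempts = 0
            return "locked"
        return "bad_password"
    acct.failed_attempts, acct.locked_until, acct.last_login_at = 0, None, now
    if now - acct.password_set_at > timedelta(days=POLICY["max_age_days"]):
        return "expired"                         # authenticated, but must change password
    return "ok"
```

Two details worth noting: the lockout counter is reset when the lock is applied, so the account unlocks on its own after the window rather than staying locked until an administrator intervenes, and an expired password still returns a distinct result from a wrong one, so the login flow can route the user to a change-password screen without revealing anything to an unauthenticated caller.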
Data Protection and Encryption
To protect customer data throughout its lifecycle, eFACiLiTY® implements multiple layers of data protection:
- Encryption at rest: Transparent Data Encryption (TDE) in Azure SQL Database
- Encryption in transit: Data transmitted between users, applications, and servers is secured using HTTPS with TLS 1.2+ encryption, protecting data from interception and unauthorized access
- Data protection controls: Implemented in alignment with established security best practices to safeguard authentication and personal data
These measures help keep customer data secure, maintaining its integrity and preventing unauthorized access during storage and transmission.
Security Monitoring and Audit Logging
eFACiLiTY® provides integrated monitoring and logging capabilities to support security oversight, traceability, and investigation of system activity.
- Configurable Audit Trail Configurator with table-level and field-level tracking
- Logging of create, update, and delete actions
- Reports available by user, date, module, table, and field
- Real-time alerts for suspicious activity
Additional system logs include:
- Application access logs
- API logs
- Mail, SMS, and notification logs
- Application error logs
- Scheduler logs
These capabilities provide visibility into system activity, support timely investigation, and help organisations meet compliance and audit requirements while maintaining data integrity and system security.
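The following is an added example written for this page; it is not eFACiLiTY®'s Audit Trail Configurator. It shows the shape of the logging described above: a configuration that names the tracked fields per table, one audit entry per tracked field for create, update and delete actions (updates only for fields whose value actually changed), a report filter by user, date, module, table and field, and a simple alert rule that flags a burst of deletes by one user. Table names, field names, users and the alert threshold are constructed for the example.

```python
"""Added example (not eFACiLiTY's code): field-level audit trail with a simple alert rule.

Tables, fields, users and thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed configuration: which fields of which table are tracked, and
# which module the table belongs to (used for module-level reporting).
AUDIT_CONFIG = {
    "work_orders": {"module": "Maintenance", "fields": {"status", "assignee", "cost"}},
    "users": {"module": "Admin", "fields": {"role", "email"}},
}


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    user: str
    module: str
    table: str
    record_id: str
    action: str           # create | update | delete
    field: str
    old: Optional[str]
    new: Optional[str]


def record_change(user, table, record_id, action, before, after, ts) -> list:
    """Produce one entry per tracked field; untracked tables and fields yield nothing."""
    cfg = AUDIT_CONFIG.get(table)
    if cfg is None:
        return []
    entries = []
    for f in sorted(cfg["fields"]):
        old = before.get(f) if before else None
        new = after.get(f) if after else None
        if action == "update" and old == new:
            continue                       # unchanged field: nothing to record
        entries.append(AuditEntry(ts, user, cfg["module"], table, record_id, action, f, old, new))
    return entries


def report(entries, user=None, table=None, field=None, module=None, since=None, until=None):
    """Filter the trail by any combination of user, table, field, module and date range."""
    def keep(e):
        return ((user is None or e.user == user) and (table is None or e.table == table)
                and (field is None or e.field == field) and (module is None or e.module == module)
                and (since is None or e.ts >= since) and (until is None or e.ts <= until))
    return [e for e in entries if keep(e)]


DELETE_ALERT_THRESHOLD = 3              # constructed: distinct records deleted ...
DELETE_ALERT_WINDOW = timedelta(minutes=5)   # ... within this window by one user


def suspicious_deletes(entries) -> list:
    """Return (user, window_start, count) for users whose deletes exceed the threshold."""
    per_user = defaultdict(set)
    for e in entries:
        if e.action == "delete":
            per_user[e.user].add((e.ts, e.table, e.record_id))   # set: one per record
    alerts = []
    for user, events in per_user.items():
        events = sorted(events)
        for start, _, _ in events:
            in_window = [ev for ev in events if start <= ev[0] <= start + DELETE_ALERT_WINDOW]
            if len(in_window) >= DELETE_ALERT_THRESHOLD:
                alerts.append((user, start, len(in_window)))
                break                      # one alert per user is enough here
    return alerts
```

Because every delete of a record produces one entry per tracked field, the alert rule deduplicates on (timestamp, table, record) before counting, so a single deletion of a record with several tracked fields is not mistaken for several deletions.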
Infrastructure and Platform Security
eFACiLiTY® is built on Microsoft Azure’s secure cloud infrastructure, following a shared responsibility model to ensure strong protection across platform and application layers. The platform is designed to deliver high availability, resilience, and logical isolation of customer environments in a multi-tenant architecture.
Hosting and Data Residency
- Hosted in Azure Central India region, with flexibility to support additional regions based on redundancy and compliance requirements
Network Security and Isolation
- Web Application Firewall (WAF) to protect against common web-based threats
- Virtual Network (VNet) architecture for secure communication and environment isolation
- Built-in DDoS protection to mitigate large-scale attacks
- Network isolation controls to restrict unauthorized access
Availability and Resilience
- Availability Zones to distribute workloads across physically separate locations
- Load balancing and autoscaling to maintain performance and uptime during demand fluctuations
Backup and Disaster Recovery
- Automated backups with defined retention policies
- Zone-redundant (ZRS) and geographically redundant storage (GRS)
- Secondary data centre for failover in case of regional disruptions
- Recovery objectives:
  - RTO ≤ 12 hours
  - RPO < 4 hours
This approach ensures eFACiLiTY® operates with strong availability, data protection, and operational continuity, aligned with established cloud security and compliance practices.
Application Security Testing
Security testing is conducted as part of a formal security testing process to identify and address potential vulnerabilities:
- Periodic vulnerability assessments and penetration testing
- Use of industry-standard tools such as:
  - Burp Suite
  - OWASP ZAP
  - SQLMap
Identified issues are reviewed and remediated in line with our security processes.
Third-Party Security Assessments
- Independent third-party security assessments are conducted periodically to validate the effectiveness of security controls. Additional assessments can be performed based on customer or regulatory requirements.
- Any vulnerabilities identified are reviewed and remediated in line with established security processes as part of ongoing security improvement.
Data Retention and Deletion
- Customer data is retained only for operational, contractual, and compliance purposes, with retention periods aligned to contractual obligations and applicable regulatory requirements.
- System backups are maintained in accordance with defined retention policies.
- Upon contract termination, customer data can be securely provided as agreed.
- Data is securely deleted from systems following completion of contractual obligations, unless retention is required by law or regulation.
- Data deletion is performed using industry-standard methods to ensure that information is permanently removed and cannot be recovered.
Contact
For questions related to security, compliance, or data protection practices, please contact:
- Email: info@efacility.in
Last updated: 25-March-2026