會議記錄
IT Supplier Assessment Questionnaire(Novotech)
document_id: TMP-ITC-002_V1.0 parent_document: SOP-ITC-001 confidential: true
Information Security and Privacy
Page 3 of 12
Q: Is Novotech data stored in your data center locally on premise, co-located, hosted, or with a cloud provider?
A: Novotech data is hosted on Airtable, a cloud-based SaaS platform. Airtable operates on major public cloud infrastructure providers.
**
Q: Novotech 的資料是儲存在您本地的資料中心、共置、託管,還是由雲端服務提供者管理?
A: Novotech 的資料託管於 Airtable,這是一個基於雲端的 SaaS 平台。Airtable 運行於主要公共雲端基礎設施提供者上。
Q: If a Cloud Service Provider (CSP) is utilised: Do you have real-time monitoring in place to detect and log when CSP personnel access customers’ data, and the ability to quickly terminate any access that is unauthorised?
A: Yes. Airtable, as the cloud service provider, maintains monitoring, logging, and access control mechanisms to detect and respond to unauthorised access to customer data. Infrastructure-level access is managed by Airtable.
**
Q: 若使用雲端服務提供者(CSP):您是否有即時監控機制來偵測並記錄 CSP 人員何時存取客戶資料,並能快速終止任何未經授權的存取?
A: 是的。作為雲端服務提供者,Airtable 維護監控、記錄和存取控制機制,以偵測並回應未經授權的客戶資料存取。基礎設施層級的存取由 Airtable 管理。
Page 4 of 12
Q: Describe your data classification policy used for customer owned data and CSP owned data.
A: Customer-owned data is classified and managed by TailorMed in accordance with our internal data governance policies.
**
Q: 請描述您用於客戶擁有資料及 CSP 擁有資料的資料分類政策。
A: 客戶擁有的資料依據 TailorMed 的內部資料治理政策進行分類和管理。
Q: If data is transmitted to and from Novotech/Supplier, is the communication channel secured with an SSL/TLS Cert?
A: Yes. Data transmitted between Novotech and TailorMed systems is secured using SSL/TLS encryption. For cloud-based systems, all data in transit is protected using industry-standard SSL/TLS protocols enforced by the cloud service provider.
**
Q: 若資料在 Novotech/供應商間傳輸,通訊通道是否使用 SSL/TLS 證書加密?
A: 是的。Novotech 與 TailorMed 系統間傳輸的資料皆使用 SSL/TLS 加密。對於雲端系統,所有傳輸中的資料均採用由雲端服務提供者強制執行的業界標準 SSL/TLS 協議進行保護。
Q: How do you ensure the secure storage and management of encryption keys for customer data?
A: For cloud-based systems hosted on Airtable, encryption key management is handled by Airtable in accordance with their security and compliance framework. TailorMed does not manage or access encryption keys directly.
**
Q: 您如何確保客戶資料加密金鑰的安全儲存與管理?
A: 對於託管於 Airtable 的雲端系統,加密金鑰管理由 Airtable 根據其安全與合規框架負責。TailorMed 不直接管理或存取加密金鑰。
Q: Detail your procedure used to move data into or out of your infrastructure, including any content filtering, malware analysis and data integrity checks performed.
A: 此題不屬萬能數維工作範疇。
**
Q: 請詳細說明您將資料移入或移出基礎設施的程序,包括任何內容過濾、惡意軟體分析及資料完整性檢查。
A: 此題不屬萬能數維工作範疇。
Page 5 of 12
Q: Do you support a multitenant offering? Describe the methods used to segregate boundaries and at what layer the separation controls are applied.
A: 此題不屬萬能數維工作範疇
Q: 您是否支援多租戶服務?請描述用於隔離邊界的方法及其應用的層級。
A: 此題不屬萬能數維工作範疇。
**
Q: What measures do you have in place to ensure separation of duties?
A: 此題不屬萬能數維工作範疇
Q: 您採取哪些措施以確保職責分離?
A: 此題不屬萬能數維工作範疇。
Q: Detail how you manage change and how customers are notified.
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與。
**
Q: 請詳細說明您如何管理變更及通知客戶。
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與。
Q: With reference to your data classifications, describe how you destroy customer data and metadata once a service is no longer in use.
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與。
**
Q: 依據您的資料分類,請描述在服務停止使用後,如何銷毀客戶資料及其元資料。
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與。
Q: Is there a data flow diagram to understand how data flows into and through your service?
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與,若需要觀看 Airtable 資料流間的關聯,可以參考 Airtable 裡的 Extensions > Base schema。
**
Q: 是否有資料流程圖以瞭解資料如何流入及通過您的服務?
A: 此題屬 TailorMed 內部工作,萬能數維不經手或是參與。若需要查看 Airtable 資料流之間的關聯,可參考 Airtable 中的 Extensions > Base schema。
Page 6 of 12
Q: Which tier performance certification does your data centre have in place?
A: Airtable provides publicly available security and compliance documentation describing its cloud-based infrastructure and security controls. Data centre tier certifications are managed by the underlying cloud service provider and can be referenced from CSP documentation if required. https://www.airtable.com/company/trust-and-security
**
Q: 您的資料中心具備哪一級別的效能認證?
A: Airtable 提供公開的安全與合規文件,描述其基於雲端的基礎設施與安全控制。資料中心的等級認證由底層雲端服務提供者管理,必要時可參考 CSP 文件。https://www.airtable.com/company/trust-and-security
Page 7 of 12
Q: Describe your practices for managing personnel security, including personnel vetting, training and awareness practices.
A: 此題不屬萬能數維工作範疇
**
Q: 請描述您管理人員安全的做法,包括人員審查、培訓及意識提升措施。
A: 此題不屬萬能數維工作範疇。
Q: When were the plans last tested?
A: 此題不屬萬能數維工作範疇
**
Q: 計畫最近一次測試是在何時?
A: 此題不屬萬能數維工作範疇。
Page 9 of 12
Q: How does your application store API keys?
A: A limited tracking web function is implemented to display non-sensitive shipment status information only, such as order reference numbers, estimated time of arrival (ETA), and shipment milestone timestamps. This tracking function does not expose or process customer personal data. Data access is performed via server-side functions hosted on Netlify, where Airtable API credentials are securely stored and not exposed to the client-side application. No direct access to Airtable data or API keys is available from the frontend. Secure development practices are applied to ensure separation between frontend presentation and backend data access.
**
Q: 您的應用程式如何儲存 API 金鑰?
A: 實作了一個有限的追蹤網頁功能,僅顯示非敏感的貨運狀態資訊,如訂單參考編號、預計到達時間(ETA)及貨運里程碑時間戳。此追蹤功能不會暴露或處理客戶個人資料。資料存取透過 Netlify 托管的伺服器端函式執行,Airtable API 憑證安全儲存於該處,且不會暴露於前端應用程式。前端無法直接存取 Airtable 資料或 API 金鑰。採用安全開發實務以確保前端呈現與後端資料存取之分離。
Q: Describe your access management strategy:(auth tokens, passwords, API credentials, certificates)
A: Access to Airtable data is managed through Netlify functions server-side functions hosted on Netlify. API credentials are stored securely as environment variables and are never exposed to the client-side application. Access is restricted to the minimum scope required for the tracking functionality. No customer credentials or sensitive data are stored or processed on the front-end.
**
Q: 請描述您的存取管理策略:(認證令牌、密碼、API 憑證、憑證)
A: Airtable 資料的存取透過 Netlify 托管的伺服器端函式管理。API 憑證以環境變數安全儲存,絕不暴露於前端應用程式。存取權限限制於追蹤功能所需的最小範圍。前端不儲存或處理任何客戶憑證或敏感資料。
Q: What is your server patch management strategy?
A: Server patch management is handled by the underlying cloud service providers. Netlify manages patching and security updates for its serverless infrastructure, and Airtable manages patching for its hosted SaaS platform. No customer-managed servers are operated as part of this service.
**
Q: 您的伺服器補丁管理策略為何?
A: 伺服器補丁管理由底層雲端服務提供者負責。Netlify 負責其無伺服器基礎設施的補丁與安全更新,Airtable 則管理其託管 SaaS 平台的補丁。此服務不操作任何客戶管理的伺服器。
Page 10 of 12
Q: Detail any dedicated backups that are performed of Novotech data, whether it is inherent in the use of your service or whether it relies on the configuration of the customer.
A: Novotech data stored within Airtable benefits from the platform’s inherent backup and availability controls as part of the SaaS service. Any additional data exports, backups, or retention policies are configured and managed by TailorMed based on internal requirements.
**
Q: 請詳述對 Novotech 資料所執行的專屬備份,無論是服務固有功能或依賴客戶設定。
A: Novotech 存於 Airtable 的資料享有該平台作為 SaaS 服務固有的備份與可用性控制。任何額外的資料匯出、備份或保留政策,均由 TailorMed 根據內部需求配置與管理。
Q: Detail the methods used to ensure service continuity and availability such as data replication across availability zones.
A: For systems hosted on Airtable and Netlify, service availability and continuity are provided through the platforms’ built-in high availability and resilience mechanisms. Infrastructure-level replication and redundancy are managed by the platform providers.
**
Q: 請詳述確保服務連續性與可用性的方法,例如跨可用區域的資料複製。
A: 對於託管於 Airtable 和 Netlify 的系統,服務可用性與連續性由平台內建的高可用性與韌性機制提供。基礎設施層級的複製與冗餘由平台提供者管理。
Q: Describe the ability of Novotech to move data out of your service either for backup, archive, or service decommissioning purposes.
A: Novotech data can be exported from the platform using standard data export capabilities.
Data retention, backup, archival, and decommissioning decisions are governed by TailorMed in accordance with customer requirements.
**
Q: 請描述 Novotech 將資料從您的服務中移出的能力,無論是為備份、歸檔或服務退役目的。
A: Novotech 可使用標準資料匯出功能將資料從平台匯出。
資料保留、備份、歸檔及退役決策由 TailorMed 根據客戶需求管理。