
Enterprise-Class Data Management, Security, Performance and Availability

NetSuite Data Center

Oracle NetSuite currently operates geographically distinct data centers across North America, Europe, and Asia-Pacific. Each data center has a counterpart that provides data mirroring, disaster recovery and failover capabilities in its region in case any data center becomes non-operational. The NetSuite service is natively multi-tenant and leverages infrastructure designed around multiple layers of redundancy.

Data Center Locations

North America • Seattle • Santa Clara • Phoenix • Chicago • Boston • Ashburn

Europe • London • Dublin • Frankfurt • Amsterdam

Asia-Pacific • Sydney • Melbourne

NetSuite Data Center Infrastructure

Data Management

• Scalability: NetSuite supports over 26,000 customers with over 1.5 billion application requests per day and more than six petabytes of data under management. The system has been designed to accommodate routine surges and spikes in usage, and to scale upward smoothly to address increased transaction volume.

• Disaster Recovery (DR): Within each region, data is replicated and synchronized between data centers. Semi-annual DR exercises ensure that systems and processes are in place, and assess and enhance the competency of all personnel key to the successful implementation of DR activities. Data centers use archival media, which supports customer-initiated data restores for up to a year.

• Redundancy: Many layers in the NetSuite system contain multiple levels of redundancy. This design allows uninterrupted service because redundant systems automatically assume processing in the event that one or more elements fail.

Application Security

• Encryption: Transmission of user credentials, as well as all data in the resultant connection, is encrypted with an industry standard protocol and cipher suite. NetSuite supports Custom Attribute encryption and provides encryption APIs. NetSuite uses token-based application authentication and multi-factor end-user authentication.

© Oracle | Terms of Use and Privacy Page 2

• Role-Level Access and Idle Disconnect: Each end user can be assigned a specific role with permissions that are specific only to his or her own job. There is a complete audit trail that tracks changes to each transaction by the user login details and a timestamp.

• IP Address Restrictions: Customers can restrict access to a NetSuite account from specific IP addresses and/or locations, which is valuable for those who are concerned not only about who is able to access their NetSuite account but from where they access it as well. This feature significantly reduces the risk of unauthorized third parties accessing a user's account.

• Robust Password Policies: Customers have granular password configuration options, ranging from the length of the passwords to the password expiration policy. They can set up strict policies to ensure that new passwords vary from prior passwords and that passwords are complex enough to include a combination of numbers, letters and special characters. Accounts are also locked out after several unsuccessful attempts. For customers who desire a higher level of access control, there is a multi-factor authentication option using text SMS, one-time passwords (OTP) and codes. In addition to entering their own passwords, users must possess TOTP-compatible devices to receive the random one-time passwords. These cryptographically robust passwords prevent key loggers, shoulder surfers, phishers and password crackers from accessing a user's account.

Operational Security

• Continuous Monitoring: NetSuite employs both network- and host-based Intrusion Detection Systems (IDS) to identify malicious traffic attempting to access its servers and networks. Security alerts and logs are sent to a Security Information and Event Management (SIEM) system for monitoring and response actions by a dedicated security team.

• Separation of Duties: In addition to mandatory employee background checks at all levels of the operations organization, job responsibilities are separated. The Principle of Least Authority (POLA) is followed and employees are given only those privileges that are necessary to do their duties.

• Physical Access: All data centers maintain stringent physical security policies and controls including photo IDs, proximity access cards, biometrics, single person entry portals and alarmed perimeters.

• Dedicated Security Team: Oracle NetSuite employs a global security team dedicated to enforcing security policies, monitoring alerts and investigating any anomalous system behavior including unauthorized connection attempts and malicious software. Near real-time monitoring is in place with a 24x7 worldwide incident response capability. All access to production is approved and regularly reviewed by the security team.
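The password-policy and multi-factor bullets above describe two server-side controls in the abstract: a lockout after repeated failures, and a time-based one-time password (TOTP) that a device generates and the service verifies. The following is an added Python example, not NetSuite code and not a description of how NetSuite implements these features; it shows the generic RFC 4226 (HOTP) and RFC 6238 (TOTP) mechanism plus a verifier that accepts a small clock-drift window, rejects replayed codes and locks after a configurable number of failures. The shared secret is the RFC 4226 test secret, used here as constructed input; `OtpVerifier`, `drift` and `max_failures` are names chosen for this example.

```python
"""Added example: TOTP second factor with drift window, replay guard and lockout.

Not NetSuite code. Demonstrates the generic RFC 4226/6238 algorithm and the
server-side checks a verifier needs around it.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); constructed input.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Second-factor check for one enrolled user (hypothetical helper).

    drift:        how many 30-second steps either side of 'now' are accepted,
                  to tolerate device clock skew.
    max_failures: wrong submissions before the factor is locked out.
    last_counter: highest time step already redeemed; any code at or below it
                  is rejected so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift: int = 1, max_failures: int = 5) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, submitted: str, unix_time: int) -> bool:
        """Return True and record the redeemed step if the code is valid."""
        if self.locked:
            return False
        now = unix_time // self.step
        for c in range(now - self.drift, now + self.drift + 1):
            if c <= self.last_counter:
                continue  # already redeemed (or older): treat as replay
            expected = hotp(self.secret, c, self.digits).encode()
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Device side: generate the code for a known time; server side: verify it.
    device_code = totp(SECRET, 59)
    server = OtpVerifier(SECRET)
    print("code:", device_code, "accepted:", server.verify(device_code, 59))
    print("replayed:", server.verify(device_code, 59))  # same code again -> False
```

The drift window is what makes the verifier tolerate a device whose clock is up to one step off; the `last_counter` guard is what stops a code that was observed once from being accepted a second time within that window, which a bare "compute and compare" implementation would allow.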

• Data Center Performance Audits: There are auditing controls appropriate for SOC 1 Type II, SOC 2 Type II, ISO 27001 and PCI compliance. NetSuite has implemented a comprehensive risk management process modeled after the National Institute of Standards and Technology's (NIST) special publication 800-30 and the ISO 27000 series of standards. Periodic audits are carried out to help ensure that personnel performance, procedural compliance, equipment serviceability, updated authorization records and key inventory rounds meet or exceed industry standards.

• Security Certifications: Oracle NetSuite issues reports upon the completion of periodic SOC 1 Type II and SOC 2 Type II audits and is certified for PCI DSS and ISO 27001:2013.

  ¤ Oracle NetSuite has defined its Information Security Management System in accordance with NIST 800-53 and ISO 27000 series standards.

  ¤ Independent third-party auditors prepare and conduct SOC 1 Type II and SOC 2 Type II audits. A SOC 1 Type II audit report is essential to meeting the reporting requirements on the effectiveness of internal controls over financial reporting of Section 404 of the Sarbanes-Oxley Act. SOC 2 Type II reports on controls that directly relate to the security, availability and confidentiality trust services criteria at a service organization.

  ¤ PCI DSS is a security standard designed to ensure that companies are processing, storing and transmitting payment card information in a secure environment. A PCI Qualified Security Assessor (QSA) issues an Attestation of Compliance (AOC) to NetSuite.

• Privacy Certifications: Oracle Corporate (Oracle EMEA Ltd) has obtained EU/EEA-wide authorization from the European data protection authorities for its Binding Corporate Rules for Processors (BCR-p). This helps our customers address their privacy and security requirements under the EU General Data Protection Regulation (GDPR) and other European data protection laws and regulations in the EU/EEA, the UK and Switzerland ("European Data Protection Law"). See the Privacy Code for Processing Personal Information of Customer Individuals (Oracle Processor Code). Oracle NetSuite provides Product Feature Guidance documents that describe how the service functionality is designed to assist customers with their EU GDPR requirements. Oracle NetSuite has extended the ISO 27001 Information Security Management System to include the ISO 27018 control set, demonstrating essential protection and adequacy for processing Personal Information as a Public Cloud Hosting Provider. Oracle NetSuite performs reviews and annual audits, conducts privacy risk management and oversees remediations, has a third-party vendor management program to ensure that the suppliers adhere to the privacy regulations, oversees privacy by design in technology and processes, and is committed to maintaining and improving its privacy information management and data protection programs.

Performance

• Scalable Application Architecture: The NetSuite application runs on a three-tiered architecture supported by additional specialized services. All tiers are highly scalable and support multi-data center deployment.

• Performance Team: NetSuite invests heavily in performance at every layer. This includes a dedicated performance team of developers and database engineers whose sole purpose is to proactively verify application performance benchmarks and tune the application for maximum performance.

• High-Performance Databases: The NetSuite application runs on high-performance database server hardware with multiple cores and maximum RAM configuration. NetSuite production database servers run exclusively on solid state storage, ensuring the fastest possible database I/O performance available in the industry.

• Performance Monitoring Tool: The NetSuite Application Performance Management (APM) tool provides a comprehensive performance dashboard that allows users to easily and quickly drill down and investigate the root cause of a site's performance issues. By capturing critical performance data and quickly identifying, analyzing and fixing the problem areas, customers can optimize performance, improve user experience and maintain critical transactions.

Availability

• Service Level Commitment (SLC): An SLC guarantees a 99.7% uptime (outside scheduled service windows) for the NetSuite production application for all customers. A credit is available if NetSuite does not deliver its application services with 99.7% uptime. A publicly available status page is provided to display system status at all times; it includes quantitative current and historic uptime metrics as well as up-to-the-minute announcements during disruptions.

• World-Class Hosting Operations Team: A global team of dedicated operations personnel proactively monitors the health of the entire system with industry leading alert and trend-based tools designed to identify and resolve events before they impact the live site. This team provides 24x7 coverage to respond to any incident with automated recovery procedures.

• Dedicated Event Response Team: A global cloud event response team is dedicated to expediting responses and resolutions while establishing communications and regular updates during service-impacting events. This team is active 24x7 from multiple worldwide locations.

• Network Design: The network was built to meet or exceed commercial standards worldwide for availability, integrity and confidentiality. The network design ensures reliable connectivity and maximum uptime with no single-point data transmission bottlenecks to or from the data center. Finally, NetSuite uses a content delivery network (CDN) to enhance network reliability and help protect against denial-of-service attacks.
