IT Security Questionnaires

This document provides the information our clients need in order to complete questionnaires, assessments, and similar documents concerning information technology security and our software.

 

These documents come under many names, including “Cyber Risk Assessment” and “IT Solution Requirements Questionnaire”. 

 

Completing one of these documents is a simple task. Completing thousands of them over time is incredibly time-consuming, particularly given that the questions understandably repeat from questionnaire to questionnaire. The original version of this document took 5 hours to complete. Rather than review and complete hundreds or thousands of these forms each year, we provide our answers in a central location that we update as needed. One upside is that you may benefit from questions others have asked that you might not have thought of.

 

SCOPE

 

These responses always apply to the current public build of ENERCALC software. They should not be presumed to apply to builds from the past. 

 
The term “ENERCALC software” applies to ENERCALC SEL, whether installed or in the cloud. 

 

LAST UPDATE

 

This document's last regular monthly review occurred on Apr 2, 2024.    

This document was last updated on Apr 2, 2024.

 
This document is reviewed monthly but is only updated when the data changes or new questions / answers are added.

PRIVACY

 

 

Does ENERCALC software collect / include personally identifiable information (PII)?

 

ENERCALC software (i.e. ENERCALC SEL and ENERCALC for Revit) does not collect PII.

 

It is possible that a user could enter PII into a SEL project file, for themselves or for their client, but we do not collect or require this data, nor do we have access to the project files unless the customer uses our cloud platform or hosted storage feature. In our experience from reviewing project files sent to our support team, literally no one completes these fields in their project files. If this information is entered, it will appear on engineering reports printed by the software. It is easy for the end user to remove if they decide not to keep it in their project file.

 

Is ENERCALC software HIPAA-compliant? 

 

Not applicable. ENERCALC is not a health care provider, and HIPAA applies only to health care providers. ENERCALC software does not collect health care patient data, nor is it designed or intended to do so.

 

 

Do you require your vendors to enforce your security and privacy policies?

 

As a small company, we have no ability to demand that our vendors behave in a certain way. As a small company, our only leverage is to vote with our feet when a vendor's behavior does not meet our needs and the needs of our customers. We use that option when necessary.

 

 

Is there a disciplinary policy in place that includes security, privacy, and data protection?

 

There is no formal policy of this nature. We're a small company. We take care of each other, and our clients.

 

 

Does ENERCALC require cookies?

ENERCALC's installed software does not use cookies, as it is a desktop Windows application. Our cloud login page does use cookies for username/password storage.

 

Do you review internal policies (privacy, etc) at least annually?

 

Yes. They were last reviewed by our software attorney in October 2023. Updates to our license agreement (https://enercalc.com/pdf/ENERCALC_License_Agreement.pdf), privacy policy (https://enercalc.com/privacy-policy/), and terms of service (https://enercalc.com/pdf/ENERCALC_Terms_of_Use.pdf) were published in December 2023.


EMPLOYMENT AND EMPLOYEES

 

Does ENERCALC have a documented employment termination policy?

 

No. ENERCALC operates according to Montana law, or the law that applies to each team member where they live. All ENERCALC employees are US citizens living in the US.

 

 

What formal training do ENERCALC employees and contractors complete before they begin work?

 

We perform onboarding for the use of internal systems and vendor systems (such as AWS). We do not have a formal, sit-down classroom introduction to ENERCALC. We're a small, 100% remote company. New staff members are trained by our existing staff. There is no formal paperwork "sign off" that an employee is trained. We do not have an ongoing formal training program; however, our staff is constantly learning and being mentored by other staff members. We have extensive internal process documentation, which includes our onboarding and offboarding process. Our offboarding process has never been used, as no employee has ever left ENERCALC (the owner did leave when he sold the company in 2022, but we don't feel that counts as losing an employee). We have extensive internal systems that exert control over our data and systems environment.

 

Does ENERCALC have an office policy and procedures document for managing the work environment, tools, etc?

 

ENERCALC has no office. We have always been a 100% remote company. This means there are no keypads, security barriers, or other physical security assets other than what our employees use to secure their homes. They have no physical access to AWS IT assets, since they are not AWS staff.

 

 

Are former employees "off-boarded" when they are no longer working for or on behalf of ENERCALC?

 

Yes. Documented procedures for system access are used for on and off boarding. As noted previously, our offboarding process has not been used as no employee has left ENERCALC.

 

Are all ENERCALC personnel US citizens?

 

2 of our software development contractors live outside the US. They do not provide support to customers and do not have access to customer data. All other personnel are United States citizens who reside in the United States.

 

 

Do all ENERCALC personnel reside in the United States?

 

2 of our software development contractors live outside the US. They do not provide support to customers. All other personnel are United States citizens who reside in the United States.

 

 

Does ENERCALC perform background checks on all contractors and employees?

 

No, but we are exceedingly selective in our hiring process and have never hired someone not in an existing employee's network.

 

 

Do ENERCALC contractors and employees operate under a NDA and/or confidentiality agreement?

 
Yes, both groups are under NDA / confidentiality agreements.

 

 

Does ENERCALC have a physical asset management policy?

 

As of April 2024, ENERCALC owns 3 developer laptops and a developer desktop. Two of the 3 laptops do not have access to customer metadata. The desktop and the remaining laptop do, because the US-based users of those machines provide technical support to our users and, as such, need access to user contact information in order to do their job. Our customer support database is never stored on permanent media (disk drives of any technology) on a computer accessing that data. All other hardware belongs to the employee or to AWS.

 


CUSTOMER DATA MANAGEMENT, SHARING AND/OR SALES

 

 

Does ENERCALC sell or rent its clients’ or prospects’ personal or business data?

 

No. Absolutely not.

 

Does ENERCALC share its clients’ or prospects’ personal or business data?

 

Yes, under limited conditions, as follows:

 

When we send direct mail to clients and/or prospects, a mailing house is often used to address, mail, and apply postage when the mailing is large. In those cases, the mailing house receives the name and mailing address so they can produce a properly addressed mail piece. No other information is shared with the mailing house.

 

We use transactional email services (i.e. SaaS vendors who specialize in sending transactional email). Their area of specialization is making sure that a very high percentage of email is delivered, and delivered promptly. In order for these services to send email on our behalf, a client's or prospect's email address is provided to them as part of an HTTPS API call used to request an email send. No other information is shared with the email service other than the content of the outbound email and the email address they are asked to send it to.

 

 

Does ENERCALC use a certified secure hardware destruction vendor when hardware is discarded?

 

AWS handles this for our server infrastructure. Such vendors are not used for our remote end users' computers, as customer data is not stored on those machines; it is accessed in memory by proprietary applications. In the very limited situations where certified hardware destruction would be necessary, we will use Brass Valley.

 

 

Is ENERCALC customer data purged from ENERCALC systems if they cease to be a customer of ENERCALC?

 

If requested, customer project data is purged. Customer metadata is not purged. Many times, customers return after a brief period.

 

 

Is ENERCALC production data used in test environments?

 

The only "production data" ENERCALC maintains, other than a customer project directory, metrics, and customer project data, is our customer data platform. That data is used within our test platforms when CRM and related internal / ecommerce testing is performed. The test platforms are secured and managed in the same manner as production IT assets / platforms. Customer project data is only used for testing during bug report resolution, if that data is provided by the customer or permission to access it has been granted. This occurs on a ticket-by-ticket basis.

 

 

Is ENERCALC software GDPR compliant? 

 

Not applicable. 

 

ENERCALC software does not collect PII, nor does it track users.

 

Are ENERCALC websites GDPR compliant? 

 

Not applicable.

 

ENERCALC software does not promote its software in the EU and does not currently support EU engineering-related governing codes. It is our position that the EU has no jurisdiction over a US-based company with no employees, contractors, offices, clients, or marketing / sales efforts in the EU. If / when that changes, ENERCALC will take steps to become compliant with GDPR.

 

Is ENERCALC CCPA compliant?

 

Yes, because the act does not apply to ENERCALC, LLC. ENERCALC, LLC does not sell anyone’s personal information.

 

The California Consumer Privacy Act (CCPA) applies to for-profit businesses that sell personal information of more than 50,000 California residents annually, or have an annual gross revenue exceeding $25 million, or derive more than 50% of their annual revenue from selling the personal information of California residents. This does not describe ENERCALC, LLC.

 

Is ENERCALC CPRA compliant with respect to the sale or sharing of personal information, the right to correct inaccurate information, and the right to have personal information collected subject to data minimization and purpose limitations?

 

Yes. 

 

The California Privacy Rights Act (CPRA) modifies the California Consumer Privacy Act (CCPA) and provides people with the ability to opt out of the sale and sharing of their personal information with third parties. The CPRA also conveys other rights to consumers / the public. 

 

ENERCALC does not sell personal information of our clients or prospects. We do share the minimum required data to use transactional email services and direct mail services, as noted elsewhere in this document. 

 

ENERCALC does not collect or store the following information:

 

information revealing a social security, driver’s license, state ID card or passport number

account log-in, financial account, debit card or credit card number in combination with the access code, password or credentials to those accounts / cards.

racial or ethnic origin, religious or philosophical beliefs, or union membership

mail, email and text messages, other than messages to and from customers as a result of aiding a customer.

genetic data

biometric information for the purpose of identifying someone

information collected and analyzed concerning a person’s health, sex life, or sexual orientation

 

 

GEOLOCATION
 

On occasion, our license management system does record the imprecise location of a user’s computer - based on internet geolocation APIs. For a U.S. location, we would typically receive city and state as the location. For locations outside the U.S., this information varies widely. Internet geolocation is routinely inaccurate but it is sufficient given our limited use case.

 

Internet-based geolocation information is collected in limited situations where we are assessing security risks to our clients’ licenses - and in particular if a user expresses a concern about this. For example, if we see a license activated from Tokyo, Japan for a small town client in Kansas, we may reach out to the client’s main office in Kansas to make sure they have someone in Tokyo who is working with or on their behalf. These situations are quite rare and typically occur only when a client asks why their licenses are consumed, or they report that they see a name they don’t recognize. Typically, this would only happen if the client’s email system has been breached. Specifically, this would mean a breach allowed an unauthorized party access to the client’s ENERCALC credentials and license information, which is delivered to the client via email.

 

We do not have the capability, the desire, nor a business need to monitor our clients’ precise geolocation while using our software or at any other time.  
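As an added illustration of the check described above (not ENERCALC's code; the record fields, client identifiers and sample data are constructed assumptions), a country-level comparison of license activation geolocation with the client's registered location, treating a US state mismatch as low confidence because internet geolocation is imprecise:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity ordering used to filter results. Internet geolocation is
# imprecise (often city/state in the US, highly variable elsewhere), so
# only a country-level mismatch is treated as high.
SEVERITY_RANK = {"none": 0, "unknown": 1, "low": 2, "high": 3}


@dataclass(frozen=True)
class Client:
    client_id: str
    country: str            # country of the client's registered office
    region: Optional[str]   # US state for US clients; None elsewhere


@dataclass(frozen=True)
class Activation:
    client_id: str
    user_email: str
    geo_country: Optional[str]  # None when the geolocation API returned nothing
    geo_region: Optional[str]   # US state when available
    geo_city: Optional[str]


def classify(client: Client, act: Activation) -> Tuple[str, str]:
    """Compare one activation's geolocation with the client's registered location.

    Returns (severity, reason). Country mismatch -> "high"; a US state
    mismatch -> "low" (geolocation is frequently off by a state); missing
    geolocation -> "unknown"; otherwise "none".
    """
    if act.geo_country is None:
        return "unknown", "no geolocation data for this activation"
    if act.geo_country != client.country:
        where = ", ".join(p for p in (act.geo_city, act.geo_country) if p)
        return "high", f"activated from {where}; client is registered in {client.country}"
    if (client.country == "US" and client.region and act.geo_region
            and act.geo_region != client.region):
        return "low", f"activated from {act.geo_region}; client is registered in {client.region}"
    return "none", ""


def flag_activations(clients: List[Client], activations: List[Activation],
                     min_severity: str = "high") -> Dict[str, List[dict]]:
    """Return activations at or above min_severity, grouped by client_id.

    Activations referencing an unknown client_id are reported as "high"
    so that a stray record is never silently dropped.
    """
    threshold = SEVERITY_RANK[min_severity]
    by_id = {c.client_id: c for c in clients}
    flagged: Dict[str, List[dict]] = {}
    for act in activations:
        client = by_id.get(act.client_id)
        if client is None:
            severity, reason = "high", "activation references an unknown client_id"
        else:
            severity, reason = classify(client, act)
        if SEVERITY_RANK[severity] >= threshold:
            flagged.setdefault(act.client_id, []).append(
                {"user": act.user_email, "severity": severity, "reason": reason})
    return flagged


# Constructed sample data (hypothetical client and users, not real records).
CLIENTS = [Client("kansas-firm", "US", "KS")]
ACTIVATIONS = [
    Activation("kansas-firm", "pm@example.com", "US", "KS", "Wichita"),
    Activation("kansas-firm", "eng@example.com", "US", "CO", "Denver"),
    Activation("kansas-firm", "pm@example.com", "JP", None, "Tokyo"),
    Activation("kansas-firm", "new@example.com", None, None, None),
]

if __name__ == "__main__":
    for cid, hits in flag_activations(CLIENTS, ACTIVATIONS, "low").items():
        for h in hits:
            print(f"{cid}: [{h['severity']}] {h['user']}: {h['reason']}")
```

Only the "high" findings would warrant a call to the client's main office; "low" and "unknown" findings are kept for context when a client asks why seats are consumed.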

 

Is ENERCALC CPRA compliant with respect to the right to opt out of sharing personal information with third parties?

 

Yes, with exceptions. 

 

Because the definition of “third parties” is imprecise, strict adherence to an opt-out request re: sharing your personal information with third parties presents obstacles that prevent us from doing business with you.

 

Complying 100% with an opt out request means we cannot:

 

Send transactional email to you, such as receipts, password reminders, etc. (more discussion of our use of SAAS vendors for transactional email is provided above)

Mail an invoice to you (we often use cloud-based / API-based mailing services, such as Lob.com)

Use the personal details and credit card info you provide in order to accept funds from you for our services.

Cash your check, since your personal information is on a check that we would physically handle when depositing it, thus sharing it with our bank. 

 

A request of strict adherence to no sharing of your personal information impedes your ability to be an ENERCALC customer. The impracticality of not sharing anything using any non-specific definition of sharing impedes our ability to accept funds from you, properly communicate with you, etc. 

 

While stating these exceptions may seem frivolous, our language must be precise. 

 

Is ENERCALC CPRA compliant with respect to the requirement to inform the public of data breaches?

 

Yes. 

 

The California Consumer Privacy Act (CCPA) clarifies that people can opt out of both the sale and sharing of their personal information to third parties. The California Privacy Rights Act (CPRA) expands this to cover data breaches where the personal information that was exposed includes a username and password.

 

Are ENERCALC websites CCPA compliant?

 
CCPA, the California Consumer Privacy Act, does not apply to ENERCALC. ENERCALC does not sell its clients’ personal data. 

 

The CCPA applies to businesses which: 
 

Have $25 million or more in annual revenue, or

Possess the personal data of more than 50,000 consumers, households, or devices, or

Earn more than half of their annual revenue selling consumers' personal data.

 

These criteria do not describe ENERCALC, LLC.

 

Of the information ENERCALC software collects and stores, what privacy and/or security-related regulatory standards is the information applicable to?

 

Not applicable. For example, ENERCALC does not store credit card information, nor do we store "tokens" for credit cards. We use a credit card vendor (Stripe), a recognized industry expert that is certified in this area and complies with all regulations and certifications required of it in this context.

 

Is the data ENERCALC software collects or stores accessible only to the client? 

 

Yes, with exceptions. 

 

Our staff will at times be required to access this information to:
 

Provide business support to you or those acting on your behalf

Provide technical support to you or those acting on your behalf

Answer engineering-related questions in the context of our software

Diagnose a software problem demonstrated by or related to your data. 

 

No other access is provided to ENERCALC staff.

 

 

Regarding the information collected by ENERCALC software, what mechanisms are in place to prevent access by ENERCALC staff, or anyone else?

 

Access to information of this nature is limited by job scope via security built into our internal customer relationship / information system (CRM) and our subscription management platform. It is otherwise accessible only to systems administrators performing duties that require access. 

 

Regarding the information collected by ENERCALC software, what mechanisms are in place to prevent the loss of or damage to the data?

 

All data is stored in Amazon Web Services (AWS) data centers. We use industry-standard security techniques, redundant copies in different physical locations, and file storage versioning to protect your project file data from loss or damage. AWS security measures, compliance details, and other security-related information can be found at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/

 

Any data stored on the client’s local computer is the responsibility of the client or client’s employer.

 

 

Do you allow system administrators or other support staff to access our company’s data through non-ENERCALC devices?

 

ENERCALC owns 2 developer laptops and 1 support technician desktop.

 

That aside, yes. AWS logging facilities are used to monitor such use, where possible.

 

Encryption and authentication requirements are identical for both company owned devices and non-company devices. Staff members are limited to access only at their home office IP address. 

 
 

Can the data collected and stored by ENERCALC software be accessed via a mobile device application? 

 

No. Our cloud-based application stores data on AWS. An HTML5-capable device can access the cloud application, but not the data other than via the application, which does not run on the mobile device like a typical mobile application. We do not have any capability to manage mobile devices, control which mobile devices use our software (other than "they must support an HTML5 browser"), or impose any other restrictions on mobile devices. These limitations are left to the customer, as we don't offer a true mobile application.

 

Can the data collected and stored by ENERCALC websites be accessed via a mobile device application? 

 

No, with the exception of email, i.e. an ENERCALC team member can read their email on their phone / laptop / tablet. Customer data is not stored on, or even accessible via, tablets or phones.

 

 

What are "hosted storage project files"?

 

Hosted storage is an optional way to share ENERCALC project files between users in different locations - or with yourself. They are stored securely on AWS S3, and are versioned (which means every save is kept, though users can only see the current version of the file).

 

Hosted storage project files are mirrored between two US AWS regions (VA and CA). Our IT team has access to the project files on AWS S3 as is needed to perform their duties. We do not currently purge old projects, since we have no way to know what "old" means - and it may change for each client.

 

There is NO requirement to use our hosted storage feature and it can be disabled on your account in order to prevent your users from placing project files there. Contact our support team if you want to disable your users' access to hosted storage.

 

 

Is customer data stored together with the data of other customers?

 

The following applies ONLY to customers who use "hosted storage" or our cloud application:

 

Project data is stored on S3 in separate objects. While each customer's project data is in S3, customer data is not merged in a single S3 object, nor are S3 objects shared between customers.

 

The project directory for all customers is a single database table, so it is shared, however customer A does not have access to customer B's project file directory (ie: a list of project files and high level metadata like project name).

 

If hosted storage and our cloud application are not used, no customer project data resides on ENERCALC systems.

 

 

Can a single customer or project's data be recovered without impacting the data of other customers?

 

Yes, easily and quickly.

 

 

Do you offer hosting in different geographical regions?

 

Yes, our cloud-based application has supported 7 different AWS regions since early 2022.

 

 

Do you provide failover to non-AWS service providers?

 

No. We have no plans to add Azure, Google Cloud, or other providers to our infrastructure.

 

 

Do you perform business continuity testing?

 

Not formally, no. We're a small 100% always-remote company that's been in business since 1982. We currently have 10 staff members. We are financially sound. We can easily take a "punch" of the nature of a pandemic (we experienced double digit growth in 2020, 2021, and 2022), or (as an example) the 2008 financial crisis. We are always watching macro-economic and industry conditions.

 

Can we restrict the storage of our data to a particular country?

 

No. All data is stored in AWS data centers in the United States.

 

 

Can our customer data be stored in a different location than the data of other customers?

 

Not at this time.

 

Can you describe how backup is handled for cloud-hosted data collected and stored by ENERCALC software?

 

Project files are stored on S3. S3 data is replicated between two AWS data centers in physically distant locations. S3 data is versioned. This means that every time a user saves a project, that file is saved to S3 and all prior saved versions of that file are retained. S3 data is encrypted.

 

SQL databases are backed up daily, with 5-minute rollback intervals. We keep a set of daily backups for two weeks. Weekly backups are kept for a month. Monthly backups are kept indefinitely.

 

Our VMs (EC2 instances) are snapshotted daily. Critical-path EC2 instances are also snapshotted, and are additionally preserved via multiple Amazon Machine Images (AMIs) that exist in multiple AWS regions.

 
Cloud VM images are imaged and backed up, as well as replicated across seven different AWS regions. 

 

 

How are locally stored project files backed up by the ENERCALC software?

 

Backups are primarily the responsibility of the user. However, the software does maintain a user-configurable number of local backup copies. These copies are created when a project file is saved.

 

 

 

What is ENERCALC's data retention policy?

 

ENERCALC has no stated policy on this matter. We have never been asked to provide data to a government entity or court of law. We will respond to those requests on the advice of legal counsel.

 

We do not collect the sort of data that is routinely "purged" or subject to retention policy. Customers do not have any control over this, other than their ability to contact us and request that their hosted storage / cloud-based project data be deleted. If such a request (regarding cloud-based project data) is received, it will be performed. Outside of that, data retained by ENERCALC is not customer provided data, other than basic contact information.

 

Does ENERCALC use offsite backups?

 

Yes, but the data does not leave the AWS infrastructure.

 

 

What is your procedure for restoring cloud-based outages?

 

Cloud-based outages are exceedingly rare. Our API servers are self-healing and experience very little downtime, thanks in part to the fact that they are hosted in 7 different AWS regions. Our API servers are currently being migrated to AWS edge locations. When an outage occurs, our technical team is alerted via email and text message within 1 minute. Our internal notification and monitoring checks take place every 15 seconds in each AWS region.

 

 

 

ENCRYPTION

 

Does your ecommerce platform use industry-standard open-source security / encryption technologies?

 
Yes.

 

 

Do your internal systems use industry-standard open-source security / encryption technologies when communicating?

 

Yes.

 

Will all the data collected and stored by ENERCALC software be stored in encrypted format?

 
Yes. 

 

Will all the data collected and stored by ENERCALC websites be stored in encrypted format?

 
Some is, some is not. Note that we do not store credit card data, health care data, or PII (other than basic contact information). Project data is encrypted. The data that is not yet encrypted is transactional license management and aggregated metrics data and is of use only to ENERCALC. Even that data is encrypted when in transit.

 

Will our company’s data (confidential or otherwise) transferred between our company and ENERCALC systems be transferred in encrypted format? 

 

Yes.

 

 

What policies manage ENERCALC's use of encryption technologies? Is there an Information Security Management Program (ISMP)?

 

No written policy exists. We do not have an ISMP. We are a small company using experienced technical people who use common sense to apply state-of-the-art technologies.

 

 

Is Transport Layer Security (TLS) used by ENERCALC software and other systems?

 

Yes.

 

What level of TLS is currently in production?

 

TLS 1.2 and TLS 1.3.

 

What protocol(s) are used to transfer data?

 

HTTPS.

 

Are system administrators or other support staff able to access our company’s data in an unencrypted state when it is stored on ENERCALC systems?

 

Yes, however that data is stored in an encrypted state. Note that ENERCALC has no "file server", no office network, or similar facility. Our IT assets live at AWS.

 

What methods are used to ensure that unauthorized users cannot intercept the transport of this unencrypted data?

 
Data in transport is always encrypted. We use AWS IAM authentication and AWS EC2 security groups to control access.

 

Does ENERCALC software encrypt data in transit?

 
Yes. Standard HTTPS encryption is used when files are being transported to AWS S3, where that is applicable. When REST API calls are made to our license server, some data necessary to manage licensing is sent to our license manager to assess the availability of a license "seat". This data is not shared and is only used for license management and diagnostic purposes. This information is encrypted using standard HTTPS encryption while in transit.

 

If you are not using our cloud platform and are not using our hosted storage feature, there is no concept of "in transit" that is applicable to our software.

Note: There are other references to encryption in this document. Search for "encrypt".

 

 

What FIPS level does ENERCALC software support?
 

Our software has not been reviewed for adherence to FIPS, however we know it is not compliant with FIPS.

 

ENERCALC has no plans to support FIPS at this time. Our cloud-based software has a login which is not FIPS compliant. Our installed software does not have a login and we have no plans to add login facilities to the installed software.

 

Does ENERCALC software encrypt data at rest?

 
Yes, however this is a "feature" of the b-tree storage mechanism our software development tools use when saving project files (*.EC6 files). This encryption should not be considered secure by any modern definition in this context. We cannot disable this feature as it is "baked in" by our tools vendor.

 

Are ENERCALC encryption keys stored securely?

 

Yes.

 

How are ENERCALC encryption keys protected during generation and disposal?

 

Generation is available only via HTTPS connection to AWS. Disposal is only available via HTTPS connection to AWS.

 

 

SECURITY, SECURITY CERTIFICATIONS, AUDITS, SOC2, ISO

 

Is ENERCALC ISO27001 accredited or certified?

 

No. We have no plans to pursue ISO27001. All of our data center assets are at Amazon Web Services (AWS). You can learn more about AWS security and certifications at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/

 

 

Is ENERCALC SOC 2 certified?

 

No. All of our data center assets are at Amazon Web Services (AWS). You can learn more about AWS security and certifications at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/

 

 

Is a copy of ENERCALC's Information Security Policy available for our review?

 

This document supplies Information Security Policy information. There is no other policy statement available.

 

 

Are security audit reports available?

 

No.

 

Do you conduct internal audits?

Yes, however, the term "internal audits" is vague. Without context and specifics, it has little meaning to a broad group of individuals assessing such systems.

 

Are the results of internal audits available to ENERCALC customers?

No.

 

Do you conduct external audits?

Our financials are audited annually. Our IT systems were reviewed in early 2023 using AWS's Well-Architected Review process, which was done with the help of AWS and DoIT International (an AWS partner). In the view of some, that might constitute an external audit.

 

Are the results of external audits available to ENERCALC customers?

No.

 

Do you have documented change management procedures for IT systems available for review by ENERCALC customers?

 

No.

 

 

Do you provide a formal security awareness training program, including cloud-related access and data management issues to ENERCALC staff members with access to data stored by ENERCALC software or ENERCALC websites?

 

No. 

 

Technical staff with access and/or design authority for these systems have decades of experience in this context and regularly review developing information on these topics. Support and business office staff are advised of our confidentiality and security requirements, which are included in our business process and operations documentation. Security events of importance to the industry are discussed during regular team meetings, and more often as necessary. 

 

Do you have a notification procedure in the event of a breach of security?

 

See the answers to the following 3 questions.

 

How soon after a security incident will clients be notified?

 

ENERCALC, LLC is a Montana corporation. Notifications and the timeline associated with them will comply with the laws of Montana, until that time when a United States breach notification law takes precedence over Montana law on this subject. We have no ability to respond based on individual customer incident response plans.

 

If notification occurs, who will be notified?

 

Each ENERCALC client has a primary account contact, whose contact information is provided by the client. The primary account contact will be contacted.

 

Who else will be notified? 

 

Anyone else we are legally required to notify will be notified, e.g. government entities, partners (as appropriate).

 

 

How do you manage the installation of unauthorized software onto ENERCALC systems?

 

Our server assets reside in several AWS VPCs and in most cases, are not public facing. Our IT staff has access, but no one else does. This access is controlled via credentials, AWS VPCs, and via AWS security groups.

 

Our public facing API servers require API authentication and in most cases, access is limited by IP. ENERCALC does not own most computers used by employees at this time, thus there is little control over those systems. However, the access to ENERCALC IT assets is extremely limited, primarily through custom applications used by our staff (such as a CRM).

 

Public-facing web servers are accessible by our IT staff, and again, such access is controlled via credentials and AWS security groups.

 

We do not offer an API to our customers.

 

We do not allow access to ENERCALC VPCs by our customers.

 

 

Is ENERCALC software FEDRAMP compliant?

 

No.

 

We have never attempted to become FEDRAMP-compliant. 

Is ENERCALC software SOC2 compliant?

 
No. We have never attempted to become SOC2 compliant. We have no plans to do so.

 

 

PENETRATION TESTING, ANTI-VIRUS AND/OR ANTI-MALWARE SCANNING, PHYSICAL SECURITY

 

Are network and application penetration test results of ENERCALC systems available?

No.

 

Do you conduct penetration tests of your data center infrastructure?

We are a 100% remote company and do not have a data center or physical office. 100% of our IT assets are hosted at AWS. We do not pen test AWS.

 

Do you scan your staff's machines? Are the results available?

Yes, of course we scan our own machines (note - these machines are in our homes). This is automated and occurs daily. The results are not available. We do not have the ability to push changes to each user's machine. We don't own most of them. We don't have a network. We don't have a central office. We don't have a traditional file server in a traditional office.

 

Can customers conduct penetration tests against known ENERCALC endpoints?

We can't stop you. AWS might see your test as an attack. We cannot control how they respond.

 

Do you conduct application penetration tests?

No.

 

Do you ensure that security threat detection systems which use signatures, lists or behavioral patterns are updated across all infrastructure components within industry-accepted timeframes?

 

Yes.

 

 

Do you share network capacity data?

 

No. We don't have a network, other than the AWS network.

 

How often do you update virus definitions? 

 

All systems are set to automatic, which deploys updates as soon as they are available.

 

 

How is physical data center security handled?

 

We are an Amazon Web Services (AWS) shop. We do not have in-house servers.
 
Physical data center security information can be found here:
 

https://aws.amazon.com/compliance/data-center/data-centers/ 

https://aws.amazon.com/compliance/data-center/controls/

https://aws.amazon.com/compliance/data-center/perimeter-layer/

SOFTWARE DEVELOPMENT PROCESS / LIFECYCLE

 

 

Is ENERCALC's QA process available to ENERCALC customers?

 

No, however a discussion on the matter is welcome if a customer wishes. We use practices common to modern software development shops: source control, peer code reviews, controlled repositories, feature branching, CI/CD, and so on.

 

 

Can ENERCALC customers access a list of known software issues or incompatibilities?

 

Technical requirements to use our software are documented on our website. Software issues that a customer has reported are available to the customer via our tech support ticketing system. Customers do not have access to ticketing data related to other customers.

 

 

What is your procedure for repairing software bugs?

 

Bugs are tracked, assessed and prioritized by structural engineers and in some cases, company leadership. Some of our developers are structural engineers, some are not. The developers who are not engineers work closely with a practicing engineer to ensure the quality and accuracy of their work. Our developers who are structural engineers also work closely with a practicing engineer to ensure the quality and accuracy of their work.

 

 

Does ENERCALC publish release dates for each build?

The release date is always part of the build number. For example, build 20.21.11.30 was released on November 30, 2021.

 

Does ENERCALC publish end of life dates for each build?

We do not publish end of life dates for our software because they are not applicable to subscription software given that access to any build ends when the subscription is canceled. Of course, if the subscription is renewed, the natural question is - would a still-installed older build be supported?  While it's fine that engineers use older builds of our software, if a support case is opened because of unexpected behavior, we will always attempt to reproduce the behavior on the current build. If this behavior cannot be reproduced on the current build of the software, we will suggest that you update to the current build. We do not patch older builds of the software, which also makes "end of support date" questions moot. 

 

 

Does ENERCALC publish end of support dates for each software build?

 

We do not patch older builds of the software, which also makes "end of support date" questions moot. Users with an active subscription always have access to the current build, so the need to get patches for older builds is eliminated. We understand that organizations sometimes perform acceptance testing on software builds and authorize them for use as such, however we are not positioned to provide patch support for older builds.

 

 

INSTALLED AND CLOUD, SUPPORTED OPERATING SYSTEMS, RUNTIME REQUIREMENTS, DATABASES

Is ENERCALC software available as installed software? 

 

Yes. Our software runs on Windows. You can run it as installed software on the Mac and/or Linux only via the use of a Windows virtual machine (via VMware, Parallels or similar software). Our software will run on Windows 11 ARM on Apple Silicon on VMware or Parallels. Our support team is not versed in Mac topics, so they cannot provide help with those matters.

 

What operating systems does ENERCALC software support?

 

Our installed software runs only on Windows. Our cloud-based platform allows use via any OS that supports an HTML5 browser. We do not support Opera or Internet Explorer, primarily because our cloud infrastructure vendor does not support them.

 

Technical support is available for installed software on the current Windows Pro build (Windows 10 Pro and Windows 11 Pro, at this time), the current Windows Server builds (Windows Server 2019 and Windows Server 2022), and one prior Windows Server build (Windows Server 2016). Our software is not supported on Windows Home since critical required features are missing from the Home editions of Windows.

 

Is ENERCALC software available as “Software as a Service” (SaaS)? 

 

Yes. 

 

Our license allows use of both installed software and cloud-based (SaaS) software. You can choose to use the installed software, or the cloud platform, or both. If you require that access to the cloud platform be disabled, please contact support@enercalc.com.

 

What cloud platform does ENERCALC software run on?

 

Amazon Web Services (AWS), with infrastructure-as-a-service (IaaS) management by Nutanix.

 

Where do ENERCALC cloud services reside? 

 

Our services use the AWS US-West-1 (Northern California) and US-East-1 (Virginia) data centers. Cloud users may also access our SaaS platform via other AWS data centers in Ohio USA, Oregon USA, Frankfurt Germany, Mumbai India, Sydney Australia, and Tokyo Japan. All data collected and stored by ENERCALC software is stored only in US-based AWS data center locations. Users are never forced to use a specific data center and likewise would never be forced to use a data center outside of their country. Since our cloud platform is available from data centers in only 5 countries (7 AWS regions) at this time, you may have to choose not to use the cloud platform if you are required to use software hosted in your country. ALL data is stored in AWS data centers in the United States.

 

 

Does ENERCALC software require a dedicated or specialized database server?

No. No DBMS is used.

 

Are SQL statements embedded in the application source code?

No. Our application does not use SQL on the user's computer.

 

What database engines does ENERCALC software require?

ENERCALC software requires no database software. As such, no database roles are required by the user or installer. No database administration is necessary. No database server authentication is involved. No DBMS is involved. External DBMSs cannot be incorporated into ENERCALC software.

 

Does ENERCALC software offer change control or logging functionality?

No.

 

Does ENERCALC have a wireless network? If so, how is it secured?

ENERCALC doesn't have a physical office, so we don't have a wireless network. We also don't have a traditional file server. All IT assets are hosted by AWS.

 

Are there different editions of ENERCALC software, such as "Basic", "Pro", etc?

Not at this time.

 

Does ENERCALC software communicate over a LAN?

No. ENERCALC project files are used by one person at a time. While they are sometimes stored on a network drive, this is not done for the purpose of simultaneous use, therefore the LAN acts mostly as a large storage drive. ENERCALC software can use a network-attached printer similar to the way most other desktop applications use network-attached printers. That aside, there is no specific network functionality built into our software.

 

Does ENERCALC software communicate over a WAN?

Yes, our software connects with our REST API servers for license management. If our hosted storage capability is used, REST API calls are made directly to AWS S3 using pre-signed URLs. No other WAN functionality is provided.

 

Can we disable access to the ENERCALC cloud platform and/or your hosted storage feature?

 

Yes. Contact support to request this. Disabling these features is a simple change in our CRM.

 

 

Is ENERCALC software available as an open-source application or on a no-fee operating system?

 

No.

 

Does ENERCALC software require a database?

 

No.

 

Does ENERCALC software require any other third-party software in order to operate normally?

 

Windows is the only requirement. Cloud users must have a supported HTML5 browser, such as Google Chrome, Microsoft Edge, Brave, etc. We do not support Opera or Internet Explorer, primarily because our cloud infrastructure vendor does not support them.

 

Does ENERCALC software use any open-source components?

 

Prior to 2022, no.

 

As of 2022, our ENERCALC For Revit (EFR) product uses https://github.com/GregFinzer/Compare-Net-Objects (Compare .Net Objects) and a modified (now in-house) version of https://github.com/harrymattison/VCExtensibleStorageExtension (Revit Extensible Storage Extension). ENERCALC for Revit (EFR) is not a built-in part of SEL. It is an additional cost add-on that requires an active annual SEL subscription.

 

 

Does ENERCALC software contain a web client? Does ENERCALC software connect to a web server?

Yes, our software contains a web client which enables it to connect to our REST API for license management and other needs. No other web client features exist and none are available directly to the user.

 

Does ENERCALC software work without shareware or freeware that must be obtained by the user?

ENERCALC software does not use or require shareware or freeware.

 

Does ENERCALC software use ActiveX, Java, or Flash?

Our software does not use Java or Flash. We do use an OCX (ActiveX) control for the display of detailed 2D drawings.

 

Does ENERCALC software contain business rules that require configuration?

No. ENERCALC contains calculations related to the laws of physics and the properties of construction materials, as well as industry-accepted calculations of other kinds. The user can select which governing codes and industry specifications are used to check their designs.

 

What language is ENERCALC software written in?

Our software is primarily written in Clarion and uses the Clarion compiler. Some of our software is written in C++, and some in C#.

 

What framework is used?

Not applicable.

 

What data architecture is used in the ENERCALC project files?

The project files are simple keyed B-trees. Project files are not SQL-based, primarily because of their compact size and because they do not need to be used simultaneously by multiple users.

 

Is ENERCALC available as a web application?

Not in the traditional sense. Our software can be accessed via an HTML5 browser, but this is a WebSocket-based session to a user-dedicated AWS EC2 instance.

 

Does ENERCALC software work with proxies, firewalls, and other network security infrastructure?

In general, yes. However, there is no guarantee that your security infrastructure is compatible with our software. In most cases it will be, but there will be exceptions. It should be noted that our AWS-hosted assets are also protected by AWS security groups and other AWS security facilities.

 

Does ENERCALC have name service or IP addressing requirements or dependencies?

Other than the necessity of our software's internal web client to reach our public facing HTTPS API servers, no.

 

Does ENERCALC support IPv6?

Not at this time. There is no roadmap in place for this at this time.

 

Does ENERCALC support configuration via Windows Group Policies?

Not directly. You can certainly control access via GPO but our software is not GPO-aware.

 

Does ENERCALC require or use data replication or caching?

Hosted storage project files are mirrored by AWS, but otherwise our desktop application has no features of this type.

 

Does ENERCALC's software have an Export Control Classification Number (ECCN)?

 

No ECCN has been specifically confirmed by or assigned to ENERCALC software by the US Government. That said, "most" software is classified as 4D001. ENERCALC does not claim 4D001 to be the appropriate / correct ECCN for our software.

 

 

What are the server requirements for ENERCALC software?

Aside from deployment on a "terminal server", ENERCALC software is not what one would consider traditional client-server software. It does not require a user to have a server. It is a desktop application and all application work takes place on the desktop. Since users do not simultaneously share the same project file, there are no in-context WAN or distributed use suggestions.

Regarding terminal server, Citrix, and similar systems, the primary requirements you will face are related to the terminal service software itself. Our software has a fairly small footprint. We do not have the staff or expertise to provide operating system specific support, nor support for terminal session management software - and this assistance is not priced into our subscriptions. While we have users running ENERCALC software on Citrix, Nutanix and similar servers, we are not positioned to provide our customers with support related to configuring those platforms. See also "What operating system does ENERCALC software require?"

 

What are the RAM, disk space, and processor requirements for ENERCALC software?

See https://enercalc.com/Products/Specs

 

What operating system does ENERCALC software require?

We support use on the last 2 desktop versions of Windows (currently this includes Windows 10 and Windows 11). We also support use on Microsoft Windows Server versions that are currently supported. We do not support Home versions of the Windows OS due to feature limitations outside of our control. We do not have the staff or expertise to provide OS support and this assistance is not priced into our subscriptions.

 

Is ENERCALC available as mobile software?

No, however you can use the cloud version via iPad or similar devices that include an HTML5 browser capable of using WebSockets. No data resides on the device used to access our software via the cloud.

 

Does ENERCALC provide remote access or messaging capabilities between users?

No.

 

Does ENERCALC support virtualization?

Yes, however there is no code specifically in the software to detect or augment use on a virtualized system. Our cloud instances use Hyper-V because that's what AWS uses for Windows. We use VMware extensively for our internal use (only on a few developer machines), but there is no VMware-sensitive code in the software we deploy.

 

Does ENERCALC software send email?

No, however there are a few functions to open an email in the default email client on the user's computer - primarily for the purpose of requesting technical support.

 

Does ENERCALC software contain a web server?

No.

 

What architecture does the installed ENERCALC software use?

 

ENERCALC software is a Windows-based Win32 multi-document interface (MDI) application. It is not a client-server application. It does utilize REST API calls over HTTPS for license management, update checks, management of hosted storage project files, and similar functionality.

 

 

What architecture does the cloud-based ENERCALC software use?

 

ENERCALC software is a Windows-based Win32 multi-document interface (MDI) application. In the cloud, our installed software is delivered to HTML5 browsers via Dizzion Frame.

 

 

Does ENERCALC software need to be customized for our use?

 

No.

 

 

Does ENERCALC software support open or public-facing APIs to support integration?

 

No.

 

How do you ensure that our users update the software regularly?

 

Our installed software has built-in notifications to advise the user that an update is available. We do not force updates on our clients. Updates are generally available on a monthly basis, though there are exceptions to that from time to time. Our software notifies users in the software of an updated build. In addition, we email the account holder no more than once every 60 days with a list of computers that are running outdated builds of our software. This is done primarily to help our users get new features and fixes as soon as possible.
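As an added example (not ENERCALC's code), the following parses the build-number format described under "Does ENERCALC publish release dates for each build?" and flags installs running builds older than a chosen age, the kind of inventory check an organization could run against its own workstations. It assumes the format is <prefix>.YY.MM.DD with the year in the 2000s; the page only states that 20.21.11.30 means November 30, 2021, so the prefix's meaning and the host names below are constructed.

```python
"""Added example (not ENERCALC code): parse ENERCALC-style build numbers
and report installs running builds older than a chosen number of days.

Assumptions not stated on the page: the build number has the shape
<prefix>.<YY>.<MM>.<DD>, the leading component is an opaque product
prefix, and the two-digit year is in the 2000s. The only documented
sample is 20.21.11.30 = November 30, 2021.
"""
from __future__ import annotations

import re
from datetime import date

# Assumed shape: prefix.YY.MM.DD, with each date part exactly two digits.
_BUILD_RE = re.compile(r"^(?P<prefix>\d+)\.(?P<yy>\d{2})\.(?P<mm>\d{2})\.(?P<dd>\d{2})$")

# The page's own "last updated" date, used as the reference day below.
REFERENCE_DATE = date(2024, 4, 2)


def build_release_date(build: str) -> date:
    """Return the release date encoded in a build number.

    Raises ValueError for strings that do not match the assumed shape or
    that encode an impossible calendar date (e.g. a February 30th).
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build number: {build!r}")
    yy, mm, dd = (int(m.group(k)) for k in ("yy", "mm", "dd"))
    # date() itself rejects out-of-range months and days.
    return date(2000 + yy, mm, dd)


def build_age_days(build: str, today: date) -> int:
    """Days elapsed between the build's release date and `today`."""
    return (today - build_release_date(build)).days


def outdated_installs(inventory: dict[str, str], today: date,
                      max_age_days: int = 90) -> dict[str, int]:
    """Return {host: age_in_days} for every install older than max_age_days.

    Hosts whose build number cannot be parsed are reported with age -1, so
    a malformed or tampered version string is never silently treated as
    current.
    """
    flagged: dict[str, int] = {}
    for host, build in inventory.items():
        try:
            age = build_age_days(build, today)
        except ValueError:
            flagged[host] = -1
            continue
        if age > max_age_days:
            flagged[host] = age
    return flagged


# Constructed sample inventory: host names and every build except
# 20.21.11.30 are made up for this example.
SAMPLE_INVENTORY = {
    "eng-ws-01": "20.21.11.30",  # the build quoted on the page
    "eng-ws-02": "20.24.03.15",  # constructed: a recent build
    "eng-ws-03": "20.23.12.01",  # constructed: an older build
    "eng-ws-04": "20.21.02.30",  # constructed: impossible date
}

if __name__ == "__main__":
    for host, age in sorted(outdated_installs(SAMPLE_INVENTORY, REFERENCE_DATE).items()):
        print(host, "unparseable build" if age < 0 else f"{age} days old")
```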

 

Our cloud software update process is managed by ENERCALC. In general, our cloud software is updated at least monthly. The client has no additional responsibilities in this area, other than using a supported HTML5 browser.

 

 

 

LICENSING, SCALING USAGE

 

How is ENERCALC software licensed?

 

We use a concurrent active user model. We do not use named users. Active installed and active cloud users are treated equally by our license - each active user consumes one of your license "seats". You are welcome to install the software on as many computers as you like - your use is only limited by the number of concurrent active users.

 

Does ENERCALC software automatically scale up and down as requirements change? 

 

Yes, limited only by the client’s currently licensed number of seats.

 

Our clients are welcome to adjust their license count at any time. 

 

Our installed software is installed on a user's computer, therefore scaling is not an issue. Our cloud software provides an AWS EC2 instance (i.e., a VM) for the sole use of the logged-in user during that session. No two users are on the same VM at the same time. Scaling in the cloud is limited only by the scaling capabilities of AWS EC2.

 

Scaling requires no action on the part of the user or the user's IT staff, other than to manage the number of subscribed seats.

 

 

What scaling is possible?

 

Because ENERCALC software does not simultaneously share the data for a project file between users, there is very little limitation on your ability to scale. 

 

Most limitations to scaling are the responsibility of the client (you), such as:
 

Your budget for licenses, users and computers

The number of users you have available 

The number of licenses (seats) you’ve subscribed to

 

If you need to add 100 users of our software, you'll need 100 computers whether using our installed software or the cloud. For purposes of this discussion, HTML5-capable devices can be used to access the cloud software.

 

The addition of 100 or 1000 (etc) users increases ENERCALC’s server loads in a very small way. The impact required to demand adjustments and/or expanded deployment of AWS infrastructure is on the scale of 10,000+ new ENERCALC users in a short amount of time. 

 

What customization is required before using ENERCALC software?

 

None. 

 

ACCESS MANAGEMENT

 

Does ENERCALC automate the review of audit logs?

Only via AWS.

 

How is account control managed in cloud-based ENERCALC software?

Our cloud software is accessed via a single account login. Inactivity results in a disconnected session, which times out a few minutes after disconnection. The timeout process includes deletion of the session; any unsaved data in the session is saved before the session is deleted. There are no administrator / user class designations on the cloud login, as there are no administrative functions in the application.

 

How many invalid login/password combination attempts are allowed in the cloud-based ENERCALC software before the account is disabled?

There is no limit at this time.

 

Is there a provision / feature to display an internal access / licensed use / advisory message from our company after a successful login to the cloud-based ENERCALC software?

No.

 

Is there a provision / feature to display an internal access / licensed use / advisory message from our company after a successful login to the installed ENERCALC software?

The installed software has no login / password feature or controlled access management.  Access control to the software is the responsibility of the licensee.

 

Does ENERCALC software request authentication?

 

The installed software does not ask for authentication. Our cloud platform does require authentication. Account-wide access to the cloud platform can be disabled; please contact support.

 

 

Does ENERCALC’s installed or cloud software support Okta, RSA ACE, or other identity management solutions?

 

No. 

 

Our installed software does not offer a login. 

Our cloud software uses credentials managed by ENERCALC. 

 

Since ENERCALC software uses AWS, how is our connection to AWS managed?

 

Our clients do not connect to AWS via AWS facilities. Our applications leverage assets in AWS data centers via our private, secure API, and via services provided by Nutanix, our cloud desktop-as-a-service provider.

 

Can we host ENERCALC software within our AWS environment? 

 

You can run our installed software on AWS EC2 instances managed by your company, but not for the purpose of sharing the software with users who are not performing work with or on behalf of your company. You may not install our software on a server for the purpose of providing our software as a service. As with locally installed software and our cloud platform, each active user consumes a seat.

 

How do you control access to ENERCALC software in the cloud?

 

We use our own credential setup, in conjunction with the same license management process used for installed software.

 

We do not control how our clients disseminate credentials. If your staff is provided with your cloud credentials, they’ll be able to access our cloud software using your account.

 

Can ENERCALC installed software or cloud users sign on using Single Sign-On (SSO)?

 

No.

 

 

Can ENERCALC staff use SSO?

 

No.

 

 

Does ENERCALC provide role-based security for its software?

 

There is no login process associated with or integrated into our software. Access control to the software is the responsibility of the licensee. If you have access to the software, then you have access to all features of the software.

 

How is account control managed in installed ENERCALC software?

 
Our installed software has no account control, logins, or other access management features. Access control to the software is the responsibility of the licensee.

 

Does ENERCALC maintain audit logs?

Only via AWS.

 

Does the ENERCALC REST API use authentication? If so, how so?

 

ENERCALC REST API access to our servers is authenticated. Access to our servers from the installed software is managed via encrypted signatures. AWS S3 access is secured via common AWS security measures, including "pre-signed URLs" (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html).

 

MISCELLANEOUS 

 

 

How long has ENERCALC software been on the market?

 

ENERCALC was founded in September 1982. 2024 is our 42nd year.

Does ENERCALC offer a contractual SLA? (service level agreement)

 

No.

 

 

Is there insurance coverage for interruptions of service? 

 

No. 

 

Interruptions of service are covered by our license agreement, which is available at https://enercalc.com/PDF/ENERCALC_License_Agreement.pdf

 

Are ENERCALC internal systems and processes documented?

 

Our business processes are documented and updated quarterly. Our internal systems and internal API documentation total over 500 pages and are updated regularly.

Are ENERCALC systems protected against acts of nature (hurricanes, earthquakes, etc), power failures, environmental events, and/or intentional damage or sabotage?

 

100% of our technical infrastructure is hosted at AWS and is situated in multiple AWS regions. AWS's security, certification, and related statements on these subjects are available for your review.

 

How are ENERCALC servers kept up to date? 

 

Each of our servers is updated at least once a month, sometimes more often. We generally give Windows updates two weeks to "set" before we roll out Microsoft updates to our Windows servers. Certificates are checked via an automated daily process.

How is support provided to ENERCALC customers?

 

Technical support is available to active subscribers. Our primary means of providing support is email. Depending on the nature of the support case, phone and/or remote-session support may be used where necessary.