Technical and Organizational Measures / Security Controls
February 25, 2023
Company has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or those otherwise made reasonably available by Company.
- Company’s Information Security Policy establishes a framework of internal standards.
- Designated security team is responsible for the design, implementation and management of policies, standards, baselines, procedures, guidelines, and training programs for privacy and information security for personnel.
- Company authorizes access to information resources, including production systems and customer data, on the principle of least privilege and conducts annual access control reviews.
- Company requires two factor authentication to access sensitive systems and applications including user ID, password, OTP and/or certificate, for authentication, version control systems and infrastructure console, and requires context-aware access control for administrative access.
- Personnel must accept policies addressing security, including Company’s Code of Conduct and Acceptable Use Policy, and must pass a background check prior to commencing employment.
- Company has established formal guidelines for employee passwords to govern the management and use of authentication mechanisms, and requires use of password managers, automatic screensaver locks, hard disk encryption, and other endpoint security measures.
- A version control system helps manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator.
- Company has in place business continuity and incident response plans to effectively respond to a business interruption or security incident to minimize impact to customers.
- Formal risk management processes specify risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances. Company engages a third-party to conduct a risk assessment at least annually
- Company performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy
- Company ensures that all connections to its web application from its users are encrypted using certificated SSL and TLS configurations. Both website and application are reachable exclusively over HTTPS.
- Company stores customer data in databases that are encrypted at rest.
- A key management process (currently via Google Cloud Platform) supports the organization's use of cryptographic techniques.
- Network security
- Production environments run in an isolated Virtual Private Cloud network with only necessary services enabled. External administrative access is mediated through context-aware access control proxies.
- Company uses a load balancer to automatically distribute incoming application traffic across multiple instances and availability zones
- Company uses configurations that ensure only approved networking ports and protocols are implemented. A Web Application Firewall protects the application from outside threats.
- Company tools monitor server CPU use, free storage space, message age and read I/O in Company's databases, servers and messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy
- Company employs enterprise-grade Role-Based Access Control (RBAC), Single-Sign-On (SSO) authentication, and in-product data protection
- Company deletes customer data within 30 days of the customer terminating its contract
- Security team continuously evaluates controls and monitors employee devices, cloud environments, and networks for malicious activity.
- At least annually, the Company conducts a third party vulnerability scan of the production environment.
- Company provides processes for external users and employees to report failures, incidents, and concerns.
- Company maintains active AICPA SOC 2 Type II compliance with an independent auditor.