Encryption key access restricted
Privileged access to encryption keys and key vaults is restricted exclusively to authorized personnel with a defined business need, through PIM (Privileged Identity Management) or PAM (Privileged Access Management).
Account authentication enforced
Strict credential validation is enforced through comprehensive identity verification procedures, including required biometric or token-based MFA and integrated SSO mechanisms for seamless, secure access.
Production application and database access restricted
Privileged access to production applications and databases is restricted exclusively to authorized personnel with a defined business need, through PIM (Privileged Identity Management) or PAM (Privileged Access Management).
Network and Firewall access restricted
Privileged access to the Network and Firewall is restricted exclusively to authorized personnel with a defined business need, through PIM (Privileged Identity Management) or PAM (Privileged Access Management).
Log management utilized
A log management solution is employed to detect events that could potentially impact the ability to meet defined security objectives.
Network and system hardening standards maintained
Network and system hardening standards are documented in alignment with industry best practices and reviewed at least once per year.
Access revoked upon termination
Termination checklists ensure timely revocation of access for employees leaving the organization, in accordance with established SLAs.
Global Access Control enforced
Access from high-risk regions, such as countries on the OFAC sanctions list, is restricted.
Endpoint Detection and Response (EDR) deployed
Endpoint Detection and Response (EDR) solutions are implemented across all endpoints to continuously monitor, detect, investigate, and respond to advanced threats.
Zero Trust Architecture implemented
A Zero Trust security model is followed with implementation of least privilege across network segments. All access requests are continuously verified, validated, and authenticated regardless of source or destination.
Anti-malware technology employed
Anti-malware solutions are deployed to environments susceptible to malicious attacks and installed on all applicable systems and devices; they are kept regularly updated and their logging is maintained.
Portable Devices encrypted
Encryption is enforced on all portable and removable devices when used.
Code of Conduct acknowledged by employees and enforced
Employees are required to acknowledge the code of conduct upon hiring. Violations result in disciplinary actions consistent with disciplinary policy.
NDA acknowledged by employees and contractors
Employees and contractors are required to sign a confidentiality agreement during onboarding.
Password policy enforced
Strong passwords are required and enforced for all devices and systems in accordance with the company's policy.
SSO and MFA utilized
A centralized authentication system is implemented with mandatory SSO integration for all compatible applications, complemented by MFA requirements for all user access attempts.
MDM system utilized
A Mobile Device Management (MDM) solution is used to centrally administer mobile devices used to support the service or access resources.
Security awareness training implemented
Mandatory security and compliance training is conducted at least once a year for every employee.
Employee background checks performed
Background checks are performed on new employees.
SOC 2 Type 2 compliance maintained
SOC 2 Type 2 certification is maintained, demonstrating ongoing adherence to rigorous controls for security, availability, processing integrity, confidentiality, and privacy.
ISO 27001 and 9001 compliance maintained
ISO 27001 and ISO 9001 certifications are maintained to ensure robust information security management and quality management systems.
Data encryption utilized
Datastores housing sensitive customer data are encrypted at rest and in transit, with TLS 1.2+ used for data in transit.
Bug Bounty program employed
A managed bug bounty program involving external researchers is operated.
Secure Development Lifecycle (SDLC)
A secure software development lifecycle is implemented, embedding security controls into each phase from initial design through deployment.
Patch and Update Management
Security patches and updates are provided regularly and promptly applied to products to mitigate newly discovered vulnerabilities.
Incident Response
Incident response procedures are defined specifically to address security events related to products swiftly and effectively.
Customer Notification established
Relevant security advisories, updates, or identified vulnerabilities are promptly communicated to customers with guidance for mitigation or remediation.
Continuity and Disaster Recovery plans established
Business Continuity and Disaster Recovery Plans are maintained, which include defined communication strategies to ensure the continuity of information security if key personnel become unavailable.
Management roles and responsibilities defined
Defined roles and responsibilities are established to oversee the design and implementation of information security controls.
Security policies established and reviewed
Information security policies and procedures are documented and reviewed at least annually.
Risk management program established
A documented risk management program provides guidance on identifying potential threats, assessing the significance of associated risks, and defining appropriate risk mitigation strategies.
System changes externally communicated
Customers are notified of critical system changes that may affect their processing.
Cybersecurity insurance maintained
Cybersecurity insurance is maintained to mitigate the financial impact of business disruptions.
Data retention procedures established
Formal procedures are maintained to ensure secure retention and disposal of company and customer data.
Customer data deleted upon leaving
Customer data containing confidential information is purged or removed in accordance with best practices, contractual obligations, and applicable regulatory requirements when customers discontinue the service.
Data classification policy established
A data classification policy is maintained to ensure confidential data is appropriately protected and access is restricted to authorized personnel.
GDPR Compliance
GDPR compliance is achieved by integrating privacy by design and by default, employing data minimization, encryption, and pseudonymization, adhering to strict data protection laws, and conducting regular audits to confirm compliance with privacy regulations.
EU AI Act Compliance
Compliance with the EU AI Act is achieved by adhering to transparency obligations and classifying AI systems as minimal-risk, ensuring no high-risk activities are performed.
Privacy by Design and Default
Robust privacy measures are integrated into products and services from inception to ensure compliance with international data protection regulations.
Data Leakage Prevention (DLP)
An API is provided to integrate with clients' existing DLP programs, enhancing monitoring and protection of sensitive information such as client identifying data (CID) and personally identifiable information (PII).
AI Policy defined
An AI Policy is defined on how AI systems are procured, used, adapted, offered, and sold within the organisation.
AI Governance Framework established
Appropriate management and control of the AI systems are defined to effectively and systematically oversee the use and sale of AI systems.
ISO 42001 certification maintained
ISO 42001 certification is maintained, demonstrating adherence to international standards for AI management systems and governance.
AI Risk Assessment methodology implemented
A structured AI Risk Assessment methodology is employed to identify, evaluate, and mitigate potential risks associated with AI systems throughout their lifecycle.
AI Performance Benchmarking implemented
Systematic AI benchmarking processes are implemented to automatically evaluate the accuracy of AI systems by comparing generated outputs with human-verified responses.