Regulatory Compliance

ControlStatusCheckmark
Monitoring
Service infrastructure maintainedThe company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.✔️
Production data backups conductedThe company performs periodic backups for production data. Data is backed up to a different location than the production system.✔️
Intrusion detection system utilizedThe company uses an intrusion detection system to provide continuous monitoring of the company’s network and early detection of potential security breaches.✔️
Database replication utilizedThe company’s databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails.✔️
Remote access MFA enforcedThe company’s production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.✔️
Access revoked upon terminationThe company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.✔️
Unique production database authentication enforcedThe company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.✔️
Encryption key access restrictedThe company restricts privileged access to encryption keys to authorized users with a business need.✔️
Production data segmentedThe company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.✔️
Network segmentation implementedThe company’s network is segmented to prevent unauthorized access to customer data.✔️
Firewall access restrictedThe company restricts privileged access to the firewall to authorized users with a business need.✔️
Organizational security
Portable media encryptedThe company encrypts portable and removable media devices when used.✔️
Anti-malware technology utilizedThe company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.✔️
Password policy enforcedThe company requires passwords for in-scope system components to be configured according to the company’s policy.✔️
Security awareness training implementedThe company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.✔️
Confidentiality Agreement acknowledged by contractorsThe company requires contractors to sign a confidentiality agreement at the time of engagement.✔️
Production inventory maintainedThe company maintains a formal inventory of production system assets.✔️
Confidentiality Agreement acknowledged by employeesThe company requires employees to sign a confidentiality agreement during onboarding.✔️
Product security
Data transmission encryptedThe company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.✔️
Vulnerability and system monitoring procedures establishedThe company’s formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management, system monitoring.✔️
Internal security procedures
Vulnerabilities scanned and remediatedHost-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.✔️
Incident response plan testedThe company tests their incident response plan at least annually.✔️
Access requests requiredThe company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.✔️
Production deployment access restrictedThe company restricts access to migrate changes to production to authorized personnel.✔️
Change management procedures enforcedThe company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.✔️
Configuration management system establishedThe company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.✔️
Service description communicatedThe company provides a description of its products and services to internal and external users.✔️
Support system availableThe company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.✔️
Roles and responsibilities specifiedRoles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.✔️
Third-party agreements establishedThe company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.✔️
Cybersecurity insurance maintainedThe company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.✔️
System capacity reviewedThe company evaluates system capacity on an ongoing basis, and system changes are implemented to help ensure that processing capacity can meet demand.✔️
Data and privacy
Privacy policy establishedThe company has a privacy policy is in place that documents and clearly communicates to individuals the extent of personal information collected, the company’s obligations, the individual’s rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.✔️
Customer data deleted upon leaveThe company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.✔️
Privacy compliant procedures establishedThe company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company’s designated tracking system and communicated to the individual.✔️
Privacy policy availableThe company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.✔️
Privacy policy reviewedThe company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.✔️
Privacy policy maintainedThe company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company’s practices and purposes for collecting, processing, handling, and disclosing personal information.✔️