Security Controls
Our comprehensive security controls are organized by category. Each control is actively maintained and regularly assessed to ensure effective operation.
Infrastructure Security
| Control | Description | Status |
|---|---|---|
| Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | active |
| Unique production database authentication enforced | The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key. | active |
| Unique account authentication enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | active |
| Production application access restricted | System access restricted to authorized access only | active |
| Production database access restricted | The company restricts privileged access to databases to authorized users with a business need. | active |
| Production network access restricted | The company restricts privileged access to the production network to authorized users with a business need. | active |
| Unique network system authentication enforced | The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. | active |
| Remote access MFA enforced | The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | active |
| Remote access encrypted enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | active |
| Infrastructure performance monitored | An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. | active |
| Network firewalls utilized | The company uses firewalls and configures them to prevent unauthorized access. | active |
Organizational Security
| Control | Description | Status |
|---|---|---|
| Performance evaluations conducted | The company managers are required to complete performance evaluations for direct reports at least annually. | active |
| MDM system utilized | The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service. | active |
Product Security
| Control | Description | Status |
|---|---|---|
| Data encryption utilized | The company's datastores housing sensitive customer data are encrypted at rest. | active |
| Control self-assessments conducted | The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA. | active |
Internal Security Procedures
| Control | Description | Status |
|---|---|---|
| Cybersecurity insurance maintained | The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions. | active |
| Whistleblower policy established | The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns. | active |
| Board oversight briefings conducted | The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed. | active |
| Board charter documented | The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control. | active |
| Board expertise developed | The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed. | active |
| Board meetings conducted | The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company. | active |
| Support system available | The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | active |
| Company commitments externally communicated | The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS). | active |
| External support resources available | The company provides guidelines and technical support resources relating to system operations to customers. | active |