The list below represents Duda’s Technical and Organizational Measures as of July 29, 2024. Duda reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Company processes in providing its various services. Duda shall take the following technical and organizational security measures to protect personal data:
- Information security governance
  - The company is ISO 27001:2022 certified.
  - The Company has appointed an Information Security manager who reports directly to a Company senior executive.
  - A set of information security policies and standards is documented, approved and regularly maintained.
  - Company has cyber insurance.
  - An Incident Response plan is documented and routinely tested to ensure an effective response and the fastest possible recovery in case of a security incident.

- HR control
  - All company employees undergo routine security awareness training sessions.
  - Background checks for new employees are in use where lawful under local law.
  - Company's employees are committed to compliance with the principles of privacy protection and information security.
  - Employees with access to personal data are subject to confidentiality based on non-disclosure agreements (NDAs) or equivalent clauses.
  - Upon termination, employee access rights are revoked and a reminder of their security obligations is issued.

- Information Security training and awareness
  - Company sets security-related goals as company goals and acts to raise awareness of information security and privacy issues.
  - Periodic security and privacy training and awareness sessions are carried out for all employees.

- Network and cloud security
  - Company's cloud environment is hosted and supported by AWS. For further information regarding physical security, please refer to AWS security controls.
  - Data at rest and in transit is encrypted with industry-grade encryption algorithms.
  - Use of firewalls (both network and application) and authentication systems.
  - Administrative access to cloud infrastructure is secured with strong passwords and 2FA enabled; remote access is via VPN and SSH tunneling.
  - Full segregation of the production network and cloud assets (VPC) from test and dev environments.
  - The use of intrusion detection systems, both network-based (NIDS) and host-based (HIDS).
  - All TCP outbound communication is TLS encrypted.

- Confidentiality of processed personal data
  - Personal data stored and processed by the company is suitably secured according to best business practices commensurate with similar companies in similar industries.
  - Access to client personal data is limited to a need-to-know basis.
  - Strong passwords are enforced; stored passwords are fully hashed and encrypted.
  - Anonymisation/Pseudonymisation of personal and/or sensitive data wherever applicable, in accordance with technical or business needs to provide the service and/or comply with the law.
  - Company will not provide users' PII and/or business data unless proper verification of the identity of the account owner is established.
  - Customer Data will only be stored for as long as Company and the Customer have an active agreement and as long as it serves the purposes for which the data was collected.
  - Secured process for deletion of personal data by the end of the retention period and/or on demand.
  - Subprocessors undergo a vendor information security and privacy review based on the sensitivity of the data and/or the personal data they access, and are required to comply with vendor security requirements.

- Security, Integrity, and availability of processing systems
  - Company laptops are equipped with anti-malware and anti-virus software.
  - Company laptops are equipped with a management solution which enforces the company's laptop security policy.
  - Regular vulnerability scans of open source packages (SCA), code (SAST), web applications (DAST), and cloud infrastructure.
  - Software update process (i.e., patch management) in place to fix identified vulnerabilities in a timely manner in accordance with risk assessment.
  - The use of logging, monitoring, and alerting systems.
  - Advanced systems to mitigate denial of service (DoS/DDoS) attacks.

- Restore systems and data availability in the event of a physical or technical incident
  - The use of high-availability cloud-computing zones in multiple geo-locations.
  - Disaster recovery (DR) procedures are well documented and regularly reviewed and updated.
  - Regular backups are securely stored in a separate cloud environment and can be restored as needed.

- Evaluating the effectiveness of technical and organizational measures
  - Periodic and on-demand penetration tests.