Marfeel Security policy FAQ

1. Does the Vendor ensure data segregation?

Yes, data is logically segregated for each customer. All data access is pre-filtered for the given customer.

2. Does the Vendor have specific role-based access profiles for each role following the principle of least privilege?

Yes, each person has only the privileges needed to do their job, enforced through differentiated access rights (user profiles, roles, transactions and objects).

Also, only system administrators have access to data processing systems.

3. Is the administrator access secured using multiple controls? Explain how the additional controls are implemented.

No.

4. Does the Vendor have a minimum password policy of 12 characters using a passphrase? Explain the reason for using a weaker control.

Yes. Moreover, we prioritize certificate-based authentication wherever possible, disabling passphrase access options where it is used.

5. Does the Vendor undertake regular reviews of access control lists?

Yes, our policy for hiring and dismissal of employees includes the appropriate access reviews.

6. Are Cryptographic controls used for obfuscating authentication credentials if they are stored? Explain how the control is implemented.

Yes, all credentials used by our infrastructure are stored encrypted with strong cryptographic algorithms, using keys held in external key management systems with restricted user access.

7. Are there strict controls over access to data and independent checks to ensure data has not been accessed, manipulated or extracted unless required for a particular task?

Yes, every query run against our data is logged and monitored.

8. Are the Vendor’s employees required to use strong authentication measures to connect to third-party platforms (for example, an identifier and a password and a secret code sent to a phone?)

Yes, we enable MFA wherever it is available.

9. Are systems processing data patched against vulnerabilities using a risk-based approach?

Yes, we monitor all the software we use and apply security updates as soon as they are released.

10. Do systems processing data have the most up-to-date level of antivirus available for the operating system, application, and manufacturer?

No.

11. Does the Vendor use data leakage software to detect loss of data via email HTTP/S and portable media?

Not applicable.

12. Are quarterly vulnerability tests carried out on external-facing IP addresses? Explain the reason for lower frequency.

Yes, but the tests are not yet automated.

13. Is all maintenance of any kind managed through a defined change management process?

Updates are managed via CI/CD tools, using our VCS as the source of truth.

14. Has all software used for processing data been developed against a secure software development standard, that takes into consideration data privacy requirements, by software developers trained in data privacy and the secure development of software?

Yes, all development follows a secure-by-default approach, and all developers have gone through data privacy training.

15. Is the software used for processing data tested for vulnerabilities listed in the OWASP top 10, prior to new releases being operationally implemented?

Yes, but the tests are not yet automated.

16. Does the Vendor assess threats to data security arising from the backup process (from the point of backup creation, through the transit process, to the ultimate place of storage)?

Yes.

17. Is backed-up data transferred by secure internet links if carried out online?

Yes, data is transferred over secure connections.

18. Is physical backed-up data held offsite encrypted?

No, but it is stored in a different location.

19. Is the level of encryption regularly reviewed to ensure it remains appropriate to the current risk environment?

Yes, we use up-to-date algorithms.

20. Are intrusion detection/prevention, anti-virus software and firewalls (including network-level firewalls) in place and kept up to date?

Firewall and network monitoring: yes.

21. Are regular audits of the contents of laptops undertaken to ensure that only staff who are authorized to hold customer data and personal data on their laptops are doing so and that this is for genuine business reasons?

No.

22. Have you implemented technical and organizational measures to prevent unauthorized persons from accessing the data processing systems available in the premises and facilities where Personal Data are processed (including databases, application servers and related hardware)?

We do not have data processing systems in our facilities. All our providers hold certifications, such as ISO 27001, SOC 2 or equivalents, that guarantee an appropriate level of compliance in their facilities.

23. Have you implemented technical and organizational measures in order to make sure that the Personal Data is protected from accidental (physical or logical) destruction or loss? Consider:

  • Back-up procedures: yes
  • Hard disk mirroring process (such as RAID technology): no, because all our systems are replicated
  • Uninterrupted power source (UPS): yes
  • Remote storage: yes
  • Antivirus/firewall systems: yes
  • Disaster recovery plan: no