
Companies trust Crypton every day with their sensitive documents and information. We take your trust seriously.

Crypton is proud to complete its SOC 2 examination with the guidance of third-party audit firm A-LIGN! This comprehensive, globally recognized attestation validates our commitment to critical security standards to protect and secure client data.

Learn more about the people, processes, and technology we use to keep our customers safe.
People

Security and Compliance Leadership
A dedicated security, compliance, and data privacy team works with leadership to ensure the business is properly advised and conducts its operations securely, compliantly, and ethically.

Security Awareness Training and Testing
Onboarding training, quarterly training, ad-hoc training for situational threats, monthly social engineering tests with follow-up action for failures, and an enforced three-strikes policy.

Tabletops
Simulations are conducted for a variety of scenarios to test the business response to business continuity, security, or other potential business-impacting scenarios.

Communications
Internal and external communications standards and channels are clearly defined.

Board Oversight
The board operates under a charter, meets quarterly, and is composed of vetted members with experience in the SaaS and InfoSec space.

Whistleblower
The company’s ethical values encourage accountability.

Cyber Insurance
We maintain multiple coverage types with adequate coverage for business needs, addressing risks such as ransomware, insider threats, and more.

Confidentiality Agreements
Employees are required to execute a confidentiality agreement on day one. Contractors, vendors, and partners are bound by Mutual Non-Disclosure Agreements.

Background Checks
These happen during the hiring process and annually on the anniversary date of the employee.

Role-based Access
Access is controlled based on role, and any privileged access is handled with separate, unique accounts.

Process

Access Reviews
We conduct regular access reviews to ensure our onboarding, offboarding, and change of status processes are effective.

SSDLC
We have a clearly defined secure software development life cycle with separate environments for DEV, QA/TEST, and Production. Releases are controlled, and only designated staff can push to production.

Change Management
A weekly change management process is followed and covers both infrastructure and product.

Vendor Management
Vendor onboarding and offboarding follow a strict vetting process, including annual reviews and questionnaires. Vendors have clearly defined classifications known by the team.

Security Audits
Configuration, process, and other audits are conducted at random intervals to ensure that security and compliance controls are applied consistently.

Standards
Standards for configurations, encryption, and passwords are clearly defined and used.

Controlled and Limited Remote Access
Remote access is permitted only through a multi-layer approach that includes “jump-points”, ACLs, encryption, and unique accounts designated for remote access.

Technology

Continuous External Scanning
Continuous attack-surface scanning identifies risks and vulnerabilities at multiple levels across the business's internet-facing assets.

Pen Testing
Penetration testing happens annually and rotates between pen testers so we always get new eyes, experience, and techniques applied to evaluating product risk.

Encryption
Encryption guidelines are established in policy, and data is encrypted in transit and at rest in ALL places.

EDR
Fully managed on all endpoints and servers.

IAM
Unique general and privileged accounts are used for all access.

SSO
Where available, we use SSO to strengthen authentication.

MFA
If SSO is not available, all other systems require MFA through an approved authenticator app.

ACLs
Access control lists are used throughout the enterprise to limit access to resources where possible.

WAF
Web application firewalls are in place and monitored.

Code Scanning
All code is scanned for source code vulnerabilities using multiple tools.