Threat management

How we protect our infrastructure from a technological standpoint.

| Question | Category | Answer | Detail |
| --- | --- | --- | --- |
| Do you utilize firewalls for your network to prevent unauthorized access? | Firewalls | Yes | EC2 Security Groups function as a virtual firewall; network traffic is restricted to only allowed ports and assets. |
| Do you host firewalls for your staff? | Firewalls | No | SSC does not manage employee networks, as everyone is remote. |
| Do you run any vulnerability scanning on your servers, like an antivirus/antimalware solution? | Vulnerability Scanning | No | Servers are Unix-based and do not require AV/AM for protection. Implementing virus scanning on the data we process is not practical due to real-time needs and scale. |
| Do you have any host- or network-based intrusion detection or prevention on your servers? | Vulnerability Scanning | No | We do not use any signature- or traffic-based detection on our networks to detect threats. |
| Do you harden your servers against malicious attacks? | Server Hardening | Yes | We harden our servers to protect against malicious attacks. |
| Do you perform regular penetration testing of your infrastructure? | Penetration Testing | No | We will likely implement regular penetration testing in 2022 as part of our ISO security initiative project. |
| Do you use endpoint application control technologies to control the execution of programs and applications on servers? | Server Application Control | N/A | Users and employees do not directly run applications on the servers; everything runs as a service, with access restricted to server administrators only. |
| Do you have requirements on your password length and complexity? | Password Security | Yes | Passwords must be at least 6 characters long and include at least one uppercase letter, one lowercase letter, one number, and one special character. |
| What are your Physical Security policies? | Physical Security | N/A | Our servers are hosted by AWS and are subject to their security standards detailed here. |
Compliance

Our current adherence to existing information security and data protection regulations and certifications.

| Regulation | Category | Compliant | Detail |
| --- | --- | --- | --- |
| GDPR, CCPA | EEA | Yes | Mailparser and Docparser are GDPR and CCPA compliant and employ a Data Protection Officer. Customers based in the EEA and in California, US are safe to process their data through our services. |
| PIPEDA | Canada | No | As our servers are based in the United States and cannot yet be used on-premise, we do not conform with PIPEDA's requirement that data be processed in Canada only. |
| HIPAA | US Healthcare | No | We are currently exploring self-certifying to comply with HIPAA. Until then, we are not a good fit for healthcare-related use cases and will not sign a BAA. |
| SAS70, SSAE19, SOC | SOC | No | We do not have any SOC reports available and do not have plans to furnish one in the immediate future. |
| ISO27001 (app) | ISO | No | We are currently undergoing an ISO 27001 review process to cover most facets of the ISO 27001 Annex A controls, many of which are described on this page. |
| ISO27001 (servers) | ISO | Yes | AWS Certification |
Incident Management

How we prepare for and respond to unexpected problems with our service.

| Question | Category | Answer | Detail |
| --- | --- | --- | --- |
| Do you have a Formal Change Management process? | Process / Policy | Yes | Changes are made in a test environment first. We go through both a QA and a Code Review process. All code changes are handled via Git, which makes any problematic code easy to revert or branch. |
| Do you have a Business Continuity Plan? | Process / Policy | No | We have a multitude of policies and practices in place to ensure continuity of our service, but the process has not been consolidated into a single BCP document. We understand this is a need that will be addressed this year. |
| Do you have a Disaster Recovery Plan? | Process / Policy | No | We have a multitude of policies and practices in place to ensure service can be restored within 24 hours in response to severe incidents, but the process has not been consolidated into a single DRP document. We understand this is a need that will be addressed this year. |
| Do you have an Information Security Policy? | Process / Policy | Yes | Standard policies and IS best practices are detailed in the Employee Handbook. |
| Do your employees undergo annual Information Security training? | Process / Policy | No | Organized annual employee training is in the works. Employee training on security policy is always ongoing, but it is sporadic for now. |
| Where is your app hosted? | Hosting Details | AWS US-EAST-1 (N. Virginia) | Our apps are spread across two AWS availability zones based in Virginia. See the AWS Status Center. |
| Can I follow the progress of incident management as it happens? | Incident Tracking | Yes | Mailparser Status Center |
| How many security incidents have you had in the past year? | Track Record | None | No security incidents. |
| Has there been a loss of customer data in the past year? | Track Record | No | Data may fail to be imported into our services, but no customer data that has been stored in our app has ever been unexpectedly lost. |
| Do you have backups stored of your servers? | Backups | Yes | We have two tiers of backups (full database backups and EC2 snapshots) that are taken daily and kept for 7 days. We can recover to any point within that time frame. |
Data

How we protect your information as a data processor.

| Question | Category | Answer | Detail |
| --- | --- | --- | --- |
| What data are you sending us? | Data Processing | PII, billing information, email data | PII required to be a paid customer, and emails with data to be parsed, as covered in our Privacy Policy. |
| Data deletion policy | Data Retention | Yes | We are GDPR compliant and adhere to those regulations for PII. All documents and parsed data are deleted after 30 days by default. This can be set to 0 days so that documents and data are deleted immediately after processing. |
| Data encrypted in transit and at rest | Encryption | Yes | In transit: AES-128. At rest: AES-256. |
| Do you have a data classification policy? | Data Classification | Yes | We have a 5-tiered data classification policy, ranging from non-company-related public data to highly confidential data. |
| Do you capture and securely store user activity logs? | Activity tracking | No | We log the transfer of data through our service but do not yet offer user-specific auditing of behavior in the system. |
Staff / HR

How we select, train and manage our staff.

| Question | Category | Answer | Detail |
| --- | --- | --- | --- |
| Do employees sign a Confidentiality/NDA agreement? | Confidentiality | Yes | Employees sign a confidentiality agreement upon hiring. |
| Do employees sign an IS policy acknowledgment? | Acknowledgment | Yes | The Employee Handbook details InfoSec policies for remote work that new employees must acknowledge and adhere to as part of their employment. |
| Do job descriptions define IS responsibilities? | Acknowledgment | No | |
| Do you do background checks on new hires? | Employee Vetting | Yes | We perform background checks on all new employees. |
| Are access rights specified by job type? | Access Control | Yes | In-app customer data: No; all staff have administrative access to all customer data within the app. Access outside of the app: role-based, with most web tools being managed by the PM and GM. Critical infrastructure and change management: only the engineering team has access to infrastructure and change control. |