Security governance FAQ
Written by Linda Gehrig
Updated over a week ago

Do you have a formal staff on-boarding process covering security and privacy aspects? After on-boarding, do all workforce members undergo security awareness training on a regular basis?

All personnel receive security and privacy training at on-boarding and must complete refresher training annually. In addition, we run continuous phishing simulations and offer self-learning materials. Further role-specific training is offered based on risk.

Do you have a set of written policies, plans and procedures governing information security and privacy? Can you share copies of these?

Yes. Our policies are audited by an independent third party as part of the ISO 27001 and ISO 27701 certification audits. You can access our security kit here, which includes the certificate files and our Information Security Policy; the latter references our other policies.

Are staff members required to sign an NDA?

Yes, this is part of our work contract signing process.

Do you have a policy for managing access to the program source code?

Yes, we have an Access Management Policy, which governs all access management including program source code.

Do you have a formal encryption policy?

Yes, we have an Encryption Policy. All end-user device and server disks must be encrypted, and all traffic must be encrypted, including communications with external systems.

What are your network security practices for your office locations?

Our office networks have no elevated access to production systems; access to production requires a separate VPN connection that terminates in the production data centre (AWS). We employ firewalls, and the Wi-Fi provided in the offices uses WPA2.

What are your network security practices for data center locations?

Production runs in an AWS VPC. Firewalls (security groups) permit only the minimal access required between instances, and operator access is only via VPN.
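The "minimal access between instances, operators only via VPN" posture above is something a customer can ask to see evidenced. The script below is an added example of how such a check can be expressed, not Dealfront's own tooling: it audits security-group ingress rules in the shape returned by EC2 DescribeSecurityGroups and flags administrative ports (SSH/RDP) reachable from anywhere other than an assumed VPN range, plus any allow-all rule. The VPN CIDR, the admin port list and the three sample groups are constructed assumptions for illustration.

```python
"""Audit security-group ingress for a VPN-only operator-access posture.

Added example; not Dealfront's code. The VPN CIDR, admin ports and sample
groups below are constructed assumptions, not values taken from the page.
"""
from ipaddress import ip_network

# Assumption: operators reach production from a VPN concentrator inside
# this range. Anything else hitting an admin port is a finding.
VPN_CIDR = ip_network("10.100.0.0/24")
ADMIN_PORTS = {22, 3389}  # SSH, RDP

# Constructed sample in the shape of DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0001", "GroupName": "app-servers",
        "IpPermissions": [
            # Public HTTPS is expected for an app tier; not an admin port.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # SSH only from the VPN range: compliant.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.100.0.0/24"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0002", "GroupName": "db-servers",
        "IpPermissions": [
            # Database port only from the app tier's group: minimal access.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0001"}]},
            # SSH from the whole internet: violates the VPN-only rule.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0003", "GroupName": "legacy",
        "IpPermissions": [
            # IpProtocol "-1" means all protocols and all ports.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]


def _port_range(perm):
    """Return (low, high) for a permission; '-1' covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _covers_admin_port(perm):
    lo, hi = _port_range(perm)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def audit_group(group):
    """Return a list of findings for one security group.

    Only IPv4 IpRanges are inspected; rules whose source is another
    security group (UserIdGroupPairs) are treated as intra-VPC and skipped.
    """
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            cidr = ip_network(rng["CidrIp"])
            if perm.get("IpProtocol") == "-1":
                findings.append({"group": gid, "issue": "all-traffic",
                                 "cidr": str(cidr)})
            if _covers_admin_port(perm) and not cidr.subnet_of(VPN_CIDR):
                findings.append({"group": gid, "issue": "admin-port-outside-vpn",
                                 "cidr": str(cidr)})
    return findings


def noncompliant_groups(groups):
    """Return the IDs of groups with at least one finding."""
    return [g["GroupId"] for g in groups if audit_group(g)]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        for f in audit_group(g):
            print(f"{f['group']} ({g['GroupName']}): {f['issue']} from {f['cidr']}")
```

Against a real account, replace SAMPLE_GROUPS with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and set VPN_CIDR to the actual VPN egress range; rules sourced from another security group are left alone here because they are exactly the "minimal access between instances" pattern the answer describes.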

Do you have a formal Software Development Life Cycle (SDLC) and Secure Development Policy?

Yes, both are audited by an independent third party as part of the ISO 27001 and ISO 27701 certification audits.

What secure coding guidelines do you follow as part of the application development?

In addition to the Software Development Life Cycle (SDLC) Policy and the Secure Development Policy, we follow the OWASP Top 10 and framework-specific best practices.

What guidelines do you follow for building and maintaining AWS infrastructure?

In addition to hiring only staff who are experts in their AWS field, we follow the AWS Well-Architected Framework guidelines.

Do you outsource any aspect of your security or privacy program?

Yes, our bug bounty program and penetration testing are sourced from HackerOne.

Do you have policies in place to ensure a safe work environment?

Yes, we have work safety policies in accordance with local laws.

Do your workforce members have a way to anonymously report misconduct?

Yes, we employ a whistleblowing solution to report misconduct anonymously.

Do you have a formal vendor assessment policy and process?

Yes, we have a Vendor Management Policy that is audited by an independent third party as part of the ISO certification audits. Furthermore, we vet applications and browser extensions installed on our endpoints.

Do you have a data classification policy?

Yes, we classify information in two ways:

  1. We classify personal / non-personal data in accordance with applicable laws and regulations.

  2. Information, such as documents, is classified as Public, Internal, Confidential or Restricted based on its sensitivity.

--

Questions, comments, feedback? Please let us know by contacting our support team via the chat or by sending us an email at support@dealfront.com.
