Overview

As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?

Restricted (i.e. highly confidential information such as PII, personal identifiable information)

What is the potential impact to your enterprise customer if the data and/or functionality you, as the vendor, are supposed to manage, is compromised?

Moderate

What is your recovery time objective in case of critical failure? (e.g., your DB is deleted)

8 hours

What is your recovery point objective in case of critical failure? (e.g., your DB is deleted)

1 hour

Will your product be a system that your enterprise customer critically depends on?  (e.g., your system is mission critical)

No

Are you also using other third-party services to manage or support your customers?

Yes

Are you hosted only on one of the major cloud providers or do you have any on-premise systems?

Major Cloud Provider

List of core infrastructure and other subprocessors utilized by us all under standard contractual clauses providing services to process information under consent or contractual obligations.

We have a cyber insurance plan providing coverage for security incidents.

Our Data Processing Agreement/Addendum (DPA) is located at (https://thoropass.com/data-processing-addendum/)

We maintain an independent/alternative dispute resolution provider designed to address complaints and provide appropriate recourse free of charge to individuals from an alternative dispute resolution provider based in the U.S.  If you believe your concerns were not addressed by contacting us directly, you can contact The International Centre for Dispute Resolution® (ICDR®) (the international division of the American Arbitration Association® (AAA®)) at https://go.adr.org/privacyshield.html to file a complaint.  You can also file a case by mail or email completing the appropriate Notice of Arbitration Form and forwarding it to the International Centre for Dispute Resolution:

International Centre for Dispute Resolution Case Filing Services

1101 Laurel Oak Road, Suite 100

Voorhees, NJ 08043

United States Phone: +1.212.484.4181

Email box: [email protected]

Thoropass provides the possibility, under certain conditions, for individuals to invoke binding arbitration.

Our Master Subscription Agreement (MSA) is located at (https://thoropass.com/master-subscription-agreement/)

Our Privacy Policy available on our website.

https://thoropass.com/privacy-policy/

We maintain service levels to guarantee the up-time of our product and how we can reach our recovery time objective.

We meet our service obligations with customers as established in our project plans and strive to respond to in-app comments within two (2) business days.

Our Terms of Service are available on our website.

https://thoropass.com/terms-and-conditions/

Our product logs all user activity to enable easy auditing of usage patterns.

Access to and activity on our systems are monitored appropriately, including maintaining audit trails for access as well as activity logs for a minimum of twelve (12) months (or other time period required by applicable law).

We implement and maintain commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of customers’ data as well as the nature of its activities.  We utilize these safeguards to protect the security, confidentiality, and integrity of customers’ data we process or in our possession/control including safeguards to protect the security of our systems and designed to prevent a data breach.

Our product supports data security through encryption, minimum necessary principles, limited data collection, and restricted access.

We ensure our customers’ data is compartmentalized (or otherwise logically distinct from) and in no way commingled with other information of ours (or our personnel, suppliers, customers or other third parties).

We maintain necessary technical and organizational measures to prevent our customer data from being:

• accidentally (or illegally) destroyed, lost or manipulated;
• shared with any third parties;
• subject to unauthorized use or disclosure; or
• being processed contrary to applicable law.

Our application user sessions expire sixty (60) minutes after the last activity.  A warning modal will be presented before the session expires providing the user the ability to extend their session.  If the user does not extend their session, they are redirected to the login page.  Once logged back in, they will return to the page they were previously working on.

Our platform provides monitors, which integrate with the major cloud service providers (CSP) [such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)] and other solutions.  Integrations require consent from the customer and may be somewhat configurable.  We disclose exactly what will be requested from the integration in the in-app wizard.

By design (and for security reasons), access is ‘read-only’ in order to obtain compliance related information for audit purposes.  This access will not change or impact the configurations of the integrated solution.  Generally, only the following access is required for integrations:

• Directory.Read.All
• AuditLog.Read.All
• IdentityProvider.Read.All
• Policy.Read.All

Users can protect their account through integrations with customer’s own multi-factor authentication solutions.

We developed a Compliance-as-a-Service platform (the Thoropass Platform) helping companies establish robust compliance practices and obtain information security certifications.  We are a hybrid software and services solution helping companies design and implement policies, procedures, management practices, and controls in order to prepare for and attain various information security and privacy attestations and certifications (such as SOC 2, ISO 27001, HITRUST, and others). We guide users through the implementation process, support them through the audit process, or perform the audit according to established standards, frameworks, or criteria.

Our platform leverages native services offered by Amazon Web Services (AWS) for hosting and infrastructure as well as tooling to perform critical functions such as backups, logging, and monitoring.

We utilize Google Workspace to provide primary email and document repository services.

We implemented Okta as our identity services provider for customers.  We utilize Rippling for our own internal employees.

Request our network diagram for further details.

Our product offers role-based access control allowing administrators to provision different levels of access.

We maintain a documented access management process to differentiate between regular and privileged account management. Authentication to our systems will require unique passwords and role-based access control, and where applicable, single sign-on (SSO). Multi-factor authentication is used for our privileged users, remote access to our systems, and access to our customer data and confidential information, where applicable.

Our product supports using SSO as the login mechanism for easy enterprise deployments.  User identification and authorization is leveraged through Okta for our customer facing platform.

Our product supports team management capabilities to help administrators manage user needs and permissions.

We will promptly notify our customers of any known (or suspected) material vulnerabilities we discover impacting our systems or our customers’ data.

We perform at least an annual application penetration test from an independent third-party.

We use bot detection to protect our web application from automated login attacks.

All of our code is reviewed and tested prior to deploying into our production environment.  We detect and test for vulnerabilities on components related to source code, dependencies, and infrastructure.  We measure code quality, efficiency, provide context, prioritization, and remediate identified security issues.  We maintain control, suggestions, and report on software dependencies.  We utilize several tools such as Sonarqube, Snyk, and Renovabot to assist in code analysis.

We manage credentials and granular permissions for credentials through an enterprise level password management solution (like 1Password) through vaults.

We manage all secrets using the AWS Key Management Service and rotate keys frequently.

All of our developers are required to participate in secure development training during onboarding and at least annually thereafter.

We take a systematic approach to software development to ensure any changes are reviewed, tested, approved, and communicated to impacted parties.  Prior to deployment of any changes to the production environment, changes are:

• Developed in a development environment segregated from production and customer data IS NOT used for testing;
• Reviewed by peers;
• Tested to confirm changes behave as expected and does not introduce any adverse effects; and
• Approved by authorized team members with appropriate oversight and understanding of business impact.

Most common applications within the Thoropass Production environment are listed within our System Security Plan.  Request access to this report for additional information.

We maintain a formal software development lifecycle.  We follow industry standard secure software development practices (such as Open Web Application Security Project “OWASP”) to develop our software in a secure manner. We maintain an inventory of any open-source code or third-party libraries (collectively, “TPLs”) used in our product and have measures in place for security of the TPLs.

We have controls in place to track and manage changes to software code and configurations. We maintain a documented change management process ensuring proposed changes to our systems (including any applications or software) are validated, authorized, tested in a non-production environment, and approved before deployment.  The process also includes handling emergency changes to our systems.

We continuously monitor for new risks to our systems (both internally and externally) including and without limitation, up-to-date controls to protect all of our systems from malware, ransomware, and unauthorized software.  We utilize vulnerability tools to check our code such as Sonarqube, Snyk, and Renovabot.  We also constantly monitor capacity and performance issues.

We maintain vulnerability management procedures and investigating tools to continuously monitor and remediate our systems for vulnerabilities to include, but not limited to:

• Open ports;
• Misconfigurations;
• Insecure or missing authorization;
• Insecure cryptography;
• Cross-site scripting;
• Code injections; and
• Other vulnerabilities.

Events, which reach a pre-defined threshold, are sent to an alerting console alerting the appropriate party to review and resolve.

We promptly implement all security patches when issued.

We maintain an Amazon Web Services (AWS) Web Application Firewall (WAF) to protect our platform.

We log and monitor all access attempts to our company resources.

Database Access is managed through a single-controlled access point, CloudBeaver Bastion, also providing encrypted communication between external tools (like Mode and Fivetran) and our database (Snowflake).

We obtain certificates of destruction for devices storing any information from vendors performing destruction activities as applicable.

Data Classifications include:

Level 1 – Public Information:  Information not protected from disclosure and if disclosed, will not jeopardize privacy/security of employees, customers, or partners.  Examples of low-sensitive information include information made available to the public via electronic, verbal, or hard copy. ALSO INCLUDES NO INFORMATION BEING SHARED.

Level 2 – Business Confidential Information:  Confidential information intended for business use exempt from public disclosure since disclosure would impact the privacy/security of employees, customers, or partners.  If the information is made available to the public or partners, the information disclosed to external parties must abide by our disclosure policies/procedures.

Level 3 – Sensitive Information:  Extremely sensitive information intended to be used by authorized individuals only.  Typically, this information is exempt from public disclosure.  Users are notified when accessing this data (such as personally identifiable information).

We perform daily backups on the application’s database and replicate critical data to another AWS Region.

We ensure data is synched up across multiple locations and can be retrieved within our recovery time objective if a failure does occur.

We can delete customer data upon request and will ensure the data is erased within a set timeframe.

We apply industry standard data sanitization practices (such as NIST 800-88 Guidelines for Media Sanitization) to our systems to ensure the secure destruction of all our customers’ data as soon as it is no longer required for a valid business purpose. We extend data sanitization to all electronically stored information, paper assets, and other physical media (such as backup tapes or external drives) under our possession and control.

We encrypt all of our data at rest using a generally recognized encryption standard (such as Federal Information Processing Standards (FIPS) 140 compliant encryption – Advanced Encryption Standard (AES)) to include encryption of all Mobile Devices (if applicable), removable media, backup copies, and systems containing (or processing) our customers’ data with a key size of at least 256 bits.  Keys are rotated according to best practices.

We encrypt all of our data in transit using a generally recognized encryption standard to include encryption of all Mobile Devices (if applicable), removable media, backup copies, and systems containing (or processing) our customers’ data with Transport Layer Security (TLS) 1.2 or above utilizing strong encryption.  Keys are rotated according to best practices.

We are a remote first company and have employees all over the world.  Customer data is only stored within the AWS environment with the US.

We abide by our privacy policy, data privacy framework, and data protection agreement as it relates to information disclosure practices.

We abide by our data retention policy concerning any data stored on media.

We restrict removable media within technical controls assigned to laptops.  We maintain only digital data assets of our platform within AWS.

We maintain secure media disposal procedures as necessary.

Physical access is restricted to our office to authorized employees and visitors.  Visitors must be logged and escorted at all times in restricted areas.

We ensure we abide by appropriate sensitive data management processes to ensure sensitive data is not exposed to unauthorized users.

We strive to use or deploy trustworthy AI systems abiding by regulations (such as the EU AI Act), standards (such as NIST AI RMF and ISO 42001), and contractual obligations.

We utilize artificial intelligence (AI) technologies, specifically Google Vertex AI and Azure OpenAI, to enhance and improve our platform and services. The AI models are trained using customer-provided documents, such as policies, procedures, and audit reports, to enable features like automated question answering and relevant information extraction to assist our auditors.

The primary purpose of using AI is to facilitate and assist customers in navigating the compliance process. By training AI models on customer-provided documents, we aim to automate the extraction of relevant information and provide accurate responses to questionnaire items and audit criteria, thereby reducing the manual effort required by our customers and auditors.

By uploading documents to our platform, customers consent to the use of their data for the purpose of improving our services, as outlined in our Privacy Policy, Terms of Service, and Master Subscription Agreement; however, customers may opt-out of having their documents used for AI training by contacting our support team at [email protected].

We are committed to being transparent about our AI use and using our AI models in a fair and unbiased manner. We regularly monitor and assess our AI systems for potential biases or discriminatory outcomes and take appropriate measures to mitigate any identified issues. Any disclosures about any modifications will be made in accordance to applicable law and in a manner balancing transparency with the protection of our intellectual property and confidential information.

We integrate AI risks into existing risk management processes by conducting AI specific risk analysis as well as determining contributing factors to AI risks.  Some AI risks we consider, but not limited to, include:  accuracy, robustness, reliability, privacy, interpretability, safety, and bias.  AI risks are classified according to existing risk levels except for those AI systems considered prohibited (and classified as such) by regulations such as the EU AI Act.  We mitigate risks to an acceptable level.  We leverage the NIST AI RMF when evaluating risks of AI systems to include the following activities:  govern; map; measure; and manage (a subset of measure).

While we strive for accuracy and reliability when using AI-powered features, we acknowledge AI technology is still evolving and may have limitations. Therefore, we provide human oversight and review mechanisms to validate the outputs generated by our AI models. This validation process is to allow for the continuous appropriate use of the AI system’s outputs and to mitigate potential risks. Customers are encouraged to review and approve all AI-generated responses before relying on them for compliance purposes.

We implement robust privacy and security safeguards to protect the data used for AI training and the personal information of our customers. These safeguards include:

• Access controls and strict data access policies based on the principle of least privilege
• Encryption of data in transit and at rest
• Regular security audits and assessments
• Employee training on data privacy and security best practices
• Contracts with sub-processors including data protection obligations

For more information about our privacy and security practices, please refer to this Trust Center.

All AI-related data processing and storage is performed within the Google Vertex AI platform, which is hosted in Google Cloud Platform (GCP) data centers located in the United States and OpenAI, which is hosted in Azure within Microsoft’s data centers located in the United States. Learn more about Google Cloud’s and Azure OpenAI’s Data Processing & Security measures here: https://cloud.google.com/terms/data-processing-addendum and [https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy] (https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy), respectively.  We implement appropriate technical and organizational measures to ensure the security and confidentiality of the data processed by our AI models.

To train our AI models, we use customer-provided documents, which may contain personal information; however, we strive to follow data protection principles with respect to the use of personal data in the training process and encourage our customers to provide sanitized versions of their documents whenever possible. The types of personal data present in these documents may include names, email addresses, phone numbers, addresses, and other employee-related information. Such data is used in accordance with applicable data protection laws and our data governance practices.

We do not develop AI systems, but rather, we are a user of AI systems already developed by other third parties.  We may use (or integrate) these AI systems into our operations, processes, or platform.  We implement accountability structures to ensure appropriate teams and individuals are empowered, responsible, and trained in mapping, measuring, and managing AI risks.  We ensure roles/responsibilities and lines of communication over AI risks are documented and are clear to individuals/teams throughout our organization.  AI risk management training is provided to enable personnel (and partners) to perform their duties/responsibilities consistent with related. policies, procedures, and agreements.

Our Executive Management Team is committed to responsible AI use and implementation of AI systems by ensuring privacy, security, accessibility, and digital safety as required.  Our Executive Management Team:

• Ensures roles and responsibilities of AI governance are established and understood;
• Establishes organizational risk strategy and tolerances with stakeholders;
• Provides knowledge resources/training to foster/promote a culture of continuous ethical AI behavior;
• Approves policies to manage third party AI risk to ensure end-to-end accountability; and
• Understands differences in norms/expectations across countries.

Our Executive Management Team determines if AI is a suitable solution and is ultimately responsible for AI risks and mitigations.  They will assess risk tolerance and approve/accept risks not able to be mitigated to an acceptable level.  They will take responsibility for decisions about risks associated with AI system use and deployment.

We are committed to conducting business in an ethical and compliant manner abiding by all applicable regulations as well as contractual obligations.  Our executive management team requires Thoropass, its employees, and anyone acting on behalf of Thoropass to abide by its policies and all applicable laws in any country where we operate, including specific anti-corruption laws.

The purpose of this Anti-Bribery/Anti-Corruption (ABAC) Policy is to implement requirements to support our compliance with applicable laws relating to bribery and corruption to include, but not limited to, the Foreign Corrupt Practices Act (US) and the Bribery Act (UK).

Anti-corruption laws make it illegal for us (or anyone acting on Thoropass’s behalf) to bribe any person (or entity) to accept a bribe from any person (or entity). We have zero tolerance for any bribery/corruption and will implement training along with internal controls to proactively manage risks of bribery/corruption. We are also required to keep accurate records to maintain proper internal accounting controls.

Our officers, directors, employees, contractors, consultants, agents, (collectively, “employees”), and third-parties are required to abide by applicable laws related to bribery and corruption.

Employees and third-parties MUST NOT provide (or offer to provide) a payment (or other incentive) to anyone in exchange for gaining any sort of improper benefit. Payments or incentives can be items other than money such as gifts, services, job offers, loans, travel expenses, and entertainment. Gifts may be anything of value given (or received) from customers (and others we do business with) as a result of a business relationship for which the recipient does not pay fair market value. Employees and third-parties MUST NOT offer anything of value in an attempt to improperly influence any person in the private/public

sector or government official. In addition, employees and third-parties MUST NOT accept anything of value in order to provide an improper benefit.

We prohibit payments offered to a person in government (or other individual) to secure (or speed up) a government process or decision.

All financial records MUST accurately reflect all transactions by (or behalf of) Thoropass.

We apply environmental, social, and governance (ESG) principles into our business model and operations.  Our board of directors ensures ESG matters are considered in our strategy as well as provide effective governance over ESG.  We performed a step-by-step review abiding by a standardized ESG Oversight Framework to understand the ESG landscape, understand material ESG matters requiring board oversight, determine allocation of oversight responsibilities, conduct an ESG assessment, plan resource requirements, and monitor/report ESG matters to the board.

We have a genuine interest in protecting the integrity of our workplace, but this is only achievable if employees speak up when our integrity might be compromised. Employees are expected to know and comply with our policies and to use their best judgment when reporting any form of fraud (or misconduct). If there is a reasonable basis to believe an employee (or another person related to Thoropass) has violated the law (or organizational policy) or has contributed to unethical behavior, then we strongly encourage employees to speak up.

If an employee is ever told to “keep quiet” about a suspected violation, then it is the employee’s responsibility to report the suspected violation to a ‘Speak Up’ representative and to explicitly include in the report ‘the employee has been asked to keep quiet about the matter’.

If one employee approaches another about potential fraud or non-compliance, that person should be encouraged to use the Speak Up Policy to report their concerns. In case the employee accused of misconduct is in a senior position (or is a reporting staff member), the employee should report the issue to the Data Protection Officer/CISO.

Employees only need to Speak Up and we will investigate for them. Employees do not need to have proof and can be mistaken. By simply holding others accountable within Thoropass, we can avoid financial (or reputational risk) resulting from unreported harmful activity.  By choosing to Speak Up, employees directly contribute to making our workplace more honest, fair, and safe for everyone.

COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, web beacons, and similar technologies to operate our Service and to help collect data, including usage data, identifiers, and device information.

What are cookies and similar technologies?

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our Site (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We may also include web beacons in email messages to tell us if you open and act on them.

How do we and our partners use cookies and similar technologies?

We, and our analytics and advertising partners, use these technologies on our Service to collect information (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use the Service. This information is used to store your preferences and settings, enable you to sign-in, analyze how our Service performs, track your interaction with the Service, develop inferences, show you advertising about the Service after you visit our Website, combat fraud, and fulfill other legitimate purposes.

What controls are available?

ADVERTISING CONTROLS.  Our advertising partners may participate in associations that provide simple ways to opt out of ad targeting, which you can access at:

• United States: Network Advertising Initiative (NAI)(HTTP://optout.networkadvertising.org) and Digital Advertising Alliance (DAA) (HTTP://optout.aboutads.info/)
• Canada: Digital Advertising  Alliance of Canada (HTTPS://youradchoices.ca/)
• Europe: European Digital Advertising Alliance (HTTP://www.youronlinechoices.com/)

These choices are specific to the browser you are using. If you access the Service from other devices or browsers, take these actions from those systems to ensure your choices apply to the data collected when you use those systems.

• BROWSER COOKIE CONTROLS.  Most web browsers are set to accept cookies by default.  If you prefer, you can go to your browser settings to learn how to delete or reject cookies.  If you choose to delete or reject cookies, this could affect certain features or services of our website.  If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
• EMAIL WEB BEACONS.  Most email clients have settings which allow you to prevent the automatic downloading of images, including Web Beacons, which prevents the automatic connection to the web servers that host those images.
• DO NOT TRACK.  Some browsers have incorporated “Do Not Track”  (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked.  Because there is not a common understanding of how to interpret the DNT signal, our Service does not currently respond to browser DNT signals.  Instead, you can use a range of other tools to control data collection and use, including the cookie controls and advertising controls described above.

We will make data breach notifications to impacted customers for any breach of customer information according to regulatory requirements and contractual obligations.

COLLECTION OF PERSONAL INFORMATION

The personal data we collect depends on how you interact with us, the services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly. We collect personal data you provide to us. For example:

• CONTACT INFORMATION. We collect name, username or alias, email address, postal address, phone number, fax number.
• DEMOGRAPHIC AND PREFERENCE DATA. In some cases, such as when you register or participate in surveys, we request that you provide details on your interests, preferences, or other demographic information.
• PAYMENT INFORMATION. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
• CONTENT AND FILES. We collect documents or other files you upload to the Service or otherwise provide to us; and if you send us email messages or other communications, we collect and retain those communications.

Information we collect automatically. When you use our services, we collect some information automatically. For example:

• IDENTIFIERS AND DEVICE INFORMATION. When you access the Service, our web servers automatically log your internet protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookie section, our Service stores and retrieves cookie identifiers and other data.
• GEOLOCATION DATA. Depending on your device and browser settings, we collect geolocation data when you use the Service.
• USAGE DATA. We automatically log your activity on the Service, including the URL of the website from which you came to the Service, pages you viewed, how long you spent on a page, cursor movements, text input, access times, and other details about your use of and actions on the Service.

INFORMATION WE OBTAIN FROM THIRD-PARTY SOURCES. We may receive personal information about you from data brokers, partners, service providers, social networks, including publicly available sources. We may combine this information with other personal information we maintain about you.

When you are asked to provide personal information, you may decline and you may use web browser or operating system controls to prevent certain types of automatic data collection, but if you choose not to provide or allow information that is necessary for the Service, the Service or certain aspects of it may not be available or fully functional.

USE OF PERSONAL INFORMATION

We use the personal data we collect for purposes described here or otherwise disclosed to you. For example, we use each of the categories of personal information for the following purposes:

• PRODUCT AND SERVICE DELIVERY. To provide and deliver our Service, including troubleshooting, improving, and personalizing the services.
• BUSINESS OPERATIONS. To operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.
• PERSONALIZATION. To understand you and your preferences to enhance your experience and enjoyment using the Service.
• CUSTOMER SUPPORT. To provide customer support and respond to your questions.
• COMMUNICATIONS. To send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
• MARKETING. To communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our Services and those of our selected partners.
• ADVERTISING. To display advertising to you.

DISCLOSURE OF PERSONAL INFORMATION

We will disclose your personal information to third parties with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. For example, when you provide payment data to make a purchase, we will share that data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services. In addition, we share each of the categories of personal data described above for the following business purposes:

We may disclose personal information to third-party service providers (e.g., data storage and processing facilities, third-party vendors, consultants) that assist us in our work. We limit the personal information provided to these service providers to that which is reasonably necessary for them to perform their functions.

We may also disclose personal information, including to law enforcement or other government agencies, if we believe that doing so is legally required or is in our interest to protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.

In addition, we may disclose personal information about our users as part of any merger, acquisition, debt financing, sale of company assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which personal information could be transferred to third parties as one of our business assets.

Third-party analytics and advertising companies, acting on our behalf as our service providers, also collect personal information through our Service as described in the Cookies section. For example, we use an analytics tool from FullStory to help us better understand how our Service is used. Likewise, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at: (HTTPS://www.google.com/policies/privacy/partners.)

Finally, we may share de-identified information in accordance with applicable law.

Please note that the Service may contain links to other Websites, products, or services that we do not own or operate. If you choose to visit or use any third-party products or services, please be aware that this Policy will not apply to your activities or any information you disclose while using third-party products or services or otherwise interacting with third parties.

CHOICE & CONTROL OF PERSONAL INFORMATION

ACCESS, CORRECTION, AND DELETION.  You can access, correct, or delete certain personal information you have provided logging into the Service with your account. If you are unable to access certain personal information via your account, you can request access by contacting us [email protected]; however, to the extent permitted by applicable law, we reserve the right to decline requests that are unreasonable or excessive, where providing the data would be prohibited by law or could adversely affect the privacy or other rights of another person, where deleting data would interfere with a legal or business obligation that requires retention of the data, or where we are unable to authenticate you as the person to whom the data relates.

COMMUNICATIONS PREFERENCES.  If you receive commercial email from us, you may unsubscribe at any time by following the instructions contained within the email. You may also opt-out from receiving commercial email from us by sending us an email or by writing to us at [email protected].

CHOICES FOR COOKIES AND SIMILAR TECHNOLOGIES. See the Cookies section for choices about cookies and other analytics and advertising controls.

We have a formally assigned Data Protection Officer (DPO).  The DPO can be contacted at [email protected].

The Data Protection Officer is assigned the following responsibilities:

• developing and implementing our data protection program
• informing and advising us, and our employees who carry out data processing operations, about their obligations under the GDPR and any applicable data protection legal framework or law
• monitoring compliance with the GDPR and any other applicable data protection provisions
• monitoring our strategies for the protection of personal data, including the allocation of responsibilities, awareness-raising, and training of staff involved in the processing operations, and related verifications
• advising with the data protection impact assessment and implementations thereof, pursuant to Art. 35 GDPR
• cooperating with the supervisory authorities and legal services
• acting as a contact point for the supervisory authority on issues related to data processing, including prior consultation on the data protection impact assessment pursuant to Article 36 GDPR and, where appropriate, advising on all other issues
• acting as a contact point for the exercise of data subjects’ rights under articles 12-23 GDPR, and processing their inquiries related to data processing activities
• developing our vDPO services for our customers
• providing data protection training internally and externally (including training materials)
• participating in data protection activities (i.e., work groups, webinars, blogs, etc.)
• advising our customers on any data protection issues

All employees and contracting staff are required to take security awareness and privacy related training during onboarding and annually thereafter.  Additional role based related security and privacy training is provided for employees based on their job duties and responsibilities.

We maintain formal asset management practices to include maintaining a comprehensive asset inventory.

We maintain an asset inventory accurately reflecting our systems used to process our customers’ data to include information systems, cloud services, and relevant infrastructure.  We maintain an accounting of assets when an asset is installed, removed, or updated.

We use Google Workspace with an integrated email gateway to filter out suspicious emails.

All of our employees are provided and must sign for an Employee Handbook providing information on their job expectations.

We have a comprehensive employee training program including in-person training, video training, and a dedicated security portal.  All employees must complete security awareness and privacy training during onboarding and annually thereafter.  Role-based training is provided based on employees’ job responsibilities/duties.

We maintain an awareness and training program for our representatives who may have access to our customers’ data.  This training incorporates and reflects requirements of Data Privacy Laws as well as information security industry standards and best practices (to include, but not limited to:  phishing; social engineering; strong passwords; removable media; and emerging threats/trends).

We maintain human resource security through our human resources department and coordination with security/privacy resources.

We maintain and follow screening procedures and industry standard employment verification requirements for all new employees and contractors hired, including conducting background checks (such as criminal background checks) to the extent permitted by local laws and proof of identity validation, and additional checks deemed necessary.   We periodically validate these requirements and perform rechecks as deemed necessary. We ensure our representatives authorized to process our customer data have committed in writing to maintaining the confidentiality of this data or are under an appropriate statutory obligation of confidentiality.

We have a dedicated incidence response team and plan. More information is available in our Incident Response Policy.

We maintain an insider threat program to help ensure employees are not abusing their access to sensitive data.  We monitor sensitive data activity and train our employees on ‘red flags’ of insider threats. Anyone identifying a violation (or suspected violation) of policies/procedures are required to notify the Data Protection Officer/CISO (or immediate manager).

We perform annual internal assessments to include compliance, risk, and penetration testing activities.  We also have independent auditors perform assessments of our security and privacy processes.

We require employees to use SSO to login into all company resources.

We perform an annual penetration test.  See Penetration Test Report for more information.

We terminate access to any systems (and data) within twenty-four (24) hours of employees leaving the organization.  We require any company issued assets to be returned and notify employees of their obligations to maintain confidentially under their non-disclosure/confidentiality agreements.

We utilize native AWS and Orca Security solutions to provide us Security Operations Center (SOC) capabilities such as alerting, analysis of nefarious behaviors, and ability to block/restrict access.

We maintain a program to ensure any third parties having any access to our systems/data must abide by our security/privacy policies.

We maintain a formal Acceptable Use Policy.  All employees must sign and adhere to the Acceptable Use Policy prior to obtaining access to our information systems and data assets.

We maintain a formal Access Control Policy.  We implement role-based access restrictions on all information systems and data assets.

We maintain a formal Anti-Malicious Software Policy.  All our issued corporate laptops are installed with anti-malicious software (such as Bitdefender), which is monitored and can’t be disabled by the end-user.  Our application utilizes solutions to continuously scan documents and alerts are made if a vulnerability is detected.

We maintain Asset Authorization and Monitoring Policy describing how we authorize and monitor the use of company assets.

We maintain an Asset Management Policy.  We maintain an updated inventory of all assets.

We maintain an Audit and Accountability Policy describing how we maintain audit logs and reviews them for security incidents.

We maintain a Security Awareness Training Policy describing how we educate employees on security best practices.  Our training program also includes privacy, AI, and quality content to name a few additional topic areas covered.

We maintain a Backup Policy.  We synchronize customer data across multiple regions to ensure redundancy and to meet service level agreements.

We maintain a Bring Your Own Device (BYOD) policy describing how employees are restricted from using non-company owned mobile devices to access company data.

We maintain a Business Continuity and Disaster Recovery Policy.  We maintain, document, approve, and review policies and procedures for business continuity and disaster recovery annually.  The business continuity plan ensures the availability and prompt restoration of our customers’ data to include appropriate security measures for backups and networks.

We perform annual Business Continuity and Disaster Recovery testing and mitigate any deficiencies identified.

We maintain a Configuration Management Policy describing how we manage the configurations of company assets.

We maintain a Contingency Planning Policy describing how we plan for and respond to incidents disrupting business operations.

We maintain a Data Sanitization Policy.  We wipe data from storage media when no longer needed or required per regulations (or contractual obligations).

We maintain a Data Security Policy.  See Data Security Card for additional information.

We maintain an Encryption Policy.  We encrypt data at rest and in transit.  See Data Security Card for additional information.

We maintain an Identification and Authentication Policy describing how we verify the identity of users and grant them access to company assets.

We maintain an Incident Response Policy.  Incident Response includes identifying, containing, eradicating, recovering, reporting, performing root cause analysis, and notification as necessary.

We maintain a security incident response plan including mitigation, remediation, customer communication, and a post-incident review in the event of an actual (or suspected) data breach (or other significant security incident).

We utilize our own Thoropass platform as an Integrated Management System (IMS) and compliance solution to organize our compliance as well as demonstrate accountability activities.

We maintain an Information Security Policy.  The Information Security Policy is separated into several specific policies as noted.

We have implemented various methods of internal communication to help employees understand their individual roles/responsibilities and communicate significant events in a timely manner.  We rely on Slack channels to communicate changes or issues with system availability or security.

We communicate with customers and third parties through various web-based conferencing platforms such as Zoom and Microsoft teams.  Communication is conducted on an ‘as needed’ basis based on customer or third-party requests.  Any incidents impacting the security, confidentiality, or privacy of customers’ information are communicated to appropriate third parties in a timely manner.

We maintain a Maintenance Policy describing how we maintain company assets, such as software updates and hardware maintenance.

We maintain a Media Protection Policy describing how we protect company media such as hard drives or USB drives.

We maintain a Network Security Policy.  Our Network Security Policy describes our network security controls used to protect the network, such as hardware firewalls, DNS filtering, and intrusion detection systems.

We maintain a Trade and Sanction Compliance Program Policy available upon request.

We maintain a Password Policy. See https://app.safebase.io/portal?itemUid=af119565-5dc2-4aec-bab6-21f9cf5ae315&source=click for additional information.

We maintain a Personnel Security Policy describing how we screen, train, and manage employees to reduce the risk of insider threats.

We maintain a Physical Security policy.  Physical security controls are in place at our office.

We maintain a Privacy Policy describing how we process personally identifiable information (PII) in compliance with privacy regulations such as the GDPR and CCPA.

We maintain a Planning Policy describing how we plan for security incidents and implement security controls. Request access to our private documents to access our System Security Plan (SSP)

We maintain a Program Management Policy describing how we manage our security program, such as assigning roles and responsibilities.

We maintain a Risk Management Policy.

Security and Risk Governance is led by the Chief Information Security Officer (CISO) and Privacy Risk Governance is the responsibility of the Data Protection Officer (DPO) or representative delegates.

We perform risk assessments and maintain risks on a continuous basis.  We conduct quarterly risk meetings to discuss new risks identified and the status of mitigation activities for current risks.

We maintain a Software Development Lifecycle Policy.  See App Security for additional information.

We maintain a Third Party Risk Management Policy describing how we assess and manage risks associated with third-party vendors.

We maintain a System and Communications Protection Policy describing how we protect our systems and communications from unauthorized access.

We maintain a System and Information Integrity Policy describing how we maintain the integrity of our systems and information.

We maintain a Third Party Personnel Policy.  We perform comprehensive vendor due diligence reviews to include several areas such as OFAC, security, privacy, reputation, and others.

We maintain a compliance program to conduct due diligence and monitor the security and processing activities of sub-processors or subcontractors.  We require sub-processors to implement and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of any customers’ data the sub-processor may process in the course of providing services to us.  We ensure security and data privacy requirements are included in third party contracts and these commitments are reasonably monitored throughout the term of services provided.

We maintain a Vulnerability Management Policy.  See App Security for additional information.

We manage access logs as a critical part of our security program in order to provide a record of who accessed what and when.  Our access logs assist us in compliance, incident response, and general security monitoring

We manage automated account management, where possible, through our SSO solutions to help ensure employees have the right access to the right resources at the right time.

We maintain a Bring Your Own Device (BYOD) policy describing how employees are restricted from using non-company owned mobile devices to access company data.

We will not process any customer personal data without authorization.  Our employees are obligated to maintain the confidentiality of any of our customers’ personal data and this obligation continues even after their engagement with us ends.

We strictly monitor access to customer data and only permit it on an as-needed basis.   We employ least privilege access through various mechanisms, whether group or individual entitlement to systems or data stores.

We ensure we have access controls designed to limit access to our customer’s data to our representatives on a need-to-know basis and only as necessary for the performance of the services under our agreements.  We remove or revoke access within twenty-four (24) hours after the termination of employment, termination (or expiration) of services, or reassignment of duties.  We perform quarterly access reviews for privileged and other accounts having access to our customers’ data or to our systems.

We maintain device locks as a critical feature to ensure devices are secure in the event they are lost or stolen.  When a session is inactive for ten (10) minutes, the device lock will automatically initiate, requiring a user to authenticate themselves in order to access a device (such as a laptop).

We utilize a Single Sign-On (SSO) solution to enable a user to authenticate once and gain access to resources of multiple software systems for internal employees.

We abide by the principle of least privilege limiting user access rights to only what are strictly required to do the user’s job.

We keep detailed logs of all activities on company resources and review logs to identify irregularities as needed.  We utilize tools such as Datadog for logging and to monitor for performance.

We maintain a mobile device management (MDM) solution to manage access to mobile devices.

We utilize a password manager solution to store and manage passwords where applicable.  The solution can help users generate strong passwords and store them securely.

We enforce stringent password security policies and Single Sign-On (SSO) based access for all our employees and users for the platform utilizing a SSO solution.  Multi-Factor Authentication (MFA) is available through integrations with customer owned MFA solutions.

We maintain password management measures requiring, at a minimum, reasonable password complexity and account lockouts after periods of inactivity as well as multiple unsuccessful attempts for all users.  We require all third party-supplied default passwords and other security parameters on any of our systems (or third-party software) be replaced with a unique password prior to processing our customers’ data.

Our password policy is as follows:

Minimum Length: Eight (8) characters for MFA users; Twelve (12) characters for non-MFA users

Complexity: All require lower, upper, number, and symbols.  Passwords can not contain part of username, first name, or last name.

Password Age:  For MFA users, the last four (4) previous passwords can not be used and a password must be used for at least three (3) hours before changing.  For non-MFA, the last fifteen (15) passwords can not be used and a password must be used for at least three (3) hours before changing.  Passwords expire after ninety (90) days (except for accounts with MFA enabled, passwords will expire after one hundred eighty (180) days).

Lockout:  Passwords will lock after ten (10) unsuccessful attempts and accounts will remain locked for sixty (60) minutes.  Lockouts are logged.

Inactivity Session TimeOut: The application maintains an application session time-out of sixty (60) minutes of inactivity for customers utilizing Okta and twenty-four (24) hours for customers using Cognito.  MFA code is required every twenty-four (24) hours within the application, except for users with limited/restricted viewer roles (i.e. view policies/procedures and training content only).

We abide by best practices for privilege escalation in order for users to gain more access to a system than they were initially granted.  We manage this through establishing separate normal user accounts and privilege user accounts, where applicable.  Our MDM solution also requires users to request escalation of their privileges if they are performing an elevated activity on their laptops.

We are a remote first company and provide secure access for remote users to utilize approved resources.

We maintain separation of duties as best security practices distributing tasks and privileges for specific processes among multiple people (or systems) to prevent fraud (or errors).

We maintain session terminations to automatically log a user out of a system after a certain period of inactivity.

We maintain system use notification, where applicable, alerting users when someone logs into their account from a new device (or location).

We maintain status monitoring and notify customers of any issues our platform is encountering.

We host our applications and data on Amazon Web Services (East US Region).

All services in our cloud platform run in a least privileged state and compliance is validated by various tools within the cloud providers platform.  Should a service fall out of compliance, it is immediately alerted for an engineer to review and resolve.

We utilize an anti-DDOS system to provide guaranteed up time for our product.

We perform daily backups on the application’s database and replicate critical data to another AWS Region.

We have a tested and detailed business continuity and disaster recovery plan in the event of a major disruption to one of our key service providers.

We monitor our systems to ensure appropriate capacity is available and leverage the scalability of our AWS environment as needed.

Our platform leverages AWS.  See our sub-processor list for additional information, visit Subprocessors. 

We maintain separate production, release candidate, and development environments within our platform.

We maintain a zero-trust policy architecture.  Access is provided through a single sign-on and multi-factor authentication solution, Okta.

We ensure a secure baseline configuration is established, maintained, and reviewed periodically for all of our systems used to provide secure products (or services) to our customers.

All of our endpoints are centrally managed, including disk encryption, idle session time-out, firewall enabled, USB write blocking and anti-virus / anti-malware is installed.  Our devices are subject to centralized patching.

Our platform leverages AWS Fargate to manage operating systems and hosts.  AWS Fargate utilizes a network time protocol (NTP) server managed by AWS through the AWS shared security model.

https://aws.amazon.com/about-aws/whats-new/2021/09/monitoring-clock-aws-fargate-amazon-ecs/

We maintain completely separate production and development environments to ensure product stability.

Our platform leverages AWS Fargate to manage operating systems and hosts.  AWS Fargate utilizes a network time protocol (NTP) server managed by AWS through the AWS shared security model.

https://aws.amazon.com/about-aws/whats-new/2021/09/monitoring-clock-aws-fargate-amazon-ecs/

We utilize anti-malware solutions (such as BitDefender) to protect computers from malware and other threats.

We use FileVault and BitLocker (as applicable) to encrypt the data on our corporate laptops.

We have implemented a DNS Filtering solution to block access to known malicious websites.  This solution provides automated content filtering and threat detection.

We utilize endpoint detection and response solutions.

We utilize mobile device management (MDM) solutions such as Rippling across Windows and Mac company owned devices, as applicable.

We do not use mobile devices, tablets, personal laptops, or other mobile computing devices (i.e. Mobile Devices) to process our customers’ data without our customers’ prior written consent.  In the event our customer provides consent, we will ensure safeguards are implemented and Mobile Devices will utilize:

• Whole-disk encryption using an industry standard method;
• Automatic locking of the Mobile Device after a period of inactivity of ten (10) minutes or less;
• Password login using at least a six (6)-digit numeric password; and
• Remote-wipe capability in the event of a loss or theft of the Mobile Device.

We restrict the use of portable storage devices.

We leverage integrated software firewalls within mobile devices to monitor and control incoming/outgoing network traffic.

We utilize native AWS solutions, Orca Security, and DNSFilter to provide the ability to detect threats including Advanced Persistent Threats (APTs).

We have a mobile device management (MDM) solution in place to restrict the use of portable storage devices and enforce standard access rights for users on local systems (as opposed to admin rights) if not exempted by the user’s roles/requirements.  We maintain strict policies restricting the sharing or divulging of sensitive or confidential information.  We also implemented a content-filtering and web threat detection solution to prevent the unauthorized use, access, disclosure (or loss) of our customers’ data by email and other means.

We leverage DDoS protection provided by AWS.

We maintain an Amazon Web Services (AWS) Web Application Firewall (WAF) to protect our application platform.

We currently leverage native AWS intrusion detection solution (IDS) and intrusion prevention solution (IPS) and utilize Orca Security to enhance our ability to identify inbound and outbound traffic, which may be of a malicious nature.  Our systems protect our critical infrastructure, data, and vulnerable applications in real-time from known, undisclosed, and unknown vulnerabilities without adversely affecting network performance.

We utilize DataDog and Orca Security as our security information and event management (SIEM) tool to monitor for security events in our infrastructure.

We leverage spoofing protection services offered through Google Workspace.

We control traffic in and out of our AWS environment as well as utilize content filtering solutions on mobile devices through an agent and existing firewall settings.  User traffic is funneled through a managed DNS gateway utilizing a roaming client.

We utilize a private virtual cloud to ensure that all of our computer needs are done in a secured environment, separate from other public cloud tenants.

We mostly operate a remote workforce utilizing cloud based services.  Although we maintain a physical office space, we don’t operate a local network and wireless access is provided to the Internet.  Our wireless access points utilize WPA2 wireless authentication.

We have built out a zero-trust architecture and utilize zero-trust solutions for access to our application.

We classify impact levels based on data classification levels of the data involved in the incident.

We maintain continuous risk management utilizing a baseline risk assessment and performing risk assessments on an ongoing basis.  Risks are reported to the Risk, Quality, and Oversight committee on at least a quarterly basis.

All third-parties are reviewed and approved according to pre-defined criteria to include business justification, security, privacy, quality, AI, and other requirements based on the criticality of the third-party.  Vendor risks are managed according to our risk management processes.

All third-parties are reviewed and approved according to pre-defined criteria to include business justification, security, privacy, quality, AI, and other requirements based on the criticality of the third-party.  Vendor risks are managed according to our risk management processes.

We utilize automated asset inventory solutions where possible.  Where automated solutions aren’t possible, we maintain a written account of hardware and software assets.

We track assets (such as laptops) through automated solutions where possible.  We leverage solutions provided by cloud service providers (such as AWS) to track assets.

We utilize automated asset detection provided by cloud service providers where available.

We map data processed by assets and classify both the assets (and data) based on our classification methodology.

We maintain an IT Asset Management program through our mobile device management (MDM) solution provided by our human resource information system (HRIS).

We securely dispose of assets according to our disposal policy and/or rely on third party providers (such as AWS) to dispose of their managed assets according to their service level agreements.

We designate responsible personnel to handle incident response and maintain an incident response team.

We retain forensic experts as necessary and maintain a forensic retainer with a vetted third party.

We maintain incident reporting procedures and responses as part of its incident response plans.

We maintain a solution to contact employees in an emergency situation or as needed pending certain events occurring.

We rely on the high-availability and redundancy offered by AWS (and other cloud service providers).

We maintain business continuity management policies and procedures.  We rely on the high-availability and redundancy offered by AWS (and other cloud service providers).

We develop and maintain a business continuity plan according to several different standards.

We perform annual contingency plan tests (i.e. tabletop exercises) and implement improvements identified in the after action reports.

We provide and conduct formal contingency training as well as perform annual tabletop exercises.

We maintain continuity and contingency operations plans as part of our business continuity/disaster recovery plans.

We identify critical assets prior to a disaster and address these critical assets through a business impact assessment as part of our business continuity/disaster recovery plans.

We perform data backups according to our data backup schedules.

We develop and maintain a disaster recovery plan, which is exercised at least annually according to standards.

We rely on the high-availability and redundancy offered by AWS (and other cloud service providers).

We conduct annual tabletop exercises.

We maintain a change management program to manage changes to systems.  System changes must be approved prior to deploying into production environments.

All changes must be approved prior to deploying into production environments.

Notifications are made to stakeholders as necessary for changes being implemented into production.

Configuration management processes are implemented to ensure any configuration changes are approved and changes do not impact production environments.

We utilize QA processes as well as automated tools to scan program releases in order to ensure integrity of code.

We perform impact analysis on material changes to our environment including system impact, data impact, privacy impact, and AI impact assessments.

We abide by the principle of least privilege and least functionality where applicable.

We maintain separation of duties between implementers, reviewers/approvers, and auditors.

We maintain a list of approved and unapproved applications and restrict installation to only approved software.

We leverage system hardened images according to standards.

We require employees to complete privacy training within sixty (60) days of hire and annually thereafter.

We perform phishing training as part of security awareness training along with performing routine phishing campaigns.

We provide role-based training to appropriate personnel.

We provide secure development and coding training primarily related to the OWASP top 10.

We require employees to complete security training within sixty (60) days of hire and annually thereafter.

We provide social engineering training as part of our security awareness training.

We maintain a training program to include security, privacy, quality, AI, trade/sanction, secure coding, third party risk management, incident response, and other role-based training topics.

We maintain records of training for all personnel within its learning management solution (LMS).

We are a cloud and remote first company; however, we permit only authorized individuals within leased office spaces.  Access is maintained and monitored. We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company; however, we rely on alarms and surveillance provided by management of space we lease.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company.  Our employees can work wherever access to the Internet is provided.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

Any delivery and loading zones are secured and managed by the building management of the spaces we lease.

Emergency power and lighting is provided by the management of the spaces we lease. We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company; however, we rely on facility component security provided by management of space we lease.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

Our leased facilities maintain fire protection according to local fire codes. We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company; however, we permit only authorized individuals within leased office spaces.  Physical access security is maintained and monitored.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company; however, we rely on power equipment and cabling provided by management of our leased space.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We are a cloud and remote first company; however, we permit only authorized individuals within leased office spaces.  Visitor control is maintained and monitored.  We do NOT manage any data centers or maintain any data of customers within leased office spaces.

We maintain automated alert responses within our environment triggered according to certain criteria.

We utilize our own Thoropass platform to assist in automated compliance monitoring.  We also utilize tooling provided by cloud service offerings (such as AWS) and other SIEM/compliance tools.

We are researching data loss prevention (DLP) systems commensurate with our risk profile.

Thoropass utilizes event and audit log management solutions within its environment.

We utilize file integrity monitoring (FIM) solutions within our environment.

We leverage an Intrusion detection system (IDS) providing alerting capabilities on detected anomalies within our environment.

We continuously review and update monitoring tools to ensure they are effective and up-to-date.

We implement a security information and event management solution (SIEM) within our cloud environment.

We are a cloud and remote first employer; however, we do provide our own wireless access points within our leased office space.  Users must have credentials to access this wireless access network providing Internet access only.  Our wireless system can identify and detect unauthorized devices.

Thoropass.com (A)

https://www.ssllabs.com/ssltest/analyze.html?d=thoropass.com

App.Thoropass.com (A+)

https://www.ssllabs.com/ssltest/analyze.html?d=app.thoropass.com 

Thoropass.com (A)

https://securityheaders.com/?q=thoropass.com&hide=on&followRedirects=on 

App.Thoropass.com (A)

https://securityheaders.com/?q=app.thoropass.com&hide=on&followRedirects=on