By giving you access to all our security and privacy practices on this page and in our Trust Center, we believe you have all the information you need to decide whether yasoon apps are a good fit for your company.
...
Customer Access Requirements/Questions for Login/Account management
Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
...
In general not really applicable: we do not have our own account management. We use Microsoft and Atlassian accounts and inherit all security settings from Atlassian/Microsoft.
Network
Do you operate a VPN that allows remote access to your network?
...
Yes, we have comprehensive logging, including security events, for all relevant services.
Server/Infrastructure
Operating systems currently in use on your servers:
...
We keep the root password in a secure location (e.g., in an envelope in a safe). It is retrieved only when absolutely necessary. Processes are in place to ensure accountability, and the password is changed after every use.
Backups
Do you sync data to a different site in near real time?
...
We shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Client Workstations
Do you have operating system hardening and/or build standards for client systems?
...
No, all operating system versions are supported.
Data Management
Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
...
There are data that are business data, but not used immediately.
Technical security testing (3rd party penetration tests)
Does an independent third party regularly perform penetration tests on all systems used to provide services to customers?
Yes. We run a bug bounty program on Bugcrowd to encourage security researchers to look for vulnerabilities and claim bug bounties. We run pen-tests multiple times per year.
Are you willing to share a management summary of the most recent penetration testing reports?
...
What industry-recognised qualifications and experience are held by the people who undertake your security testing?
Software engineer.
Security at the Office
Are all facilities used exclusively by your company, or are some shared?
...
Staffed reception desk
Guards (shared by entire building)
Motion detectors, Alarms
Electronic access control (e.g., swipe cards)
...
Do you have an auditable process in place for granting and revoking physical access to office facilities? Are physical entry logs kept for at least six months?
Yes and yes.
Do you have a clear desk policy that also requires unattended equipment to be appropriately locked down (e.g., screen lock, securing laptops with a cable, etc.)?
...
All of these are well protected and locked away. Only a few IT employees have physical access to networking equipment.
Asset Management
Are all IT assets recorded in an up-to-date inventory? Please describe how IT assets are recorded (e.g., a central database, Excel spreadsheets, etc.).
...
Do all assets maintained in the inventory have a designated business owner?
Yes.
Personnel Security
Do you have written job descriptions for employees with access to confidential or sensitive information?
Yes.
Do you have processes in place to ensure that access to data is granted solely on a "need-to-know" basis, in accordance with the job descriptions and responsibilities of users? Do these processes also revoke access when the need no longer exists?
...
Are the roles defined in a way that ensures segregation of duties (e.g., ensuring someone raising a change cannot also approve it)?
Yes.
Security Controls
Select the controls you currently maintain as elements of your information security and privacy program:
An external policy or notice to the public, users, or customers, describing how you protect the security and privacy of data
Written internal policies, guidelines, and documented practices for the safe handling and protection of data
Internal audits of the security and privacy program
Third-party audits of the security and privacy program
A risk assessment and risk management process to regularly review the threats your company is exposed to
A program to ensure security in your human resources processes
A process to ensure that your service providers and subcontractors are capable of taking appropriate steps to protect sensitive data and systems
Processes and procedures to ensure that security incidents are discovered in a timely manner and dealt with effectively
A change management process to ensure that all changes to networks, systems, and processes are appropriately reviewed
Audits
How often are internal information security and privacy audits performed?
Quarterly or more often.
Does the scope of your internal assessment include the entire security and privacy program, as well as all operations, services, and systems that involve access to the customer data or systems that are used in this project?
Yes.
How often does an independent third party perform audits of your security and privacy program? (Note: this should not include penetration tests or other technical assessments; rather, it refers to security reviews of your organizational processes, procedures, and policies.)
...