Welcome to our Trust Centre

Auditee helps B2B companies simplify and automate security reviews, streamline vendor assessments and build trust with customers and leads. We take security and transparency very seriously. All of our documentation and policies can be accessed here in our Trust Centre.

security@auditee.io

Controls

Access Management

  • How often are Access Reviews carried out?

    Access reviews are carried out on a quarterly basis, to ensure that any changes to, or revocations of, access are thoroughly checked.

  • What level of employee authentication is required to access sensitive information?

    For systems that contain sensitive or personal data, the company uses controls such as Single Sign-On (SSO) and two-factor authentication (2FA).

  • Is access to tools and data restricted on a need-to-know basis?

    Access to high-impact or live environments, and to any system that holds PII, is granted on a least-privilege basis. A very limited number of employees have such access.

  • Are audit logs kept for any changes made by admins?

    Comprehensive audit logs are kept within the tools used, recording changes made by administrators. Each record includes the type of change, the action taken, who performed it and the timestamp at which it was executed.

  • Do you ensure employees use a password manager?

    As part of our internal password policy, the company requires all employees to use an approved password manager. The password manager also alerts users to potential password risks, to maintain a high level of security at all levels.

  • Is there a secure password policy in-place?

    The company has an internal password policy: all passwords used are strong, kept in a secure location, changed regularly and not reused.

  • Are there methods and processes in place to control access to sensitive information?

    Only certain people within the organization are given access to sensitive information, on a need-to-know basis and only as far as is required for them to perform their job.

Availability & Security Incidents

  • Are there procedures and policies in place for responding and communicating security incidents?

    The company has established procedures and policies for responding to and communicating about security incidents, owned by our Security Team. The severity of a security incident dictates how we respond and how we communicate with our customers. If a security incident does occur, you will be kept updated via our support team.

  • Do you have a dedicated security response team?

    The company monitors its cloud service 24/7 and has a response team on call 24/7 to respond to security incidents. Our hosting provider also provides 24/7 global monitoring and support for the data centers that are used.

  • Do you have any uptime SLAs?

    Uptime SLAs are either part of the plan customers have purchased or part of a separate agreement.

Data & Privacy

  • Are backups conducted for production and customer data?

    Periodic backups are performed for production and customer data. The backups are stored in a separate location.

  • Do you have a viewable cookie policy?

    Yes, a cookie policy is publicly available to view. It outlines the ways in which the company uses cookies for collection, tracking and marketing.

  • What data and information is collected?

    Data and information are collected in accordance with applicable laws and regulations.

  • Is data securely deleted upon customers request?

    Customer data is securely deleted from our data centers and data stores immediately upon request, in accordance with applicable laws and regulations.

  • Do you perform Data Protection Impact Assessments on tools and transfers?

    A Data Protection Impact Assessment (DPIA) is performed for any new tool, for any new transfer, and for any change in circumstances, regulations or location, to ensure compliance with laws, regulations and the company's policies.

  • How often do employees undergo privacy and security training?

    All employees and contractors undergo security awareness training within the first week of employment as part of onboarding, and then continued at least annually.

  • Is there a publically available privacy policy?

    The company has an established privacy policy that is publicly available to view. The policy is reviewed as and when required, to maintain compliance with laws and regulations.

  • Is hardware, no longer in use, securely disposed of?

    Any hardware no longer in use is fully wiped and disposed of using a regulated disposal service, in accordance with ISO 27001.

Disaster Recovery

  • Does the company have a Business Continuity Plan in place?

    A Business Continuity (BC) plan is in place and outlines the processes to follow so that the company can continue to provide the service to customers.

  • Does the company have Cybersecurity Insurance?

    The company maintains up-to-date cybersecurity insurance, to help mitigate any potential financial impact from disruptions to the business.

  • How often do you test your Disaster and Recovery Plan? How is it tested?

    The Disaster Recovery (DR) plan is tested, checked and updated at least annually for its continued applicability and suitability.

  • Do you have a disaster recovery plan in place?

    A Disaster Recovery (DR) plan is in place and outlines the processes to follow, in the event of unplanned incidents, to restore data and infrastructure.

HR Security

  • Are background checks performed on new employees?

    The company performs background checks on all new employees as part of the pre-employment screening process.

  • Do employees and contractors sign confidentiality agreements?

    All new hires are screened during the hiring process and, on commencement of employment, are required to sign a Non-Disclosure and Confidentiality agreement. The obligations under this agreement continue to apply after employment ends.

  • Are there processes in-place for employee onboarding and offboarding?

    The company has processes in place for both onboarding new employees and offboarding outgoing employees. They ensure that the correct access and training are provisioned.

  • Do employees undergo security awareness training?

    All employees and contractors undergo security awareness training within the first week of employment as part of onboarding, and then continued at least annually.

  • Are internal policies signed by employees and contractors?

    All internal policies are agreed to and signed by employees during their onboarding. These policies are reviewed at least annually.

Network Security

  • Do you have an architecture diagram?

    An architecture diagram is available to request on the Trust Center.

  • Is there anything in place to protect from DDoS attacks?

    External tools are used to mitigate Distributed Denial-of-Service (DDoS) attacks and to check logs for anomalies.

  • Do you have a dedicated security team?

    The company's Security Team provides 24/7 monitoring of, and response to, security incidents.

  • Is access to the firewall restricted?

    The company's public-facing network is protected by a firewall that filters all incoming traffic from the internet.

  • Do you regularly scan for vulnerabilities across the network?

    The company regularly runs vulnerability scans across the network, allowing the security team to identify and review any potentially vulnerable systems.

Organizational Security

  • Do you utilise a mobile device management system to centrally manage mobile devices?

    Mobile devices that are used or owned by the company are enrolled in a mobile device management (MDM) system.

  • Are workstations set-up and configured to comply with all security policies?

    As part of onboarding a new employee, their workstation is set up and configured to a high standard and in compliance with all of our security policies.

Physical Security

  • Are your data center facilities secure?

    The company's cloud service data-center provider operates state-of-the-art data centers that are ISO 27001, PCI DSS Level 1, HIPAA, EU-US Privacy Shield and SOC 2 Type II compliant. Automated fire detection and suppression systems are installed in networking, mechanical and infrastructure areas, which are constructed to N+1 redundancy standards.

  • Are the data center premises securely monitored?

    Each data center has a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems and door alarms.

  • Where are the data center servers located?

    Data center locations are as follows:

  • Does the data center have 24/7 on-site security and processes?

    The data center facilities used by the company have 24/7 on-site staff, physical access points to server rooms covered by CCTV, biometric access procedures, and round-the-clock surveillance monitoring to protect against unauthorized entry and physical security breaches.

  • Are the data centers monitored 24/7?

    The company's data center provider conducts 24/7 monitoring of access activities, with electronic intrusion detection systems installed in the data layer. These systems are constantly monitored.

  • Does the data center have backup power fallback options?

    Each data center facility is equipped with an uninterruptible power supply (UPS) and backup generators in case of power disruption.