Security & Compliance

1. People Security

• All employees have security training, password manager, 20 security policies aligned to SOC 2.
• Access to customer information is granted based on the least privilege principle, and limited sensitive data is processed. For more information, check out Software Secured’s privacy policy.
• Secure access to the office.
• Background checks are conducted on all employees.

2. Access and Identity

Permissions and authentication
Software Secured aligns policies, processes, and internal security controls to ensure that only those who need access to critical services have access to them. Software Secured has complex password requirements and leverage OAuth for customer authentication.

Access Tracking
Software Secured aligns to least privilege for access controls and conduct Annual Access Reviews.

3. Product Security

• Customer data is physically separated, each customer has their own separate database.
• Software Secured encrypts customer data at rest using rotating key schedule.
• Software Secured uses RBAC to ensure important information is seen by the appropriate people.
• Portal session timeout after 30 mins of idle, reducing risk of attackers hijacking the session as per OWASP recommendation.
• All code is peer reviewed before pushed to development.
• Software Secured encrypts all communication between applications and services in transit and at rest.
• Software Secured has physical and logical separation of prod, staging, dev; each environment uses different servers.
• Developers don't have access to production environments.
• Software Secured uses a VPN for staging environment.
• Databases are backed up offsite in an encrypted format.
• Client data is maintained for 2 yrs unless otherwise requested.

4. Vulnerability Management

• Software Secured runs static code analysis tools on code continuously + software composition analysis (checking for vulnerable libraries)
• Software Secured conducts quarterly pentesting, and any potential vulnerabilities found are remediated within our vulnerability management SLAs and retested.
• Regular security code reviews in place.
• Anti virus protection is in place.
• WAF in place.
• Intrusion detection and firewall in place.
• View our Portal Secure Engineering Policy.

5. Risk Management

• Software Secured ensures vendors have appropriate security controls in place to handle customer and organization data, reviewing thorough security questionnaires and reports.
• View Portal Terms and Conditions for Portal vendors.
• Cloud security monitoring (IDS) is in place.
• Incident response plan is simulated annually.
• Risk management plan mapped to SOC 2 controls.
• Software Secured conducts an annual business continuity plan in addition to a disaster recovery plan.
• Responsible ethical disclosure policies in place and available on our website.
• View Portal Privacy Policy.

6. Compliance

SOC 2 Compliance
Software Secured recently issued our SOC 2 Type 1 Report which provides an external audit that demonstrates we are meeting the security commitments we have made to our customers.

Last Updated: Nov 21, 2023