Information Security and Privacy Overview

Last updated: July 2022

Introduction

Veriforce is committed to ensuring the confidentiality, integrity, and availability of your data. We have implemented international standards such as ISO 27001 and SOC2 to demonstrate that commitment. These standards require regular auditing from third parties to ensure we remain compliant. Our dedicated Compliance & Risk-, Engineering- and HR teams ensure compliance with the security and privacy programmes.

Terms and Definitions

ISMS - Information Security Management System
ISO - International Organization for Standardization
SOC - Service and Organization Controls

Cloud Datacenter Security

Veriforce’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider, located in Canada.

Physical Security

All physical office spaces require badge access and are located in buildings with dedicated security services, including camera surveillance. Additional security controls are in place for server and networking areas. Badge issuing and returns are managed by our HR department.

All visitors are signed in and out by their host and are always accompanied by a company representative. Visitors are only allowed at the shared areas such as boardrooms and meeting rooms. Physical access logs are reviewed every 90 days.

Data Protection

Data is encrypted both at rest and in transit using industry-leading encryption standards. Encryption keys for web applications are managed by AWS and locally managed for databases and local networks. Encryption key lifecycle management processes exist and keys are rotated at a minimum of every two years.

Endpoint Security

All employees are required to use company-issued laptops. Laptops are encrypted and equipped with antivirus solutions. Technical controls prevent tampering with security software and removable media drives are disabled. No unauthorised software may be installed and employees do not have the admin rights to change security settings on company devices. Password complexity and max validity period protocols are in place.

Network Security

All network gateways are protected by firewalls and WAFS. Network Intrusion Detection System and Intrusion Prevention Systems (IDS/IPS) monitor all traffic for signs of intrusion, malicious software, and network abuse. Logging and monitoring of activity takes place with the assistance of expert 24/7 third party Managed Security Provider, and event escalation protocols are in place.

Vulnerability scanning is performed on a continuous basis and penetration testing is performed annually by a qualified third party. Security concerns identified in scans and testing are resolved and patches are applied monthly. Wifi networks (including employee home networks) use WAP2 encryption. MFA is enforced for all main systems.

Email

Veriforce has adopted industry best practice in email security management via a cloud based solution that scans and monitors emails for threats and malware. All employees are trained on email security when onboarding and regular security refresher training is provided. Regular simulated phishing campaigns are conducted and additional training provided to any employees who fail the test. Employees may only use work email for work related matters. A bounty system with a reward programme is implemented for employees reporting suspect emails.

Access Management

All employees are required to undergo background checks prior to onboarding. As part of onboarding employees are required to agree to the company code-of-conduct and confidentiality agreements. Employees also complete information security awareness training and data privacy training within 30 days of hire. Additional mandatory security awareness training courses are assigned each month and tracked to completion.

Veriforce follows a strict provisioning- and deprovisioning process that enforces segregation of access requests, modifications, and termination. All requests are tracked to completion and all termination requests are completed within 24-hours.

Employee physical and network access are monitored and access logs are reviewed quarterly. Regular access reviews are conducted by managers to ensure all employees operate on least privileged user roles. Veriforce has a hybrid work schedule allowing all employees to work remotely part time and designated employees to work remotely full time. A Work from Home Policy has been established ensuring all staff abide with certain minimum criteria to ensure security and data protection are in place.

Software Development - Secure Lifecycle

The Veriforce Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platforms’s planning, development, and release processes. We are externally audited, annually, against the SOC2 standard and the resulting SOC2 Type II audit reports are available.

Incident Response Management

Veriforce has an Incident Response Procedure that addresses different types of incidents. The Incident response plan is updated and tested regularly. Veriforce has access to an expert Forensics and Legal team to assist with incident management and resolution. Incident response roles and responsibilities are clearly defined. All incidents are logged and tracked to completion. Incident response includes root cause analysis for all incidents and notification procedures to alert affected customers in the instance of a breach.

Business Continuity and Disaster Recovery

Veriforce has formal Business Continuity and Disaster Recovery procedures that are updated regularly. Disaster recovery procedures include a range of scenarios including natural disasters and pandemics. Business Continuity and Disaster Recovery testing are conducted annually.

Backup and Restore Capabilities

Veriforce has a formal backup schedule, including daily incremental backups and full backups performed weekly. Backups are encrypted and stored off site to ensure availability and security. Backups are also regularly tested to ensure integrity.

Cyber Insurance

Veriforce is adequately insured to mitigate Cyber Security incidents and closely work with insurance carriers to meet their pre-conditions and requirements for providing cover.

Vendor Management

Veriforce has implemented a Vendor Management Procedure and performs risk assessments on all new and existing vendors to ensure the vendors meet the information security and privacy requirements of Veriforce. Contracts and DPA’s (where required) are in place. A list of all vendors and third parties that are engaged in data sub-processing is kept updated and are available to clients.

Sub processor	Purpose of processing	Data location
AWS	Infrastructure hosting	Canada
Asana	Project management	USA
Marker	Webinar tool	USA
Celeritas Tech	IT support	Canada
ComplyWorks South Africa	Customer support services	South Africa
Constant Contact	Marketing and communications with contractors	USA
Elavon	Credit card payment processing	Canada and USA
Google Translate	Translation of live chat communications	USA
Google Workspace	Data management	USA
GitLab	Internal communication	USA
Netsuite	Accounting software	USA
Pendo	Project management	USA
Ring Central	Call center support	USA
Salesforce & Marketing Cloud	Customer relationship management (stored in Canada, accessed from Canada and USA)	Canada and USA
Showpad	Sales Enablement Platform	Belgium
Slack	Internal communication	USA
Totango	Data Analytics	USA
Veriforce	Customer support activities	USA
Wordpress	Website customer engagement	USA
Zendesk	Customer support	USA