Information Security and Privacy Overview

As the premier Supply Chain Risk and Performance Network, the confidentiality, integrity, and availability of your data are of utmost importance to us. We help you stay ahead of risk. We help your business run more safely and effectively. We optimize performance. And we do it better than anyone else in the world.

Last updated: November 2021

Introduction

Veriforce is committed to ensuring the confidentiality, integrity, and availability of your data. We have implemented international standards such as ISO 27001 and SOC2 to demonstrate that commitment. These standards require regular auditing by third parties to ensure we remain compliant. Our dedicated Compliance & Risk, Engineering, and HR teams ensure compliance with the security and privacy programmes.

Terms and Definitions

ISMS - Information Security Management System
ISO - International Organization for Standardization
SOC - Service and Organization Controls

Cloud Datacenter Security

Veriforce’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider, located in Canada.

Physical Security

All physical office spaces require badge access and are located in buildings with dedicated security services, including camera surveillance. Additional security controls are in place for server and networking areas. Badge issuing and returns are managed by our HR department.

All visitors are signed in and out by their host and are always accompanied by a company representative. Visitors are only allowed in shared areas such as boardrooms and meeting rooms. Physical access logs are reviewed every 90 days.

Data Protection

Data is encrypted both at rest and in transit using industry-leading encryption standards. Encryption keys for web applications are managed by AWS; keys for databases and local networks are managed locally. Encryption key lifecycle management processes exist and keys are rotated at least every two years.

Endpoint Security

All employees are required to use company-issued laptops. Laptops are encrypted and equipped with antivirus solutions. Technical controls prevent tampering with security software, and removable media drives are disabled. No unauthorised software may be installed, and employees do not have the admin rights to change security settings on company devices. Password complexity and maximum validity period requirements are in place.

Network Security

All network gateways are protected by firewalls and web application firewalls (WAFs). Network intrusion detection and intrusion prevention systems (IDS/IPS) monitor all traffic for signs of intrusion, malicious software, and network abuse. Logging and monitoring of activity takes place with the assistance of an expert 24/7 third-party managed security provider, and event escalation protocols are in place.

Vulnerability scanning is performed on a continuous basis, and penetration testing is performed annually by a qualified third party. Security concerns identified in scans and testing are resolved, and patches are applied monthly. Wi-Fi networks (including employee home networks) use WPA2 encryption.

Email

Veriforce has adopted industry best practice in email security management via a cloud-based solution that scans and monitors emails for threats and malware. All employees are trained on email security during onboarding, and regular security refresher training is provided. Regular simulated phishing campaigns are conducted, and additional training is provided to any employees who fail the test. Employees may only use work email for work-related matters. A bounty system with a reward programme is in place for employees who report suspect emails.

Access Management

All employees are required to undergo background checks prior to onboarding. As part of onboarding, employees are required to agree to the company code of conduct and confidentiality agreements. Employees also complete information security awareness training and data privacy training within 30 days of hire. Additional mandatory security awareness training courses are assigned each month and tracked to completion.

Veriforce follows a strict provisioning and deprovisioning process that enforces segregation of access requests, modifications, and terminations. All requests are tracked to completion, and all termination requests are completed within 24 hours.

Employee physical and network access are monitored, and access logs are reviewed quarterly. Regular access reviews are conducted by managers to ensure all employees operate with least-privilege user roles. Veriforce has a hybrid work schedule allowing all employees to work remotely part time and designated employees to work remotely full time. A Work from Home Policy has been established to ensure all staff abide by minimum criteria for security and data protection.

Software Development - Secure Lifecycle

The Veriforce Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platform's planning, development, and release processes. We are externally audited annually against the SOC2 standard, and the resulting SOC2 Type II audit reports are available.

Incident Response Management

Veriforce has an Incident Response Procedure that addresses different types of incidents. The incident response plan is updated and tested regularly. Veriforce has access to an expert forensics and legal team to assist with incident management and resolution. Incident response roles and responsibilities are clearly defined. All incidents are logged and tracked to completion. Incident response includes root cause analysis for all incidents and notification procedures to alert affected customers in the event of a breach.

Business Continuity and Disaster Recovery

Veriforce has formal Business Continuity and Disaster Recovery procedures that are updated regularly. Disaster recovery procedures cover a range of scenarios, including natural disasters and pandemics. Business Continuity and Disaster Recovery testing is conducted annually.

Backup and Restore Capabilities

Veriforce has a formal backup schedule, including daily incremental backups and weekly full backups. Backups are encrypted and stored off site to ensure availability and security. Backups are also regularly tested to ensure integrity.

Cyber Insurance

Veriforce is adequately insured to mitigate cyber security incidents and works closely with insurance carriers to meet their pre-conditions and requirements for providing cover.

Vendor Management

Veriforce has implemented a Vendor Management Procedure and performs risk assessments on all new and existing vendors to ensure they meet the information security and privacy requirements of Veriforce. Contracts and DPAs (where required) are in place. A list of all vendors and third parties engaged in data sub-processing is kept up to date and is available to clients.

Sub-processor                  | Purpose of processing                           | Data location
-------------------------------|-------------------------------------------------|------------------------------------------------------------
AWS                            | Infrastructure hosting                          | Canada
Asana                          | Project management                              | USA
Marker                         | Webinar tool                                    | USA
Celeritas Tech                 | IT support                                      | Canada
Constant Contact               | Marketing and communications with contractors   | USA
Elavon                         | Credit card payment processing                  | Canada and USA
Google Translate               | Translation of live chat communications         | USA
Google Workspace               | Data management                                 | USA
GitLab                         | Internal communication                          | USA
Netsuite                       | Accounting software                             | USA
Ring Central                   | Call center support                             | USA
Salesforce & Marketing Cloud   | Customer relationship management                | Canada and USA (stored in Canada, accessed from Canada and USA)
Slack                          | Internal communication                          | USA
Strikedeck                     | Data analytics                                  | USA
Wordpress                      | Website customer engagement                     | USA
Zendesk                        | Customer support                                | USA

Data Privacy

Veriforce is a processor and not a controller of client data. Veriforce only processes data on instruction from clients and processes the data as per the contractual agreement with the client. Veriforce will never sell, distribute, or otherwise make available private or client data. Veriforce has implemented a Global Data Privacy Programme that is rolled out across all operations and has been designed to comply with multiple jurisdictional requirements. A Privacy Policy sets out the rights and obligations around this matter. Veriforce is compliant with GDPR requirements and has DPAs and standard contractual clauses in place where required. Clients own their data, and the data is only kept as long as is legally or contractually required. Users and clients can request to have personal data corrected or removed at any time.

Certifications

Veriforce has embarked on obtaining relevant industry certifications and external audits:

SOC2 Type 2

Veriforce has been externally audited and has SOC2 audit reports available.

ISO 27001

Veriforce has been certified to the ISO 27001:2013 standard by ABS.

For more information please contact the Compliance and Risk department at security@veriforce.com