TestGorilla Information Security Measures
Version v1 – August 2022
Taking into account the nature, scope, context, and purposes of processing, the state of the art, the costs of implementation, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, this document describes the technical and organizational measures that Company has in place, and will implement, to secure Personal Data, End User Data, and Systems Data (collectively, “Data”) processed by any Company Product (the “Measures”).
“Agreement” means any underlying Company End User Agreement, Master Services Agreement, Engagement Letter, Statement of Work, or other legally binding written or electronic agreement entered into between Company and Customer that governs the provision of Products by Company.
“End User Data” means data that is provided by or on behalf of Customer to Company during the relationship governed by the Agreement. For the avoidance of doubt, End User Data does not include Systems Data.
“Personal Data” means any information Processed on behalf of the Customer during the provision of a Product that (i) relates to an identified or identifiable natural person; or (ii) is defined as “personally identifiable information”, “personal information”, “personal data” or similar terms, as such terms are defined under Data Protection Laws, including as may be used in this DPA.
“Product” means, collectively, Hardware, Software, Subscription, or any combination thereof, regardless of whether or not the Product was procured under an Enterprise Program.
“Systems Data” means data generated and/or collected in connection with Customer’s use of the Products, such as logs, session data, telemetry data, support data, usage data, threat intelligence or actor data, statistics, aggregated data, net flow data, copies of potentially malicious files detected by the Product, and derivatives thereof.
All capitalized terms not defined in these Measures shall have the meanings set forth in the Agreement.
3. Security Management
- Security Program. Company maintains a written information security program that:
- is managed by a senior employee responsible for overseeing and implementing the program;
- includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Data; and
- is appropriate to the nature, size, and complexity of Company’s business operations.
- Personnel Security.
- The skills and competence of employees and contractors are assessed as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews.
4. Due diligence on sub-contractors
- Where Company engages subcontractors that access or process Data, Company will:
- assess the security capabilities of any such subcontractors on a periodic basis to ensure the subcontractors’ ability to comply with the Measures described in this document; and
- apply written information security requirements that oblige subcontractors to adhere to Company’s key information security policies and standards, consistent with and no less protective than these Measures.
5. Physical security
Company does not operate physical office or data center locations.
6. Logical security
- Systems Access Control and Network Access Control.
- Company employs access control mechanisms that are intended to: (a) prevent unauthorized access to Data; (b) limit access to users who have a need to know; (c) follow the principle of least privilege, allowing access to only the Data and resources that are necessary; and (d) have the capability of detecting, logging, and reporting access to the system and network or attempts to breach security of the system or network.
- Each Company user has an individual account that authenticates that individual’s access to Data; Company does not allow shared accounts. Access controls, including password requirements, are configured in accordance with industry standards and best practices.
- Company maintains a process to review/audit controls (including access controls) on a minimum annual basis for all Company systems that transmit, process, or store Data.
- Company configures remote access to all networks storing or transmitting Data to require multi-factor authentication for such access.
- Company revokes access to systems and applications that contain or process Data promptly after the cessation of the need to access the system(s) or application(s).
- Telecommunication and Network Security.
- Company deploys firewall technology in the operation of Company’s sites. Traffic between Customer and Company is protected and authenticated by industry standard cryptographic technologies.
- Company deploys an intrusion detection system to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.
- Company implements network segmentation between the corporate enterprise network and the hosting facilities for Data. Within hosting facilities, Company applies separation between environments dedicated to development, staging, and production, with multiple layers of access control.
- Malicious Code Protection.
- Excepting specific servers dedicated to the analysis of compromised End User Data, Company workstations and servers run a current version of industry standard antivirus/anti-malware software with the most recent available updates installed on each workstation or server. Virus definitions are updated within twenty-four (24) hours of their release by the software vendor. The anti-virus/anti-malware software is configured to run real-time scanning of machines and a full system scan at regularly scheduled intervals.
- Company scans incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.
- Data Loss Prevention. Company employs data loss prevention controls to prevent the inadvertent or intentional compromise of Data.
7. Software development and maintenance
- Open Source and Third-Party Code. Company evaluates and tracks vulnerabilities in open-source software (OSS) and other third-party libraries incorporated into the Products, and performs static code analysis and manual code review as required by risk. Security verifications, including penetration testing and multiple dynamic analysis tools, are conducted by third-party firms, red teams, and threat researchers.
- Change Management. Company employs a documented change management program with respect to the Products as an integral part of its security profile. This includes logically or physically separate environments from production for all development and testing.
- Vulnerability Management and Application Security Assessments.
- Company utilizes a qualified third party to conduct application security assessments. Company may also conduct security assessment reviews directly, following industry standard best practices.
8. Storage, handling and disposal
- Data Segregation. Company physically or logically separates and segregates each Customer’s Personal Data and End User Data from the data of its other customers.
- Encryption of Electronic Form Data. Company utilizes strong industry standard encryption algorithms and key strengths (e.g., AES-256 for Data at rest, TLS 1.2 or later for Data in transit) to encrypt all Personal Data and End User Data in electronic form, both at rest and while in transit over all public wired networks (e.g., the Internet) and all wireless networks.
9. Business continuity and disaster recovery
- Company develops, implements, and maintains a business continuity management program to address the needs of the business and the Products provided to the Customer. To that end, Company completes, at a minimum, business impact analysis, crisis management, business continuity, and disaster recovery planning:
- Company’s Business Impact Analysis Plan includes, but is not limited to, a systematic review of business functions and their associated processes that identifies dependencies, evaluates the potential impact of disruptions, defines recovery time objectives, and improves process understanding; it is performed annually.
- Company’s Crisis Management Plan includes, but is not limited to, elements such as event management, plan and team activation, and event and communication process documentation; it is exercised at least annually.
- Company’s Business Continuity Plan includes, but is not limited to, elements such as location workarounds, application workarounds, vendor workarounds, and staffing workarounds; it is exercised at least annually.
- Company’s Disaster Recovery Plan includes, but is not limited to, infrastructure, technology, and system details, recovery activities, and the people and teams required for such recovery; it is exercised at least annually.
- Plan Content. Company’s plan documentation under this Section 9 addresses the actions that Company will take in the event of an extended outage of service. Company ensures that its plans address the actions and resources required to provide for (i) the continuous operation of Company, and (ii) in the event of an interruption, the recovery of the functions required to enable Company to provide the Products, including the required systems, hardware, software, resources, personnel, and data supporting these functions.