Table of Content:
Introduction
At CHEQ, we are committed to protecting the privacy and security of our users and customers' data. This document outlines our security and privacy posture, as well as the measures we take to ensure the confidentiality, integrity, and availability of our users and customers' data.
Information Security Program
At cheq.ai, we take information security seriously and strive to ensure the highest level of protection for your personal data. Our Information Security Program follows industry best practices, policies, and procedures to guard against unauthorized access and protect your information.
To maintain the integrity of our security program, we conduct regular reviews and enhancements to comply with the latest industry standards and regulations. Additionally, we utilize a range of security controls, including:
- Endpoint detection and response (XDR) for endpoint users
- Endpoint Mobile Device Management (MDM)
- Cloud security posture management (CSPM) and cloud workload protection (CWP) for cloud security
- Vulnerability monitoring (OWASP 10, SAST, CAST, IAC)
- Vendor risk management platforms
- Data loss prevention (DLP) tools
- Web application firewall (WAF)
- Log management
- Security information and event management (SIEM) for log monitoring
- Moreover, we operate with a security operations center (SOC) that operates 24/7 to quickly identify and respond to potential security threats.
Our comprehensive security measures ensure that we can safeguard against potential security threats and keep your data safe.
We are committed to maintaining the highest level of information security and protecting your data. If you have any questions or concerns about our Information Security Program, please don't hesitate to reach out to us at: cirt@cheq.ai.
Network Security
We use firewalls, intrusion detection and prevention systems, and other network security measures to protect our systems from unauthorized access and attacks. We regularly monitor our network for anomalies and suspicious activity and have a response plan in place to address any potential security incidents.
System Security
We follow industry-standard security best practices to secure our systems and infrastructure. This includes regular patching and updates, vulnerability scanning and remediation, and system hardening. We also use endpoint protection and other security tools to protect our systems from malware and other threats.
Security Operations
We have a dedicated security operations team that is responsible for monitoring and responding to security incidents. Our security operations team uses industry-standard tools and techniques to detect and respond to potential threats and works closely with other teams to ensure a coordinated response.
Restricted Access
We limit access to our systems and data to authorized personnel only. We use RBAC and two-factor authentication (2FA) to ensure that users are granted appropriate access and that their identities are verified. We also use VPNs, the Zero Trust approach, and other security measures to secure remote access.
Penetration Testing
We regularly conduct penetration testing and vulnerability assessments to identify potential security vulnerabilities in our systems and infrastructure. We work with third-party security experts to conduct these tests and use the results to improve our security posture.
Logging
We maintain detailed logs of system activity to help us detect potential security incidents, enable rapid detection, and investigate any issues. Our logs are protected and stored securely and are regularly reviewed to ensure their effectiveness. Our logging system includes appropriate access controls and audit trails to ensure the integrity of our logs.
Application-Level Security
We implement a security-oriented design in multiple layers, one of which is the application layer. The CHEQ application is developed according to the OWASP Top 10 framework and all code is peer-reviewed prior to deployment to production.
Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, and unit testing which addresses authorization aspects, and more. CHEQ developers go through periodic security training to keep them up-to-date with secure development best practices.
We also use web application firewalls and other security measures such as Cloud Security Posture Management (CSPM) to protect our applications and APIs from attacks.
Data Protection, Continuity, and Retention
We follow industry-standard best practices to protect our users' data. This includes data encryption at rest and in transit, regular backups, and disaster recovery and business continuity plans. We also have retention policies in place to ensure that data is retained for only as long as necessary.
Internal IT Security
We follow industry-standard best practices to ensure the security of our internal systems and infrastructure. This includes regular patching and updates, endpoint protection, Mobile Device Management (MDM), and other security measures to protect against potential threats.
Change Management
We follow a rigorous change management process to ensure that changes to our systems and infrastructure are properly tested and validated before being implemented in production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Vulnerability Management
Our vulnerability management program promptly detects and resolves security vulnerabilities using industry best practices, including regular scanning and testing aligned with OWASP and NIST standards. Our testing covers both application and infrastructure with a combination of manual and automatic tools. We prioritize high-risk vulnerabilities and conduct retesting after fixing them. Our aim is to continuously improve and stay current with the latest practices to provide top-notch security for our customers.
Encryption
We use encryption to protect data at rest and in transit. This includes using HTTPS for web traffic, encrypting sensitive data using industry-standard algorithms, and encrypting backups and other stored data. All transmitted data between the end user and CHEQ is encrypted via SSL. Data is encrypted by AWS-managed KMS service.
Highly Available
We use multiple AWS & Azure reigns and redundant systems to ensure high availability and minimize downtime. Our systems are designed to be highly available to ensure that our users can access our services and their data when they need it. This includes using redundant hardware, and network, and implementing appropriate failover and disaster recovery measures.
Security Incident Management
We have a security incident management process in place to ensure that potential security incidents are identified, contained, and remediated in a timely manner. Our security incident management process includes a defined response plan, communication protocols, and regular training for our security operations team.
Resilience and Service Continuity
We have a disaster recovery and business continuity plan in place to ensure that our service remains available in the event of a major disruption. This includes regular testing of our disaster recovery plan and backup systems, and a process for prioritizing and restoring critical systems during an outage.
Backups and Recovery
We maintain regular backups of our systems and data to ensure that we can quickly recover from a major disruption. Our backup systems are securely stored and regularly tested to ensure their effectiveness.
Monitor and Resilient
We have implemented appropriate 24/7 monitoring and resilience measures to ensure that our systems and services are functioning properly and that potential disruptions are promptly identified and remediated. This includes implementing appropriate monitoring and alerting tools and techniques, and regularly testing our resilience measures.
Access Controls
We use RBAC, 2FA, SSO, and other access control measures to ensure that only authorized personnel have access to our systems and data. We also regularly review and update our access control policies to ensure their effectiveness, we conduct a user access review on all company applications, systems, and tools.
Password Controls
We follow industry-standard password policies to ensure the security of our users' accounts. This includes requiring strong passwords, enforcing regular password changes, and using other password protection measures.
Security Organization and Program
We have a dedicated security team responsible for ensuring ongoing security and compliance of our systems and services. Our security team works closely with other teams to ensure a coordinated response to potential threats, and regularly reviews and updates our security program to address new risks and vulnerabilities and update our security posture.
Confidentiality
We maintain strict confidentiality controls to protect our users' data and other sensitive information. This includes restricting access to sensitive information, using encryption and other security measures to protect data in transit and at rest, and following appropriate retention and deletion policies.
People Security
We conduct regular security awareness training for our employees to ensure that they understand and follow our security policies and procedures. We also conduct other security checks on new employees to ensure their trustworthiness.
Third-Party Vendor Management
We have a vendor management program in place to ensure that third-party vendors that have access to our systems and data follow appropriate security and privacy controls. We conduct regular security assessments and due diligence on our vendors to ensure their security posture. This includes implementing appropriate vendor security assessments, contracts, and controls, and regularly reviewing and updating our third-party vendor management policies and procedures.
Security by Design
We follow a security-by-design approach to ensure that security is built into our systems and infrastructure from the ground up. This includes using industry-standard security frameworks, conducting regular security reviews, following secure coding practices, implementing appropriate security controls and policies at every stage of the development lifecycle, and regularly reviewing and updating our security by design practices and procedures.
Secure Development Practice
We follow secure development practices to ensure our applications are designed and developed with security in mind. This includes conducting regular application security testing, using secure coding practices, and following secure development methodologies.
Staged Releases
We follow a staged release process to ensure that new features and updates are properly tested and validated before being released to production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Architecture and Data Segregation
We follow a multi-layered security architecture and data segregation techniques to ensure that our users' data is appropriately segmented and isolated. This includes using appropriate network and data segmentation techniques and implementing appropriate access control measures.
Physical Security
We follow industry-standard physical security measures to ensure the security of our facilities. This includes using access controls, surveillance, and other measures to prevent unauthorized access and protect our systems and assets.
SOC 2 Type 2
We are SOC 2 Type 2 certified. We follow industry-standard security and privacy controls and have been audited by a third-party auditor to ensure our compliance with the SOC 2 framework.
ISO 27001
We are also ISO 27001 certified, a globally recognized standard for information security management systems (ISMS). Our ISO 27001 certification demonstrates our commitment to maintaining the highest levels of security and compliance.
GDPR Ready
We comply with the EU's General Data Protection Regulation (GDPR) to ensure that our users' personal data is processed lawfully, fairly, and transparently. We have implemented appropriate technical and organizational measures to protect our users' data and to facilitate data subject rights.
CCPA Ready
We also comply with the California Consumer Privacy Act (CCPA) to ensure that our users' personal data is protected and that they have control over their data. We have implemented appropriate privacy controls and policies to comply with the CCPA.