Security at Enterpert
Enterpret is committed to delivering forward-thinking technology while honouring the responsibility to safeguard the data customers share with us. We have taken a multi-tiered security approach in the design of our application and maintain that standard through secure development practices combined with a number of third-party assessments. Our focus remains on releasing product features that empower workplaces without sacrificing security.
We know that entrusting us with your internal corporate data is an important decision. Therefore we have taken numerous steps to create a strong security program to provide you with the reassurance you need. We ensure that each customer’s data is kept safe and separate from other customer’s data, and we also limit the same principles of access with our own staff’s capabilities. Enterpret doesn’t view your data unless you’re aware, and we will never create any sort of meta-reporting that can be resold later. Our business is focused on delivering the value we promise and nothing else.
People, processes and technology are all considerations in how we approach information security and data privacy. To validate the effectiveness of our internal security controls, we engaged an independent auditor to assess our compliance with a framework that is specifically designed for software-as-a-service (SaaS) providers.
Enterpret currently holds a SOC 2 Type 2 report on compliance with the SOC 2 SSAE 18 standard, which outlines our philosophy and approach for information security management, risk assessment, board oversight, and third-party risks, among other principles.
We complement our own compliance achievements by hosting our services in Amazon Web Services, which is a state-of-the-art data center utilizing innovative architectural and modern engineering approaches. Amazon’s data centers have been validated for compliance against a number of strict standards, regulations and assorted frameworks. To learn more about Amazon’s Compliance, you can learn more here: https://aws.amazon.com/compliance.
For inquiries regarding our information security practices, to provide feedback, suggestions to our team, or to report an identified security vulnerability in our application, please email us at email@example.com.
We may update this section as the global regulations emerge or are updated and if any additional information is required.
The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law that took effect on May 25, 2018.
Under GDPR, Enterpret is a data processor; therefore, we provide support to data controllers in order to enable them to fulfill their obligations under GDPR, and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.
Enterpret has taken various steps to give customers assurance that the use of Enterpret’s products and services is consistent with the GDPR:
- Data Protection Agreements are established with relevant customers and third parties to ensure appropriate processing and safeguards are in place for EU personal data.
- We have standardized processes and technical capabilities in order to help our customers respond to data subject requests for access, rectification or erasure of personal data maintained by Enterpret.
- We apply a risk-based approach in the selection and monitoring of all third-party vendor relationships.
Subprocessors: Enterpret uses third-party services for business & operational efficiency. These subprocessors have limited access to requisite customer data in order to provide specific functionality within our service. We establish data protection agreements that require third-party services to adhere to confidentiality and privacy commitments that we have made to our customers. For a list of current subprocessors, please contact us via email at firstname.lastname@example.org.
Enterpret is a service provider, as defined by the California Consumer Privacy Act of 2018 (“CCPA”) which is a California state law that went into effect on January 1, 2020. CCPA gives California consumers new privacy rights and creates new obligations for businesses that are covered by the law.
- The rights for California consumers include:
- The right to know what personal information a business is collecting and how that information is being used and shared;
- The right to a copy of the personal information a business holds about a consumer;
- The right to delete personal information a business holds about a consumer;
- The right to stop the sale of personal information by a business; and
- The right to have equal service and price, even if a consumer exercises their privacy rights.
Our business has processes in place in order to respond to consumer requests related to the CCPA.
If you would like to request a copy of our Data Protection Agreement or if you have any other privacy-related questions, please email us at email@example.com.
Information Security Program
Enterpret maintains a formal information security program that is supported by written information security policies, approved by management, published and communicated to staff.
Security Leadership Committee
The security leadership committee provides executive-level oversight and approval for security and compliance initiatives and planning through various actions.
Application & Product Security
- Users can authenticate via SSO using a G-Suite identity.
- User passwords are protected by the latest recommendations for strong encryption and hashing (i.e. AES-256 and bcrypt).
- Enterpret APIs only communicate over encrypted channels and are only accessible to verified users.
- Our system has a multitenant architecture that logically separates customer data through access control that is based on company, users, and roles. Our application has extensive access control lists, authentication, and authorization mechanisms that allow data access for authorized users only.
- All customer accounts are assigned a unique GUID which will allow access to only services and data consistent with the privileges assigned.
Resilient & Secure Architecture
Redundant and Scalable Infrastructure
- Enterpret data and services are deployed across geographically distributed availability zones in the United States maintained by an industry-leading service provider (Amazon Web Services).
- Scalable infrastructure is used to distribute application load across resources and support high availability.
- Properly isolated network resources restrict inbound traffic from untrusted zones.
- Capacity thresholds are defined to automatically provision additional resources to meet spikes in application demand.
- We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocol, and SHA2 signatures for data travelling between clients and Enterpret service; and between Enterpret services over public networks.
- AES-256 bit encryption is utilized to protect application and customer data at rest.
- We observe a strict key management policy that includes a key rotation procedure and minimum entropy requirements with access restricted to delegated key custodians.
- Technology and tooling are in place to detect and alert on suspected network intrusion, command and control attempts or potential system compromise.
- We have a documented security incident response process that includes appropriate escalation procedures, root cause analysis, impact assessment, and containment.
- External communications can be made in a timely manner to impacted customers, third parties and authorities.
- Data is replicated across multiple availability zones to support continuity in the event of a regional outage.
- Complete data backups are performed daily, with proactive retention periods observed.
- Backup restoration procedures are documented, and tested regularly to confirm the efficacy of our processes.
- Our disaster recovery strategy is documented, with appointed responsible personnel and supported through regular review with our security team.
Design & Build Practices:
- A Software Development Lifecycle (SDLC) policy is documented to guide engineers on appropriate development practices and change control.
- Code is evaluated for design, functionality, and expected security exposures.
- Changes to the source code are governed by a standardized change management process.
- In addition to automated and manual testing, our code is peer-reviewed prior to being deployed to production.
- We engage third-party security experts to perform comprehensive penetration tests on an annual basis.
Recruitment & Selection Practices:
- We rely on comprehensive background verification and employment history when selecting candidates for employment opportunities with Enterpret.
- Employees are required to sign non-disclosure and confidentiality agreements upon joining Enterpret.
- Only authorized employees are granted access to production systems for fulfilling their job responsibilities.
- Access is regularly reviewed for business justification.
If you have questions about Enterpret’s security practices or you believe a security incident has occurred, please contact firstname.lastname@example.org.