In case of any queries related to our security statement below, please send a detailed email to firstname.lastname@example.org.
1. Our Standard
Capptions employs a cloud deployment model for its software-as-a-service (“SaaS”) solution. All software maintenance and configuration activities are conducted by Capptions employees. An intelligent tenant segregation layer allows us to safely store data of different clients (tenants) separately. Capptions employs industry standard practices for security controls such as firewalls, intrusion detection, and change management.
Capptions’ distributed architecture for data collection and processing allows it to scale horizontally as the number of clients and volume of traffic increase. Capptions uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.
3. Risk Management
Capptions has practices in place as part of its business continuity planning to assist management in identifying and managing risks that could affect the organisation’s ability to provide reliable services to its clients (as further described below). These practices are used to identify significant risks for the organisation, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.
Capptions maintains, and annually updates, a general written Information Security & Access Policy, which details employees' responsibilities toward the confidentiality of client data and the acceptable use of resources. All staff must review and sign this policy during onboarding.
5. Segregation of Duties
Only authorised personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organisation. Access to client data is restricted to legitimate business use only.
6. Employee Screening
Capptions employees are required to undergo background checks and provide specific documents verifying identity at the time of employment.
7. Terms of Employment
General information security responsibilities are documented in Capptions' Information Security & Access Policy, which all employees must sign as part of their onboarding.
General information security training is provided to all new employees (both full-time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. Additional security training is also provided to employees who handle client data.
9. Termination of Employment
Capptions manages a formal termination process, which includes removal of any potential access to Capptions systems and related data. The exit interview reminds departing employees of their remaining employment restrictions and contractual obligations.
10. Documentation and Change management
All critical and repeatable processes and security checks in Capptions' production environment are either documented in procedures or implemented as automation scripts. Capptions maintains and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and documented. All relevant business owners, such as Support, Engineering, DevOps, and Security, are represented at regular change management meetings.
Both scheduled and emergency changes are tested in separate environments and reviewed and approved by Engineering and Technical Support before deployment to the production environment. Testing, other than deployment validation, is prohibited in the production environment.
Capptions stores all client data in fully redundant databases. Daily and intraday data is backed up on a scheduled basis and stored in a geographically separated location.
13. Logging and Monitoring
Capptions uses an industry standard enterprise application management solution to monitor systems 24×7, trigger alerts based on event logs, and support trend analysis and risk assessment.
14. Data protection
All traffic from, to and within Capptions services and micro-services is encrypted using the SSL/TLS protocol. Capptions enforces the usage of strong TLS cipher suites.
Automated email notifications are sent with TLS encryption; however, supporting TLS on the receiving side remains the customer's responsibility.
S/MIME encryption can be configured on a case-by-case basis.
15. User protection
Capptions enforces a strong password policy by default and allows for clients to choose an even stricter customised policy if necessary.
Passwords are stored salted and hashed, and access to an account is logged, tracked, and audited.
16. System protection
Capptions uses an enterprise-grade automated security management solution to prevent malicious actions, malicious users, brute-force attacks, cross-site request forgery, DDoS, and various injection attacks (OWASP Top 10).
- All operating systems are maintained according to best practices in the industry
- All recommended patch levels are applied
- Unnecessary users, services, and components are disabled
- All systems are constantly monitored
- Data is stored using at-rest AES-256 encryption on virtualised servers
- Database backups are encrypted at all times, both in storage and in transit.
17. Development and Support Process
Capptions follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.
18. Incident Process
Capptions has developed a robust Security Incident Response Process (“SIRP”) to address events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information. Security incidents are escalated from the initial responders to the relevant Account Manager for client notification. All confirmed critical issues are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process.
19. Business Continuity & Disaster Recovery
Business continuity planning (BCP) and disaster recovery (DR) activities prioritise critical functions supporting the delivery of Capptions to its clients. The development and scope of BCP and DR in each business function reflects the criticality of each function and/or facility in order to maximise the effectiveness of these efforts.
Capptions’ architecture utilises redundancy through the entire infrastructure, from load balancers, storage units and processing engines, to power and telecommunication providers. No system or device has a single point of failure. Data is always written to two separate locations when stored.
21. Data storage
For data storage, analysis, and backups, Capptions utilises the preexisting Amazon AWS cloud infrastructure and therefore shares several AWS standards and accreditations. All virtualised servers run in the EU region (Dublin, Ireland).
Among others, Amazon AWS is certified by the following security compliance standards:
- ISO 27001, 27017, 27018
- FIPS 140-2
- PCI-DSS Level 1
- EU Data Protection Directive (95/46/EC)
22. Data access
Capptions does not share customer data with third parties.
Administrative access to customer data is restricted to a small number of closely managed Capptions administrators.
Access to production systems and data follows the security standard of Least Privilege.
For debugging purposes, access to affected data can be granted in agreement with the respective customer.