Q: What technologies and processes are in place to monitor security audit data such that security events and incidents are handled expediently? What controls are in place to prevent, detect, and react to breaches?
A: AskCody performs intensive logging and monitoring of all services and production environment. We have alerts and “on-call” personnel within the product team to ensure we react to incidents when they occur.
Q: How will Customer be notified if a breach occurs? What are your breach notification practices and how are customers notified in the event of a security breach?
A: In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, AskCody will without undue delay, and no later than 24 hours after becoming aware of it, notify the Data Controller in writing and additionally in any other reasonable and prompt manner (e.g. by phone).
In the event of a security breach, our team will promptly notify you of unauthorized access to your data. Service availability incidents are published to our status page at http://status.onaskcody.com with additional information.
Should your security team need additional logs for their investigation of an incident determined to affect your organization, our security team will coordinate responsibly and provide access as needed.
The Breach notification will contain at least the following:
- a description of the nature of the Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned
- the name and contact details of the person responsible for AskCody’s data protection matters
- a description of likely consequences and/or realized consequences of the Breach
- a description of the measures taken to address the Breach and to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.
AskCody takes all the necessary steps to protect the Data after having become aware of the Breach. After having notified the Customer in accordance with the above, AskCody will, in consultation with the Customer, take appropriate measures to secure the Data and limit any possible detrimental effect to the Data Subjects. AskCody will cooperate with the Customer, and with any third parties designated by the Customer, to respond to the Breach. The objective of the Breach response will be to restore the confidentiality, integrity, and availability of the Services, to establish root causes and remediation steps, to preserve evidence, and to mitigate any damage caused to Data Subjects or the Customer.
Q: Do you use web application firewalls?
A: Web Application Firewalls are built into AskCody’s cloud provider, Microsoft Azure, as is DDoS protection.
Q: How will AskCody manage and continue the service in the event of physical damage to the data center, a DDoS attack, or server or network device disturbances? Can AskCody confirm that it performs business continuity planning and has response plans for serious disturbances?
A: AskCody is delivered as Software as a Service, built on Microsoft Azure and hosted in the Microsoft Azure cloud. Azure operates in multiple geographies around the world. An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is an area within a geography, containing one or more data centers. In Europe, we utilize the North Europe (Primary) and West Europe (Secondary) Azure regions. (Please see the infrastructure document for details - https://www.goaskcody.com/askcody-on-azure.) The service is fully managed by us. Maintenance and updates are included in your subscription. In North America, we utilize East US (Primary) and West US (Secondary). Learn more about regions here - http://azuredatacentermap.azurewebsites.net/
Each Azure region is paired with another region within the same geography, together making a regional pair.
The AskCody platform is built so that we replicate workloads across regional pairs to benefit from Azure’s isolation and availability policies. For example, planned Azure system updates are deployed sequentially (not at the same time) across paired regions. That means that even in the rare event of a faulty update, both regions will not be affected simultaneously. Furthermore, in the unlikely event of a broad outage, recovery of at least one region out of every pair is prioritized.
To see an example of a hypothetical application that uses the regional pair for disaster recovery, please go to https://docs.microsoft.com/en-us/azure/best-practices-availability-paired-regions
Q: Does AskCody have physical security practices in place to protect against physical attacks?
A: Access to AskCody facilities is restricted to authorized co-workers; external visitors, customers, etc. must register and sign the AskCody NDA. Guests have restricted entrance to the physical sites, and entrance is only allowed/authorized by AskCody co-workers.
Q: What controls are in place to compartmentalize administrators' job responsibilities to protect against insider threats?
A: All co-workers and third-party users have signed a confidentiality agreement as part of their contractual obligation towards AskCody. This can either be a separate confidentiality agreement or be part of an employment contract or third-party contract.
Q: What are your procedures for vetting privileged users?
A: AskCody performs two background checks on new co-workers, to confirm a person’s character and employment history. These checks, combined with seniority and the rule that employee access follows a principle of least access, are the factors in vetting privileged users.
Q: What authentication and access control mechanisms do you support? What type of authentication is supported (i.e. strong, two-factor, etc.)?
A: 2-factor authentication, with a minimum password standard of 64 characters, managed using 1Password.
Q: Do you allow remote administrative access to the cloud infrastructure?
A: Yes, using 2-factor authentication for remote network access and disallowing shared accounts or group accounts.
Q: Upon authentication through Customer identity management, can the user access the cloud service without further authentication?
A: Yes, using single sign-on.
Q: Will Customer have access to all of our information upon demand? In what format?
A: AskCody is delivered as a generic Software as a Service with a built-in ability to extract relevant content and usage data in CSV format. The customer cannot require a custom specification for the export or extraction of system data.