Technical and Organizational measures

Whatfix maintains a formal information security program and information security team focused on protecting the information assets of our Customers.

The following provides a high-level overview of the measures Whatfix uses to provide a level of security appropriate to the risk of processing the Personal Data in connection with our services.


Security Measures

Information security policies and framework, compliances

Whatfix is an ISO 27001:2013, ISO 27701:2019, ISO 27017:2015, ISO 27018:2019, CSA STAR certified organization and has SOC2 Type 2 Attestations. Whatfix maintains compliance with GDPR, CCPA and other applicable Regulations.

Whatfix shall maintain and shall continue to maintain a written information security program that includes policies, procedures, and controls governing the Processing of Customer Content and data through Whatfix’s solution (the “Information Security Program”).

The Information Security Program is designed to protect the confidentiality, integrity, and availability of Customer Content by using a multi-tiered technical, procedural, and people-related control approach in accordance with industry best practices and applicable laws and regulations.

Physical and environmental security

Whatfix stores your data with the cloud platform of Microsoft Azure, which may store this data on their servers located outside of India.

Microsoft Azure security measures can be found at https://docs.microsoft.com/en-us/azure/security/

Whatfix shall maintain appropriate physical security measures designed to protect the tangible items, such as physical computer systems, networks, servers, and devices, that Process Customer Content. Whatfix shall utilize commercial grade security software and hardware to protect Whatfix’s service and the Production Environment.

Whatfix shall ensure that:

  1. Access to Whatfix’s corporate facilities is tightly controlled;

  2. All visitors to its corporate facilities sign in, agree to confidentiality obligations, and are escorted by Personnel while on premises at all times;

  3. Visitor logs are reviewed by Whatfix’s security team on a regular basis.

  4. Personnel’s physical access to Whatfix’s corporate facilities upon termination of employment.

  5. Its commercial-grade data center service providers used in the provision of Whatfix’s solution maintain an on-site security operation that is responsible for all physical data center security functions and formal physical access procedures in accordance with SOC1 and SOC2, or equivalent, standards.

  6. The Data center provider has a SOC2 or equivalent certification/attestation for their scope of services to Whatfix.

Permitted Use of Customer Content

Whatfix will not access Customer Content in any manner except for what has been mutually agreed between Customer and Whatfix.

Acknowledgement of Shared Responsibilities

The security of data and information that is accessed, stored, shared, or otherwise Processed via a multi-tenant cloud service is a shared responsibility between a cloud service provider and Whatfix.

As such, Whatfix is responsible for the implementation and operation of the Information Security Program and the protection measures described in the Agreement.

Maintenance of Information Security Program

Whatfix shall take and implement appropriate technical and organizational measures to protect Customer Content located in Whatfix’s system and shall maintain the Information Security Program in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001.

Whatfix shall update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of Whatfix’s service.

Asset management

Whatfix maintains the assets in its cloud infrastructure, which are managed and monitored by an internal cloud operations team.

Our Asset management policies are in line with the controls of ISO 27001.

Human resource security

  1. All employees working on the Whatfix Platform are subject to background verification and are bound by contractual obligations of confidentiality prior to being assigned to positions in which they will, or Whatfix reasonably expects them to, have access to Customer Content.

  2. Employees go through various training sessions necessary to perform their duties, including training regarding information security.

  3. Whatfix shall conduct a mandatory security awareness training to inform its Personnel on procedures and policies relevant to the Information Security Program and of the consequences of violating such procedures and policies.

Access Control Policy

Whatfix limits access to areas where customer data is processed and maintains audit logs of access and has implemented a strict role-based access control policy.

Access Credentials Mechanism is as follows:

All employees who have access to or maintain Controller data:

  • Have named access to the application/infrastructure
  • Do not share user id/account with other users
  • Administrative Access to Systems is limited to only the cloud infrastructure (responsible for application upgrades and maintenance).
  • Portal administration access is limited to members from the Customer Success team associated with the Client Authorized personnel
  • Other employees DO NOT have access to Customer Content.

User accounts are required to:

  • Have passwords expire at least every 90 days
  • Set to remember and not allow the use of at least the last 4 passwords
  • Where passwords are used, the Processor requires the use of complex (upper/lowercase alpha, special character, and a number) passwords.

Whatfix shall maintain a formal access control policy and shall control Personnel access to the Production Environment.

  1. Whatfix shall maintain an associated access control process for reviewing and implementing Personnel access requests.

  2. Whatfix shall regularly review the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, remove or modify such access rights as appropriate.

  3. Whatfix shall monitor and assess the efficacy of access restrictions applicable to the control of Whatfix’s system administrators in the Production Environment, which will entail generating individual system administrator activity information and retaining such information for a period of at least 12 months.

BCP and DR

    • Whatfix has in place a documented Business Continuity/Disaster Recovery Plan. The Plan is tested, reviewed, and updated annually.
    • Regular Backups are performed and stored in a secure location and are encrypted.
    • Whatfix shall maintain a written business continuity and disaster recovery plan that addresses the availability of Whatfix’s solution (“Continuity Plan”).
    • The Continuity Plan shall include elements such as:
      • crisis management plan and team activation,
      • event and communication process documentation,
      • business recovery,
      • alternative site locations,
      • call tree testing,
      • infrastructure, technology, system(s) details,
      • recovery activities, and
      • identification of the Personnel and teams required for such recovery.

      Whatfix shall, at a minimum, conduct a test of the Continuity Plan on an annual basis.

Whatfix shall ensure that:

  • Infrastructure systems for Whatfix’s solution have been designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks;
  • Each data center supporting Whatfix’s solution must include full redundancy and fault tolerance infrastructure for electrical, cooling, and network systems.

Security Incident communication management

  • Whatfix will notify the customer in case of violation or breach of security resulting in a loss or unauthorized disclosure of customer data within 72 hours of breach identification.
  • A formal information security incident management process is followed.
  • Incidents are reported by an observer or internal teams monitoring activities and are acted upon immediately.
  • The incident is contained first, to minimize impact, and then resolved.
  • A root cause analysis is then performed and documented. Mitigation or resolution actions are performed and documented. Internal escalations are performed as needed.
  • The entire incident is documented for generating a knowledge base.

Data Security and Privacy

  • Whatfix treats data provided by Customer to the Platform as confidential.
  • Whatfix shall not use/process Customer personal information for any purposes other than listed in Whatfix Privacy Policy and/or Whatfix service agreement with the customer.
  • Whatfix shall ensure that the personal data is not excessive for the stated legitimate business purposes in the Whatfix service agreement with the customer.
  • Whatfix shall not share Customer’s personal information with any third party other than listed in Whatfix Privacy Policy and/or Whatfix service agreement with the customer.
  • Whatfix shall ensure the Customer data retention and disposition as per Whatfix Privacy policy and/or Whatfix service agreement with customer. Customer data must only be retained:
    • For as long as it is necessary to serve the relevant legitimate business purposes
    • To the extent necessary to comply with applicable law
    • To protect the right of data subject
  • Whatfix shall implement technical and organizational measures to protect the customer data, including PII, and has encrypted the customer data in transit and at rest.
  • Whatfix shall ensure proper contractual safeguards (in line with GDPR) are implemented in the event that personal data needs to be processed by, transferred by, gathered by or exchanged with any third party.

Risk Management

  • Whatfix has identified and classified assets based on their criticality.
  • Security risks related to the internal personnel, assets, and external parties (such as contractors, customers, and vendors) are identified and addressed via the ISO 27001:2013 framework and applicable controls.
  • Risk management is a continuous process adopted at Whatfix.

Personnel Policies and Procedures

  • Whatfix has standard hiring and termination policies and procedures.
  • The procedures include screening potential employees through an interview process, reference checks, formal offer letters, and new employee training.
  • Employee disciplinary procedure and Human Resource Policy have been implemented.
  • Upon hiring, employees are required to acknowledge that they understand the policies and procedures of the company by signing a ‘Statement of Acceptance’.
  • Whatfix also has developed a Non-Disclosure Agreement. Employees are required to sign the Non-Disclosure Agreement, acknowledging that they will adhere to the company’s policies and procedures.
  • Policies relating to information security before hiring, during employment and on termination have been implemented as part of the Information Security Management System.

Network Security

  • Whatfix shall maintain a defense-in-depth approach to hardening the Production Environment against exposure and attack.
  • Whatfix shall maintain an isolated Production Environment that includes commercial grade network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections.
  • Whatfix shall complement its Production Environment architecture with prevention and detection technologies that monitor all activity generated and send risk-based alerts to the relevant security groups.

Malicious Code Protection

Whatfix shall ensure that:

  • Its information systems and file transfer operations have effective and operational anti-virus software;
  • All anti-virus software shall be configured for deployment and automatic update; and
  • Applicable anti-virus software shall integrate with processes and shall automatically generate alerts to Whatfix’s Cyber Incident Response Team if potentially harmful code is detected for their investigation and analysis.

Code Reviews

  • Whatfix shall maintain a formal software development life cycle that includes secure coding practices against OWASP and related standards and shall perform both manual and automated code reviews.
  • Whatfix’s engineering, product development, and product operations management teams shall review changes included in production releases to verify that developers have performed automated and manual code reviews designed to minimize associated risks.
  • In the event that a significant issue is identified in a code review, such issue shall be brought to Whatfix senior management’s attention and shall be closely monitored until resolution prior to release into the Production Environment.

Vulnerability Scans and Penetration Tests

  • Whatfix shall perform both internal and external vulnerability scanning and application scanning.
  • External scans and penetration tests against Whatfix’s solution and the Production Environment shall be conducted by both internal teams and external qualified, credentialed, and industry recognized organizations.
  • Whatfix shall remedy vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and time frame based on severity.
  • Upon Customer’s reasonable written request, Whatfix shall provide attestations resulting from vulnerability scans and penetration tests per independent external audit reports.
  • Upon prior notification, Customer is permitted to conduct any vulnerability scans or penetration testing against the Pre-Production Environment.


Whatfix shall separate Customer Content located in the Production Environment from other Whatfix customer data.

Encryption Technologies

  • Whatfix shall encrypt Customer Content in accordance with industry best practice standards.
  • All access and transfer of data to and from Whatfix’s solution shall be via HTTPS with minimum TLS 1.2 and Whatfix shall only support industry recognized and best practice cipher suites.
  • Whatfix shall encrypt all data persisted on the Production Environment with an AES 256-bit, or equivalent, encryption key.

Audit for Data Breach

  • Whatfix shall use independent external auditors to verify the adequacy of its Information Security Program.
  • Upon Customer’s reasonable written request, Whatfix will provide Customer with third party attestations, certifications, and reports relevant to the establishment, implementation, and control of the Information Security Program, including Whatfix’s ISO 27001 certification and Service Organization Controls (SOC) reports.
  • Following a Data Breach, Whatfix shall, upon Customer’s written request, promptly engage a third party independent auditor, selected by Whatfix and at Whatfix’s expense, to conduct an on-site audit of Whatfix’s Information Security Program, including Whatfix’s data centers and corporate facilities relevant to the security of Customer Data.
  • Whatfix shall promptly provide the Customer with the report of such an audit.