Security Framework Policy

Whatfix maintains a formal information security program and information security team focused on protecting the information assets of our Customers. The following provides a high-level overview of the measures Whatfix uses to provide a level of security appropriate to the risk of processing the Personal Data in connection with our services.

Information security policies and framework, compliances: Whatfix is an ISO 27001 certified organization and holds SOC 2 (Type 2) certification. Whatfix has also implemented GDPR compliance.

Physical and environmental security: Whatfix stores your data with the cloud platforms of Amazon Web Services and Digital Ocean, which may store this data on their servers located outside of India. Amazon Web Services has security measures in place to protect against the loss, misuse and alteration of the information, details of which are available at https://aws.amazon.com/. Digital Ocean's security measures are described at https://www.digitalocean.com/legal/data-security/.

Asset management: Whatfix maintains the assets in its cloud infrastructure, which are managed and monitored by an internal cloud operations team. Our asset management policies are in line with the controls of ISO 27001.

Human resource security: All employees working on the Whatfix Platform are subject to background verification and are bound by contractual obligations of confidentiality. Employees go through the training sessions necessary to perform their duties, including training on information security.

Access Control Policy: Whatfix limits access to areas where customer data is processed, maintains audit logs of access, and has implemented a strict role-based access control policy.

The access credentials mechanism is as follows:

    1. All employees who have access to or maintain Controller data:

      1. Have named access to the application/infrastructure
      2. Do not share user IDs/accounts with other users
      3. Access is limited to the cloud infrastructure team (responsible for application upgrades and maintenance). Developers and other employees DO NOT have access to customer data.

    2. User accounts are required to:

      1. Have passwords expire at least every 30 days
      2. Be set to remember, and not allow the reuse of, at least the last 5 passwords
      3. Where passwords are used, Processor requires the use of complex passwords (upper/lowercase letters, a special character, and a number).

BCP and DR: Whatfix has a documented Business Continuity / Disaster Recovery Plan in place; the Plan has been tested, reviewed, and updated annually. Regular backups are performed, encrypted, and stored in a secure location.

Security Incident communication management: Whatfix will notify the customer in case of a violation or breach of security resulting in the loss or unauthorized disclosure of customer data. A formal information security incident management process is followed. Incidents are reported by an observer or by internal teams monitoring activities, and are acted upon immediately. The incident is contained first, to minimize impact, and then resolved. A root cause analysis is then performed and documented. Mitigation or resolution actions are performed and documented. Internal escalations are performed as needed. The entire incident is documented to build a knowledge base.

Data Security and Privacy: Whatfix treats data provided by the customer to the Platform as confidential. Whatfix has implemented technical and organizational measures to protect the data, including PII, and encrypts customer data in transit and at rest.

Risk Management: Whatfix has identified and classified assets based on their criticality. Security risks related to internal personnel, assets, and external parties (such as contractors, customers, and vendors) are identified and addressed via the ISO 27001:2013 framework and applicable controls. Risk management is a continuous process adopted at Whatfix.