At Whatfix, security is embedded in our DNA and remains a top priority throughout the product life cycle. Whatfix has incorporated industry best practices and systems for security in both its architecture and its development-to-deployment processes.
Physical and environmental
The Whatfix digital adoption platform is hosted with Digital Ocean, a leading cloud provider that is SOC 2 Type II, ISO 27001:2013 and PCI DSS 3.2.1 (applicable controls) certified.
- Access to sensitive areas and data center cages is restricted to authorised individuals and requires multi-factor authentication.
- A minimum of N+1 redundancy for all critical components.
- Intrusion alarms along with round-the-clock monitoring of the data center.
- Surveillance cameras at strategic locations, including data center entry/exit points and key areas.
Logical Infrastructure Security and Operational Controls
- Whatfix DAP employs a defense-in-depth strategy at both the infrastructure and the application level.
- WAFs, firewalls and intrusion detection systems are deployed to strengthen perimeter security.
- Host-based IDS and host firewalls further augment the perimeter controls.
- Whatfix production and development infrastructure are both logically and physically segregated.
- All changes to production and UAT (including release pushes) are carried out only after explicit approval from the DevOps and Security teams.
- Access to the production management plane
- is centrally managed and restricted to the DevOps team only
- is restricted to an allowlist of specific source IP addresses
- requires multi-factor authentication and secure tunnelling.
- All connections to servers go through a bastion host / jump box.
- Periodic user access reviews and certifications validate that only approved personnel have access.
- Malware protection with up-to-date threat signatures performs real-time scanning.
- Every release goes through elaborate security reviews and tests against OWASP standards and other industry best practices:
- automated code review,
- manual peer review,
- image certification/validation,
- white-box security testing by the Blue team,
- post-release/deployment infrastructure and application assessment.
- Every developer undergoes mandatory secure coding training annually.
- TLS 1.2 with FIPS 140-2 compliant cipher suites (strong ciphers only) for data in transit.
- AES-256 encryption (256-bit keys) for data at rest.
- Access to encryption keys is limited to authorised individuals.
- Keys are rotated periodically and upon the exit of any individual who had knowledge of them.
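The last three bullets describe the at-rest design only in outline. The example below is added here and is not Whatfix's code; it assumes an envelope-encryption layout (a per-record AES-256-GCM data key, itself wrapped under a named key encryption key), which the page does not state, and uses only the Go standard library. It shows the property that makes "keys are rotated periodically and on departure" practical: rotating the KEK rewraps only the small wrapped key, while the bulk ciphertext stays untouched, and a retired KEK simply disappears from the set an application may use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key (AES-256).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with AES-256-GCM, binding aad to the ciphertext.
// A random 96-bit nonce is generated and prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Record is one stored object (hypothetical layout): data encrypted under its
// own data encryption key (DEK); the DEK stored only wrapped under a named key
// encryption key (KEK). The KEK ID is bound into the wrap as AAD so a wrapped
// DEK cannot be silently relabelled as belonging to a different KEK.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt creates a Record for plaintext under the KEK identified by kekID.
func Encrypt(kekID string, kek, plaintext []byte) (*Record, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the record's KEK among the currently authorised KEKs,
// unwraps the DEK and decrypts the data. A retired KEK is simply absent.
func Decrypt(keks map[string][]byte, r *Record) ([]byte, error) {
	kek, ok := keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is not available (retired or unknown)", r.KEKID)
	}
	dek, err := gcmOpen(kek, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, r.Ciphertext, nil)
}

// RotateKEK rewraps the record's DEK under a new KEK. Only the wrapped key
// changes; the bulk ciphertext is not rewritten.
func RotateKEK(r *Record, oldKEK []byte, newID string, newKEK []byte) error {
	dek, err := gcmOpen(oldKEK, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(newID))
	if err != nil {
		return err
	}
	r.KEKID, r.WrappedDEK = newID, wrapped
	return nil
}

func main() {
	// Constructed sample: one record, one KEK generation, then a rotation.
	kekV1, _ := NewKey()
	kekV2, _ := NewKey()
	rec, _ := Encrypt("kek-v1", kekV1, []byte("constructed sample: customer record"))
	_ = RotateKEK(rec, kekV1, "kek-v2", kekV2)
	active := map[string][]byte{"kek-v2": kekV2} // kek-v1 retired after rotation
	pt, err := Decrypt(active, rec)
	fmt.Printf("after rotation: kek=%s err=%v plaintext=%q\n", rec.KEKID, err, pt)
}
```

In a real deployment the KEKs live in an HSM or cloud KMS rather than in process memory, and the `keks` map stands in for whatever access control the KMS enforces; the structure of the rotation is the same.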
Logging and Monitoring:
- Whatfix's log management systems ensure that all critical events from systems, firewalls, IDS and WAF are logged and monitored round the clock.
- SOC runbooks are updated periodically so that remedial actions and escalations are carried out promptly and in parallel.
- Incident response plans and processes are tested periodically to validate their effectiveness and adequacy.
Red Teaming and 3rd party Penetration Tests:
- Whatfix partners with Bugcrowd, a leading crowdsourced cybersecurity platform, to play the role of red team.
- Bugcrowd researchers and testers are given the access needed to test the security of both the application and the infrastructure.
- These exercises run throughout the year, and all issues identified are reviewed, prioritised and addressed accordingly.
- At least annually, a reputable third party is engaged to carry out infrastructure and application penetration tests.
The Whatfix product is built on the principle of avoiding disaster
- Our infrastructure is built for high availability and resiliency through service clustering and redundancy, avoiding single points of failure.
- The Whatfix business continuity program ensures that our plans are tested at least once annually and upon any significant change in infrastructure.
- Security starts with the people we employ and engage. Our onboarding process for employees and contractors includes the following:
- mandatory training on Whatfix's security and compliance practices and policies, with acknowledgement
- non-disclosure and confidentiality agreements and an Acceptable Use Policy
- background checks on all Whatfix candidates, both employees and contractors.
- Our contracts with all third-party service providers require background checks as well as mandatory training on, and acknowledgement of, information security policies and practices.
Third Party Security Management:
- Whatfix's policies mandate that due diligence be carried out before any third party is engaged. This due diligence may include, but is not limited to:
- Compliance Risk assessments
- Security Risk Assessments
- Vulnerability and Penetration tests
- All third parties must sign confidentiality agreements and other appropriate security and compliance clauses, depending on the criticality of their services to Whatfix.
- Periodic audits and assessments validate their compliance with the obligations set out in their contracts with Whatfix.
Product security features
The Whatfix platform allows customers to seamlessly manage access and sharing policies, with authentication and single sign-on (SSO) options.
More details on product security features can be found here.
Compliance and Security Certifications and Attestations:
Whatfix complies with all applicable regulations and legislation of the geographies and business verticals in which it operates and to which it provides services. Over the past few years Whatfix has achieved and maintains security certifications for its products and services with industry organizations, frameworks and standards bodies, creating assurances and safeguards that support customer requirements. Our certifications include:
SSAE 18 SOC 2:
Whatfix is SOC 2 Type II compliant. SOC 2 is an evaluation of the design and operating effectiveness of controls against the AICPA's Trust Services Criteria. Whatfix undergoes this attestation annually. A copy of the report may be made available upon request.
ISO/IEC 27001:2013:
ISO/IEC 27001 is one of the most recognised independent international security standards. The certificate is awarded to organisations whose information security management system (ISMS) complies with ISO's global standards. Whatfix has achieved ISO/IEC 27001:2013 certification covering applications, systems, people, technology and processes.
CSA STAR Level 2:
The CSA STAR Certification is a rigorous independent third-party assessment of the security of a cloud service provider. The technology-neutral certification combines the requirements of the ISO/IEC 27001:2013 management system standard with the CSA Cloud Controls Matrix. Whatfix is certified by BSI.
HIPAA via Business Associate Agreement (BAA):
Whatfix executes BAAs with HIPAA-covered entities, contractually committing to the required protections for PHI.
For information on how Whatfix complies with GDPR and CCPA please visit our Privacy page.