Security Related FAQs

Frequently asked questions related to the Compass data security policies

Updated over a week ago

Cryptography & Encryption

1. For data in transit, do you leverage encryption to protect data during transport across and between network instances including services like SSH, HTTPS, etc.?

Ans - Yes, we use AES 256-bit encryption. All network communication is encrypted using industry-standard protocols.

2. Do you encrypt data at rest?

Ans - All data volumes are encrypted with AES 256-bit encryption to prevent external snooping or unauthorized access in the multi-tenant environment.

3. Do you segregate multi-tenant data using encryption?

Ans - Yes, the data is segregated with a client-specific key for proper handling and representation.

4. Do you provide native encryption capability for sensitive data fields? If so, are there any limits on the number of fields?

Ans - Yes, there is a native encryption capability for sensitive data fields. Every field is handled in the same way, so there is no limit on the number of fields that can be encrypted.

5. Do you have controls in place to ensure User IDs and passwords are transmitted in an encrypted format?

Ans - Yes. User IDs and passwords must be transmitted in an encrypted format that complies with the current Technical Security Baseline Standards.

6. Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

Ans - Yes, policies and procedures are established and mechanisms implemented for the secure disposal and removal of data from every storage medium, so that the data cannot be recovered by any computer forensic means. Secure data disposal is performed when storage is decommissioned or when the contract comes to an end.

7. Are Industry standard technologies used to transfer personal data? (Other than e-mail)

Ans - Yes, personal data is transmitted only through approved encrypted systems and is never transmitted via email.

8. Are virtual images hardened by default to protect them from unauthorized access?

Ans - Yes, images are hardened by default to protect them from data leakage and unauthorized access. These hardened images do not contain any authentication credentials.

9. Do you support end-to-end encryption of tenant's data in transit across all security zones?

Ans - Yes, network communication across all security zones is encrypted using restricted, approved protocols.

Governance, Risk, & Data Compliance

1. Are policies and procedures established for labeling, handling, and the security of data and objects that contain data?

Ans - Yes, there are established policies and procedures for labeling, handling, storing, transmitting, retention/disposal, and security of clients' data and of objects which contain data, per the Xoxoday Information Classification Standard and Protection Measures.

2. Do you adhere to the tenant's retention policy?

Ans - Yes, we adhere to the retention policy provided by the tenant, for smooth collaboration and a consistent user experience with our products and services.

3. Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Ans - Your data is of the utmost importance. All the security mechanisms and policies are established and implemented in such ways that data leaks can be prevented, in transit as well as at rest.

4. Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Ans - Yes, policies, processes, and procedures are implemented to ensure proper segregation of duties, and this documentation is delivered to tenants upon request. In the event of a user-role conflict of interest, technical controls shall be implemented to mitigate the risk (if any) of unauthorized or unintentional modification or misuse of the organization's information assets.

5. Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Ans - Yes, our products comply with industry benchmarks and standards for the Software Development Lifecycle (SDLC). All software development procedures are supervised and monitored by so that they include:

  • Security requirements

  • Independent security review of the environment by a certified individual

  • Code reviews

  • Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

6. Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Ans - Yes, code is analyzed with automated source code analysis tools and reviewed manually to find security defects before the production phase.

7. Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Ans - Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.

8. Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Ans - Yes, our products comply with industry benchmarks and standards for Software Development Lifecycle (SDLC) security.

9. Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Ans - Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in roles, rights, or responsibilities shall be documented for a seamless experience.

10. Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

Ans - We have a consistent and unified framework for business continuity planning, disaster recovery, and plan development. All appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g., fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility service outages, etc.).

11. Do you provide tenants with geographically resilient hosting options?

Ans - Our hosting options are limited to 's jurisdiction and are backed by prominent business continuity plans. Hence, we don't find the need to provide geographically diverse hosting options.

12. Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?

Ans - Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.

13. Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Ans - Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals along with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks. With qualitative/quantitative methods ensuring our compliance with policies, procedures, and standards, we stick to the best standards.

14. Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Ans - Yes, penetration tests are conducted annually to maintain the hygiene of the cloud service infrastructure as per industry standards.

15. Do you perform annual audits (internal and external) and are the results available to tenants upon request?

Ans - Annual audits are conducted both internally and externally. The audit results can be shared with tenants upon request.

16. Are the results of the penetration tests available to tenants at their request?

Ans - Yes, the tenants can request penetration testing results and get the reports from our end.

17. Are you storing, transmitting, and/or processing payment card data on behalf of our organization?

Ans - No, we do not process your payment card data for any reason other than billing purposes.

18. Can you prove that you are compliant with Indian IT Act 2000?

Ans - Yes, we are compliant with the Indian IT Act of 2000.

19. Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?

Ans - We conduct regular audits to ensure the safety of personal data such as employees' names, emails, and employee numbers, which are used for verification and rewarding purposes.

20. Do you have a dedicated information/cybersecurity team responsible for information security governance across the organization?

Ans - information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise when it comes to information security.

21. Have you defined the information security roles and responsibilities?

Ans - Roles are systematically defined for information security measures to tactfully align all operations, preventing any security breaches.

22. Do you have an acceptable usage policy that is signed/agreed by all employees on an annual basis?

Ans - Employees must agree to the acceptable usage policy for peripherals and devices, to prevent malicious activity from inside and outside the organization.

23. Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenants?

Ans - Our environment has all the capabilities to be SOC-2 Type-II compliant, but the certification is yet to come through. It shall be updated soon.

24. Is your environment CSA-certified for the scope of the service being offered to tenants?

Ans - Yes. Our environment is not CSA STAR Level 1 certified.

25. Are all relevant legislative, statutory, regulatory, and contractual security requirements identified, documented, and tracked?

Ans - We track all security requirements with respect to legislation, statutes, and contracts. They are documented at every step.

26. Are appropriate procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products?

Ans - We have our own procedure for control of documents and records that ensures compliance related to intellectual property rights and the use of proprietary software.

27. Have you identified legislative, regulatory, contractual, and business requirements related to record management?

Ans - Our record management criteria check all boxes of legislative, regulatory, contractual, and business requirements.

28. Do you monitor the effectiveness of cybersecurity controls through regular metrics?

Ans - With different metrics tracking cyber-security measures, keeps the effectiveness in check with regular monitoring.

29. Do you have an approved HR Policy document?

Ans - Human Resource operation procedure takes all measures of employee confidentiality into consideration.

30. Are your employees screened before joining the organization? Are they bound to keep the security of information intact even after their employment contract has ended?

Ans - Yes, we perform a thorough background check on every employee before they are onboarded. A Non-Disclosure Agreement ensures that information remains secure even after the contract is terminated.

31. Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?

Ans - No, the third parties and vendors we deal with are confidential too. Hence, this list cannot be shared.

32. Do you regularly monitor the third party's compliance with security obligations?

Ans - Yes, our third-party security policy requires third parties to comply with their security obligations, and we monitor their compliance regularly.

33. Is there a process to address any risk that may occur due to the change of services being provided to the tenant?

Ans - Yes, we have a detailed risk management procedure in place to address situational issues like the change of services being provided to tenants.

34. Do you permit the use of contractors in roles supporting customer operations?

Ans - No, our customer requests are addressed by the customer support team for maximum efficiency.

35. Do you have a subscription to brand protection services?

Ans - Yes, 's brand protection caters to any malicious interruptions and fallacies as they are addressed in prompt time.

36. Do you monitor media platforms as well for brand protection?

Ans - Yes, with media platforms being the biggest pedestal for information sharing, we keep an eye out for any brand protection issues.

37. Do you have the capability to detect/prevent unauthorized or anomalous behaviour based on network traffic and host activity?

Ans - Yes, in the event of a rapid spike/slump in network traffic or host activity, analyses the traffic to detect and prevent unauthorized or erratic behaviour.

38. Do you have mandatory and regular privacy training and awareness modules?

Ans - Yes, in order to ensure airtight security of data, we have a mandatory and regular privacy training and awareness module.

39. What is CSA?

Ans - The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

40. What are the important features of CSA STAR LEVEL – 1?

Ans - Important features of CSA STAR LEVEL – 1 are listed below:

  • Operating in a low-risk environment

  • Wanting to offer increased transparency around the security controls they have in place.

  • Looking for a cost-effective way to improve trust and transparency.

41. Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?

Ans - Yes, we ensure the same as part of our code review, static code analysis, and Web Application Firewall.

42. Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?

Ans - Yes, we comply with these requirements. Our cloud service provider (CSP), Amazon Web Services (AWS), provides these physical security controls for the data centers.

43. Do you use Production data in a non-production environment?

Ans - Production data shall not be replicated or used in non-production environments. We do not use LIVE data in any other environment. We comply with the requirement.

44. Do you obtain authorization prior to relocation or transfer of hardware, software, or data to an offsite premise?

Ans - We obtain prior authorization from the concerned authority, as per the Media Protection procedure, before relocation or transfer of hardware, software, or data to an offsite premises.

Identity & Access Management

1. Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?

Ans - Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.

2. Do you retain logs for all login attempts for a given time period or as required by the tenant?

Ans - Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

3. Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?

Ans - Yes, controls are in place to ensure that no information beyond notification of an unsuccessful login attempt is disclosed prior to a successful login.

4. Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Ans - Yes, our partnerships with a wide array of integration partners ensure existing customer based Single Sign On (SSO) capability for all users to seamlessly use 's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go. Please refer to our list of integrations to know more.

5. Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Ans - Yes, our supported identity federation standards include SAML 2.0.

6. What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?

Ans - We isolate our machines, network, and storage with respect to the AWS Standards in order to keep it safe and secure.

7. Do you allow tenants to use third-party identity assurance services?

Ans - No, tenants are only allowed to use our own secure protocols and procedures, to prevent gaps in data handling.

8. Do you support the tenant's access review policy?

Ans - Yes, we do support our clients' and tenants' access review policies.

9. Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?

Ans - Our password setting requirements comply with all factors to ensure that strong passwords are created. Passwords should be of a minimum length and contain special characters, capitalized letters, and alpha-numeric combinations.

10. Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

Ans - No. As 's products use single sign on (SSO), the users can login via their suite email and credentials.

11. Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

Ans - Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

12. Is the option of physical and logical user audit log access restricted to authorized personnel only?

Ans - Yes, to ensure that data stays in the right hands, physical and logical access to user audit logs is restricted to authorized personnel only.

13. Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?

Ans - No, logs are audited automatically but are not integrated with the tenant's security operations. If a tenant requests logs, they can be shared on request.

14. Are audit logs centrally stored and retained?

Ans - Yes, regular audit logs are stored with and retained for future references.

15. Describe how event logs are protected from alteration including how access to these logs is controlled?

Ans - The event logs are stored in a bucket that nobody can access without approval from senior management, i.e., the Chief Technical Officer.

16. Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Ans - Yes, all security mechanisms and policies are implemented to facilitate timely detection and investigation by root-cause analysis. Incidents are analyzed with network intrusion detection (IDS) tools.

17. Do your logging and monitoring framework allow isolation of an incident to specific tenants?

Ans - Yes, in case specific incidents arise for particular tenants, our logging and monitoring framework allows isolation of incidents.

18. Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?

Ans - Yes, there are measures to limit the access of tenant's data from non-authorized devices. Please refer to "Access Control Procedures".

19. Is there an approval process for access requests to systems handling personal data?

Ans - Yes, using the access control limits, General Admins and Managers can grant access to authorized individuals on request, so they can manage their platform and the personal data accordingly.

20. Is access to systems containing personal data granted using a role-based criteria?

Ans - Yes, the "admin" role holds the highest privileges; admins can process users' personal data at their discretion using the access control limit capability.

21. Is all Personal Data registered in a standard repository?

Ans - Yes, personal data is stored in registered databases that comply with all necessary inputs of a standard inventory repository.

22. Are credentials stored in a centralized system that is as per the Industry standard?

Ans - Yes, all credentials are stored in secure storage, such as a secrets manager, as per industry standards.

23. Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Ans - Yes, our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

24. Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Ans - Yes, in case an incident occurs with respect to inappropriate access of data, we shall share the reports.

25. Do you support tenant's multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?

Ans - Yes, we support measures to enforce strong multi-factor authentication when accessing highly restricted data.

26. Do you support access to tenant sensitive data by only tenant's managed devices?

Ans - No, the data can be accessed by authorized personnel to serve you better with maximum security.

Solution Development

1. Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?

Ans - Yes, our network environment is designed and configured to restrict any communication and connection between the tenant's environment and our corporate network.

2. Do you logically and/or physically separate tenant systems from corporate systems?

Ans - Yes, tenant systems are logically separated from corporate systems by assigning each tenant's data a client-specific key, so that each tenant's data is uniquely encrypted.

3. Are information system documents (e.g., administrator and User guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation, and operation of the information system?

Ans - Yes, all the resources that are needed for configuration, installation, and operation of information systems are made available to the authorized personnel for their perusal.

4. Do you provide the logical segregation of tenant data and the application?

Ans - Yes, we logically segregate the tenant's data and the application.

5. Do you logically and physically segregate production and non-production environments?

Ans - Yes, physical segregation is done for production and non-production environments.

Security Operations

1. Have you suffered any security breach in the last 5 years?

Ans - Our security systems are airtight and so far, we haven't suffered any security breaches.

2. Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

Ans - Yes, we have a repository of security incident information if needed for all the affected customers. This information can be accessed electronically.

3. Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled, and isolated from data storage and process?

Ans - Yes, only authorized personnel are allowed at points of ingress and egress, which are kept isolated from data storage and processing.

4. What are the data backup and data archiving procedures? Is it secured?

Ans - Data backups are done daily and in a secured way in AWS.

5. Is there a provision for customer definable backup and Retention Periods of data?

Ans - No, the backup and retention of data lies in the hands of. Data is stored in the event that a future need arises for looking into the database.

6. Is the data stored in the database and in transit scrambled?

Ans - Yes, the data is stored in our secure database and is scrambled in transit for maximum security.

7. Is the client data used for testing purposes?

Ans - Our tenants' data is strictly confidential and is never used for testing or staging purposes.

8. Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

Ans - Yes, please go through our "Information Security Management System Manual" for a complete understanding.

9. Do you review your Information Security Management Program (ISMP) at least once a year?

Ans - Our ISMP is annually reviewed and updated if required.

10. Do you ensure your providers adhere to your information security and privacy policies?

Ans - Yes, our providers are required to adhere to the Information Security & Privacy Policy of the organization.

11. Do you follow OWASP (Open Web Application Security Project) guidelines for application development?

Ans - Yes, we follow all the technical guidelines for development of our code and applications that come under the Open Web Application Security Project.

12. Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Ans - Yes, we address and remediate all security, contractual, and regulatory requirements before granting customers access to data and information systems.

13. Is MFA (Multi-Factor Authentication) provided as an option?

Ans - No, we don't provide multi-factor authentication. As of now, OAuth 2.0 and SAML-based tokens are supported, and a JSON-based token is available to secure direct-email logins.

14. Does the product's architecture support continuous operation during upgrades and maintenance windows?

Ans - Yes, Compass's architecture is continuously improved and experiences no downtime during upgrades and maintenance windows.

15. Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

Ans - Yes, our event management systems merge these data sources and maintain the log data within the SIEM. This supports proper analysis and raises alerts when needed.

16. Do you have a documented security incident response plan?

Ans - Yes, our documented security incident response plan logs, monitors, and collects relevant security event data for the purpose of investigation.

17. Do you monitor and quantify the types, volumes, and impacts on all information security incidents?

Ans - Yes, information security incidents, if any, shall be quantified in type, volume, and the impact of such incidents.

18. Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Ans - Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

19. Do you use file integrity (host) and network intrusion detection (IDS) tools for your SaaS solution to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Ans - Yes, with host and network intrusion detection tools, we ensure timely detection and investigation in a prompt manner.

20. Do you monitor cyber threats internally or have taken services from any third party?

Ans - Cyber threats, if any, are managed internally by the tech team.

21. Do you assess the identified threat for applicability and exposure to your environment?

Ans - Yes, we have a regular audit on threats for applicability and exposure to our environment.

22. Do you update your cyber security program based on proactive or reactive threat intelligence feeds?

Ans - Yes, we update our cyber security program based on proactive or reactive threat intelligence feeds.

23. Does your threat feed rely on input from multiple sources?

Ans - Compass's holistic presence keeps our tech team updated with the latest news from multiple sources when it comes to any technological developments or threats.

24. Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Ans - Yes, physical segregation is done for production and non-production environments.

Training and Awareness

1. Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?

Ans - Yes, our personnel, both full-time and on contract, are bound by a non-disclosure and confidentiality agreement as a condition of employment, to protect customer and tenant information.

2. Do you specifically train your employees, contractors, third-party users regarding their specific role and the information security controls they must fulfil?

Ans - Yes, all employees and personnel go through induction and job training, as do contractors and third-party users, covering their share of the information security controls.

3. Are personnel trained and provided with awareness programs at least once a year?

Ans - Yes, all personnel are well trained with awareness programs annually.

Vulnerability and Threat Management

1. Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

Ans - Yes, policies and procedures are established, and mechanisms are implemented, to detect, address, and remediate vulnerabilities within the timeframe set by the Security Patch Management Standards.

2. Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?

Ans - Yes, Compass's products are supported by leading anti-malware programs. These are connected with our cloud service offerings and are a part of all our systems.

3. Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

Ans - Yes, we perform periodic scans of operating systems and databases along with server applications for vulnerability and configuration compliance. This is done by using suitable vulnerability management tools as per the industry standards.

4. Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

Ans - Yes, we conduct network-layer vulnerability scans regularly, as prescribed by industry standards, to detect weaknesses in the network layer.

5. Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

Ans - Yes, application-layer vulnerability scans are conducted regularly, as prescribed by industry standards.

6. Will you make the results of vulnerability scans available to tenants at their request?

Ans - Yes, tenants can request vulnerability scan reports.

7. Do you have controls and processes in place to perform host/file integrity monitoring for all systems storing and transmitting sensitive data?

Ans - Yes, in order to detect any unauthorized changes in the data or system configuration, we have a procedure in place for host/file integrity monitoring.

8. Do you conduct daily vulnerability scans at the operating system layer?

Ans - No. Vulnerability scans of the operating system layer are periodic rather than daily, at a frequency we consider sufficient to maintain its protection.

9. Do you conduct daily vulnerability scans at the database layer?

Ans - No. Vulnerability scans of the database layer are periodic rather than daily, at a frequency we consider sufficient to maintain its protection.

10. Do you conduct daily vulnerability scans at the application layer?

Ans - No. Vulnerability scans of the application layer are periodic rather than daily, at a frequency we consider sufficient to maintain its protection.

11. Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

Ans - Yes, vulnerability scans and penetration tests are conducted periodically by third parties and external services to test our security measures.

Security Operations & Technical Capabilities and Support

12. Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Ans - Yes, we have proper forensic procedures in place that include chain-of-custody management processes and controls.

13. What controls are used to mitigate DDoS (distributed denial-of-service) attacks?

Ans - As part of the Web Application Firewall (WAF), rate limiters block repeated requests from specific IPs to prevent DDoS-type attacks. They are backed by daemons that also examine other identifiers, such as the URLs accessed or other client properties, and automatically blacklist likely threats either temporarily or permanently.
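The rate-limiting and blacklisting behaviour described in this answer can be sketched in code. The following is an added example, not Compass's WAF code or any vendor's configuration: it keeps a fixed-window request counter per client IP, puts a client on a temporary blacklist after repeated over-budget windows, and puts a client on a permanent blacklist when it requests a path no legitimate client would ask for. The window size, request budget, strike count, ban duration and the deny-listed path `/honeypot` are constructed assumptions, and the IP addresses are documentation addresses.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Decision is the limiter's verdict on one request.
type Decision int

const (
	Allow       Decision = iota // within the per-window budget
	Throttle                    // over budget: reject this request only
	BlockedTemp                 // client is on the temporary blacklist
	BlockedPerm                 // client is on the permanent blacklist
)

var decisionNames = [...]string{"allow", "throttle", "blocked-temporary", "blocked-permanent"}

func (d Decision) String() string { return decisionNames[d] }

// Limiter keeps a fixed-window request counter per client IP. A client that
// exceeds the budget in strikeLimit separate windows is blacklisted for tempBan;
// a client that requests a deny-listed path is blacklisted permanently.
type Limiter struct {
	mu                     sync.Mutex
	window, tempBan        time.Duration
	maxPerWin, strikeLimit int
	denyPaths, perm        map[string]bool      // deny-listed paths; permanent blacklist
	counts, strikes        map[string]int       // requests in current window; over-budget windows
	winEnd, tempUntil      map[string]time.Time // current window end; temporary ban expiry
}

func NewLimiter(window time.Duration, maxPerWin, strikeLimit int, tempBan time.Duration, denyPaths []string) *Limiter {
	l := &Limiter{window: window, tempBan: tempBan, maxPerWin: maxPerWin, strikeLimit: strikeLimit,
		denyPaths: map[string]bool{}, perm: map[string]bool{}, counts: map[string]int{},
		strikes: map[string]int{}, winEnd: map[string]time.Time{}, tempUntil: map[string]time.Time{}}
	for _, p := range denyPaths {
		l.denyPaths[p] = true
	}
	return l
}

// Check records one request and returns the verdict. The clock is passed in
// so the behaviour is deterministic and testable.
func (l *Limiter) Check(ip, path string, now time.Time) Decision {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.perm[ip] {
		return BlockedPerm
	}
	if until, ok := l.tempUntil[ip]; ok {
		if now.Before(until) {
			return BlockedTemp
		}
		delete(l.tempUntil, ip) // ban expired: forget the strike history
		delete(l.strikes, ip)
	}
	// A path no legitimate client ever requests is treated as a scanner
	// signature and earns a permanent entry regardless of request rate.
	if l.denyPaths[path] {
		l.perm[ip] = true
		return BlockedPerm
	}
	if end, ok := l.winEnd[ip]; !ok || !now.Before(end) {
		l.winEnd[ip], l.counts[ip] = now.Add(l.window), 0 // start a new window
	}
	l.counts[ip]++
	if l.counts[ip] <= l.maxPerWin {
		return Allow
	}
	if l.counts[ip] == l.maxPerWin+1 { // first over-budget request in a window = one strike
		l.strikes[ip]++
		if l.strikes[ip] >= l.strikeLimit {
			l.tempUntil[ip] = now.Add(l.tempBan)
			return BlockedTemp
		}
	}
	return Throttle
}

// Scenario replays constructed traffic and returns the verdict for each request.
// Policy values are assumptions: 3 requests per second, temporary ban after 2
// over-budget windows lasting 10 s, and "/honeypot" as the deny-listed path.
func Scenario() []Decision {
	l := NewLimiter(time.Second, 3, 2, 10*time.Second, []string{"/honeypot"})
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	a, b := "203.0.113.7", "198.51.100.9" // documentation addresses
	var out []Decision
	for i := 0; i < 5; i++ { // burst of five in one second: the last two are throttled
		out = append(out, l.Check(a, "/", t0))
	}
	for i := 0; i < 5; i++ { // second burst a second later: second strike, temporary ban
		out = append(out, l.Check(a, "/", t0.Add(time.Second)))
	}
	out = append(out, l.Check(a, "/", t0.Add(12*time.Second))) // ban expired: served again
	out = append(out, l.Check(b, "/honeypot", t0))            // deny-listed path: permanent ban
	out = append(out, l.Check(b, "/", t0.Add(time.Hour)))     // still banned an hour later
	return out
}

func main() { fmt.Println(Scenario()) }
```

A fixed window is the simplest counter; a production WAF would usually use a sliding window or token bucket so a burst straddling two windows cannot double the effective budget, and would key on more than the source IP (the answer mentions URLs and client properties) so that clients behind one NAT are not all punished for one misbehaving host.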

14. Is there a cloud audit program to address the client's audit and assessment requirements?

Ans - Yes, under our cloud audit program we review and address all audit and assessment requirements put forth by the tenant.

15. Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

Ans - Yes, we have forensic procedures in place for data collection and analysis during incident response.

16. Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?

Ans - Yes, we can freeze data from a specific time without freezing other data if need be.

17. Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

Ans - Yes. Tenant data separation is enforced and attested to when data is produced in response to legal subpoenas.

18. Give details of the platform on which the application is developed.

Ans - The Compass Platform is built on a microservices architecture: its applications are independent services deployed on the AWS cloud platform.

19. Does your product provide/support mobility through native mobile apps etc.?

Ans - Yes, our product is supported by a comprehensive web and mobile application that can be accessed via desktop and mobile devices.

20. Do you offer configurability in your SaaS solution? Give the options if available.

Ans - Our platform can be white-labelled to match the look and feel of the tenant's platform. The emails are also customizable for a personal touch.

21. Do you support out-of-the-box integration with on-premises applications such as SAP, Active Directory, etc.?

Ans - Yes, Compass comes with a full set of integrations with various platforms, so tenants get enriched utility and maximum output from the platform.

23. What types of Advisory and technical support are provided?

Ans - Compass's customer support team is available at all times to address queries and to provide advisory and technical support.

24. How does the Cloud Service Provider protect keys, and what security controls are in place to effect that?

Ans - Each tenant's data is encrypted with a unique, client-specific key. We use AES 256-bit encryption for data at rest.

25. Are hardware security modules used to protect such keys? Who has access to such keys?

Ans - Yes, hardware security modules are used to protect these keys, and the key access lies with the Chief Technical Office.

26. What procedures are in place to manage and recover from the compromise of keys?

Ans - We use the Key Management Service by AWS to manage all the keys. In the event that keys get compromised, they can be recovered through the Key Management Service.

27. If an advanced warning is given for service interruption, will it count as downtime?

Ans - Yes, a service interruption counts as downtime even when prior notification has been given.

28. What is the SLA (Time) for different levels of support for different incidents and change requests? Standard example: Critical - 2 hrs. or less, Moderate - 4 hrs. or less, Minimum - 8 hrs. or less

Ans - Support response times range from six to forty-eight hours, depending on the level of service and the severity of the incident.

29. Do you have penalty clauses in the event of performance failure?

Ans - No, there is no penalty clause attached in the event of a performance failure.

30. Does the application have robust Backup and Restore procedures? Is the duration configurable? Can you share your DR strategy and test results? Is it Active-active?

Ans - Since we are a SaaS product, we handle backup and restore of all customer data ourselves. Data at rest is encrypted with AES-256. For DR we run a multi-AZ deployment with periodic backups. BCP/DR is active-passive.

31. How is data isolated between customers? Is the data in non-prod instances refreshed with Prod data and masked? If data masking is performed, then how configurable are the masking scripts? What protection is used for Prod data at rest and at transit?

Ans - We use logical data isolation based on company-specific encryption keys. Data in the non-production environment is not refreshed from production; we generate separate test data instead. Data in transit: TLS 1.2. Data at rest: AES-256.
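The per-tenant key isolation described here, and in the answer on key protection (question 24 above), can be illustrated with AES-256-GCM: each tenant gets its own 256-bit key, and the tenant ID is additionally bound into every ciphertext as authenticated data, so a record sealed for one tenant cannot be opened under another tenant's key or in another tenant's context. This is an added example, not the Compass platform's code; it generates keys in memory instead of fetching them from a key management service, and the `TenantVault` type, the function names and the sample record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sync"
)

// ErrNotOwner is returned when a record was not sealed for the requesting
// tenant, or has been modified since it was sealed.
var ErrNotOwner = errors.New("record is not readable by this tenant or was tampered with")

// TenantVault holds one 256-bit AES key per tenant. This example keeps the
// keys in memory so it runs offline; a real deployment would hold them in a
// key management service.
type TenantVault struct {
	mu   sync.Mutex
	keys map[string][]byte
}

func NewTenantVault() *TenantVault { return &TenantVault{keys: map[string][]byte{}} }

// aeadFor returns an AES-256-GCM instance for the tenant, generating a random
// 32-byte key the first time the tenant is seen.
func (v *TenantVault) aeadFor(tenant string) (cipher.AEAD, error) {
	v.mu.Lock()
	key, ok := v.keys[tenant]
	if !ok {
		key = make([]byte, 32) // 32 bytes selects AES-256
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			v.mu.Unlock()
			return nil, err
		}
		v.keys[tenant] = key
	}
	v.mu.Unlock()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the tenant's own key. The tenant ID is passed
// as additional authenticated data, so a record is cryptographically bound to
// its tenant as well as to its key. Output layout: nonce || ciphertext || tag.
func (v *TenantVault) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	aead, err := v.aeadFor(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Decrypt opens a record for the given tenant. Any other tenant's key, or a
// modified ciphertext, fails the GCM tag check and yields ErrNotOwner.
func (v *TenantVault) Decrypt(tenant string, record []byte) ([]byte, error) {
	aead, err := v.aeadFor(tenant)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, ErrNotOwner
	}
	nonce, sealed := record[:aead.NonceSize()], record[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, sealed, []byte(tenant))
	if err != nil {
		return nil, ErrNotOwner
	}
	return plaintext, nil
}

// IsolationDemo seals a constructed record for tenant "acme" and reports
// whether only "acme" can read it back.
func IsolationDemo() (bool, error) {
	v := NewTenantVault()
	sample := []byte("customer: Jane Doe, phone: +1-555-0100") // constructed sample record
	record, err := v.Encrypt("acme", sample)
	if err != nil {
		return false, err
	}
	own, err := v.Decrypt("acme", record)
	if err != nil {
		return false, err
	}
	_, crossErr := v.Decrypt("globex", record) // another tenant, another key
	return string(own) == string(sample) && errors.Is(crossErr, ErrNotOwner), nil
}

func main() {
	ok, err := IsolationDemo()
	fmt.Println("tenant isolation holds:", ok, "error:", err)
}
```

Binding the tenant ID as associated data is what turns "a different key" into "a different security domain": even if an operator mistakenly loaded one tenant's key for another, the tag check would still reject the record. GCM nonces must never repeat under one key, so a deployment that encrypts very large volumes per tenant would rotate keys or use a nonce-misuse-resistant mode.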

32. How many instances are to be provided and supported? How seamless is the product upgrade release? What is the hosting model (public, private, hybrid, etc.)?

Ans - We are a SaaS solution, and hosting is handled by us; no instances are needed from the client. We use the public cloud for hosting.

33. What is the RTO and RPO? Can you share the latest DR strategy test results?

Ans - The RTO is 6 hours and the RPO is 6 hours. Yes, we can share the latest DR strategy test results upon request.

34. What are WCAG Guidelines?

Ans - The Web Content Accessibility Guidelines (WCAG) define how to make web content more accessible to people with disabilities. Accessibility covers a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.

35. Do you comply with WCAG Guidelines?

Ans - Yes. We always give our best to make sure that our applications are developed as per WCAG guidelines and help differently abled people across the globe.

36. Can people with disabilities use your website and application without barriers?

Ans - Yes. We ensure that people with disabilities can use our websites and applications without difficulty. Our website and products use simple options and keep content clearly visible.

37. Do you consider WCAG guidelines during product development?

Ans - Yes. We always consider the WCAG guidelines for helping differently abled people.

38. Do you conduct any periodical review and improve the website or applications?

Ans - Yes. We periodically review our website and applications and make all necessary changes as per the guidelines.

Data Management

1. How do you protect digital identities and credentials and use them in cloud applications?

Ans - We use AES 256-bit encryption for data at rest for securing digital identities.

2. What data do you collect about the tenant (logs, etc.)? How is it stored? How is the data used? How long will it be stored?

Ans - The only user data stored within the system is their personal information - names, emails, and contact numbers. This data is not put to any use by Compass and resides within the system. The data can be deleted upon the tenant's request.

3. Under what conditions might third parties, including government agencies, have access to my data?

Ans - Your data is completely secure. Third parties have no access to the given data.

4. Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about tenants?

Ans - Yes, as stated above, your data is completely encrypted and secure, hence no critical information shall be revealed to the third parties.

5. Do you have data-integrity monitoring / change-detection software?

Ans - Our data is stored in secured databases, and no data can be altered without the change being logged in the system records.

6. Do you have data loss prevention (DLP) solutions implemented for web, email, and endpoint gateways?

Ans - Yes, our web assets, email, and endpoints are covered by data loss prevention controls.

7. Do you have technical controls capable of enforcing customer data retention policies?

Ans - Yes, our technical controls are built to enforce customer data retention policies.

8. Can you provide details about policies and procedures for backup? This should include procedures for the management of removable media and methods for securely destroying media no longer required.

Ans - The Compass platform operates on the cloud, which means there are no removable storage devices in question.

9. Can you specify the steps taken to ensure that data which has been deleted is completely wiped and cannot be accessed by other service users?

Ans - Deleted data goes through an organized purge process. Once the data is purged, it is removed from all locations.

10. What checks are made on the identity of users with privileged access?

Ans - There are user roles for privileged and authorized members, and access to them is provided via OAuth 2.0.

11. What processes are in place for de-provisioning privileged credentials?

Ans - A support ticket has to be raised to the customer support team, after which the de-provisioning of privileged credentials will be taken care of in the back end.

12. How are the accounts with the highest level of privilege authenticated and managed ?

Ans - The accounts with the highest privilege are authenticated and managed via OAuth 2.0, which is used to implement secure access to confidential data.

13. How do you allow for extraordinary, privileged access in the event of an emergency?

Ans - In case of an emergency, tenants can raise a request to the customer support personnel or the key account manager. The privileged access shall be given from the back end promptly.

14. How are privileged actions monitored and logged? Is there a way to check and protect the integrity of such audit logs?

Ans - Infrastructure logs are collected using the AWS Audit Trail, while application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage.

15. Is there mutual authentication? How could strong authentication be used? For example, RSA SecurID? Is there any limitation?

Ans - Yes, mutual authentication exists for strong authentication via AES 256-bit encryption.

16. Please provide detail about what information is recorded within audit logs?

Ans –

  • Infrastructure logs are collected using the AWS Audit Trail.

  • Application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage.

17. Is the data segmented within audit logs so they can be made available to tenants without compromising other customers?

Ans - No. Since we are a multi-tenant system, our logs contain information of all the tenants. We cannot isolate a single customer's information from our logs.

18. How are audit logs reviewed? What recorded events result in action being taken?

Ans - Administrative logs are part of Cloud Dashboard and are regularly reviewed.

19. Do you use multiple ISPs?

Ans - Yes, we have multiple internet service providers for uninterrupted coverage and maximum uptime.

20. Do you have DDoS protection, and if so, how?

Ans - There are gateways in place to deter DDoS attacks.

21. What is your downtime plan (e.g., service upgrade, patch, etc.)?

Ans - We do not face any downtime and keep our service uninterrupted even during upgrades and patches.

22. Can you accommodate timely forensic investigation (e.g., eDiscovery)?

Ans - Yes, if a forensic investigation is needed, we can accommodate it in a timely manner.

23. Do you follow Data input and output integrity routines (i.e., reconciliation and edit checks) for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

Ans - Yes. We comply with this requirement; we follow multi-layer application architecture to isolate database access.

24. Do you follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services?

Ans - Yes. We follow a defined quality change control and testing process as per the organization's policies and procedures.

25. Are data and objects classified by the data owner based on data type, value, sensitivity, and criticality to the organization?

Ans - Yes. We follow a data classification policy and access control policy to provide access to the individuals based on data type, value, sensitivity, and criticality to the organization.

26. Do you follow Data Security & Information Lifecycle Management Ownership / Stewardship?

Ans - Yes, we comply with this requirement. All data has been designated with stewardship, with assigned responsibilities defined, documented, and communicated as per the compliance requirements.

27. Do you make sure that each operating system has been hardened to provide only the ports, protocols, and services necessary to meet business needs, and that supporting technical controls such as antivirus, file integrity monitoring, and logging are in place as part of the baseline operating build standard or template?

Ans - Yes. We follow our access control policy and data protection policy to make sure that only authorized individuals have access to the required data, and we have controls such as antivirus, file integrity monitoring, and log monitoring in place as per the compliance requirements.

GDPR

1. Does Compass follow GDPR?

Ans – Compass is GDPR Compliant. We ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security.

2. Does Compass have an information security policy and is it communicated and published to all employees, suppliers, and other relevant external parties?

Ans - Compass has an information security policy that is published and communicated to all suppliers and employees (including contractors and other relevant external parties).

Compass has ensured that its information security policies establish the direction of the organization and align with leading practices (e.g., ISO 27001, ISO 22307, COBIT), as well as regulatory, federal/state, and international laws where applicable.

3. Does Compass have a formal established disciplinary or sanction policy for its employees who have violated security policies and controls?

Ans - Yes, at Compass, we have a formal disciplinary or sanction policy established for employees who have violated security policies and controls. Employees are made aware of what action might be taken in the event of a violation, and this is stated in the policies and controls. A detailed disciplinary process and policy are also in place.

4. Does Compass ensure that all projects go through some form of information security assessment?

Ans - At Compass, we use JIRA for project management, and compliance with the information security policy is mandatory and is followed in all projects.

Every code change is reviewed by the tech lead or architect responsible for the project.

During the review process, the reviewer is responsible for identifying possible security issues.

5. Does Compass have a mobile device policy?

Ans - Yes, Compass has a mobile device policy. It takes into account the risks of working with mobile devices in unprotected environments and sets out the controls to be implemented to protect data transmitted to or stored on the mobile device, among other things.

6. Does Compass have a policy governing information classification and is there a process by which all information can be appropriately classified?

Ans - Yes, Compass does have an 'Information Security Policy' in place.

Information classification is included in the organization's processes and is consistent and coherent across the organization. The results of classification indicate the value of assets according to their sensitivity and criticality to the organization, e.g., in terms of confidentiality, integrity, and availability. The results are updated in accordance with changes in the assets' value, sensitivity, and criticality throughout their life cycle.

Formal procedures for the secure disposal of media are also established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

7. Does Compass have a formal procedure governing how removable media is disposed of?

Ans - Yes, we do have an 'Information Security Policy' in place and formal procedures for the secure disposal of media are established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

8. Does Compass have a process to restrict access to information and application system functions in line with the access control policy?

Ans - Our application has role-based access controls, and menu screens are made accessible accordingly.

9. What kind of Encryption and Hashing is used at Compass?

Ans - AES 256-bit encryption for PI data. SHA-256 with a unique salt for hashing passwords.
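The password-hashing scheme stated here, a per-user random salt hashed together with the password using SHA-256, as an added example that is not Compass's code. The stored record layout `sha256$<hex salt>$<hex digest>`, the salt length and the function names are assumptions; the sample password is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Stored record layout (an assumption for this example, not Compass's format):
// "sha256$<hex salt>$<hex digest>", so the salt is kept alongside the hash.
const saltLen = 16

// digest hashes salt || password with SHA-256.
func digest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// HashPassword draws a fresh random salt for this user and returns the record
// to store. Two calls with the same password yield different records, so equal
// passwords across users are not recognisable and precomputed tables do not apply.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return "", err
	}
	return "sha256$" + hex.EncodeToString(salt) + "$" + hex.EncodeToString(digest(salt, password)), nil
}

// VerifyPassword recomputes the digest with the stored salt and compares it in
// constant time, so response timing does not reveal how many leading bytes matched.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 3 || parts[0] != "sha256" {
		return false, errors.New("unrecognised password record")
	}
	salt, err := hex.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(digest(salt, password), want) == 1, nil
}

func main() {
	record, err := HashPassword("correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyPassword(record, "correct horse battery staple")
	bad, _ := VerifyPassword(record, "not the password")
	fmt.Printf("%s\ncorrect password verifies: %v\nwrong password verifies: %v\n", record, ok, bad)
}
```

The salt protects against precomputed lookup tables and hides shared passwords, but SHA-256 is a fast function, so it does not slow down guessing of weak passwords; current practitioner guidance for password storage favours a deliberately slow or memory-hard function such as bcrypt, scrypt or Argon2, which can be dropped in here without changing the record-handling or constant-time comparison shown.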

10. Does Compass have a documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) available? If yes, kindly mention the location where the data would be stored?

Ans - Yes, Compass has a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). The data is stored at AWS USA (Oregon).

11. Is there a process for reporting identified information security weaknesses at Compass, and is this process widely communicated?

Ans - Such weaknesses are identified during security audits and VAPT reviews. Yes, this process is widely communicated to all employees and stakeholders.

12. Are there policies mandating the implementation and assessment of security controls at Compass?

Ans - Yes, at Compass, we perform quarterly VAPT and have static code analysis via SonarQube.

13. Do contracts with external parties and agreements within the organization detail the requirements for securing business information in a transfer?

Ans - Policies, procedures, and standards have been established and maintained to protect information and physical media in transit and are referenced in such transfer agreements.

There is also a clause on securing business information and protecting confidential information in the NDAs signed by external parties.

14. Are IS Systems subject to audit at Compass and does the audit process ensure business disruption is minimized?

Ans - As part of the ISO audit, the IS systems audit is also covered, and yes, the audit process ensures that business disruption is minimized.

15. Is there a process to risk assess and react to any new vulnerabilities as they are discovered at Compass?

Ans - We have a quarterly VAPT performed on the entire application by a third-party security auditor.

16. How secure is Compass?

Ans - At Compass, we ensure that data is gathered, stored, and handled with respect for individual rights. We have raised awareness among our employees and other stakeholders on how to handle data appropriately, and our employees understand the importance of GDPR and information security. Our controls are placed based on a data protection impact assessment (DPIA). All personal data on Compass is encrypted. We take data and security very seriously. We are ISO 27001, GDPR, and SOC compliant.

17. How does Compass use my information?

Ans - We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.

  • To improve our website in order to better serve you.

  • To allow us to better service you in responding to your customer service requests.

  • To ask for ratings and reviews of services or products.

  • To follow up with you after correspondence (live chat, email, or phone inquiries).
