Certifications

  • NowForce is ISO 9001 certified
  • NowForce is ISO 27001 and ISO 27799 certified
  • NowForce is one of the few vendors registered on the FedRAMP Marketplace (authorization in process)

Policy & Training

  • Developers are trained in Secure Web Development methodologies
  • Development follows OWASP best practices for mobile and web development
  • Annual Privacy training
  • Security and Privacy policies are in place

Background Checks

  • NowForce personnel passed criminal background checks (relevant employees)


AWS Compliance
NowForce servers are running on AWS infrastructure that is in compliance with:

  • HIPAA
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
  • SOC 2
  • SOC 3
  • PCI DSS Level 1
  • ISO 27001
  • FedRAMP(SM)
  • DIACAP and FISMA
  • ITAR
  • FIPS 140-2
  • CSA
  • MPAA

AWS GovCloud

  • NowForce is certified to run its servers on AWS GovCloud, an isolated AWS Region designed to allow US government agencies to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
  • Can be accessed only by NowForce’s US citizen personnel

HTTPS
The NowForce system uses SSL/TLS 1.2 encryption for all communications

Access Control

  • Access to Dispatcher user interface can be limited to specific IP ranges per organization - optional configuration
  • Single device login (preventing multiple logins from the same account) - optional configuration
  • Unique IDs are assigned to each mobile device allowing the blocking/disabling of unauthorized users even if the application is already installed on their device
  • Access to cloud infrastructure uses 2-factor authentication
  • Access to NowForce API using OAuth2

Passwords

  • Passwords stored in the database are hashed
  • CJIS compliance elements:
      • Password renewal policy
      • Strong Passwords enforcement
      • Password expires after X days
      • Force user to change password on first entry
      • Prevent reuse of last X passwords
      • Automatic lock of user after X failed attempts

Information Control

  • Passive / Active users – ability to control which type of users are sending location information at any given time
  • Auto delete – ability to define amount of time that the system will store information such as location and incident related details with option to export the data to local protected files

Additional Options

  • Customer can connect to cloud using VPN
  • Deployment over dedicated instance
  • On site installation using customer’s security controls


Penetration Testing

  • Ongoing automatic scanning - no vulnerabilities found
  • 3rd party Penetration Testing report is available - no critical vulnerabilities found
  • Latest PenTest performed November 2016