| Expand | ||
|---|---|---|
| ||
leAre all ingress and egress points for traffic through your network or cloud environment protected by firewalls? Yes. The Commonplace platform is accessible via the internet for customer and respondent users over https connections. We utilise a range of AWS provided services to assist in securing this access point including Firewalls, Load Balancers and VPC. Regular penetration testing is undertaken to ensure that exposed interfaces remain secure. More information: https://commonplace.atlassian.net/l/cp/4ARsdztu |
| Expand | |||
|---|---|---|---|
| |||
Yes, we use AWS WAF. We review the rules as required, at lease annually, and tailor them to Commonplace’s needs. More information: https://commonplace.atlassian.net/l/cp/16HZsusv |
| Expand | ||
|---|---|---|
| ||
Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)? Yes. Connecting to the Commonplace application, all connections use HTTPS at a minimum of TLS v1.2. More information: https://commonplace.atlassian.net/l/cp/VurA6Lg2 |
| Expand | ||
|---|---|---|
| ||
Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)? Yes, via multi-factor authentication or SSH key pairing via VPN. More information: https://commonplace.atlassian.net/l/cp/XBZNHq9f |
| Expand | ||
|---|---|---|
| ||
Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems? AWS hosting comes with built in IPS and IDS. We utilise a range of additional tools here including AWS Cloudwatch, AWS Guarduty, Sentry, Snyk and others. More information: https://commonplace.atlassian.net/l/cp/Uf7k3An5 |
| Expand | ||
|---|---|---|
| ||
Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary? Yes. Alerting is routed to relevant Slack channels. History of all alerts is maintained in a dedicated inbox. More information: https://commonplace.atlassian.net/l/cp/ZzWrKAz3 |
| Expand | ||
|---|---|---|
| ||
Has your organisation implemented segmentation or segregation in your networks and/or cloud environments? Yes. We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access. We implement segregation between customer accounts. The product is one system shared between customers with security policies in place to only enable access to customer relevant data. Data is segregated from other customers through the use of dedicated subdomains, user credentials authentication, and organisational identifiers within the product. More information: https://commonplace.atlassian.net/l/cp/EQk0vYN6 |
| Expand | |||||
|---|---|---|---|---|---|
| |||||
APIs: Data in transit between Commonplace services and External APIs is protected using HTTPS at a minimum of TLS v1.2. More information: https://commonplace.atlassian.net/l/cp/sgAi9fua |
| Expand | ||
|---|---|---|
| ||
Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service DDOS) attacks? Yes, we use AWS Route53 inbuilt DDOS mitigation and protection tools in combination with AWS WAF. More information: https://commonplace.atlassian.net/l/cp/Tcz9zLEX |
| Expand | ||
|---|---|---|
| ||
Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings? Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. These tools check things like the code we have written, third-party software and libraries in use and provide real-time feedback when any issues are detected. In addition to this we also run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or updates. More information: https://commonplace.atlassian.net/l/cp/D1kyCKhp |
| Expand | ||
|---|---|---|
| ||
Does your organisation conduct regular penetration tests of its public facing IT infrastructure? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Commonplace platform and then fixes incorporated into our development lifecycle as required. More information: https://commonplace.atlassian.net/l/cp/bTBxZX9K |
| Expand | |||||
|---|---|---|---|---|---|
| We run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or updates along with automated unit tests and other measures to identify internal vulnerabilities.|||||
More information: https://commonplace.atlassian.net/l/cp/m3HC3Sm9 |
| Expand | ||
|---|---|---|
| ||
Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows? Yes. XXXXX More information: https://commonplace.atlassian.net/l/cp/03Wv3WMg |
| Expand | ||
|---|---|---|
| ||
Does your organisation record and store user activity logs for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinitely in our own database. More information: https://commonplace.atlassian.net/l/cp/1czdtH1x |
| Expand | ||||
|---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/Pdp5zza5 |
| Expand | ||
|---|---|---|
| ||
Are all logs stored on a secure/hardened server that is logically separate from the systems being logged? Not necessarily "servers" but for example, AWS holds logs on activities separate to the actual platform, GitHub also retains logs. We also port log information out to separate platforms such as papertrail or internal databases. More information: https://commonplace.atlassian.net/l/cp/2juZouPF |
| Expand | |||
|---|---|---|---|
| |||
Snyk is run with each deployment, automated end-to-end, integration and unit testing on each deployment, manual code review and QA on each deployment. More information: https://commonplace.atlassian.net/l/cp/MA7p0RGm |
| Expand | |||
|---|---|---|---|
| |||
Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform their duties. More information: https://commonplace.atlassian.net/l/cp/KZj451B2 |
| Expand | ||
|---|---|---|
| ||
Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load? Yes, we utilise a range of tools to assist here including AWS controls and Kubernetes for auto scaling, plus auto-scaling with Mongo Atlas.https://commonplace.atlassian.net/l/cp/AZYJZhGW |
| Expand | ||
|---|---|---|
| ||
Does your organisation manage and control the use of, and access to, any cryptographic keys? Yes, our Cryptographic Controls Policy is available on request from customers@commonplace.ishttps://commonplace.atlassian.net/l/cp/3ZJet0uM |