Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

Yes. Commonplace operates a documented Supplier Security Policy that ensures providers have appropriate controls in place within their organisation. Terms of service and contracts are checked, and reviews are completed in a standard template, to confirm that all necessary clauses relating to information security and data protection are present, with appropriate mechanisms for reporting, including Data Processing Agreements (DPAs) and Standard Contractual Clauses (where applicable). Customer information residing on third party services (AWS, MongoDB, Sendgrid) is not accessible to the providers and is in all cases transferred using secure mechanisms such as HTTPS. Critical suppliers are reviewed annually to verify that certifications (such as ISO 27001) are maintained and that resilience continues (any incidents, failures, etc.). Where an incident affects Commonplace services or customer information, an immediate review of the provision is undertaken. As a small company, we have limited ability to influence the contracts and operations of large-scale suppliers; the approach is therefore to ensure that supplier agreements contain all the provisions necessary to meet our information security requirements.

More information: https://commonplace.atlassian.net/l/cp/F2MhByNv
More information: https://commonplace.atlassian.net/l/cp/2wB50ptH
Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?

Yes.

More information: https://commonplace.atlassian.net/l/cp/bAZjm30T
Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?

Yes. We have a documented Supplier Security Policy that details the requirements that must be in place when selecting service providers. This includes checklists for security clauses in contracts, and due diligence checklists to confirm that appropriate controls are in place. Suppliers are also reviewed at least annually to confirm continued performance.

More information: https://commonplace.atlassian.net/l/cp/dYwGfumV
Does your organisation conduct security due diligence against suppliers before entering into a contract?
Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?

Yes. All suppliers are reviewed annually, and on demand if there is a breach or other significant disruption.

More information: https://commonplace.atlassian.net/l/cp/x6YnKA0S