Are all of your organisation's physical premises manned 24/7 by a security team or reception team? Data centres have security teams: https://aws.amazon.com/compliance/data-center/controls/. We do not
Acceptable Use Policy
Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information? Yes, our Asset Management Policy contains this information and is available on request from customers@commo
Access Company Data or Services
Does your organisation allow employees to access company data or services through mobile phones or tablets? Our Mobile & Teleworking Policy provides base level requirements for devices to access our systems. Company owned iPads are used to access our syst
Access Control Policy
Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed? Yes, you may request a copy of our Access Control Policy from email@example.com. We conduct access
Access Control System
Does your organisation use an access control system on its premises entry and exit points that includes logging of access? Data centres have access control systems: https://aws.amazon.com/compliance/data-center/controls/.
Account Recovery and Lock Out
How is account recovery and lock out managed for Commonplace users? Passwords can be reset via email. Users who make multiple login attempts with the wrong password within a given time period are blocked from retrying for a set period.
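The lockout described above is a time-windowed failure counter: failures are only counted inside a rolling window, and once the threshold is reached the account is blocked for a fixed period. The following is an added illustration of that mechanism, not Commonplace's own code; the threshold (5 failures), window (15 minutes) and block length (15 minutes) are assumed values, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
"""Added example of a time-windowed failed-login lockout (not Commonplace's code).
Thresholds below are assumptions chosen for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import time

MAX_FAILURES = 5          # assumed: failures allowed inside the window
WINDOW_SECONDS = 15 * 60  # assumed: rolling window in which failures are counted
BLOCK_SECONDS = 15 * 60   # assumed: how long an account stays blocked


@dataclass
class LoginThrottle:
    """Per-account failed-login tracking with a temporary block."""
    clock: callable = time.time   # injectable clock, so tests can advance time
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)

    def _prune(self, user, now):
        # Drop failures that have aged out of the rolling window.
        q = self._failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, user):
        until = self._blocked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Block has expired: clear it together with the failure history.
            del self._blocked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        now = self.clock()
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= MAX_FAILURES:
            self._blocked_until[user] = now + BLOCK_SECONDS

    def record_success(self, user):
        # A successful login resets the failure count.
        self._failures.pop(user, None)

    def attempt(self, user, password, verify):
        """Returns 'blocked', 'ok' or 'denied'.

        `verify(user, password)` is the real credential check; it is never
        called while the account is blocked, so a blocked attacker cannot
        keep testing passwords.
        """
        if self.is_blocked(user):
            return "blocked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "denied"
```

Two practitioner caveats: the same "blocked" or "denied" response should be shown to the user regardless of whether the account exists, otherwise the lockout doubles as a username-enumeration oracle; and a per-account lockout lets an attacker lock a victim out on purpose, so a short block combined with rate limiting per source address is usually preferable to a long or indefinite one.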
Activities Might Be Hazardous to Environment
Does your organisation conduct any activities that might be deemed as hazardous to the environment? No, we are an entirely desk-based organisation offering a digital service.
Annual Independent Information Security
Does your organisation conduct an annual independent information security review and act upon the findings? Yes, our ISMS is audited annually both internally and externally. Along with other review mechanisms as part of our ISO 27001 requirements.
Anti-Bribery Policy and Corruption (AB&C)
Does your organisation have a documented set of policies and procedures for managing compliance with all applicable anti-bribery and corruption (AB&C) legislation or regulations in the jurisdictions in which you operate? Yes, a copy of our anti-bribery po
Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure? Due to the nature of the service architecture (use of AWS, etc) we operate a hybri
Is the application fully accessible? Further detail on how we comply with WCAG 2.1 AA and UK Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 can be found in the Accessibility Policy on the footer of any active Common
Application Support Browsers
Which browsers does your application support? Edge, Firefox, Chrome, Safari or Opera.
Application Users Install
Is there an application that users install to use your service? No.
Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation? Yes. Within Commonplace: Data in transit within the Commonplace
Appropriate Logging & Monitoring
Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops? Yes, logging, monitoring and alerting is in place across the database, application and infrastructure.
Appropriate Security Testing
Does your organisation conduct appropriate security testing as part of your development lifecycle? We use a range of monitoring tools to ensure that the Commonplace platform remains secure during the development lifecycle. These include: AWS CloudWatch fo
Arrangements for Alternate Resource
Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time? We've doubled the size of our workforce in the last few years and we have robust recruitment and onb
Audit Employee Access Rights
Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)? Yes. Each service is on an automated schedule for access rights reviews. Depending on the level of risk associated with each service
Audit Trail of User Activity
Does the system keep an audit trail of user activity? Yes. We keep an audit trail of all key activities, as follows: Admin or comms manager user added / removed Survey user added / removed User log in / log out Create project - retains a record of when a
Back up of Digital Production Data
Does your organisation take regular backups of its digital production data in line with current best practice guidelines? Commonplace performs regular backups of all our data, and therefore if the worst happened and all of our data were lost, the worst ca
Background Checks on Staff & Contractors
Does your organisation perform background checks on staff and contractors? Yes. All Commonplace employees are screened to ensure entitlement to work in the UK, with proof of ID required. References are checked. Privileged access is reviewed as part of our
Does your organisation have a documented Backup Policy? Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from email@example.com
Browsers That Can Be Accessed
Is your service accessed through a browser? Yes. With any of Edge, Firefox, Chrome, Safari or Opera.
Business Continuity Plan
Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster? Yes, a copy of the Business Continuity Plan is available upon request from email@example.com
Business Impact Assessment
Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating? Yes.
Certifications or Audit Reports
Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)? Yes, we are half way through applying to be a B Corporation.
Clear Desk & Screen Policy
Does your organisation enforce a Clear Desk and Screen Policy? Yes, you may request a copy of our Clear Screen & Desk Policy from email@example.com
Client Contract Terminated
Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data? Yes. Two years after the license ends at the latest, each project is archived and the responses are ps
Code of Business Ethics
Does your organisation work to a committed code of business ethics which includes ethical labour practices? Yes, we do not use zero-hours contracts, and we pay at least the London Living Wage.
Company Owned Laptop
Are all company owned laptop hard drives encrypted? Yes.
Components of the System
Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party? Yes. Sites are cloud hosted by Commonplace. Our service is hosted with Amazon Web Services (AWS) located in London, UK. Cloudinary for i
Confidential Method for Employees
Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers? Yes, this is documented in our Compan
Confidential Paper Waste
Does your organisation ensure confidential paper waste is disposed of securely? We are a paperless business.
Control Installation on User Endpoint System
Does your organisation have procedures in place to control the installation of software on user endpoint systems? Yes, via our Mobile Device Management solution JamfPro.
Countries to Store or Transfer Personal Data
Where / which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI outside of the UK? Our application and data is hosted in AWS in London, UK. Sub-processors operate data in the following: United Kingdom of Gr
Does your organisation manage and control the use of, and access to, any cryptographic keys? Yes, our Cryptographic Controls Policy is available on request from email@example.com
Cyber Essentials Certificate
Cyber Essentials Certified
Is your organisation Cyber Essentials certified? Yes, with the certificate https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1992228865 expiring on 9 Nov 2024; we have been continuously certified since 2020.
Cyber Incident Response and Forensic
Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)? Yes, a copy of our cyber and data insurance certificate is available on request from email@example.com
Does your organisation have cyber insurance? Yes, a copy of the insurance certificate is available on request from firstname.lastname@example.org. The policy limit is £1m.
Data Collected via Commonplace
Who owns the data collected via Commonplace? The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers. Further det
Data Inputs and Outputs
Does your organisation validate all data inputs and outputs to and from its applications? Yes, in majority of cases. We have some free text inputs which do not require validation. There is a profanity / abuse / personal information checker on free text in
Data Protection Impact Assessment (DPIA)
Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals? As part of ISO27001 certified ISMS we have a documented Change Management Policy and procedure that incorp
Data Protection Officer (DPO)
Does your organisation have a nominated Data Protection Officer (DPO)? We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.
Do all systems (such as network devices) have their default credentials changed on installation or provision? Yes. This is managed by external third parties who take care of our office network and cloud hosting.
Designed to Work on Mobile Devices
Has your service been designed to work on mobile devices? Yes. The respondent parts of our platform are designed and built for mobile first. The editor provides a mobile preview to help our customers optimise their content for mobile users, which make up
Digital Media Disposed
Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained? Media storage devices used to store customer data are classified by AWS as critical and treated acc
Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems? We do not use Windows devices, we only use Apple Macs / iPads.
Diversity and Inclusion Policy
Does your organisation have a documented diversity and inclusion policy? Yes, a copy of our Diversity & Inclusion Policy is available on request from firstname.lastname@example.org
Do you have a formally documented information security management system (ISMS)? Yes, we operate a ISO 27001 certified information security management system.
Dummy Test Data
Does your organisation use dummy test data when undergoing testing of systems (and not live production data)? Dummy data is used in development and staging. Redacted data is used in pre-production.
Editing or Removing Employee Access
Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation? Yes. We have an offboarding process for all leavers which inclu
Employer's Liability Insurance
Does your organisation have employer's liability insurance? Yes, a copy of the insurance certificate is available on request from firstname.lastname@example.org. The policy limit is £5m.
Encrypt Customer Data
Does your organisation encrypt customer data on its IT systems? Yes. The Commonplace platform is hosted in AWS. The database is MongoDB Atlas, also hosted in AWS. In both cases, this is within the AWS London, UK region. AWS facilities comply with ISO 9001
End Of Consultation
At the end of your consultation, you may choose to set your Commonplace as either 'completed' or 'closed'. Two years after any expiration of your licence, your Commonplaces will be set to 'archived'. More information on each status is detailed below
Enforceable Password Policy
Does your organisation have an enforceable password policy? Yes. In accordance with Cyber Essentials we have a password policy for our internal team users when using our various cloud services. This includes definitions around the generation and storing o
Has your organisation configured its email services to use enforced TLS? We utilise Google Workspace for email which will always attempt to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and
Environmental Management Policy
Does your organisation have a documented environmental management policy? Yes, a copy of our Environment Policy is available on request from firstname.lastname@example.org
Environmental, Social & Corporate Governance (ESG)
Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance? Yes, we are in the process of publishing our first Annual Impact Report.
External Automated Vulnerability Scans
Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings? Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. Th
Formal Change Management Process
Does your organisation have a formal change management process that gives consideration to information security? As part of ISO 27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection e
Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties? Yes.
Formal Disciplinary Process for Employees
Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)? Yes, this is covered by our Disciplinary Policy.
Formal Policy for Remote Working
Does your organisation have a formal policy for remote working that includes security? Yes, you may request a copy of our Mobile & Teleworking Policy from firstname.lastname@example.org
Formal Policy of Mobile
Does your organisation have a formal policy on the use of mobile devices? Yes, you may request a copy of our Mobile & Teleworking Policy from firstname.lastname@example.org
Formal Process to Return all IT Assets
Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation? Yes. We have an offboarding process for all leavers which includes the return of all IT assets.
GDPR Compliance Statement
Does your organisation provide a grievance mechanism for workers to raise workplace concerns? Yes, this is documented in our Company Handbook.
Health & Safety Policy
Does your organisation have a documented Health & Safety Policy? Yes, a copy of our Health & Safety Responsibilities document is available on request from firstname.lastname@example.org
Health & Safety Programme
Does your organisation have a senior manager or board member who is responsible for your Health & Safety Programme? Yes, this is managed by our People Lead.
I can't find the answer to my question
Please complete this quick form. We expect to get back to you within 2 working days. https://forms.gle/WShCBo83kUfoEniX9
Incidences of Modern Slavery
Have any incidences of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months? No.
Incident Response Plan
Does your organisation have a documented Incident Response Plan? We adopt a 5-stage approach to handling any incidents: Preparation Detection Triage and analysis Containment and neutralisation Post-incident learning This includes recording of incidents in
Individual's Data Privacy Rights
Can your organisation facilitate an individual's data privacy rights? Yes, please see details in our privacy policy https://www.commonplace.is/privacy-policy and our GDPR compliance statement https://commonplace.atlassian.net/wi
Information Classification Policy
Does your organisation have a documented Information Classification Policy? Yes, as part of our ISMS we have a fully documented information classification policy. This consists of 4 categories: Public, Internal, Confidential and Personally Identifiable In
Information Commissioner's Office Registration
Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes? Yes. Further information is available in our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999549/Data+Protect
Does your organisation have an appointed person responsible for information security, such as a CISO? An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Leigh Gordine (Informat
Information Security Policy
Information Security Requirements
Does your organisation have an internal audit function that ensures information security requirements are being met by the business? Yes. Our ISMS is audited annually both internally and externally, along with other review mechanisms as part of our ISO270
Information Security Responsibilities
Do employment contracts include consenting to all information security responsibilities in line with organisational policies and procedures? Yes. An example employment contract is available on request from firstname.lastname@example.org
Infosec & Data Protection
Welcome to the Commonplace Infosec & Data Protection Knowledge Base We have added an abundance of information here about our policies, processes and technology, which will help you to audit Commonplace as a potential partner. You can either browse the art
Inventory of all Data Repositories
Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners? Yes.
Inventory of all IT Assets
Does your organisation keep an up-to-date inventory of all IT assets with assigned owners? Yes, we hold a device register for all assets.
Is your organisation ISO27001:2013 certified? Yes, with the certificate expiring on 21 Jun 2024.
Do you use appropriate legal mechanisms for all international transfers of personal data? We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which in
Legally Registered Entity
Is your organisation a legally registered entity? Yes, we are registered as a United Kingdom limited company. Company number: 08575062 Incorporation certificate attached
Local Administrator Rights
Has your organisation removed local administrator rights on all end point devices for all employees that do not require it? Yes. This is managed and enforced via Mobile Device Management, JamfPro.
Local Health & Safety Laws & Industry
Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry b
Logs Stored on a Secure/Hardened Server
Are all logs stored on a secure/hardened server that is logically separate from the systems being logged? Not necessarily "servers" but for example, AWS holds logs on activities separate to the actual platform, GitHub also retains logs. We also port log i
Media Coverage, Legal Action, Penalties or Sanctions
Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons? No.
Monitor Entry & Exit Points
Does your organisation use CCTV to monitor entry and exit points of all premises? Yes. Data centres have CCTV: https://aws.amazon.com/compliance/data-center/controls/. We do not control or have acces
Multi-Factor Authentication (MFA)
Does your organisation enforce multi-factor authentication (aka MFA and sometimes referred to two factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)? Where available, MFA is i
Net Zero Carbon Emissions
Is your organisation working towards a net zero carbon emissions target? Yes, we are aiming to minimise our environmental impact and achieve net zero by 2028.
Network or Cloud Monitoring Controls
Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems? AWS hosting comes with built in IPS and
Notifying Relevant Authority & Parties
Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs? Yes. As part of our ISO 27001 certified ISMS, we have documented Incident Management Procedures that include
Operating System Use
Which operating systems (OS) does your service work with? Windows, MacOS, Windows Phone, Android, iOS, Linux / Unix
Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once? 1Password is used by all employees and contractors. It provides a place for users to store various passwords, software licenses,
Does your organisation have a Password Policy that is technically enforced throughout its IT estate? Yes, for both employees and users, in accordance with Cyber Essentials
Patch Deployment Cycles & Maintenance Windows
What are your ‘patch deployment cycles’ and maintenance windows? We deploy code multiple times per day using Continuous Integration and Continuous Deployment. We have never required any planned downtime and do not expect to do so. Should this change, we w
Is your organisation PCI DSS compliant? No, we do not process card payments.
Does your organisation conduct regular penetration tests of its public facing IT infrastructure? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Common
Penetration Tests Internal Systems
Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)? We run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or
Personal Data Access Requests
Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months? No. Our local government customers are data controllers and so have access to their own data. We have not had personal dat
Personal Data Collection & Processing Activities Record
Does your organisation maintain a record of all personal data collection & processing activities? Yes, we maintain an audit of key events around personal data collection and processing.
Physical Premises Secured
Are all of your organisation's physical premises secured with an alarm? Data centres have alarm systems: https://aws.amazon.com/compliance/data-center/controls/. We do not control or have access to t
Planning & Delivery of Projects
Does your organisation include information security during the planning and delivery of projects? Yes, Jira tickets require a security risk level
Prevention of Modern Slavery
Does your organisation have policies and procedures in place that ensure the prevention of modern slavery? Yes, this is documented in our Company Handbook.
Principle of Least Privilege
Does your organisation restrict employee access to business information based upon the principle of least privilege? Yes. Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated
Privileged Access Management Controls
Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration? Only IT admins have administrative access on employee machines. Employees may sometimes be granted permission to
Privileged And Sensitive Accounts
Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned? For employees, all access requests require approval before account creation, which also applies to
Procedures to Control Installation of Software
Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)? Due to the nature of the service architecture (use of AWS, etc), parts of this are managed by third parties: Hosting of Com
Process for Provisioning User Accounts
Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs? We have an access control procedure that requires all req
Process Personal Data on Behalf
Does your organisation process personal data on behalf of another organisation? Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commo
Professional Indemnity Insurance
Does your organisation have professional indemnity insurance? Yes, a copy of the insurance certificate is available on request from email@example.com. The policy limit is £10m.
Program Source Code
Does your organisation control access to program source code in a secure manner? Yes, we use GitHub.
Protect Against Denial of Service
Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Protect Sensitive Equipment
Does your organisation protect sensitive equipment from power failures? Data centres have uninterruptible power supplies and redundant power systems: https://aws.amazon.com/compliance/data-center/controls/.
Protected by Firewalls
Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls? Yes. The Commonplace platform is accessible via the internet for customer and respondent users over https connections. We utilise a range of AW
Provide External Services
What integrations to external services do you provide? Salesforce CRM Hubspot CRM ESRI mapping Zoom webinars
Public Liability Insurance
Does your organisation have public liability insurance? Yes, a copy of the insurance certificate is available on request from email@example.com. The policy limit is £10m.
Published Annual Accounts
Does your organisation have 3 years (or more) of published annual accounts? Yes. Published accounts can be requested from email@example.com upon provision of appropriate justification for this request.
Record & Store Logs
Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service pr
Record & Store User Activity Logs
Does your organisation record and store user activity logs for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinit
Records Retention Policy
Does your organisation have a Records Retention Policy? Yes, please see details in our privacy policy https://www.commonplace.is/privacy-policy and our GDPR compliance statement https://commonplace.atlassian.net/wiki/spaces/IDP/
Regular Penetration Tests
Does your organisation conduct regular penetration tests of any applications or systems that it develops? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of t
Regular Security Patches
Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches? Yes, this is automated, wherever possible.
Remotely Wipe Company Data
Can your organisation remotely wipe company data on laptop devices? Yes.
Remotely Wipe Company Data Employee/Contractor
Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets? Yes. We are able to delete all connectivity to our company Google Workspace. Our mobile & teleworking policy prohibits employees from storing dat
Reported Information of Security Incidents
Does your organisation conduct a root cause analysis for all information security incidents that are reported? Yes. We adopt a 5-stage approach to handling any incidents: Preparation; Detection; Triage and analysis; Containment and neutralisation; Post-incide
Reporting Information Security Breaches
Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner? Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and i
Reviewed & Actioned Security Alerts
Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary? Yes. Alerting is routed to relevant Slack channels. History of all alerts is maintained
Robust Detection, Investigation & Reporting Procedures
Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches? We log every data breach or suspected data breach. We track the date, s
Secure & Encrypt Remote Connections
Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)? Yes. Connecting to the Commonplace application, all connections use HTTPS at a minimum o
Secure Configuration Process
Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment? Yes, we use Infrastructure-as-Code to minim
Secure Physical Perimeter
Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)? Yes. Our data centres are managed by AWS, who were selected for their data centre security and accreditations. Please see this
Secure Remote Access to Network or Cloud
Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)? Yes, via multi-factor authentication or SSH key pairing via VPN.
Security and Data Protection Training Programme
Do employees receive an information security and data protection training programme? All employees receive information security and data protection training on an ongoing basis. This starts as part of their induction process with further training delivere
Security Best Practice
Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)? There are a number of strands to the Secure Development Methodology within Commonplace: Secure Development
Security Breaches and Weaknesses
Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses? We log every data breach or suspected data breach. We track the date, severity and resolution. Upon
Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months? No.
Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications? Yes. We use a number of automated security testing
Security Policies Accessible
Are your organisation's information security policies accessible to all employees? Yes, available via our intranet.
Security Policies Reviewed & Approved
Are your organisation's information security policies reviewed and approved by senior management at least annually? Yes.
Security Risk Assessments
Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into accou
Does your organisation run any applications or systems that are no longer supported and no longer receive security updates? No.
Segmentation or Segregation
Has your organisation implemented segmentation or segregation in your networks and/or cloud environments? Yes. We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access. We
Senior Management Roles & Responsibilities
Has your organisation documented senior management roles and responsibilities for security within your organisation? Yes. An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Lei
Service Report Any Outages
How does your service report any outages? Via email and where possible / relevant via a banner on the platform.
Software Development Life-Cycle (SDLC)
Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input? Yes, in summary the stages are: Planning -> Defining -> Designing -> Building -> Testing -> Deployment. Security input exist
SPF, DMARC and DKIM
Has your organisation implemented SPF, DMARC, and DKIM for all of its email services? Yes, this is implemented with SendGrid and AWS Route 53.
Supplier Assurance Activities
Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements? Yes, all suppliers are reviewed annually and on demand if there is a breach or other significant disruption.
Supplier Security Clauses
Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies? Yes.
Supplier Security Due Diligence
Does your organisation conduct security due diligence against suppliers before entering into a contract? Yes.
Supplier Security Policy
Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet? Yes. We have a documented Supplier Security Policy that details the requirements that must be in place when selecting
Supply Chain Management
Are any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party? Yes, we use a suite of SaaS solutions, which all must comply with our supplier security policy. Our list of sub-p
Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)? Not all systems do this. However, critical systems such as AWS and Google Workspace do. The Commonplace platform does not currently do
Systems Processing Client Information
Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load? Yes, we utilise a range of tools to assist here including AWS controls and Kubernetes for auto scaling, plus auto-scalin
Technical Support and Incident Response
Does your organisation offer technical support and incident response for its customers? Customers can get in touch with Commonplace Support via email or phone between the hours of 8.00am and 6.00pm Monday to Friday (excl. UK public holidays) by emailing cu
Testing or Development Environments
Does your organisation segregate its production environment from any testing or development environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perfo
Testing or Production Environments
Does your organisation segregate development environments from any testing or production environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform
Testing Process to Test Business Critical Applications
Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security? Snyk is run with each deployment, automated end-to-end, integration and unit tes
Third Party Use Of Data
Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation? Yes. Commonplace operates a documented Supplier Security Policy that ensures
Does your organisation use threat intelligence to inform decisions about information security? Yes. We are subscribed to a number of newsletters from our vendors and other sources (inc UK NCSC) to maintain an overview of the security landscape across our
Does your organisation conduct threat modelling during the design phase of an application or system build? We maintain a security risk level indicator in all Jira tickets around data protection and info security from the point the Jira ticket is created.
Triage and Remediate Identified Vulnerabilities
Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows? Yes. We have procedures in place to manage vulnerabilities for different areas of the company. For Product and
Does your organisation segregate duties to prevent unauthorised disclosure or access to information? Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are stri
Unauthorised Transfer of Data
Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms? We have rules internally about how information should be transferred. As a small team, we have not implemented technical controls
Up-To-Date Data Protection Policy
Does your organisation have an up-to-date Data Protection Policy? Yes. Our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999564 details how we comply with GDPR and is available on request from customers@commonplace.
Use Laptop Devices
Does your organisation use laptop devices? Yes, each employee is given a company-owned MacBook, provisioned via Apple Business Manager and monitored via Jamf Pro.
Use of Removable Media
Does your organisation prevent the use of removable media, and is this enforced technically? Yes, enforced via mobile device management software.
User Roles Available
What are the user roles available? The following roles are available for customer users, who access the platform with a username and password: Admin: can add, edit and revoke user accesses; has access to all communications and all data; can edit the projec