Infosec & Data Protection

Welcome to the Commonplace Infosec & Data Protection Knowledge Base

We have added an abundance of information here about our policies, processes and technology, which will help you to audit Commonplace as a potential partner. You can either browse the articles or use the search below to find answers to your questions.

For a technical overview of Commonplace features: commonplace.is/technical-overview

Search this space

Can’t find what you’re looking for? Let us know here.

Overview

Commonplace is a digital engagement tool, online consultation platform and data driven insight solution designed for cities and places.

It is a SaaS platform for gathering feedback from the general public.
Residents and others are made aware of the Commonplace website and invited to view it and respond to questions.
Data may also be inputted through face-to-face interviews and workshops using a built-in Survey Mode, and via paper forms, which use identical data formats to the online survey.
Respondent comments are visible on the open website, but are anonymous and subject to Commonplace's Terms and Conditions, which include removal of threatening or offensive comments (this is extremely rare).
Assigned administrators have access to a data dashboard where they can see data on engagement and an aggregated demographic profile of participants. Raw data can be downloaded in CSV format but is redacted to ensure GDPR compliance.

Information pages

Explore more information by browsing these pages, but we recommend using the search bar above. Scroll up ⬆️

Space Index

0-9 ... 1	A ... 18	B ... 7	C ... 17	D ... 12	E ... 10
F ... 7	G ... 2	H ... 3	I ... 16	J ... 0	K ... 0
L ... 5	M ... 3	N ... 4	O ... 2	P ... 26	Q ... 0
R ... 11	S ... 29	T ... 8	U ... 6	V ... 2	W ... 2
X ... 0	Y ... 0	Z ... 0	!@#$ ... 0

0-9

Page: 24/7 Security

Are all of your organisation's physical premises manned 24/7 by a security team or reception team? Data centres have security teams: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/controls/ We do not

A

Page: Acceptable Use Policy

Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information? Yes, our Asset Management Policy contains this information and is available on request from customers@commo

Page: Access Company Data or Services

Does your organisation allow employees to access company data or services through mobile phones or tablets? Our Mobile & Teleworking Policy provides base level requirements for devices to access our systems. Company owned iPads are used to access our syst

Page: Access Control Policy

Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed? Yes, you may request a copy of our Access Control Policy from customers@commonplace.is mailto:customers@commonplace.is We conduct access

Page: Access Control System

Does your organisation use an access control system on its premises entry and exit points that includes logging of access? Data centres have access control systems: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance

Page: Account Recovery and Lock Out

How is account recovery and lock out managed for Commonplace users? Passwords can be reset via email. Users who have made attempts to login with the wrong password multiple times within a given time period, will be blocked from retrying for a given time.

Page: Activities Might Be Hazardous to Environment

Does your organisation conduct any activities that might be deemed as hazardous to the environment? No, we are an entirely desk-based organisation offering a digital service.

Page: Annual Independent Information Security

Does your organisation conduct an annual independent information security review and act upon the findings? Yes, our ISMS is audited annually both internally and externally. Along with other review mechanisms as part of our ISO 27001 requirements.

Page: Anti-Bribery Policy and Corruption (AB&C)

Does your organisation have a documented set of policies and procedures for managing compliance with all applicable anti-bribery and corruption (AB&C) legislation or regulations in the jurisdictions in which you operate? Yes, a copy of our anti-bribery po

Page: Anti-Malware Controls

Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure? Due to the nature of the service architecture (use of AWS, etc) we operate a hybri

Page: Application Accessibility

Is the application fully accessible? Further detail on how we comply with WCAG 2.1 AA and UK Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 can be found in the Accessibility Policy on the footer of any active Common

Page: Application Support Browsers

Which browsers does your application support? Edge, Firefox, Chrome, Safari or Opera.

Page: Application Users Install

Is there an application that users install to use your service? No.

Page: Appropriate Control/Protocol

Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation? Yes. Within Commonplace: Data in transit within the Commonplace

Page: Appropriate Logging & Monitoring

Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops? Yes, logging, monitoring and alerting is in place across the database, application and infrastructure.

Page: Appropriate Security Testing

Does your organisation conduct appropriate security testing as part of your development lifecycle? We use a range of monitoring tools to ensure that the Commonplace platform remains secure during the development lifecycle. These include: AWS CloudWatch fo

Page: Arrangements for Alternate Resource

Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time? We've doubled the size of our workforce in the last few years and we have robust recruitment and onb

Page: Audit Employee Access Rights

Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)? Yes. Each service is on an automated schedule for access rights reviews. Depending on the level of risk associated with each service

Page: Audit Trail of User Activity

Does the system keep an audit trail of user activity? Yes. We keep an audit trail of all key activities, as follows: Admin or comms manager user added / removed Survey user added / removed User log in / log out Create project - retains a record of when a

B

Page: Back up of Digital Production Data

Does your organisation take regular backups of its digital production data in line with current best practise guidelines? Commonplace performs regular backups of all our data, and therefore if the worst happened and all of our data were lost, the worst ca

Page: Background Checks on Staff & Contractors

Does your organisation perform background checks on staff and contractors? Yes. All Commonplace employees are screened to ensure entitlement to work in the UK, with proof of ID required. References are checked. Privileged access is reviewed as part of our

Page: Backup Policy

Does your organisation have a documented Backup Policy? Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from customers@commonplace.is mailto:customers@commonplace.is

Page: Browsers That Can Be Accessed

Is your service accessed through a browser? Yes. With any of Edge, Firefox, Chrome, Safari or Opera.

Page: Business Continuity Plan

Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster? Yes, a copy of the Business Continuity Plan is available upon request from customers@commonplace.is mailto:customers@commonplace.is

Page: Business Impact Assessment

Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating? Yes.

Page: Business Resilience

https://commonplace.atlassian.net/l/cp/BpNQjYy1 https://commonplace.atlassian.net/l/cp/BpNQjYy1 https://commonplace.atlassian.net/l/cp/DPDdno0n https://commonplace.atlassian.net/l/cp/DPDdno0n https://commonplace.atlassian.net/l/cp/3VDbCHtp https://commonp

C

Page: Certifications or Audit Reports

Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)? Yes, we are half way through applying to be a B Corporation.

Page: Clear Desk & Screen Policy

Does your organisation enforce a Clear Desk and Screen Policy? Yes, you may request a copy of our Clear Screen & Desk Policy from customers@commonplace.is mailto:customers@commonplace.is

Page: Client Contract Terminated

Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data? Yes. Two years after the license ends at the latest, each project is archived and the responses are ps

Page: Code of Business Ethics

Does your organisation work to a committed code of business ethics which includes ethical labour practices? Yes, we do not use zero hours contract, and we pay minimum London Living Wage.

Page: Commonplace application

https://commonplace.atlassian.net/l/cp/4fQTBENt https://commonplace.atlassian.net/l/cp/4fQTBENt https://commonplace.atlassian.net/l/cp/y8X2D4Xp https://commonplace.atlassian.net/l/cp/y8X2D4Xp https://commonplace.atlassian.net/l/cp/mfX1xgxH https://commonp

Page: Company Owned Laptop

Are all company owned laptop hard drives encrypted? Yes.

Page: Components of the System

Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party? Yes. Sites are cloud hosted by Commonplace. Our service is hosted with Amazon Web Services (AWS) located in London, UK. Cloudinary for i

Page: Confidential Method for Employees

Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers? Yes, this is documented in our Compan

Page: Confidential Paper Waste

Does your organisation ensure confidential paper waste is disposed of securely? We are a paperless business.

Page: Control Installation on User Endpoint System

Does your organisation have procedures in place to control the installation of software on user endpoint systems? Yes, via our Mobile Device Management solution JamfPro.

Page: Cookie Policy

Does your organisation have a published cookie policy? Yes, our cookie policy is available on all Commonplaces, via a link in the footer (example: https://haringeywalkingcycling.commonplace.is/cookies https://haringeywalkingcycling.commonplace.is/cookies)

Page: Countries to Store or Transfer Personal Data

Where / which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI outside of the UK? Our application and data is hosted in AWS in London, UK. Sub-processors operate data in the following: United Kingdom of Gr

Page: Cryptographic Keys

Does your organisation manage and control the use of, and access to, any cryptographic keys? Yes, our Cryptographic Controls Policy is available on request from customers@commonplace.is mailto:customers@commonplace.is

Page: Cyber Essentials Certificate

Page: Cyber Essentials Certified

Is your organisation Cyber Essentials (Cyberessentials) certified? Yes, with the certificate https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1992228865 expiring on 9 Nov 2024, we have been continuously certified since 2020.

Page: Cyber Incident Response and Forensic

Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)? Yes, a copy of our cyber and data insurance certificate is available on request from customers@commonplace.is

Page: Cyber Insurance

Does your organisation have cyber insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is mailto:customers@commonplace.is The policy limit is £1m.

D

Page: Data Collected via Commonplace

Who owns the data collected via Commonplace? The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers. Further det

Page: Data Inputs and Outputs

Does your organisation validate all data inputs and outputs to and from its applications? Yes, in majority of cases. We have some free text inputs which do not require validation. There is a profanity / abuse / personal information checker on free text in

Page: Data Protection

https://commonplace.atlassian.net/l/cp/11d1YW76 https://commonplace.atlassian.net/l/cp/11d1YW76 https://commonplace.atlassian.net/l/cp/hTQ1VG7K https://commonplace.atlassian.net/l/cp/hTQ1VG7K https://commonplace.atlassian.net/l/cp/cWvQfw1h https://commonp

Page: Data Protection Impact Assessment (DPIA)

Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals? As part of ISO27001 certified ISMS we have a documented Change Management Policy and procedure that incorp

Page: Data Protection Officer (DPO)

Does your organisation have a nominated Data Protection Officer (DPO)? We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.

Page: Default Credentials

Do all systems (such as network devices) have their default credentials changed on installation or provision? Yes. This is managed by external third parties who take care of our office network and cloud hosting.

Page: Designed to Work on Mobile Devices

Has your service been designed to work on mobile devices? Yes. The respondent parts of our platform are designed and built for mobile first. The editor provides a mobile preview to help our customers optimise their content for mobile users, which make up

Page: Digital Media Disposed

Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained? Media storage devices used to store customer data are classified by AWS as critical and treated acc

Page: Disabled Auto-Run

Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems? We do not use Windows devices, we only use Apple Macs / iPads.

Page: Diversity and Inclusion Policy

Does your organisation have a documented diversity and inclusion policy? Yes, a copy of our Diversity & Inclusion Policy is available on request from customers@commonplace.is mailto:customers@commonplace.is

Page: Documented ISMS

Do you have a formally documented information security management system (ISMS)? Yes, we operate a ISO 27001 certified information security management system.

Page: Dummy Test Data

Does your organisation use dummy test data when undergoing testing of systems (and not live production data)? Dummy data is used in develop and staging. Redacted data is used in pre-production.

E

Page: Editing or Removing Employee Access

Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation? Yes. We have an offboarding process for all leavers which inclu

Page: Employer's Liability Insurance

Does your organisation have employer’s liability insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is mailto:customers@commonplace.is The policy limit is £5m.

Page: Encrypt Customer Data

Does your organisation encrypt customer data on its IT systems? Yes. The Commonplace platform is hosted in AWS. The database is MongoDB Atlas, also hosted in AWS. In both cases, this is within the AWS London, UK region. AWS facilities comply with ISO 9001

Page: End Of Consultation

At the end of your consultation, you may choose to set your Commonplace as either ‘completed’ or ‘closed’. Two years after after any expiration of your licence, your Commonplaces will be set to ‘archived’. More information on each status is detailed below

Page: Enforceable Password Policy

Does your organisation have an enforceable password policy? Yes. In accordance with Cyber Essentials we have a password policy for our internal team users when using our various cloud services. This includes definitions around the generation and storing o

Page: Enforced TLS

Has your organisation configured its email services to use enforced TLS? We utilise Google Workspace for email which will always attempt to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and

Page: Environmental Management Policy

Does your organisation have a documented environmental management policy? Yes, a copy of our Environment Policy is available on request from customers@commonplace.is mailto:customers@commonplace.is

Page: Environmental, Social & Corporate Governance (ESG)

Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance? Yes, we are in the process of publishing our first Annual Impact Report.

Page: Environmental, Social & Governance

https://commonplace.atlassian.net/l/cp/waJLE3Sb https://commonplace.atlassian.net/l/cp/waJLE3Sb https://commonplace.atlassian.net/l/cp/R42T62LT https://commonplace.atlassian.net/l/cp/R42T62LT https://commonplace.atlassian.net/l/cp/G2NxspNU https://commonp

Page: External Automated Vulnerability Scans

Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings? Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. Th

F

Page: Financial risk

https://commonplace.atlassian.net/l/cp/nM0Hbzfa https://commonplace.atlassian.net/l/cp/nM0Hbzfa https://commonplace.atlassian.net/l/cp/PzkDnjoy https://commonplace.atlassian.net/l/cp/PzkDnjoy https://commonplace.atlassian.net/l/cp/qnTnckCT https://commonp

Page: Formal Change Management Process

Does your organisation have a formal change management process that gives consideration to information security? As part of ISO 27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection e

Page: Formal Confidentiality

Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties? Yes.

Page: Formal Disciplinary Process for Employees

Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)? Yes, this is covered by our Disciplinary Policy.

Page: Formal Policy for Remote Working

Does your organisation have a formal policy for remote working that includes security? Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is mailto:customers@commonplace.is

Page: Formal Policy of Mobile

Does your organisation have a formal policy on the use of mobile devices? Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is mailto:customers@commonplace.is

Page: Formal Process to Return all IT Assets

Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation? Yes. We have an offboarding process for all leavers which includes the return of all IT assets.

G

Page: GDPR Compliance Statement

Page: Grievance Mechanism

Does your organisation provide a grievance mechanism for workers to raise workplace concerns? Yes, this is documented in our Company Handbook.

H

Page: Health & Safety Policy

Does your organisation have a documented Health & Safety Policy? Yes, a copy of our Health & Safety Responsibilities document is available on request from customers@commonplace.is mailto:customers@commonplace.is

Page: Health & Safety Programme

Does your organisation you have a senior manager or board member who is responsible for your Health & Safety Programme? Yes, this is managed by our People Lead.

Page: Human Resources Security

https://commonplace.atlassian.net/l/cp/GZuEtouT https://commonplace.atlassian.net/l/cp/GZuEtouT https://commonplace.atlassian.net/l/cp/fAnKR788 https://commonplace.atlassian.net/l/cp/fAnKR788 https://commonplace.atlassian.net/l/cp/K1td2jW3 https://commonp

I

Page: I can't find the answer to my question

Please complete this quick form. We expect to get back to you within 2 working days. https://forms.gle/WShCBo83kUfoEniX9 https://forms.gle/WShCBo83kUfoEniX9

Page: Incidences of Modern Slavery

Have any incidences of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months? No.

Page: Incident Response Plan

Does your organisation have a documented Incident Response Plan? We adopt a 5-stage approach to handling any incidents: Preparation Detection Triage and analysis Containment and neutralisation Post-incident learning This includes recording of incidents in

Page: Individual's Data Privacy Rights

Can your organisation facilitate an individual's data privacy rights? Yes, please see details in our https://www.commonplace.is/privacy-policy https://www.commonplace.is/privacy-policy and our GDPR compliance statement https://commonplace.atlassian.net/wi

Page: Information Classification Policy

Does your organisation have a documented Information Classification Policy? Yes, as part of our ISMS we have a fully documented information classification policy. This consists of 4 categories: Public, Internal, Confidential and Personally Identifiable In

Page: Information Commissioner's Office Registration

Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes? Yes. Further information is available in our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999549/Data+Protect

Page: Information Security

Does your organisation have an appointed person responsible for information security, such as a CISO? An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Leigh Gordine (Informat

Page: Information Security Policy

Page: Information Security Requirements

Does your organisation have an internal audit function that ensures information security requirements are being met by the business? Yes. Our ISMS is audited annually both internally and externally. along with other review mechanisms as part of our ISO270

Page: Information Security Responsibilities

Do employment contracts include consenting to all information security responsibilities inline with organisational policies and procedures? Yes. An example employment contract is available on request from customers@commonplace.is mailto:customers@commonpl

Home page: Infosec & Data Protection

Welcome to the Commonplace Infosec & Data Protection Knowledge Base We have added an abundance of information here about our policies, processes and technology, which will help you to audit Commonplace as a potential partner. You can either browse the art

Page: Inventory of all Data Repositories

Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners? Yes.

Page: Inventory of all IT Assets

Does your organisation keep an up-to-date inventory of all IT assets with assigned owners? Yes, we hold a device register for all assets.

Page: ISO27001 Certificate

Page: ISO27001:2013 Certified

Is your organisation ISO27001:2013 certified? Yes, with the certificate expiring on 21 Jun 2024.

Page: IT Operations

https://commonplace.atlassian.net/l/cp/T932Q17u https://commonplace.atlassian.net/l/cp/T932Q17u https://commonplace.atlassian.net/l/cp/mREyzmQk https://commonplace.atlassian.net/l/cp/mREyzmQk https://commonplace.atlassian.net/l/cp/TkH6cH18 https://commonp

J

K

L

Page: Legal Mechanisms

Do you use appropriate legal mechanisms for all international transfers of personal data? We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which in

Page: Legally Registered Entity

Is your organisation a legally registered entity? Yes, we are registered as a United Kingdom limited company. Company number: 08575062 Incorporation certificate attached

Page: Local Administrator Rights

Has your organisation removed local administrator rights on all end point devices for all employees that do not require it? Yes. This is managed and enforced via Mobile Device Management, JamfPro.

Page: Local Health & Safety Laws & Industry

Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry b

Page: Logs Stored on a Secure/Hardened Server

Are all logs stored on a secure/hardened server that is logically separate from the systems being logged? Not necessarily "servers" but for example, AWS holds logs on activities separate to the actual platform, GitHub also retains logs. We also port log i

M

Page: Media Coverage, Legal Action, Penalties or Sanctions

Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons? No.

Page: Monitor Entry & Exit Points

Does your organisation use CCTV to monitor entry and exit points of all premises? Yes. Data centres have CCTV: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/controls/ We do not control or have acces

Page: Multi-Factor Authentication (MFA)

Does your organisation enforce multi-factor authentication (aka MFA and sometimes referred to two factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)? Where available, MFA is i

N

Page: Net Zero Carbon Emissions

Is your organisation working towards a net zero carbon emissions target? Yes, we are aiming to minimise our environmental impact and achieve net zero by 2028.

Page: Network & Cloud Security

https://commonplace.atlassian.net/l/cp/4ARsdztu https://commonplace.atlassian.net/l/cp/4ARsdztu https://commonplace.atlassian.net/l/cp/16HZsusv https://commonplace.atlassian.net/l/cp/16HZsusv https://commonplace.atlassian.net/l/cp/VurA6Lg2 https://commonp

Page: Network or Cloud Monitoring Controls

Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems? AWS hosting comes with built in IPS and

Page: Notifying Relevant Authority & Parties

Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs? Yes. As part of our ISO 27001 certified ISMS, we have documented Incident Management Procedures that include

O

Page: Operating System Use

Which operating systems (OS) does your service work with? Windows, MacOS, Windows Phone, Android, iOS, Linux / Unix

Page: Our Privacy Policy

Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing? Yes, see our privacy policy: https://www.commonplace.is/privacy-policy https://www.commonplace.is/privacy-policy

P

Page: Password Manager

Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once? 1password is used by all employees and contractors. It provides a place for users to store various passwords, software licenses,

Page: Password Policy

Does your organisation have a Password Policy that is technically enforced throughout its IT estate? Yes, for both employees and users, in accordance with Cyber Essentials

Page: Patch Deployment Cycles & Maintenance Windows

What are your ‘patch deployment cycles’ and maintenance windows? We deploy code multiple times per day using Continuous Integration and Continuous Deployment. We have never required any planned downtime and do not expect to do so. Should this change, we w

Page: PCI DSS

Is your organisation PCI DSS compliant? No, we do not process card payments.

Page: Penetration Tests

Does your organisation conduct regular penetration tests of its public facing IT infrastructure? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Common

Page: Penetration Tests Internal Systems

Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)? We run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or

Page: Personal Data Access Requests

Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months? No. Our local government customers are data controllers and so have access to their own data. We have not had personal dat

Page: Personal Data Collection & Processing Activities Record

Does your organisation maintain a record of all personal data collection & processing activities? Yes, we maintain an audit of key events around personal data collection and processing.

Page: Physical Premises Secured

Are all of your organisation's physical premises secured with an alarm? Data centres have alarm systems: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/controls/ We do not control or have access to t

Page: Physical Security

https://commonplace.atlassian.net/l/cp/v04fxZUE https://commonplace.atlassian.net/l/cp/v04fxZUE https://commonplace.atlassian.net/l/cp/tqK9wFXr https://commonplace.atlassian.net/l/cp/tqK9wFXr https://commonplace.atlassian.net/l/cp/18H6ntV4 https://commonp

Page: Planning & Delivery of Projects

Does your organisation include information security during the planning and delivery of projects? Yes, Jira tickets require a security risk level

Page: Prevention of Modern Slavery

Does your organisation have policies and procedures in place that ensure the prevention of modern slavery? Yes, this is documented in our Company Handbook.

Page: Principle of Least Privilege

Does your organisation restrict employee access to business information based upon the principle of least privilege? Yes. Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated

Page: Privileged Access Management Controls

Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration? Only IT admins have administrative access on employee machines. Employees may sometimes be granted permission to

Page: Privileged And Sensitive Accounts

Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned? For employees, all access requests require approval before account creation, which also applies to

Page: Procedures to Control Installation of Software

Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)? Due to the nature of the service architecture (use of AWS, etc), parts of this are managed by third parties: Hosting of Com

Page: Process for Provisioning User Accounts

Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs? We have an access control procedure that requires all req

Page: Process Personal Data on Behalf

Does your organisation process personal data on behalf of another organisation? Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commo

Page: Professional Indemnity Insurance

Does your organisation have professional indemnity insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is mailto:customers@commonplace.is The policy limit is £10m.

Page: Program Source Code

Does your organisation control access to program source code in a secure manner? Yes, we use GitHub.

Page: Protect Against Denial of Service

Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial o

Page: Protect Sensitive Equipment

Does your organisation protect sensitive equipment from power failures? Data centres have uninterruptible power supplies and redundant power systems: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/co

Page: Protected by Firewalls

Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls? Yes. The Commonplace platform is accessible via the internet for customer and respondent users over https connections. We utilise a range of AW

Page: Provide External Services

What integrations to external services do you provide? Salesforce CRM Hubspot CRM ESRI mapping Zoom webinars

Page: Publicly Liability Insurance

Does your organisation have public liability insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is mailto:customers@commonplace.is The policy limit is £10m.

Page: Published Annual Accounts

Does your organisation have 3 years (or more) of published annual accounts? Yes. Published accounts can be requested from customers@commonplace.is mailto:customers@commonplace.is upon provision of appropriate justification for this request.

Q

R

Page: Record & Store Logs

Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service pr

Page: Record & Store User Activity Logs

Does your organisation record and store user activity logs for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinit

Page: Records Retention Policy

Does your organisation have a Records Retention Policy? Yes, please see details in our https://www.commonplace.is/privacy-policy https://www.commonplace.is/privacy-policy and our GDPR compliance statement https://commonplace.atlassian.net/wiki/spaces/IDP/

Page: Regular Penetration Tests

Does your organisation conduct regular penetration tests of any applications or systems that it develops? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of t

Page: Regular Security Patches

Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches? Yes, this is automated, wherever possible.

Page: Remotely Wipe Company Data

Can your organisation remotely wipe company data on laptop devices? Yes.

Page: Remotely Wipe Company Data Employee/Contractor

Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets? Yes. We are able to delete all connectivity to our company Google Workspace. Our mobile & teleworking policy prohibits employees from storing dat

Page: Reported Information of Security Incidents

Does your organisation conduct a root cause analysis for all information security incidents that are reported? Yes. We adopt a 5-stage approach to handling any incidents: Preparation Detection Triage and analysis Containment and neutralisation Post-incide

Page: Reporting Information Security Breaches

Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner? Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and i

Page: Reviewed & Actioned Security Alerts

Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary? Yes. Alerting is routed to relevant Slack channels. History of all alerts is maintained

Page: Robust Detection, Investigation & Reporting Procedures

Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches? We log every data breach or suspected data breach. We track the date, s

S

Page: Secure & Encrypt Remote Connections

Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)? Yes. Connecting to the Commonplace application, all connections use HTTPS at a minimum o

Page: Secure Configuration Process

Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment? Yes, we use Infrastructure-as-Code to minim

Page: Secure Physical Perimeter

Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)? Yes. Our data centres are managed by AWS, who were selected for their data centre security and accreditations. Please see this

Page: Secure Remote Access to Network or Cloud

Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)? Yes, via multi-factor authentication or SSH key pairing via VPN.

Page: Security and Data Protection Training Programme

Do employees receive an information security and data protection training programme? All employees receive information security and data protection training on an ongoing basis. This starts as part of their induction process with further training delivere

Page: Security Best Practice

Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)? There are a number of strands to the Secure Development Methodology within Commonplace: Secure Development

Page: Security Breaches and Weaknesses

Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses? We log every data breach or suspected data breach. We track the date, severity and resolution. Upon

Page: Security Certifications

https://commonplace.atlassian.net/l/cp/acnquA3n https://commonplace.atlassian.net/l/cp/acnquA3n https://commonplace.atlassian.net/l/cp/jRoMHkhM https://commonplace.atlassian.net/l/cp/jRoMHkhM https://commonplace.atlassian.net/l/cp/C1ev4MdL https://commonp

Page: Security Governance

https://commonplace.atlassian.net/l/cp/f9aW1Qpj https://commonplace.atlassian.net/l/cp/f9aW1Qpj https://commonplace.atlassian.net/l/cp/ArZfB1RN https://commonplace.atlassian.net/l/cp/ArZfB1RN https://commonplace.atlassian.net/l/cp/u8vA3JXN https://commonp

Page: Security Incident

Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months? No.

Page: Security Patches

Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications? Yes. We use a number of automated security testing

Page: Security Policies Accessible

Are your organisation's information security policies accessible to all employees? Yes, available via our intranet.

Page: Security Policies Reviewed & Approved

Are your organisation's information security policies reviewed and approved by senior management at least annually? Yes.

Page: Security Risk Assessments

Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into accou

Page: Security Updates

Does your organisation run any applications or systems that are no longer supported and no longer receive security updates? No.

Page: Segmentation or Segregation

Has your organisation implemented segmentation or segregation in your networks and/or cloud environments? Yes. We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access. We

Page: Senior Management Roles & Responsibilities

Has your organisation documented senior management roles and responsibilities for security within your organisation? Yes. An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Lei

Page: Service Report Any Outages

How does your service report any outages? Via email and where possible / relevant via a banner on the platform.

Page: Software Development

https://commonplace.atlassian.net/l/cp/JdezF0MC https://commonplace.atlassian.net/l/cp/JdezF0MC https://commonplace.atlassian.net/l/cp/BdsyNwhE https://commonplace.atlassian.net/l/cp/BdsyNwhE https://commonplace.atlassian.net/l/cp/nxSagP0o https://commonp

Page: Software Development Life-Cycle (SDLC)

Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input? Yes, in summary the stages are: Planning -> Defining -> Designing -> Building -> Testing -> Deployment. Security input exist

Page: SPF, DMARC and DKIM

Has your organisation implemented SPF, DMARC, and DKIM for all of its email services? Yes, this is implemented with Sendgrid and AWS Route53.

Page: Supplier Assurance Activities

Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements? Yes, all suppliers are reviewed annually and on demand if there is a breach or other significant disruption.

Page: Supplier Security Clauses

Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies? Yes.

Page: Supplier Security Due Diligence

Does your organisation conduct security due diligence against suppliers before entering into a contract? Yes.

Page: Supplier Security Policy

Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet? Yes. We have a documented Supplier Security Policy that details the requirements that must be in place when selecting

Page: Supply Chain Management

https://commonplace.atlassian.net/l/cp/F2MhByNv https://commonplace.atlassian.net/l/cp/F2MhByNv https://commonplace.atlassian.net/l/cp/2wB50ptH https://commonplace.atlassian.net/l/cp/2wB50ptH https://commonplace.atlassian.net/l/cp/bAZjm30T https://commonp

Page: Supporting Services

Are any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party? Yes, we use a suite of SaaS solutions, which all must comply with our supplier security policy. Our list of sub-p

Page: Systems Lock

Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)? Not all systems do this. However critical systems such as AWS and Google Workspace do. The Commonplace platform does not currently do

Page: Systems Processing Client Information

Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load? Yes, we utilise a range of tools to assist here including AWS controls and Kubernetes for auto scaling, plus auto-scalin

T

Page: Technical Support and Incident Response

Does your organisation offer technical support and incident response for its customers? Customers can get in touch with Commonplace Support vie email or phone between the hours of 8.00am and 6.00pm Monday to Friday (excl UK public holidays) by emailing cu

Page: Testing or Development Environments

Does your organisation segregate its production environment from any testing or development environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perfo

Page: Testing or Production Environments

Does your organisation segregate development environments from any testing or production environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform

Page: Testing Process to Test Business Critical Applications

Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security? Snyk is run with each deployment, automated end-to-end, integration and unit tes

Page: Third Party Use Of Data

Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation? Yes. Commonplace operates a documented Supplier Security Policy that ensures

Page: Threat Intelligence

Does your organisation use threat intelligence to inform decisions about information security? Yes. We are subscribed to a number of newsletters from our vendors and other sources (inc UK NCSC) to maintain an overview of the security landscape across our

Page: Threat Modelling

Does your organisation conduct threat modelling during the design phase of an application or system build? We maintain a security risk level indicator in all Jira tickets around data protection and info security from the point the Jira ticket is created.

Page: Triage and Remediate Identified Vulnerabilities

Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows? Yes. We have procedures in place to manage vulnerabilities for different areas of the company. For Product and

U

Page: Unauthorised Disclosure

Does your organisation segregate duties to prevent unauthorised disclosure or access to information? Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are stri

Page: Unauthorised Transfer of Data

Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms? We have rules internally about how information should be transferred. As a small team, we have not implemented technical controls

Page: Up-To-Date Data Protection Policy

Does your organisation have an up-to-date Data Protection Policy? Yes. Our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999564 details how we comply with GDPR and is available on request from customers@commonplace.

Page: Use Laptop Devices

Does your organisation use laptop devices? Yes, each employee is given a company owned Mac Book, provisioned via Apple Business Manager and monitored via JamfPro.

Page: Use of Removable Media

Does your organisation prevent the use of removable media, and is this enforced technically? Yes, enforced via mobile device management software.

Page: User Roles Available

What are the user roles available? The following roles are available for customer users, who access the platform with a username and password: Admin: Can add, edit and revoke user accesses Have access to all communications and all data Can edit the projec

V

Page: Visitor Log Books

Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises? Data centres have visitor procedures: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/contr

Page: Visitors ID Check

Does your organisation require visitors to undergo an ID check on arrival at all premises? Data centres have visitor procedures: https://aws.amazon.com/compliance/data-center/controls/. https://aws.amazon.com/compliance/data-center/controls/ We do not con

W

Page: Web Application Firewalls (WAFs)

Does your organisation have web application firewalls (WAFs) implemented to protect web applications? Yes, we use AWS WAF. We review the rules as required, at lease annually, and tailor them to Commonplace’s needs.

Page: Whistleblowing Procedure

Does your organisation clearly inform employees and contract staff how to access and utilise the whistleblowing procedure to confidentially report any issues? Yes, this is documented in our Company Handbook, which is available on the every employee’s defa