Infosec & Data Protection

Welcome to the Commonplace Infosec & Data Protection Knowledge Base

We have added an abundance of information here about our policies, processes and technology, which will help you to audit Commonplace as a potential partner. You can either browse the articles or use the search below to find answers to your questions.

For a technical overview of Commonplace features: commonplace.is/technical-overview


Can’t find what you’re looking for? Let us know here.

Change log

In order to keep up to date with changes to this knowledge base, check out the change log.

Overview

Commonplace is a digital engagement tool, online consultation platform and data-driven insight solution designed for cities and places.

  • It is a SaaS platform for gathering feedback from the general public.

  • Residents and others are made aware of the Commonplace website and invited to view it and respond to questions.

  • Data may also be inputted through face-to-face interviews and workshops using a built-in Survey Mode, and via paper forms, which use identical data formats to the online survey.

  • Respondent comments are visible on the open website, but are anonymous and subject to Commonplace's Terms and Conditions, which include removal of threatening or offensive comments (this is extremely rare).

  • Assigned administrators have access to a data dashboard where they can see data on engagement and an aggregated demographic profile of participants. Raw data can be downloaded in CSV format but is redacted to ensure GDPR compliance.

Information pages

Explore more information by browsing these pages, but we recommend using the search bar above.

Space Index


0-9

Page: 24/7 Security
Are all of your organisation's physical premises manned 24/7 by a security team or reception team? Data centres have security teams: https://aws.amazon.com/compliance/data-center/controls/. We do not

A

Page: Acceptable Use Policy
Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information? Yes, our Asset Management Policy contains this information and is available on request from customers@commo
Page: Access Company Data or Services
Does your organisation allow employees to access company data or services through mobile phones or tablets? Our Mobile & Teleworking Policy provides base level requirements for devices to access our systems. Company owned iPads are used to access our syst
Page: Access Control Policy
Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed? Yes, you may request a copy of our Access Control Policy from customers@commonplace.is. We conduct access
Page: Access Control System
Does your organisation use an access control system on its premises entry and exit points that includes logging of access? Data centres have access control systems: https://aws.amazon.com/compliance/data-center/controls/.
Page: Account Recovery and Lock Out
How is account recovery and lock out managed for Commonplace users? Passwords can be reset via email. Users who make multiple attempts to log in with the wrong password within a given time period will be blocked from retrying for a given time.
Page: Activities Might Be Hazardous to Environment
Does your organisation conduct any activities that might be deemed as hazardous to the environment? No, we are an entirely desk-based organisation offering a digital service.
Page: Annual Independent Information Security
Does your organisation conduct an annual independent information security review and act upon the findings? Yes, our ISMS is audited annually both internally and externally, along with other review mechanisms as part of our ISO 27001 requirements.
Page: Anti-Bribery Policy and Corruption (AB&C)
Does your organisation have a documented set of policies and procedures for managing compliance with all applicable anti-bribery and corruption (AB&C) legislation or regulations in the jurisdictions in which you operate? Yes, a copy of our anti-bribery po
Page: Anti-Malware Controls
Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure? Due to the nature of the service architecture (use of AWS, etc) we operate a hybri
Page: Application Accessibility
Is the application fully accessible? Further detail on how we comply with WCAG 2.1 AA and UK Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 can be found in the Accessibility Policy on the footer of any active Common
Page: Application Support Browsers
Which browsers does your application support? Edge, Firefox, Chrome, Safari or Opera.
Page: Application Users Install
Is there an application that users install to use your service? No.
Page: Appropriate Control/Protocol
Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation? Yes. Within Commonplace: Data in transit within the Commonplace
Page: Appropriate Logging & Monitoring
Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops? Yes, logging, monitoring and alerting is in place across the database, application and infrastructure.
Page: Appropriate Security Testing
Does your organisation conduct appropriate security testing as part of your development lifecycle? We use a range of monitoring tools to ensure that the Commonplace platform remains secure during the development lifecycle. These include: AWS CloudWatch fo
Page: Arrangements for Alternate Resource
Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time? We've doubled the size of our workforce in the last few years and we have robust recruitment and onb
Page: Audit Employee Access Rights
Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)? Yes. Each service is on an automated schedule for access rights reviews. Depending on the level of risk associated with each service
Page: Audit Trail of User Activity
Does the system keep an audit trail of user activity? Yes. We keep an audit trail of all key activities, as follows: Admin or comms manager user added / removed Survey user added / removed User log in / log out Create project - retains a record of when a

B

Page: Back up of Digital Production Data
Does your organisation take regular backups of its digital production data in line with current best practise guidelines? Commonplace performs regular backups of all our data, and therefore if the worst happened and all of our data were lost, the worst ca
Page: Background Checks on Staff & Contractors
Does your organisation perform background checks on staff and contractors? Yes. All Commonplace employees are screened to ensure entitlement to work in the UK, with proof of ID required. References are checked. Privileged access is reviewed as part of our
Page: Backup Policy
Does your organisation have a documented Backup Policy? Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from customers@commonplace.is.
Page: Browsers That Can Be Accessed
Is your service accessed through a browser? Yes. With any of Edge, Firefox, Chrome, Safari or Opera.
Page: Business Continuity Plan
Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster? Yes, a copy of the Business Continuity Plan is available upon request from customers@commonplace.is.
Page: Business Impact Assessment
Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating? Yes.
Page: Business Resilience
https://commonplace.atlassian.net/l/cp/BpNQjYy1 https://commonplace.atlassian.net/l/cp/DPDdno0n https://commonplace.atlassian.net/l/cp/3VDbCHtp https://commonp

C

Page: Certifications or Audit Reports
Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)? Yes, we are half way through applying to be a B Corporation.
Page: Clear Desk & Screen Policy
Does your organisation enforce a Clear Desk and Screen Policy? Yes, you may request a copy of our Clear Screen & Desk Policy from customers@commonplace.is.
Page: Client Contract Terminated
Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data? Yes. Two years after the license ends at the latest, each project is archived and the responses are ps
Page: Code of Business Ethics
Does your organisation work to a committed code of business ethics which includes ethical labour practices? Yes, we do not use zero-hours contracts, and we pay the London Living Wage as a minimum.
Page: Commonplace application
https://commonplace.atlassian.net/l/cp/4fQTBENt https://commonplace.atlassian.net/l/cp/y8X2D4Xp https://commonplace.atlassian.net/l/cp/mfX1xgxH https://commonp
Page: Company Owned Laptop
Are all company owned laptop hard drives encrypted? Yes.
Page: Components of the System
Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party? Yes. Sites are cloud hosted by Commonplace. Our service is hosted with Amazon Web Services (AWS) located in London, UK. Cloudinary for i
Page: Confidential Method for Employees
Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers? Yes, this is documented in our Compan
Page: Confidential Paper Waste
Does your organisation ensure confidential paper waste is disposed of securely? We are a paperless business.
Page: Control Installation on User Endpoint System
Does your organisation have procedures in place to control the installation of software on user endpoint systems? Yes, via our Mobile Device Management solution JamfPro.
Page: Cookie Policy
Does your organisation have a published cookie policy? Yes, our cookie policy is available on all Commonplaces, via a link in the footer (example: https://haringeywalkingcycling.commonplace.is/cookies).
Page: Countries to Store or Transfer Personal Data
Where / which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI outside of the UK? Our application and data is hosted in AWS in London, UK. Sub-processors operate data in the following: United Kingdom of Gr
Page: Cryptographic Keys
Does your organisation manage and control the use of, and access to, any cryptographic keys? Yes, our Cryptographic Controls Policy is available on request from customers@commonplace.is.
Page: Cyber Essentials Certificate
Page: Cyber Essentials Certified
Is your organisation Cyber Essentials (Cyberessentials) certified? Yes, with the certificate (https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1992228865) expiring on 9 Nov 2024; we have been continuously certified since 2020.
Page: Cyber Incident Response and Forensic
Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)? Yes, a copy of our cyber and data insurance certificate is available on request from customers@commonplace.is
Page: Cyber Insurance
Does your organisation have cyber insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is. The policy limit is £2m (updated 29/12/23).

D

Page: Data Collected via Commonplace
Who owns the data collected via Commonplace? The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers. Further det
Page: Data Inputs and Outputs
Does your organisation validate all data inputs and outputs to and from its applications? Yes, in the majority of cases. We have some free text inputs which do not require validation. There is a profanity / abuse / personal information checker on free text in
Page: Data Protection
https://commonplace.atlassian.net/l/cp/11d1YW76 https://commonplace.atlassian.net/l/cp/hTQ1VG7K https://commonplace.atlassian.net/l/cp/cWvQfw1h https://commonp
Page: Data Protection Impact Assessment (DPIA)
Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals? As part of our ISO 27001 certified ISMS we have a documented Change Management Policy and procedure that incorp
Page: Data Protection Officer (DPO)
Does your organisation have a nominated Data Protection Officer (DPO)? We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.
Page: Default Credentials
Do all systems (such as network devices) have their default credentials changed on installation or provision? Yes. This is managed by external third parties who take care of our office network and cloud hosting.
Page: Designed to Work on Mobile Devices
Has your service been designed to work on mobile devices? Yes. The respondent parts of our platform are designed and built for mobile first. The editor provides a mobile preview to help our customers optimise their content for mobile users, which make up
Page: Digital Media Disposed
Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained? Media storage devices used to store customer data are classified by AWS as critical and treated acc
Page: Disabled Auto-Run
Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems? We do not use Windows devices; we only use Apple Macs / iPads.
Page: Diversity and Inclusion Policy
Does your organisation have a documented diversity and inclusion policy? Yes, a copy of our Diversity & Inclusion Policy is available on request from customers@commonplace.is.
Page: Documented ISMS
Do you have a formally documented information security management system (ISMS)? Yes, we operate an ISO 27001 certified information security management system.
Page: Dummy Test Data
Does your organisation use dummy test data when undergoing testing of systems (and not live production data)? Dummy data is used in development and staging. Redacted data is used in pre-production.

E

Page: Editing or Removing Employee Access
Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation? Yes. We have an offboarding process for all leavers which inclu
Page: Employer's Liability Insurance
Does your organisation have employer’s liability insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is. The policy limit is £10m (updated 29/12/23).
Page: Encrypt Customer Data
Does your organisation encrypt customer data on its IT systems? Yes. The Commonplace platform is hosted in AWS. The database is MongoDB Atlas, also hosted in AWS. In both cases, this is within the AWS London, UK region. AWS facilities comply with ISO 9001
Page: End Of Consultation
At the end of your consultation, you may choose to set your Commonplace as either ‘completed’ or ‘closed’. Two years after any expiration of your licence, your Commonplaces will be set to ‘archived’. More information on each status is detailed below
Page: Enforceable Password Policy
Does your organisation have an enforceable password policy? Yes. In accordance with Cyber Essentials we have a password policy for our internal team users when using our various cloud services. This includes definitions around the generation and storing o
Page: Enforced TLS
Has your organisation configured its email services to use enforced TLS? We utilise Google Workspace for email which will always attempt to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and
Page: Environmental Management Policy
Does your organisation have a documented environmental management policy? Yes, a copy of our Environment Policy is available on request from customers@commonplace.is.
Page: Environmental, Social & Corporate Governance (ESG)
Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance? Yes, we are in the process of publishing our first Annual Impact Report.
Page: Environmental, Social & Governance
https://commonplace.atlassian.net/l/cp/waJLE3Sb https://commonplace.atlassian.net/l/cp/R42T62LT https://commonplace.atlassian.net/l/cp/G2NxspNU https://commonp
Page: External Automated Vulnerability Scans
Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings? Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. Th

F

Page: Financial risk
https://commonplace.atlassian.net/l/cp/nM0Hbzfa https://commonplace.atlassian.net/l/cp/PzkDnjoy https://commonplace.atlassian.net/l/cp/qnTnckCT https://commonp
Page: Formal Change Management Process
Does your organisation have a formal change management process that gives consideration to information security? As part of our ISO 27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection e
Page: Formal Confidentiality
Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties? Yes.
Page: Formal Disciplinary Process for Employees
Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)? Yes, this is covered by our Disciplinary Policy.
Page: Formal Policy for Remote Working
Does your organisation have a formal policy for remote working that includes security? Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is.
Page: Formal Policy of Mobile
Does your organisation have a formal policy on the use of mobile devices? Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is.
Page: Formal Process to Return all IT Assets
Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation? Yes. We have an offboarding process for all leavers which includes the return of all IT assets.

G

Page: GDPR Compliance Statement
Page: Grievance Mechanism
Does your organisation provide a grievance mechanism for workers to raise workplace concerns? Yes, this is documented in our Company Handbook.

H

Page: Health & Safety Policy
Does your organisation have a documented Health & Safety Policy? Yes, a copy of our Health & Safety Responsibilities document is available on request from customers@commonplace.is.
Page: Health & Safety Programme
Does your organisation have a senior manager or board member who is responsible for your Health & Safety Programme? Yes, this is managed by our People Lead.
Page: Human Resources Security
https://commonplace.atlassian.net/l/cp/GZuEtouT https://commonplace.atlassian.net/l/cp/fAnKR788 https://commonplace.atlassian.net/l/cp/K1td2jW3 https://commonp

I

Page: I can't find the answer to my question
Please complete this quick form. We expect to get back to you in quick time, worst case within 2 working days. https://forms.gle/WShCBo83kUfoEniX9
Page: Incidences of Modern Slavery
Have any incidences of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months? No.
Page: Incident Response Plan
Does your organisation have a documented Incident Response Plan? We adopt a 5-stage approach to handling any incidents: Preparation Detection Triage and analysis Containment and neutralisation Post-incident learning This includes recording of incidents in
Page: Individual's Data Privacy Rights
Can your organisation facilitate an individual's data privacy rights? Yes, please see details in our privacy policy (https://www.commonplace.is/privacy-policy) and our GDPR compliance statement https://commonplace.atlassian.net/wi
Page: Information Classification Policy
Does your organisation have a documented Information Classification Policy? Yes, as part of our ISMS we have a fully documented information classification policy. This consists of 4 categories: Public, Internal, Confidential and Personally Identifiable In
Page: Information Commissioner's Office Registration
Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes? Yes. Further information is available in our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999549/Data+Protect
Page: Information Security
Does your organisation have an appointed person responsible for information security, such as a CISO? An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Leigh Gordine (Informat
Page: Information Security Policy
Page: Information Security Requirements
Does your organisation have an internal audit function that ensures information security requirements are being met by the business? Yes. Our ISMS is audited annually both internally and externally, along with other review mechanisms as part of our ISO270
Page: Information Security Responsibilities
Do employment contracts include consenting to all information security responsibilities inline with organisational policies and procedures? Yes. An example employment contract is available on request from customers@commonplace.is mailto:customers@commonpl
Home page: Infosec & Data Protection
Welcome to the Commonplace Infosec & Data Protection Knowledge Base We have added an abundance of information here about our policies, processes and technology, which will help you to audit Commonplace as a potential partner. You can either browse the art
Page: Infosec & Data Protection Change Log
This is the page where we notify you of key changes to this knowledge base. Key changes and updates will be posted here. Feel free to check back here for updates. Date Description of change Link 14 Mar 2024 Updated the sub-processors list Reworked the tab
Page: Inventory of all Data Repositories
Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners? Yes.
Page: Inventory of all IT Assets
Does your organisation keep an up-to-date inventory of all IT assets with assigned owners? Yes, we hold a device register for all assets.
Page: ISO27001 Certificate
Page: ISO27001:2013 Certified
Is your organisation ISO27001:2013 certified? Yes, with the certificate expiring on 21 Jun 2024.
Page: IT Operations
https://commonplace.atlassian.net/l/cp/T932Q17u https://commonplace.atlassian.net/l/cp/mREyzmQk https://commonplace.atlassian.net/l/cp/TkH6cH18 https://commonp

J

K

L

Page: Legal Mechanisms
Do you use appropriate legal mechanisms for all international transfers of personal data? We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which in
Page: Legally Registered Entity
Is your organisation a legally registered entity? Yes, we are registered as a United Kingdom limited company. Company number: 08575062 Incorporation certificate attached
Page: Local Administrator Rights
Has your organisation removed local administrator rights on all end point devices for all employees that do not require it? Yes. This is managed and enforced via Mobile Device Management, JamfPro.
Page: Local Health & Safety Laws & Industry
Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry b
Page: Logs Stored on a Secure/Hardened Server
Are all logs stored on a secure/hardened server that is logically separate from the systems being logged? Not necessarily "servers" but for example, AWS holds logs on activities separate to the actual platform, GitHub also retains logs. We also port log i

M

Page: Media Coverage, Legal Action, Penalties or Sanctions
Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons? No.
Page: Monitor Entry & Exit Points
Does your organisation use CCTV to monitor entry and exit points of all premises? Yes. Data centres have CCTV: https://aws.amazon.com/compliance/data-center/controls/. We do not control or have acces
Page: Multi-Factor Authentication (MFA)
Does your organisation enforce multi-factor authentication (aka MFA, sometimes referred to as two-factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)? Where available, MFA is i

N

Page: Net Zero Carbon Emissions
Is your organisation working towards a net zero carbon emissions target? Yes, we are aiming to minimise our environmental impact and achieve net zero by 2028.
Page: Network & Cloud Security
https://commonplace.atlassian.net/l/cp/4ARsdztu https://commonplace.atlassian.net/l/cp/16HZsusv https://commonplace.atlassian.net/l/cp/VurA6Lg2 https://commonp
Page: Network or Cloud Monitoring Controls
Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems? AWS hosting comes with built in IPS and
Page: Notifying Relevant Authority & Parties
Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs? Yes. As part of our ISO 27001 certified ISMS, we have documented Incident Management Procedures that include

O

Page: Operating System Use
Which operating systems (OS) does your service work with? Windows, MacOS, Windows Phone, Android, iOS, Linux / Unix
Page: Our Privacy Policy
Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing? Yes, see our privacy policy: https://www.commonplace.is/privacy-policy

P

Page: Password Manager
Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once? 1Password is used by all employees and contractors. It provides a place for users to store various passwords, software licenses,
Page: Password Policy
Does your organisation have a Password Policy that is technically enforced throughout its IT estate? Yes, for both employees and users, in accordance with Cyber Essentials.
Page: Patch Deployment Cycles & Maintenance Windows
What are your ‘patch deployment cycles’ and maintenance windows? We deploy code multiple times per day using Continuous Integration and Continuous Deployment. We have never required any planned downtime and do not expect to do so. Should this change, we w
Page: PCI DSS
Is your organisation PCI DSS compliant? No, we do not process card payments.
Page: Penetration Tests
Does your organisation conduct regular penetration tests of its public facing IT infrastructure? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Common
Page: Penetration Tests Internal Systems
Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)? We run tools such as Dependabot that continuously review source code for dependencies requiring patches or
Page: Personal Data Access Requests
Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months? No. Our local government customers are data controllers and so have access to their own data. We have not had personal dat
Page: Personal Data Collection & Processing Activities Record
Does your organisation maintain a record of all personal data collection & processing activities? Yes, we maintain an audit of key events around personal data collection and processing.
Page: Physical Premises Secured
Are all of your organisation's physical premises secured with an alarm? Data centres have alarm systems: https://aws.amazon.com/compliance/data-center/controls/. We do not control or have access to t
Page: Physical Security
https://commonplace.atlassian.net/l/cp/v04fxZUE https://commonplace.atlassian.net/l/cp/tqK9wFXr https://commonplace.atlassian.net/l/cp/18H6ntV4 https://commonp
Page: Planning & Delivery of Projects
Does your organisation include information security during the planning and delivery of projects? Yes, Jira tickets require a security risk level.
Page: Prevention of Modern Slavery
Does your organisation have policies and procedures in place that ensure the prevention of modern slavery? No, we don’t have a formal policy, as we are too small to be required to have one under the legislation. However, we assess suppliers individually from many per
Page: Principle of Least Privilege
Does your organisation restrict employee access to business information based upon the principle of least privilege? Yes. Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated
Page: Privileged Access Management Controls
Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration? Only IT admins have administrative access on employee machines. Employees may sometimes be granted permission to
Page: Privileged And Sensitive Accounts
Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned? For employees, all access requests require approval before account creation, which also applies to
Page: Procedures to Control Installation of Software
Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)? Due to the nature of the service architecture (use of AWS, etc), parts of this are managed by third parties: Hosting of Com
Page: Process for Provisioning User Accounts
Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs? We have an access control procedure that requires all req
Page: Process Personal Data on Behalf
Does your organisation process personal data on behalf of another organisation? Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commo
Page: Professional Indemnity Insurance
Does your organisation have professional indemnity insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is. The policy limit is £10m (updated 29/12/23).
Page: Program Source Code
Does your organisation control access to program source code in a secure manner? Yes, we use GitHub.
Page: Protect Against Denial of Service
Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Page: Protect Sensitive Equipment
Does your organisation protect sensitive equipment from power failures? Data centres have uninterruptible power supplies and redundant power systems: https://aws.amazon.com/compliance/data-center/controls/.
Page: Protected by Firewalls
Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls? Yes. The Commonplace platform is accessible via the internet for customer and respondent users over https connections. We utilise a range of AW
Page: Provide External Services
What integrations to external services do you provide? Salesforce CRM, HubSpot CRM, ESRI mapping, Zoom webinars.
Page: Public Liability Insurance
Does your organisation have public liability insurance? Yes, a copy of the insurance certificate is available on request from customers@commonplace.is. The policy limit is £10m (updated 29/12/23).
Page: Published Annual Accounts
Does your organisation have 3 years (or more) of published annual accounts? Yes. Published accounts can be requested from customers@commonplace.is upon provision of appropriate justification for this request.

Q

R

Page: Record & Store Logs
Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service pr
Page: Record & Store User Activity Logs
Does your organisation record and store user activity logs for all cloud environments, networks and associated services? Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinit
Page: Records Retention Policy
Does your organisation have a Records Retention Policy? Yes, please see details in our privacy policy (https://www.commonplace.is/privacy-policy) and our GDPR compliance statement https://commonplace.atlassian.net/wiki/spaces/IDP/
Page: Regular Penetration Tests
Does your organisation conduct regular penetration tests of any applications or systems that it develops? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of t
Page: Regular Security Patches
Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches? Yes, this is automated, wherever possible.
Page: Remotely Wipe Company Data
Can your organisation remotely wipe company data on laptop devices? Yes.
Page: Remotely Wipe Company Data Employee/Contractor
Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets? Yes. We are able to delete all connectivity to our company Google Workspace. Our mobile & teleworking policy prohibits employees from storing dat
Page: Reported Information of Security Incidents
Does your organisation conduct a root cause analysis for all information security incidents that are reported? Yes. We adopt a 5-stage approach to handling any incidents: Preparation; Detection; Triage and analysis; Containment and neutralisation; Post-incide
Page: Reporting Information Security Breaches
Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner? Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and i
Page: Reviewed & Actioned Security Alerts
Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary? Yes. Alerting is routed to relevant Slack channels. History of all alerts is maintained
Page: Robust Detection, Investigation & Reporting Procedures
Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches? We log every data breach or suspected data breach. We track the date, s

S

Page: Secure & Encrypt Remote Connections
Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)? Yes. Connecting to the Commonplace application, all connections use HTTPS at a minimum o
Page: Secure Configuration Process
Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment? Yes, we use Infrastructure-as-Code to minim
Page: Secure Physical Perimeter
Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)? Yes. Our data centres are managed by AWS, who were selected for their data centre security and accreditations. Please see this
Page: Secure Remote Access to Network or Cloud
Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)? Yes, via multi-factor authentication or SSH key pairing via VPN.
Page: Security and Data Protection Training Programme
Do employees receive an information security and data protection training programme? All employees receive information security and data protection training on an ongoing basis. This starts as part of their induction process with further training delivere
Page: Security Best Practice
Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)? There are a number of strands to the Secure Development Methodology within Commonplace: Secure Development
Page: Security Breaches and Weaknesses
Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses? We log every data breach or suspected data breach. We track the date, severity and resolution. Upon
Page: Security Certifications
https://commonplace.atlassian.net/l/cp/acnquA3n https://commonplace.atlassian.net/l/cp/jRoMHkhM https://commonplace.atlassian.net/l/cp/C1ev4MdL https://commonp
Page: Security Governance
https://commonplace.atlassian.net/l/cp/f9aW1Qpj https://commonplace.atlassian.net/l/cp/ArZfB1RN https://commonplace.atlassian.net/l/cp/u8vA3JXN https://commonp
Page: Security Incident
Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months? No.
Page: Security Patches
Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications? Yes. We use a number of automated security testing
Page: Security Policies Accessible
Are your organisation's information security policies accessible to all employees? Yes, available via our intranet.
Page: Security Policies Reviewed & Approved
Are your organisation's information security policies reviewed and approved by senior management at least annually? Yes.
Page: Security Risk Assessments
Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into accou
Page: Security Updates
Does your organisation run any applications or systems that are no longer supported and no longer receive security updates? No.
Page: Segmentation or Segregation
Has your organisation implemented segmentation or segregation in your networks and/or cloud environments? Yes. We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access. We
Page: Senior Management Roles & Responsibilities
Has your organisation documented senior management roles and responsibilities for security within your organisation? Yes. An Information Security Working Group meets monthly to review information security requirements and issues: Mike Saunders (CEO) | Lei
Page: Service Report Any Outages
How does your service report any outages? Via email and where possible / relevant via a banner on the platform.
Page: Software Development
https://commonplace.atlassian.net/l/cp/JdezF0MC https://commonplace.atlassian.net/l/cp/BdsyNwhE https://commonplace.atlassian.net/l/cp/nxSagP0o https://commonp
Page: Software Development Life-Cycle (SDLC)
Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input? Yes, in summary the stages are: Planning -> Defining -> Designing -> Building -> Testing -> Deployment. Security input exist
Page: SPF, DMARC and DKIM
Has your organisation implemented SPF, DMARC, and DKIM for all of its email services? Yes, this is implemented with Sendgrid and AWS Route53.
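A worked check for the SPF, DKIM and DMARC answer above, added here as an example and not Commonplace's own records or tooling: it audits records in the shape a Route53 hosted zone publishes for a domain that sends through SendGrid, flagging the misconfigurations that quietly undo the control (a permissive `+all`, a monitor-only `p=none`, more than ten lookup terms, a missing or revoked DKIM key). The domain `example.org`, the selector `s1` and the CNAME target are constructed assumptions; the two sample zones are built inline so the script runs offline.

```python
"""Offline checks for the SPF, DKIM and DMARC records of a sending domain.

The sample zones below are constructed for this example; domain, selector
and CNAME target are assumptions, not any real organisation's records.
"""
import re
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # DNS name -> [(record type, value)]

# Hardened zone: SPF fails unmatched senders, DMARC rejects, DKIM delegated by CNAME.
STRONG_ZONE: Zone = {
    "example.org": [("TXT", "v=spf1 include:sendgrid.net -all")],
    "_dmarc.example.org": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org")],
    "s1._domainkey.example.org": [("CNAME", "s1.domainkey.u1234567.wl001.sendgrid.net.")],
}

# Weak zone: '+all' lets anyone send as the domain, DMARC only monitors, no DKIM key.
WEAK_ZONE: Zone = {
    "example.org": [("TXT", "v=spf1 include:sendgrid.net include:_spf.google.com +all")],
    "_dmarc.example.org": [("TXT", "v=DMARC1; p=none")],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^(a|mx|ptr)(:|/|$)|^(include|exists):|^redirect=")


def check_spf(record: str) -> List[str]:
    """Return findings for one SPF TXT record; an empty list means it passed."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        t = term.lower().lstrip("+-~?")  # drop the qualifier to get the mechanism
        if LOOKUP_TERM.match(t):
            lookups += 1
        if t.startswith("ptr"):
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    last = terms[-1].lower()  # the trailing 'all' decides the fate of unmatched senders
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral, so receivers get no signal to reject spoofed mail")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with an 'all' or redirect= term")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' tag lists (the syntax shared by DMARC and DKIM records)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return findings for a _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_dkim(zone: Zone, domain: str, selectors: List[str]) -> List[str]:
    """Check that each selector publishes a usable key (TXT) or delegates it (CNAME)."""
    findings: List[str] = []
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        records = zone.get(name, [])
        if not records:
            findings.append(f"no DKIM record published at {name}")
            continue
        for rtype, value in records:
            if rtype == "CNAME":
                continue  # key hosted by the email provider; the delegation is the control
            if not parse_tags(value).get("p"):
                findings.append(f"{name}: empty p= tag means the key is revoked")
    return findings


def audit(zone: Zone, domain: str, selectors: List[str]) -> Dict[str, object]:
    """Run all three checks; 'ok' is True only when no check produced a finding."""
    spf_records = [v for t, v in zone.get(domain, []) if t == "TXT" and v.lower().startswith("v=spf1")]
    spf = check_spf(spf_records[0]) if len(spf_records) == 1 else [
        f"expected exactly one SPF record, found {len(spf_records)} (permerror)"]
    dmarc_records = [v for t, v in zone.get(f"_dmarc.{domain}", []) if t == "TXT"]
    dmarc = check_dmarc(dmarc_records[0]) if dmarc_records else ["no _dmarc record published"]
    dkim = check_dkim(zone, domain, selectors)
    return {"spf": spf, "dmarc": dmarc, "dkim": dkim, "ok": not (spf or dmarc or dkim)}
```

Running `audit(STRONG_ZONE, "example.org", ["s1"])` returns no findings, while the weak zone reports the `+all`, the `p=none` with no `rua=`, and the missing selector. To use it against a live zone, replace the inline dictionaries with the TXT and CNAME answers from `dig` or the Route53 API; the checks themselves need no network access.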
Page: Summary of all insurance cover
What insurance policies and cover does your organisation have? Public and product liability (last updated: 29/12/2023), value £10M; Professional indemnity insurance (last updated: 29/12/2023), value £10M; Employers' liability insurance (last updated: 29/12
Page: Supplier Assurance Activities
Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements? Yes, all suppliers are reviewed annually and on demand if there is a breach or other significant disruption.
Page: Supplier Security Clauses
Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies? Yes.
Page: Supplier Security Due Diligence
Does your organisation conduct security due diligence against suppliers before entering into a contract? Yes.
Page: Supplier Security Policy
Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet? Yes. We have a documented Supplier Security Policy that details the requirements that must be in place when selecting
Page: Supply Chain Management
https://commonplace.atlassian.net/l/cp/F2MhByNv https://commonplace.atlassian.net/l/cp/2wB50ptH https://commonplace.atlassian.net/l/cp/bAZjm30T https://commonp
Page: Supporting Services
Are any supporting services (for e.g. system support, service desk, remote administration etc.) outsourced or subcontracted to a third party? Yes, we use a suite of SaaS solutions, which all must comply with our supplier security policy. Our list of sub-p
Page: Systems Lock
Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)? Not all systems do this. However, critical systems such as AWS and Google Workspace do. The Commonplace platform does not currently do
Page: Systems Processing Client Information
Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load? Yes, we utilise a range of tools to assist here including AWS controls and Kubernetes for auto scaling, plus auto-scalin

T

Page: Technical Support and Incident Response
Does your organisation offer technical support and incident response for its customers? Customers can get in touch with Commonplace Support via email or phone between the hours of 8.00am and 6.00pm Monday to Friday (excl. UK public holidays) by emailing cu
Page: Testing or Development Environments
Does your organisation segregate its production environment from any testing or development environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perfo
Page: Testing or Production Environments
Does your organisation segregate development environments from any testing or production environments? Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform
Page: Testing Process to Test Business Critical Applications
Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security? Snyk is run with each deployment, automated end-to-end, integration and unit tes
Page: Third Party Use Of Data
Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation? Yes. Commonplace operates a documented Supplier Security Policy that ensures
Page: Threat Intelligence
Does your organisation use threat intelligence to inform decisions about information security? Yes. We are subscribed to a number of newsletters from our vendors and other sources (inc UK NCSC) to maintain an overview of the security landscape across our
Page: Threat Modelling
Does your organisation conduct threat modelling during the design phase of an application or system build? We maintain a security risk level indicator in all Jira tickets around data protection and info security from the point the Jira ticket is created.
Page: Triage and Remediate Identified Vulnerabilities
Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows? Yes. We have procedures in place to manage vulnerabilities for different areas of the company. For Product and

U

Page: Unauthorised Disclosure
Does your organisation segregate duties to prevent unauthorised disclosure or access to information? Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are stri
Page: Unauthorised Transfer of Data
Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms? We have rules internally about how information should be transferred. As a small team, we have not implemented technical controls
Page: Up-To-Date Data Protection Policy
Does your organisation have an up-to-date Data Protection Policy? Yes. Our GDPR Compliance Statement https://commonplace.atlassian.net/wiki/spaces/IDP/pages/1991999564 details how we comply with GDPR and is available on request from customers@commonplace.
Page: Use Laptop Devices
Does your organisation use laptop devices? Yes, each employee is given a company-owned MacBook, provisioned via Apple Business Manager and monitored via JamfPro.
Page: Use of Removable Media
Does your organisation prevent the use of removable media, and is this enforced technically? Yes, enforced via mobile device management software.
Page: User Roles Available
What are the user roles available? The following roles are available for customer users, who access the platform with a username and password: Admin: can add, edit and revoke user accesses; has access to all communications and all data; can edit the projec

V

Page: Visitor Log Books
Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises? Data centres have visitor procedures: https://aws.amazon.com/compliance/data-center/controls/.
Page: Visitors ID Check
Does your organisation require visitors to undergo an ID check on arrival at all premises? Data centres have visitor procedures: https://aws.amazon.com/compliance/data-center/controls/. We do not con

W

Page: Web Application Firewalls (WAFs)
Does your organisation have web application firewalls (WAFs) implemented to protect web applications? Yes, we use AWS WAF. We review the rules as required, at least annually, and tailor them to Commonplace's needs.
Page: Whistleblowing Procedure
Does your organisation clearly inform employees and contract staff how to access and utilise the whistleblowing procedure to confidentially report any issues? Yes, this is documented in our Company Handbook, which is available on every employee's defa

X

Y

Z

!@#$