Vendelux Security Overview & Policies
- Author: Ben Pfeifer ([email protected])
- Author: Sid Dabral ([email protected])
- Last updated: 25 November 2024
- Changelog at the end
- General
  - Do we have a privacy policy?
  - Do we have a Data Protection Agreement (DPA)?
  - Do we perform pen testing / penetration testing?
  - How do we manage users? How do we terminate users? (e.g. when an employee leaves a company)
  - How do we handle session timeouts and cookies?
  - How do we sync data from Salesforce, Hubspot, and other CRMs?
  - Do we encrypt at rest?
  - Do we encrypt in transit?
  - Do we use major, secure providers in our tech stack?
  - What security certifications (e.g. SOC 2) do we have?
  - Do we support SAML?
  - Have we been involved in a cybersecurity incident?
- Security Controls
- Incident Response, DRP and BCP
- Production Processes
- Security Assessment
- Customer Data Handling
- Technical (SaaS) Security Controls
- Authentication and Access Controls
- Network Controls
- Server Host or Container Controls
- Endpoint Controls
General
Do we have a privacy policy?
Yes
Do we have a Data Protection Agreement (DPA)?
Yes.
Controller to controller:
https://vendelux.com/DPA-c2c
Controller to processor:
https://vendelux.com/DPA-c2p
Do we perform pen testing / penetration testing?
We use Intruder.io to perform automated penetration testing (https://www.intruder.io/automated-penetration-testing) on a weekly basis.
Manual 3rd-party pen testing takes place annually as part of our SOC 2 process and was last completed in the first quarter of 2024.
How do we manage users? How do we terminate users? (e.g. when an employee leaves a company)
- Our customer success managers designate a main point of contact for each organization, who has the authority to request user management changes (such as terminating a user’s account and deleting or transferring their data).
- Upon termination of a contract with Vendelux, that same point of contact has the authority to request that we terminate all of the organization’s accounts.
- Enabling self-serve user management/permissioning in our platform is on our product roadmap.
How do we handle session timeouts and cookies?
- We use secure cookies for authentication data only. Cookies are not used for any other purpose (e.g. session IDs or CSRF tokens).
- Our session/login timeout is 1 year.
- We store session data only to the extent necessary to verify a JWT claim.
How do we sync data from Salesforce, Hubspot, and other CRMs?
Users authenticate their CRM account with Fivetran, which then syncs the appropriate data into our system (in particular, Snowflake). Fivetran has robust security practices and does not permanently retain CRM data. For more information about Fivetran, see https://trust.fivetran.com
Do we encrypt at rest?
Yes
Do we encrypt in transit?
Yes
- HTTPS/TLS for all web traffic
- TLS for communication between the application server and the web server
- HTTPS/TLS for administrative access to servers and other online resources
- SSH for administrative and developer access to Linux hosts
Do we use major, secure providers in our tech stack?
Yes
- GitHub
- AWS
- Fivetran
- Snowflake
- Stripe
- Auth0
- Dagster Cloud
What security certifications (e.g. SOC 2) do we have?
We achieve PCI Compliance via Stripe, with whom we contract to manage payments.
We have completed the SOC 2 Type 2 audit process. Our SOC 2 report can be obtained upon request.
Our policies and procedures are aligned with the requirements of SOC 2.
Do we support SAML?
Yes
We specifically support major identity providers like Okta and Azure Active Directory, but any complete and correct SAML implementation should work.
Have we been involved in a cybersecurity incident?
No
Security Controls
Do you comply with data privacy laws (GDPR, CCPA, CDPA) and are you positioned to respond to DSAR and RTBF requests in accordance with these laws?
Yes
We have taken all necessary steps to comply with the GDPR. We maintain a privacy page on our public website through which DSAR and RTBF requests may be submitted. We respond immediately to any such request, and anyone may request removal of their information. We send email notifications within 30 days to people added to our platform.
Do you have a written Information Security Policy approved by management and reviewed at least once a year? Please provide additional explanation if this question is not applicable to your company.
Yes. This policy was put in place as a part of our SOC 2 certification process.
Are employees required to take security awareness training at least annually?
Yes. All employees and contractors complete a security awareness training program covering both cybersecurity and phishing.
Have all employees who have access to company data gone through background checks before they gain access to customer data or infrastructure that provides services to customers?
Yes. All employees undergo a criminal background check upon hiring.
Incident Response, DRP and BCP
Do you perform security monitoring & alerting (via SIEM, SOC personnel, Managed SOC, etc.) and take corrective action to respond to security alerts and anomalies?
Yes. Security monitoring and alerting is in place as part of our SOC 2 certification process.
Do you retain system, application, network, cloud audit activities, and other security logs for alerts and forensic analysis for a reasonable amount of time to be able to detect the RCA of an incident or attack? Please provide details and log retention period.
Yes.
Do you test your Incident Response Plan at least once a year?
Yes.
A partially-redacted copy of our IRP:
Vendelux Incident Response Plan – edited copy for external audiences
Have you had a security breach (involving exposure of customer data) within the past 12 months? If so, please describe it and any remediation efforts.
No.
Will you report any breach impacting your company within 72 hours of detection to your customer?
Yes.
Do you conduct Disaster Recovery or Business Continuity Plan tests at least annually?
Yes, in line with our SOC 2 certification process.
Production Processes
Is company data sent out of your systems to a third party?
Yes.
Is customer’s production data ever moved into other environments (test, dev, stage)?
Yes.
Is customer’s production data ever used for any other purpose than mentioned in the contract with the customer?
No.
Do you test all changes, including but not limited to upgrades, fixes, bug fixes, hot fixes, features, before promoting them to production?
Yes.
Do changes to the production environment require peer review and approval?
Yes.
Security Assessment
Do you perform internal or external infrastructure and network vulnerability scanning at least monthly?
Yes. Monthly at a minimum, though in practice more frequently.
Is the vulnerability scanning report reviewed, evaluated, and assessed by the appropriate personnel?
Yes.
Are remediations taken within a defined period based on the assessment that has been done on your vulnerability scanning report? Please provide information regarding your remediation timeline or SLA along with the definition of the vulnerability severity in your company in the comment section.
Yes.
Is penetration testing performed for the in-scope environment by an independent third party at least annually?
Yes, in line with our SOC 2 certification process.
Do you perform security assessments of your vendors (specifically any that might have access to customer data) before engaging with them?
Yes.
Do you perform security assessments of your vendors (specifically any that might have access to company data) for security risks at least every 36 months?
Yes.
Customer Data Handling
What customer data will be collected and stored?
See DPA and/or https://vendelux.com/privacy
Do you encrypt all customer data in transit?
Yes.
Do you encrypt all customer data at rest (including backups)?
Yes.
Is all sensitive information (including customer data) electronically or physically destroyed (e.g., degaussed or shredded or deleted using certified information shredding product) before a system is decommissioned?
Yes.
Is customer data securely destroyed beyond recovery upon termination or at customer’s written explicit request entirely, including but not limited to backups?
Yes.
Technical (SaaS) Security Controls
Are the IaaS and PaaS platforms (AWS, Google, Azure, etc.) users, roles, permissions, access controls, and security groups restricted to the least-privileged access required, and are these items regularly reviewed for stale and/or unauthorized access?
Yes.
Are the production SaaS platform cloud account(s), domain(s), and/or network(s) separate from any internal corporate accounts, domains and networks?
Yes.
Is multi-factor authentication (MFA) required for all engineers with access to the cloud platform?
Yes, in line with our SOC 2 certification process.
Are cloud-layer industry standard hardening controls, such as AWS, GCP, Azure CIS benchmarks applied to the SaaS cloud platform?
Yes, in line with our SOC 2 certification process.
Is cloud-layer audit logging, monitoring, and alerting in place for all SaaS cloud accounts (e.g. AWS Cloudtrail, Cloudwatch, etc.)?
Yes, in line with our SOC 2 certification process.
Is tenant segmentation in place to prevent unauthorized access between customer and end-user instances?
N/A
Authentication and Access Controls
Are all employees (FTE, contractors, interns, etc.) who might have access to customer data or infrastructure that hosts services offered to customers required to have unique credentials?
Yes.
Do you enforce SSO and multi-factor authentication (MFA) for your employees (FTE, contractors, interns, etc.) who might have access to customer data, or the infrastructure hosting services offered to customers?
Yes, in line with our SOC 2 certification process.
Do you review the access list of employees (FTE, contractors, interns, etc.) who might have access to customer data, or the infrastructure hosting services offered to customers at least once a quarter?
Yes, in line with our SOC 2 certification process.
Are all default passwords for hardware, services, and software in your company changed before becoming accessible from the production or corporate environments?
Yes.
Do you follow the principle of least privilege and need to know principles?
Yes.
Are physical security controls in place at locations of internal data centers that process or store company data? Please describe the types of security controls in the area (e.g., motion sensors, CCTV, guards, badge readers, alarms, etc.). If an external service manages data centers (e.g., AWS), list the service provider.
AWS, Google Cloud, and Snowflake
Network Controls
Is network segmentation in place to prevent unauthorized access between customer and end-user network environments?
N/A
Are all internal and external network communications transmitted over encrypted protocols such as TLS, HTTPS, SSH, etc.?
Yes.
Are inbound and outbound firewall rules in place to allow only trusted and required source IPs and network protocols and ports?
Yes.
Are all inbound and outbound network connections logged?
No.
Is a network IDS or IPS and/or web application firewall (WAF) in place to inspect or filter inbound and outbound network traffic, based on common attack patterns, IP, domain reputation, sanctioned country restrictions, etc.?
Yes (Cloudflare)
Is any network-layer rate limiting in place, based on network connections, connection size, etc.?
Yes (via Cloudflare)
Server Host or Container Controls
How often are operating system and application security patches applied to hosts and containers in the SaaS environment?
Upon release and as needed.
Are host and container permissions restricted to protect against privilege escalation and unauthorized lateral access between hosts/containers (restricted sudo access, SUID binaries, etc.)?
Yes.
Are strong authentication (MFA or comparable) and access controls in place for engineering access to all hosts and containers?
Yes, in line with our SOC 2 certification process.
Is audit logging enabled for all administrative or engineering actions, activity, and/or commands?
Yes, in line with our SOC 2 certification process.
Are there any host or container-layer security solutions in place, such as Endpoint Detection and Response (EDR), anti-malware, host IDS, and/or application allow listing?
Yes, in line with our SOC 2 certification process.
Is File Integrity Monitoring (FIM) in place for critical system files on production SaaS hosts and containers?
Yes, in line with our SOC 2 certification process.
Are host or container-layer hardening standards applied to all hosts and containers, such as CIS benchmarks?
No.
Is any host-layer rate limiting (CPU usage, etc.) in place?
No.
Are host and/or container runtime and lifetime limits enforced?
No.
Endpoint Controls
Are all endpoints (desktops, laptops, & mobile devices) managed by an MDM solution?
Yes, in line with our SOC 2 certification process.
Do you keep all endpoint software, including operating systems and third-party applications, up to date on released security patches? How often are security updates applied?
Yes, in line with our SOC 2 certification process.
Do you monitor and track the use of unauthorized software for endpoints?
Yes, in line with our SOC 2 certification process.
Is anti-virus software installed (and unable to be disabled) on all endpoints?
Yes, in line with our SOC 2 certification process.
Are all endpoints (desktops, laptops, & mobile devices) encrypted?
Yes, in line with our SOC 2 certification process.
Is a desktop firewall enabled and blocking all unnecessary inbound connections?
No.
Do end-users have administrative access to their desktops or laptops?
Yes.
Changelog
16 February 2022 – Mike Gogulski – Document created
12 May 2022 – Mike Gogulski – Updates related to organizational structure and team size changes. Some cosmetic fixes and clarifications.
14 May 2022 – Eliel Mamousette – Updated document structure to provide index of contents
16 May 2022 – Eliel Mamousette – Corrected formatting of document for consistency
19 September 2024 – Updates to security policies