Last updated: 29/10/2018
If you observe any security issues and want to report anything to UnderDefense, please email us at [email protected]
All employees receive regular information security and privacy training. Employees with access to production data receive additional training specific to their roles, and background checks are mandatory for employees with access to production data or production systems.
We have dedicated security staff, including a Chief Security Officer and Certified Information Systems Security Professionals.
We regularly conduct both internal vulnerability assessments (including architecture reviews by security professionals) and external vulnerability assessments.
IT Security Policies
Detailed internal policies dictate how we handle security and privacy incidents, including detection, response, forensics, and notifications. We incorporate security into our services development processes at all stages. From initial architecture considerations to post-release, security is built into all aspects of our services and development workflow.
We maintain a robust incident response program with well-documented incident response, escalation, and notification plans, with trained personnel available on a 24/7 basis to monitor and respond to any alerts or events that may indicate more serious security incidents.
Our response and escalation plans are tested on at least an annual basis, and detailed customer post-mortems are delivered within 3 business days following any major incident.
Secure Development Life Cycles – Code and Infrastructure
Guiding security principles and required security training help to ensure UnderDefense technologists make the best security decisions possible. Threat assessments on high-risk features help to identify potential security issues as early in the development lifecycle as possible.
Code vulnerability testing
To prevent and address code-level vulnerabilities, we use secure coding patterns and static code analysis tools to identify and prevent security flaws. In addition to static code analysis, we run language and framework dependency checks to assess dependencies for known vulnerabilities.
Internal and external penetration tests are conducted quarterly by a qualified independent security organization. Any vulnerabilities found are documented and immediately remediated. Post-mortem analysis is performed to identify root cause and implement future controls.
Prior to release, we validate that the functionality being developed and maintained meets its internal security requirements. Post-release, we utilize independent security service providers to analyze and monitor the product for potential security issues.
All new functionality requires extensive testing and peer code review. Additionally, we provide explicit notice of any changes impacting customer experience or usage and are committed to working with our customers to minimize any negative impact from changes.
Sensitive data is managed within UnderDefense. UnderDefense encryption keys are stored and managed in a logically separate location.
For data in motion, we require Transport Layer Security 1.2 with Authenticated Encryption mode ciphers. Data at rest is protected using the latest Authenticated Encryption with Associated Data (AEAD) mode symmetric ciphers.
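As an added illustration of the data-in-motion requirement above (example code, not UnderDefense's own), the following builds a Python client TLS context that refuses anything below TLS 1.2 and enables only AEAD cipher suites, beside a legacy context that an audit helper flags. The cipher string and helper names are assumptions chosen for the example.

```python
import ssl

# Constructed for this example: OpenSSL cipher string that matches only
# AEAD suites (AES-GCM, ChaCha20-Poly1305) with forward-secret key exchange.
AEAD_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"
)


def build_client_context() -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 minimum, AEAD-only cipher suites."""
    ctx = ssl.create_default_context()  # system trust store, hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_CIPHER_STRING)  # TLS 1.3 suites are all AEAD already
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Weak counterpart for contrast: accepts TLS 1.0 and OpenSSL's default
    suite list, which still contains CBC (non-AEAD) ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT")
    return ctx


def non_aead_ciphers(ctx: ssl.SSLContext) -> list:
    """Audit helper: names of every enabled suite that is not AEAD."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def permits_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True if the context would still accept TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise a context against the policy: both values must be clean."""
    return {
        "legacy_tls_allowed": permits_legacy_tls(ctx),
        "non_aead_suites": non_aead_ciphers(ctx),
    }


if __name__ == "__main__":
    print("hardened:", audit(build_client_context()))
    print("legacy:  ", audit(build_legacy_context()))
```

The same two checks can be run against a server-side context before deployment; a result other than an empty suite list and legacy TLS disabled is a policy deviation.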
Vulnerability Management and Monitoring
Our first priority is to mitigate risk to your data and our systems. Where reasonable, we work to remediate issues and minimize customer impact and interaction.
Any new incidents or vulnerabilities are immediately escalated to our security team, reviewed for applicability, risk-ranked and assigned to be resolved by the appropriate
The latest applicable security patches and
We’ve implemented tools to alert us when downtime thresholds have been reached. Additionally, we continuously monitor our availability and uptime by evaluating our current processing capacity and usage, so that we can best manage capacity demand and meet our availability commitments and system requirements.
We maintain a robust and well-documented recovery plan. We run daily backups of any changes and conduct a full backup on a weekly basis. Backups are replicated across multiple availability zones. Disaster recovery drills are conducted on at least an annual basis.
We conduct annual internal risk assessments to identify, prioritize and reduce or mitigate known risks. High impact risks are remediated immediately upon discovery. The entire assessment process is thoroughly documented and audited annually. Findings and remediation are reviewed, discussed and approved by our internal security team and leadership.