At Zuddl, we are committed to protecting the confidentiality, integrity, reliability and availability of our product and systems and our customer’s data. We are continuously improving our security processes and analyzing their effectiveness to give you confidence in our solution.
Here is an overview of some of the measures in place to protect your data.
Cloud Security
Data Center Physical Security
Facilities
Zuddl uses Amazon AWS for data center hosting. AWS data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant.
AWS employs robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, secure device destruction amongst others.
Third party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
Threat Detection
Zuddl leverages threat detection services within AWS to continuously monitor for malicious and unauthorized activity.
Vulnerability Scanning
We perform regular internal scans for vulnerability scanning of infrastructure. Where issues are identified these are tracked until remediation.
DDoS Mitigation
Zuddl uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize Cloudflare’s sophisticated CDN with built in DDoS protection as well as native AWS tools and application specific mitigation techniques.
Access Control
Access is limited to least privilege model required for our staff to carry out their jobs. This is subject to frequenct internal audit and technical enforcement and monitoring to ensure compliance.
Encryption
In Transit
Communication with Zuddl is encrypted with TLS 1.3 or higher over public networks. We monitor community testing & research in this area and continue to adopt best practices in terms of Cipher adoption and TLS configuration.
At Rest
Zuddl data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.
Availability & Continuity
Uptime
Zuddl is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are incorporated into our release and testing cycle.
Disaster Recovery
In the event of a major region outage, Zuddl has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.
DR deployment is managed by the same configuration management and release processes as our production environment ensuring that all security configurations and controls are applied appropriately.
Application Security
Quality Assurance
Zuddl’s Quality Assurance team reviews and tests code base on a per squad basis. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training and security resources are provided to the QA team.
Environment Segregation
Testing, staging and production environments are logically separated from one another. No customer data is used in any development or test environment.
Personal Security
Security Awareness
Zuddl delivers a robust Security Awareness Training program which is delivered within 30 days of new hires and annually for all employees. In addition, we roll out quarterly focused training to key departments including Secure Coding, Data Legislation and Compliance obligations.
Information Security Program
Zuddl has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors and acknowledgement tracked on key policies such as Acceptable Use, Information Security Policy and our Employee Handbook.
Confidentiality Agreements
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Access Controls
Access to systems and network devices is based upon a documented, approved request process. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology and all permissions require documented business need. Exceptions identified during the verification process are remediated. Business need revalidation is performed on a quarterly basis to determine that access is commensurate with the users job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.
Certifications
ISO 27001
GDPR
SOC 2
Third Party Security
Vendor Management
Zuddl understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.
Third-Party Sub Processors
Zuddl uses third-party sub processors to provide core infrastructure and services which support the application. Prior to engaging any third party, Zuddl evaluates a vendor’s security as per our Third-party Management Policy.