Winmore, Inc., together with our subsidiaries (“Winmore”, “we”, “us” or “our”), sells web-based and mobile applications (the “Service”) that are used by organizations of all sizes throughout the world to manage their business operations and customer relationships. The Service allows the data controller (“Customer”) to focus on their business and their customers while we focus on the development and reliability of the Service.
We have a due diligence process for the selection of a subcontractor or sub-processor (“Vendor”) that includes a review and confirmation of the Vendor’s administrative, physical and technical controls concerning data protection or privacy.
Winmore expects our Vendors to apply security best practices and manage platform security so Winmore can focus on the Service. Winmore expects any Vendor platform to be designed to protect customers from threats by applying security controls at every layer, from physical to application, by isolating customer applications and data, and by being able to rapidly deploy security updates without customer interaction or service interruption.
Winmore must ensure that we have agreements or contracts in place with our Vendors that place the same or equivalent obligations on our Vendors as are required in our contract with our Customer in relation to processing our Customer’s data.
Winmore must ensure that the applicable standards and procedures in place in the locations and jurisdictions where Winmore or our Vendors operate are appropriate and are, in any event, at least equivalent to the standards and procedures we agree with our Customer.
Commitment to Data Protection and Privacy
Vendor’s documented policies and procedures must include a statement of commitment to Data Protection and Privacy.
Security Assessments and Compliance
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Security Assessments and Compliance.
Vendor’s physical infrastructure must be hosted and managed within secure data centers and utilize state-of-the-art technology. Vendor must continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Vendor’s data center operations must be properly accredited under standards such as:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
If Vendor is a publicly traded company in the United States, then Vendor must be audited annually and remain in compliance with the Sarbanes-Oxley (SOX) Act of 2002.
Penetration Testing and Vulnerability Assessments
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Penetration Testing and Vulnerability Assessments.
Third party security testing of the Vendor application must be performed by independent and reputable security consulting firms. Findings from each assessment must be reviewed with the assessors, risk ranked, and assigned to the responsible team.
Vendor, or their subcontractors, must utilize ISO 27001 and FISMA certified data centers.
Vendor, or their subcontractors, must only provide access and information to employees who have a legitimate business need for such privileges.
Environmental Safeguards
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Environmental Safeguards, such as:
- Automatic fire detection and suppression
- Fully redundant power
- Climate and temperature control
- Monitoring of electrical, mechanical and other support systems and equipment
- Preventative maintenance
Network Security
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Network Security, such as:
- Firewalls
- DDoS Mitigation
- Spoofing and Sniffing Protections
- Port Scanning
Data Security
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Data Security, such as:
- Customer applications
- Postgres databases
- Add-ons
System Security
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of System Security, such as:
- System Configuration
- Customer Application Isolation
- System Authentication
Vulnerability Management
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Vulnerability Management.
Vendor must undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of the Vendor application, architecture, and implementation. Vendor must have third-party security assessments that cover all areas of the Vendor platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Vendor must work closely with external security assessors to review the security of the Vendor platform and applications and apply best practices.
Issues found in Vendor applications are risk ranked, prioritized, assigned to the responsible team for remediation, and Vendor’s security team reviews each remediation plan to ensure proper resolution.
Backups and Disaster Recovery
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Backups and Disaster Recovery.
Privacy
Vendor must have a published privacy policy that clearly defines what data is collected and how it is used. Vendor must be committed to customer privacy and transparency.
Vendor must take steps to protect the privacy of our customers and protect data stored within their platform. Some of the protections inherent to Vendor’s products should include authentication, access controls, data transport encryption, HTTPS support for customer applications, and the ability for customers to encrypt stored data.
Access to Customer Data
Vendor staff must not access or interact with customer data or applications as part of normal operations. There may, however, be cases where Vendor is requested by their customer to interact with customer data or applications for support purposes, or where such interaction is required by law. Customer data is access controlled, and all access by Vendor staff is accompanied by customer approval or a government mandate, the reason for access, the actions taken by staff, and the support start and end time.
Employee Screening and Policies
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Employee Screening and Policies.
Customer Security Best Practices
Vendor’s documented policies and procedures must include a statement of commitment to and detailed descriptions of Customer Security Best Practices, such as:
- Encrypt Data in Transit
- Encrypt Sensitive Data at Rest
- Secure Development Practices
- Authentication
- Logging
- Use of Third-Party Solutions
Change in Vendor
Winmore shall not engage another Vendor without prior specific or general written authorization of our Customer.
In the case of general written authorization in our MSA, Winmore must inform the Customer of any intended changes concerning the addition or replacement of a Vendor, to give the Customer the opportunity to object to such changes. The process of informing the Customer is handled through the Winmore Customer Engagement and Support teams.
End of Contract
Winmore must ensure that all Vendor contracts provide for the deletion or return of all personal data at the end of the contract.