Security and Privacy at Certiverse

Security is at the heart of what we do—helping our customers improve their security and compliance posture starts with our own.
 
Security Statement Permalink
Governance

Certiverse's Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

Our policies are based on the following foundational principles:

01.
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.

02.
Security controls should be implemented and layered according to the principle of defense-in-depth.

03.
Security controls should be applied consistently across all areas of the enterprise.

04.
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

Security and Compliance at Certiverse

Certiverse is currently implementing the SOC 2 Type II framework through Vanta's compliance process.

Data protection 

Data at rest
All datastores with customer data are encrypted at rest with AES 256 Encryption. Sensitive collections and tables also use encryption. This means the data is encrypted even before it hits the database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.

Data in transit
Certiverse uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by Microsoft Azure and deployed via Azure's Content Distribution Networks.

Secret management
Encryption keys are managed via Azure Key Vault. Secure key management is essential to protect data in the cloud. Azure Key Vault encrypts keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS validated HSMs (hardware and firmware) - FIPS 140-2 Level 2 for vaults and FIPS 140-2 Level 3 for HSM pools.

Application secrets are encrypted and stored securely via Azure Key Vault and access to these values is strictly limited.

Product security

Vulnerability scanning

Certiverse requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Static analysis (SAST) testing of code during pull requests and on an ongoing basis
  • Malicious dependency scanning to prevent the introduction of malware into our software supply chain
  • Network vulnerability scanning on a period basis
  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain
  • External attack surface management (EASM) continuously running to discover new external-facing assets

Enterprise security

Endpoint protection
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.


Secure remote access
Certiverse secures remote access to internal resources. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.


Security education
Certiverse provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta’s platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.

Certiverse's security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.


Identity and access management
Certiverse uses Okta to secure our identity and access management. We enforce the use of phishing-resistant authentication factors, using WebAuthn exclusively wherever possible.

Certiverse employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.


Vendor security
Certiverse uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:

  • Access to customer and corporate data
  • Integration with production environments
  • Potential damage to the Certiverse brand
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.

Data privacy

At Certiverse, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data.

Privacy Shield
Certiverse maintains an active Privacy Shield Agreement 

Regulatory compliance
Certiverse evaluates updates to regulatory and emerging frameworks continuously to evolve our program.

Privacy Policy and DPA
View Certiverse's Privacy Policy
View our list of subprocessors
View our DPA 

Responsible Disclosure

Looking to report a security concern?

Please visit our Contact Us page.

 

Some additional information in one line