Security Questions

Security Questions that are often asked during the purchase process.

No PDF data is stored in our environment. See Basic Questions - Security.

Each question below is followed by the answer given and, where provided, the comments and details.

1. Do you have an information security policy?
   Answer: Yes

2. Do you have a process to conduct regular and comprehensive cyber risk assessments?
   Answer: Yes
   Comments: We perform yearly penetration tests on our environments.

3. Do you have security certification such as SOC 2 Type II or ISO 27001? If yes, can you provide the reports?
   Answer: No
   Comments: We do not have certifications yet, but we are working towards the NIST framework and are aiming for SOC II compliance next year.

4. Do you process personal information? If so, are you in compliance with privacy laws such as the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA) or the laws* on the protection of personal information in Quebec (including its amendments under Bill 64/Bill 25) or any other law applicable to your jurisdiction? If not, what is your plan to comply with your legal framework?
   Answer: No
   Comments: We don't process any personal information.

5. How do you protect data in motion and at rest?
   Answer: Yes
   Comments: All our project data lives in M365, and it is protected at rest with Microsoft encryption. We use DLP policies, conditional access policies, and Microsoft Defender for protecting data in motion.

6. Is there any segregation of customer data?
   Answer: Yes
   Comments: Customer data is protected by permissions and Azure Information Protection sensitivity labels, and is only accessed on corporate devices by users having the appropriate permissions.

7. Where are the data centers located that could host our data?
   Answer: (not given)
   Comments: All our data is in M365 and hence in Microsoft-hosted data centers.

8. Do you apply an access control policy to access customer data?
   Answer: Yes
   Comments: Customer data is protected by permissions and Azure Information Protection sensitivity labels, and is only accessed on corporate devices by users having the appropriate permissions.

9. Do you use secure application development (SDLC) practices?
   Answer: Yes
   Comments: All our code is checked in to TFS online and safe coding guidelines are followed.

10. Do you have the security tools in place to protect yourself from cyber attacks? If yes, please specify.
   Answer: Yes
   Comments: SoHo uses Microsoft Defender, which enables us to use Safe Links, Safe Attachments, anti-spam and anti-malware policies to protect our tenants from cyber attacks.

11. Is there a vulnerability management program in place?
   Answer: No

12. Do you regularly perform penetration tests of your infrastructure? Do you have a frequency?
   Answer: Yes
   Comments: Penetration tests are performed annually.

13. Do you perform logging and monitoring of your infrastructure activities?
   Answer: Yes
   Comments: All our infrastructure is in the cloud and doesn't need server logging. Activity and sign-in logs are currently maintained through MS Cloud App Security, and we are in the process of implementing SIEM logging using MS Sentinel.

14. Do you have an incident management process?
   Answer: Yes
   Comments: Please find our incident management policy attached.

15. For outsourcing of critical IT services, do you consider cyber security risk as part of your due diligence process?
   Answer: Yes
   Comments: Since our internal IT services are in the cloud, they are globally available. We do our due diligence with the usage of MS endpoint management software (Intune), and make sure our data is accessible and downloadable only on corporate devices.

16. Do you have a business continuity plan (BCP) or a disaster recovery plan (PRA)? If so, are tests carried out, and on which date?
   Answer: Yes
   Comments: We use Datto SaaS Protection for backing up our M365 environment, and restores are tested every 6 months. The BCP is included in the InfoSec policy.

17. Do your employees and consultants undergo criminal background checks? Do they sign confidentiality and non-disclosure agreements?
   Answer: Yes
   Comments: These are a part of our onboarding procedures.

18. Do you have an information security awareness program and contextualized training for database administrators and developers?
   Answer: Yes
   Comments: We provide annual cybersecurity training to our end users.

19. Do you have a cyber insurance contract in force?
   Answer: Yes
   Comments: We have cybersecurity insurance.