Security Questions
Security Questions that are often asked during the purchase process.
No PDF data is stored in our environment. See Basic Questions - Security
Question |
Answer(Yes/No) |
Comments & details |
| 1- Do you have an information security policy? | Yes | |
| 2- Do you have a process to conduct regular and comprehensive cyber risk assessments? | Yes | We perform yearly penetration tests on our environments. |
| 3- Do you have security certification such SOC 2 Type II, ISO 27001? If yes, Can you provide the reports? | No | We do not have certifications yet, but we are working towards the NIST framework and are aiming for SOC II compliance next year |
| 4- Do you process personal information? If so, are you in compliance with privacy laws such as the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA) or the laws* on the protection of personal information in Quebec ( including its amendments under Bill 64/Bill 25) or any other law applicable to your jurisdiction? If not, what is your plan to comply with your legal framework? |
No | We don’t process any personal information |
| 5- How do you protect data in motion and at rest? | Yes | All our project data lives in M365, and it is protected at rest with Microsoft encryption. We use DLP policies, conditional access policies, and Micrpsoft defender for protecting data in motion |
| 6- Is there any segregation of customer data? | Yes | Customer data is protected by permissions and Azure information protection sensitivity labels, which are only accessed on corporate devices by users having accurate permissions |
| 7- Where are located your data centers that could host our data? | All our data is in M365 and hence on Microsoft-hosted data centers | |
| 8- Do you apply access control policy to access customer data? | Yes | Customer data is protected by permissions and Azure information protection sensitivity labels which are only accessed on corporate devices by users having accurate permissions |
| 9- Do you use secure application development (SDLC) practices? | Yes | All our code is checked in to TFS online and safe coding guidelines are followed |
| 10- Do you have the security tools in place to protect yourself from cyber attacks? If yes, please specify. | Yes | SoHo uses Microsoft defender, which enables us to use safe links, safe attachments, anti-spam and anti-malware policies to protect our tenants from cyber attacks |
| 11- Is there a vulnerability management program in place? | No | |
| 12- Do you regularly perform penetration tests of your infrastructure? Do you have a frequency? | Yes | Penetration tests are performed annually |
| 13- Do you perform logging and monitoring of your infrastructure activities? | Yes | All our infrastructure is in the cloud and doesn’t need server logging. Activity and sign-in logs are currently maintained through MS cloud app security, and we are in the process of implementing SIEM logs using MS Sentinel |
| 14- Do you have an incident management process? | Yes | Please find our incident management policy attached |
| 15- For outsourcing of critical IT service, do you consider cyber security risk as part of your due diligence process? | Yes | Since our internal IT services are in the cloud, it is a global availability. We do our due diligence with the usage of MS endpoint management software- InTune, and make sure our data is accessible and downloadable only on corporate devices |
| 16- Do you have a business continuity plan (BCP) or a disaster recovery plan (PRA)? If so, are tests carried out and which date? | Yes | We use Datto SaaS protection for backing up our M365 environment and restores are tested every 6 months. BCP included in the InfoSec policy |
| 17- Do your employees and consultants undergo criminal background checks? Do they sign confidentiality and non-disclosure agreements? | Yes | These are a part of our onboarding procedures |
| 18- Do you have an information security awareness program and contextualized training for database administrators and developers? | Yes | We provide annual cybersecurity training to our end users |
| 19- Do you have a cyber insurance contract in force? | Yes | We have Cybersecurity Insurance |
