Security Questions
Security Questions are often asked during the purchase process.
No PDF data is stored in our environment. See Basic Questions - Security
| Question | Answer (Yes/No) | Comments & details |
|---|---|---|
| 1- Do you have an information security policy? | Yes | |
| 2- Do you have a process to conduct regular and comprehensive cyber risk assessments? | Yes | We perform yearly penetration tests on our environments. |
| 3- Do you have security certifications such as SOC 2 Type II or ISO 27001? If yes, can you provide the reports? | No | We do not have certifications yet, but we are working towards the NIST framework and are aiming for SOC 2 compliance next year. |
| 4- Do you process personal information? If so, are you in compliance with privacy laws such as the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA) or the laws* on the protection of personal information in Quebec (including its amendments under Bill 64/Bill 25) or any other law applicable to your jurisdiction? If not, what is your plan to comply with your legal framework? | No | We don't process any personal information. |
| 5- How do you protect data in motion and at rest? | Yes | All our project data lives in M365, and it is protected at rest with Microsoft encryption. We use DLP policies, conditional access policies, and Microsoft Defender to protect data in motion. |
| 6- Is there any segregation of customer data? | Yes | Customer data is protected by permissions and Azure Information Protection sensitivity labels, and is only accessed on corporate devices by users with the appropriate permissions. |
| 7- Where are your data centers located that could host our data? | | All our data is in M365 and hence in Microsoft-hosted data centers. |
| 8- Do you apply an access control policy to access customer data? | Yes | Customer data is protected by permissions and Azure Information Protection sensitivity labels, and is only accessed on corporate devices by users with the appropriate permissions. |
| 9- Do you use secure application development (SDLC) practices? | Yes | All our code is checked into TFS online, and safe coding guidelines are followed. |
| 10- Do you have the security tools in place to protect yourself from cyber-attacks? If yes, please specify. | Yes | SoHo uses Microsoft Defender, which enables us to use Safe Links, Safe Attachments, anti-spam and anti-malware policies to protect our tenants from cyber-attacks. |
| 11- Is there a vulnerability management program in place? | No | |
| 12- Do you regularly perform penetration tests of your infrastructure? Do you have a frequency? | Yes | Penetration tests are performed annually by a third-party vendor. |
| 13- Do you log and monitor your infrastructure activities? | Yes | All our infrastructure is in the cloud and doesn't need server logging. Activity and sign-in logs are currently maintained through Microsoft Cloud App Security, and we are in the process of implementing SIEM logging using Microsoft Sentinel. |
| 14- Do you have an incident management process? | Yes | Please find our incident management policy attached. |
| 15- For outsourcing critical IT services, do you consider cyber security risk as part of your due diligence process? | Yes | Since our internal IT services are cloud-hosted, they are globally available. We do our due diligence through Microsoft's endpoint management software, Intune, and make sure our data is accessible and downloadable only on corporate devices. |
| 16- Do you have a business continuity plan (BCP) or a disaster recovery plan (PRA)? If so, are tests carried out, and on which date? | Yes | We use Datto SaaS Protection to back up our M365 environment; restores are tested every six months. The BCP is included in the InfoSec policy. |
| 17- Do your employees and consultants undergo criminal background checks? Do they sign confidentiality and non-disclosure agreements? | Yes | These are part of our onboarding procedures. |
| 18- Do you have an information security awareness program and contextualized training for database administrators and developers? | Yes | We provide annual cybersecurity training to our end users. |
| 19- Do you have a cyber insurance contract in force? | Yes | We have cybersecurity insurance. |