SOC 2 is an auditing standard focused on organizational controls in five areas: security, availability, processing integrity, confidentiality and privacy, as defined by the American Institute of Certified Public Accountants (AICPA). EY (formerly Ernst & Young), a global leader in assurance, tax, transactions and advisory services, performed a rigorous audit of ControlUp’s security controls and processes for its products and services. To download a copy of the ControlUp SOC 2 Type II Attestation Report, please contact us.
Your Data Is Safe With ControlUp
Security and privacy controls are always a top priority when it comes to using software as a service. At ControlUp we are committed to protecting the confidentiality, integrity, availability and privacy of our customers’ data and to their service continuity. We hold that information security is crucial for our customers’ business operations and for our own success. These principles govern us and the way we conduct business. While there is no bulletproof solution to cloud data and service protection, we do everything possible to exceed expectations. ControlUp’s services are secure, reliable and trusted.
The SOC 3 report was concluded in February 2020 and covers the period from January 1, 2019 to December 31, 2019. The SOC 3 report can be freely distributed to the public for general use. The report is based on the criteria for security, availability, processing integrity and confidentiality set by the standards of the American Institute of Certified Public Accountants.
A CSA STAR Level 1 Questionnaire for ControlUp is available for download on the Cloud Security Alliance’s STAR Registry web site. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping customers assess the security of cloud providers they currently use or are considering contracting with. ControlUp has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answers to over 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider.
Technical Security Controls
ControlUp employs various security controls to further protect against security threats:
- Virtual Private Cloud (VPC): ControlUp’s cloud uses a virtual private cloud that delivers a private, isolated and controlled section of AWS.
- Network Traffic Controls: ControlUp’s cloud utilizes firewall rules to control the inbound and outbound network traffic of each internal resource.
- TLS: ControlUp’s cloud utilizes TLS protocol to encrypt the bidirectional traffic between the customer device and desktop and the service.
- Customer Data Isolation: Only authenticated and customer authorized users are permitted to access their own data.
- Authentication: Access to ControlUp’s cloud is controlled with authentication that enforces a strict password policy. ControlUp’s cloud challenges password brute-force attempts. Optional Multi-Factor Authentication is available. Single Sign-On authentication is supported using federation technology and the SAML protocol.
- User Management: Only the customer’s administrators can manage their authorized users’ identities and permissions within the customer tenant. Each customer authorized user is subject to strict permissions within the customer tenant according to the assigned user group. Customer users manage their own passwords. Customer user repositories can also be synchronized.
- Authorization: All access to ControlUp’s cloud platform is restricted to authorized ControlUp employees only, in accordance with documented processes, and is logged and tracked for auditing purposes. Remote access is also secured with a VPN using two-factor authentication. Permissions for access and actions in the ControlUp cloud platform are defined using the segregation-of-duties and least-privilege principles.
- Web attacks protection: Unauthorized web access attempts to the ControlUp’s cloud are filtered.
- Anti-Malware protection: Malicious software is blocked, detected and removed.
- Security patch management: Applications, services and operating systems are routinely patched to provide ongoing protection from exploits.
- Hardened systems: Only crucial software packages are installed. Systems security policies are enabled. Unnecessary services are stopped and non-required ports are closed.
- Monitoring of security events: Audit policies and procedures, which include log collection, correlation and alerting on security incidents, are maintained.
- Amazon S3: Provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements. It gives you flexibility in the way you manage data for cost optimization, access control, and compliance.
Information security risks in ControlUp’s cloud are managed through external and internal audit processes, as follows:
- Code Security Inspection: For every software major release, security procedures are implemented and code security inspections are carried out by an independent third party.
- Penetration Testing: ControlUp’s cloud performs regular penetration testing and vulnerability assessments of the service and network by an independent third party.
- Audits: ControlUp’s cloud undergoes regular internal and external audits of user activities, system and application vulnerabilities, system and data access controls, configuration changes and security processes in order to detect and mitigate security risks.
- Risk Assessment: ControlUp performs regular risk assessments at least once a year, or in case there is a major change in the technical or legal environment. The purpose is to evaluate the effectiveness of current controls and determine whether new risks require additional mitigating controls.
ControlUp is committed to the customer’s data protection by using the following controls:
- Access to Customer Data: Access to customer data is protected by strict authentication and permission controls, and the data is accessed only to provide the service. Authorized customer users have constant real-time access to the stored personal data via the web-based tenant account interface.
- GDPR: ControlUp is committed to GDPR standards, a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that take place within EU member states. ControlUp’s DPA can be found here.
- Encryption: ControlUp protects files in transit between our apps and our servers, and at rest. Each file is encrypted using a strong cipher.