Tapper security posture
Introduction
At Tapper, we are committed to protecting the privacy and security of our users' and customers' data. This document outlines our security and privacy posture, as well as the measures we take to ensure the confidentiality, integrity, and availability of our users' and customers' data.
Information Security Program
At Tapper, we take information security seriously and strive to ensure the highest level of protection for your personal data. Our Information Security Program follows industry best practices, policies, and procedures to guard against unauthorized access and protect your information. We conduct regular reviews and enhancements to comply with the latest industry standards and regulations. Our security controls include:
Endpoint and extended detection and response (EDR/XDR)
Endpoint Mobile Device Management (MDM)
Cloud security posture management (CSPM) and cloud workload protection (CWP)
Vulnerability monitoring (OWASP Top 10, SAST, CAST, IaC scanning)
Vendor risk management platforms
Data loss prevention (DLP) tools
Web application firewall (WAF)
Log management
Security information and event management (SIEM) for log monitoring
Moreover, we operate a security operations center (SOC) that works 24/7 to quickly identify and respond to potential security threats.
We are committed to maintaining the highest level of information security and protecting your data. If you have any questions or concerns about our Information Security Program, please don't hesitate to reach out to us at: support@tapper.ai
Network Security
We use firewalls, intrusion detection and prevention systems, and other network security measures to protect our systems from unauthorized access and attacks. We regularly monitor our network for anomalies and suspicious activity and have a response plan in place to address any potential security incidents.
System Security
We follow industry-standard security best practices to secure our systems and infrastructure. This includes regular patching and updates, vulnerability scanning and remediation, and system hardening. We also use endpoint protection and other security tools to protect our systems from malware and other threats.
Security Operations
We have a dedicated security operations team responsible for monitoring and responding to security incidents. Our security operations team uses industry-standard tools and techniques to detect and respond to potential threats and works closely with other teams to ensure a coordinated response.
Restricted Access
We limit access to our systems and data to authorized personnel only. We use Role-Based Access Control (RBAC) and two-factor authentication (2FA) so that users are granted only the access appropriate to their role and their identities are verified. Remote access is secured with VPNs, a Zero Trust approach, and other security measures.
Logging
We maintain detailed logs of system activity to help us detect potential security incidents and investigate any issues. Our logs are protected, stored securely, and regularly reviewed to ensure their effectiveness. Our logging system includes appropriate access controls and audit trails to ensure the integrity of our logs.
Application-Level Security
We implement security-oriented design in multiple layers, including the application layer. The Tapper application is developed with the OWASP Top 10 as the baseline for web application risks, and all code is peer-reviewed before deployment to production. Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, and unit testing. Tapper developers undergo periodic security training to stay current with secure development practices. We also protect our applications and APIs with a web application firewall and, at the cloud layer, with CSPM.
Data Protection, Continuity, and Retention
We follow industry-standard best practices to protect our users' data. This includes data encryption at rest and in transit, regular backups, and disaster recovery and business continuity plans. We also have retention policies in place to ensure that data is retained only as long as necessary.
Internal IT Security
We follow industry-standard best practices to ensure the security of our internal systems and infrastructure. This includes regular patching and updates, endpoint protection, MDM, and other security measures to protect against potential threats.
Change Management
We follow a rigorous change management process to ensure that changes to our systems and infrastructure are properly tested and validated before being implemented in production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Vulnerability Management
Our vulnerability management program detects and resolves security vulnerabilities promptly, following industry best practices that include regular scanning and testing aligned with OWASP and NIST guidance. Testing covers both applications and infrastructure with a combination of manual and automated tools. We prioritize high-risk vulnerabilities and retest after remediation to confirm that fixes are effective.
Encryption
We use encryption to protect data at rest and in transit. Web traffic is served over HTTPS, and all data transmitted between the end user and Tapper is encrypted with TLS (the successor to SSL). Sensitive data, backups, and other stored data are encrypted at rest with industry-standard algorithms, using keys managed by AWS Key Management Service (KMS).
High Availability
We use multiple AWS & Azure regions and redundant systems to ensure high availability and minimize downtime. Our systems are designed to be highly available to ensure that our users can access our services and their data when they need it. This includes using redundant hardware and networks and implementing appropriate failover and disaster recovery measures.
Security Incident Management
We have a security incident management process in place to ensure that potential security incidents are identified, contained, and remediated in a timely manner. Our security incident management process includes a defined response plan, communication protocols, and regular training for our security operations team.
Resilience and Service Continuity
We have a disaster recovery and business continuity plan in place to ensure that our service remains available in the event of a major disruption. This includes regular testing of our disaster recovery plan and backup systems, and a process for prioritizing and restoring critical systems during an outage.
Backups and Recovery
We maintain regular backups of our systems and data to ensure that we can quickly recover from a major disruption. Our backup systems are securely stored and regularly tested to ensure their effectiveness.
Monitoring and Resilience
We operate 24/7 monitoring and resilience measures so that our systems and services function properly and potential disruptions are identified and remediated promptly. This includes monitoring and alerting tooling and regular testing of our resilience measures.
Access Controls
We use RBAC, 2FA, Single Sign-On (SSO), and other access control measures to ensure that only authorized personnel have access to our systems and data. We regularly review and update our access control policies to ensure their effectiveness, and we conduct periodic user access reviews across all company applications, systems, and tools.
Password Controls
We follow industry-standard password policies to ensure the security of our users' accounts. This includes requiring strong passwords, enforcing regular password changes, and using other password protection measures.
Security Organization and Program
We have a dedicated security team responsible for ensuring the ongoing security and compliance of our systems and services. Our security team works closely with other teams to ensure a coordinated response to potential threats, and regularly reviews and updates our security program to address new risks and vulnerabilities.
Confidentiality
We maintain strict confidentiality controls to protect our users' data and other sensitive information. This includes restricting access to sensitive information, using encryption and other security measures to protect data in transit and at rest, and following appropriate retention and deletion policies.
People Security
We conduct regular security awareness training for our employees to ensure that they understand and follow our security policies and procedures. We also conduct other security checks on new employees to ensure their trustworthiness.
Third-Party Vendor Management
We have a vendor management program to ensure that third-party vendors with access to our systems and data maintain appropriate security and privacy controls. We conduct security assessments and due diligence on our vendors, bind them contractually to security requirements, and regularly review and update our third-party vendor management policies and procedures.
Security by Design
We follow a security-by-design approach to ensure that security is built into our systems and infrastructure from the ground up. This includes using industry-standard security frameworks, conducting regular security reviews, following secure coding practices, implementing appropriate security controls and policies at every stage of the development lifecycle, and regularly reviewing and updating our security-by-design practices and procedures.
Secure Development Practice
We follow secure development practices to ensure our applications are designed and developed with security in mind. This includes conducting regular application security testing, using secure coding practices, and following secure development methodologies.
Staged Releases
We follow a staged release process to ensure that new features and updates are properly tested and validated before being released to production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Architecture and Data Segregation
We follow a multi-layered security architecture and data segregation techniques so that our users' data is appropriately segmented and isolated. This includes network and data segmentation and access control measures that enforce that segregation.
Physical Security
We follow industry-standard physical security measures to ensure the security of our facilities. This includes using access controls, surveillance, and other measures to prevent unauthorized access and protect our systems and assets.
SOC 2 Type 2
We hold a SOC 2 Type 2 attestation report. We follow industry-standard security and privacy controls, and an independent third-party auditor has examined the design and operating effectiveness of those controls over time against the SOC 2 Trust Services Criteria.
GDPR Ready
We comply with the EU's General Data Protection Regulation (GDPR) to ensure that our users' personal data is processed lawfully, fairly, and transparently. We have implemented appropriate technical and organizational measures to protect our users
Updated on: 18/08/2024