July 15, 2024
Industry Standard Security
- SOC 2 Type 2 Compliance
- At VIBE SMG Inc., ensuring the security of our products and services is a fundamental aspect of our operations. Our policies, procedures, and operational controls are designed with an unwavering focus on security. We proudly uphold SOC 2 Type 2 compliance, a testament to our rigorous standards. This compliance guarantees the security of your programs and data, reinforcing our dedication to protecting our clients’ interests with every service we provide.
- Annual Audits
- Audits are conducted annually by Prescient Assurance, a leader in security and compliance certifications for B2B and SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada and provides risk management and assurance services.
- Please contact us at support@rewardsnation.com for a copy of our most recent audit results.
Organizational Security
- Roles and Responsibilities
- Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well defined and documented. Our team members are required to review and accept all security policies.
- Security Awareness Training
- Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
- Confidentiality
- All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
- Background Checks
- We perform background checks on all new team members in accordance with local laws.
Cloud Security
- Cloud Infrastructure Security
- All our services leverage the security features and infrastructure of Microsoft Azure data centres. Azure employs a robust security program with multiple certifications. For more information, please visit Azure Security.
- Data Hosting Security
- All customer data is stored in Microsoft Azure data centres located in the United States and/or Canada.
- Modern Customer Data Isolation
- All customer data is isolated in separate databases to prevent any accidental or malicious co-mingling.
- Encryption at Rest
- All data is encrypted at rest to prevent unauthorized access and data breaches.
- Encryption in Transit
- Data is encrypted in transit with industry-approved protocols, ensuring customer data and sensitive information are protected at all times.
- Vulnerability Scanning
- We engage third-party penetration testing and vulnerability scanning of all production and internet-facing systems on a regular basis.
- Logging and Monitoring
- We actively monitor and log cloud service activity.
- Business Continuity and Disaster Recovery
- We use our data hosting provider’s backup services to reduce the risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
- Incident Response
- We have a process for handling information security events which includes escalation procedures, rapid mitigation, and communication.
Access Security
- Permissions and Authentication
- Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role.
- We use Single Sign-On (SSO), two-factor authentication (2FA), and strong password policies to ensure that access to cloud services is protected.
- Least Privilege Access Control
- We follow the principle of least privilege with respect to identity and access management.
- Access Reviews
- We perform annual access reviews of all team members with access to sensitive systems.
- Password Requirements
- All team members are required to adhere to a minimum set of password requirements, including complexity, for access.
- Password Managers
- All company issued devices utilize a password manager for team members to manage passwords and maintain password complexity.
Secure Development
- Secure Development Lifecycle
- All development projects, including on-premises software products and support services, follow secure development lifecycle principles.
- Security In Design
- All development of new products, tools, and services, and all major changes to existing ones, undergoes a design review to ensure security requirements are incorporated into the proposed development.
- Mandatory Code Reviews
- Code reviews are required for all code changes.
- Best Practices
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Vendor and Risk Management
- Annual Risk Assessments
- We conduct risk assessments at least annually to identify any potential threats, including considerations for fraud.
- Vendor Risk Management
- Vendor compliance certifications and security documentation are routinely reviewed, including downstream vendor management. Risk is determined and monitored throughout all vendor relationships.
Contact Us
If you have any questions, comments, or concerns, or if you wish to report a potential security issue, please contact security@vibesmg.com.