top of page

Application & Interface Security *

Application Security

CAIQ ID: AIS-01.2

  • Do you use an automated source code analysis tool to detect security defects in code prior to production?

  • Source code analysis scans are run automatically on code changes to detect  security vulnerabilities as part of our continuous integration process.

CAIQ ID: AIS-01.5

  • (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

  • Yes. All security defects found during review or testing are remediated prior to deployment to production. Internally, we treat these as an ‘automatic’ top priority.

Customer Access Requirements

CAIQ ID: AIS-02.1

  • Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

  • Yes. We provide full details of this via our customer agreement and privacy policy on our website.

Data Integrity

CAIQ ID: AIS-03.1

  • Does your data management policies and procedures require audits to verify data input and output integrity routines?

  • Yes. We check the validity of data input prior to ingestion and to sanitize all outputs. We have tests, static security code scanning tools and human review. All data schema migrations need to follow standard code review procedures.

Audit Assurance & Compliance*

Independent Audits

CAIQ ID: AAC-02.1

  • Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

  • No. However, we rely on our server host’s audit, and they are SOC 2 and ISO 27001 certified.

CAIQ ID: AAC-02.2

  • Do you conduct network penetration tests of your cloud service infrastructure at least annually?

  • We run a public bug bounty security program. We are under a 24/7 security audit performed by the people participating in the program.

CAIQ ID: AAC-02.3

  • Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?

  • Yes. See previous answer.

Information System Regulatory Mapping

CAIQ ID: AAC-03.1

  • Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

  • Yes. We review the regulatory landscape on a quarterly basis and make changes to our internal policies & documentation as a result.

Business Continuity Management & Operational Resilience

Business Continuity Testing

CAIQ ID: BCR-02.1

  • Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?

  • Yes. We review our business continuity plan on an annual basis (or upon significant organizational and environmental change) and make changes to our internal policies & documentation as a result.

Policy

CAIQ ID: BCR-10.1

  • Are policies and procedures established and made available for all personnel to adequately support services operations’ roles?

  • Yes. We continuously update our customer documentation, our internal documentation & staff training material. We use source control systems to store and publish these to ensure there is change tracking. Our engineers rotate into support roles on a regular basis to ensure that everybody is clear on how to support our customers and services.

Retention Policy

CAIQ ID: BCR-11.1

  • Do you have technical capabilities to enforce tenant data retention policies?

  • Yes. We have technical controls enforcing data retention policies.

CAIQ ID: BCR-11.3

  • Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?

  • Yes.

CAIQ ID: BCR-11.7

  • Do you test your backup or redundancy mechanisms at least annually?

  • Yes

Change Control & Configuration Management

Unauthorized Software Installations

CAIQ ID: CCC-04.1

  • Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

  • Yes. We automate the provisioning of the infrastructure we use to deliver our services. We only rely on trusted sources, access to systems is monitored.

Data Security & Information Lifecycle Management

E-commerce Transactions

CAIQ ID: DSI-03.1

  • Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?

  • Yes

CAIQ ID: DSI-03.2

  • Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

  • Yes. All data transferred by our infrastructure components is either transferred through private networks or by using encryption via TLS 1.2 and above.

Nonproduction Data

CAIQ ID: DSI-05.1

  • Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

  • Environments are isolated and data is never shared. Production data is only accessible by support personnel working on our infrastructure.

Secure Disposal

CAIQ ID: DSI-07.1

  • Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?

  • All logs and backups are deleted after the retention period. Secure deletion is managed by our datacenter provider.

CAIQ ID: DSI-07.2

  • Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?

  • If customers would like to stop using our product, our website makes it easy to cancel or deactivate their account. Data from live databases are deleted shortly after that.

Datacenter Security

Asset Management

CAIQ ID: DCS-01.2

  • Do you maintain a complete inventory of all of your critical assets located at all sites/ or geographical locations and their assigned ownership?

  • All Prodity assets are tracked and owned by the Operations and Security team.

Controlled Access Points

CAIQ ID: DCS-02.1

  • Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems?

  • All cloud infrastructure is hosted on Microsoft Azure that implements such physical security measures. We can share the audit report after establishing a non-disclosure agreement (NDA).

User Access

CAIQ ID: DCS-09.1

  • Do you restrict physical access to information assets and functions by users and support personnel?

  • See previous answer.

Encryption & Key Management

Key Generation

CAIQ ID: EKM-02.1

  • Do you have the capability to allow creation of unique encryption keys per tenant?

  • Yes. Each tenant’s sensitive data within an Prodity database is encrypted with its own unique Master Key. Our cloud provider provides encryption at rest for all other storage. For more information please refer to the Azure customer data protection documentation.

Encryption

CAIQ ID: EKM-03.1

  • Do you encrypt tenant data at rest (on disk/storage) within your environment?

  • Sensitive database fields are encrypted at rest. Passwords are stored, hashed and salted using bcrypt with a work function of 12. Backups are encrypted using the AES-256 cipher.

Governance and Risk Management

Baseline Requirements

CAIQ ID: GRM-01.1

  • Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?

  • Yes. All of our infrastructure provisioning is automated. Changes to these templates must undergo code review.

Policy

CAIQ ID: GRM-06.1

  • Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

  • Our information security policy is available to all employees and follows industry best practices.

Policy Enforcement

CAIQ ID: GRM-07.1

  • Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

  • Yes. These actions are enforced by our employment contracts and defined in our policies.

Policy Reviews

CAIQ ID: GRM-09.1

  • Do you notify your tenants when you make material changes to your information security and/or privacy policies?

  • Yes.

CAIQ ID: GRM-09.2

  • Do you perform, at minimum, annual reviews of your privacy and security policies?

  • Yes.

Human Resources

Asset Returns

CAIQ ID: HRS-01.1

  • Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally owned assets?

  • Yes.

Background Screening

CAIQ ID: HRS-02.1

  • Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?

  • Yes.

Employment Agreements

CAIQ ID: HRS-03.1

  • Do your employment agreements incorporate provisions and/or terms in adherence to established information governance and security policies?

  • Yes

Employment Termination

CAIQ ID: HRS-04.1

  • Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?

  • Yes.

Training / Awareness

CAIQ ID: HRS-09.5

  • Are personnel trained and provided with awareness programs at least once a year?

  • Yes. Our new hires are inducted with a security awareness program. Beyond that our people are coached on an as needed basis.

Identity & Access Management

Audit Tools Access

CAIQ ID: IAM-01.1

  • Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?

  • Yes. Our cloud vendors provide alerts and logging of unusual login behavior which are actioned by operations and security team members. Only authorized engineers are granted access to our information security systems.

CAIQ ID: IAM-01.2

  • Do you monitor and log privileged access (e.g., administrator level) to information security management systems?

  • Yes. Our systems are provided by cloud products and we’re able to log administrator level access via their tooling.

User Access Policy

CAIQ ID: IAM-02.1

  • Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?

  • Yes. We have an offboarding plan for staff that leave Prodity, only authorized engineers are able to access the production environment.

Policies and Procedures

CAIQ ID: IAM-04.1

  • Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?

  • Yes.

Source Code Access Restriction

CAIQ ID: IAM-06.1

  • Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

  • Access to our infrastructure is only provided for developers. Source code is managed within GitHub, and we only allow access to authorized personnel.

CAIQ ID: IAM-06.2

  • Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?

  • We are a SaaS; our customers are only able to access Prodity via web and official apps.

User Access Restriction / Authorization

CAIQ ID: IAM-08.1

  • Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege?

  • Access to customer data is restricted to our live infrastructure. It is only granted to support personnel working on our live infrastructure and access is documented internally.

User Access Reviews

CAIQ ID: IAM-10.1

  • Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege, by business leadership or other accountable business role or function?

  • Yes.

User Access Revocation

CAIQ ID: IAM-11.1

  • Is timely deprovisioning, revocation, or modification of user access to the organizations systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?

  • Yes

Infrastructure & Virtualization Security

Audit Logging / Intrusion Detection

CAIQ ID: IVS-01.1

  • Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

  • Not Applicable. The majority of our cloud infrastructure is provided by PaaS applications, so this doesn’t apply. Our workers are built on IaaS which will alert us to anomalous network or egress traffic behavior. Our website is protected by a web application firewall.

CAIQ ID: IVS-01.2

  • Is physical and logical user access to audit logs restricted to authorized personnel?

  • Yes

CAIQ ID: IVS-01.5

  • Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

  • Yes. The cloud services we use provide alerting for anomalous access & failed access attempts; these are human reviewed as required. Application errors and uptime notifications are also reviewed as needed.

Clock Synchronization

CAIQ ID: IVS-03.1

  • Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?

  • We ensure time-synchronization on all hosts.

OS Hardening and Base Controls

CAIQ ID: IVS-07.1

  • Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?

  • Our operating systems contain only packages required for our apps to be run and monitored properly. We follow all the standard security procedures.

Production / Non-Production Environments

CAIQ ID: IVS-08.1

  • For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?

  • We’re a SaaS-only provider. separate environments for production and test processes doesn't make sense for our customers. We do allow trial accounts to be created without restrictions.

CAIQ ID: IVS-08.3

  • Do you logically and physically segregate production and non-production environments?

  • Yes

Segmentation

CAIQ ID: IVS-09.1

  • Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

  • Our system and network environments are sufficiently segregated with separate access restrictions to ensure security requirements.

VMM Security - Hypervisor Hardening

CAIQ ID: IVS-11.1

  • Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?

  • Access to the hosted environment’s administrative console is restricted to authorized personnel only and based on the principle of least privilege.

Wireless Security

CAIQ ID: IVS-12.1

  • Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?

  • Yes. We offer authorized devices Wi-Fi access to allow internet access. Wi-Fi access is granted according to our Wi-Fi policy.

CAIQ ID: IVS-12.2

  • Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?

  • Yes.

CAIQ ID: IVS-12.3

  • Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?

  • Yes

Interoperability & Portability

APIs

CAIQ ID: IPY-01.1

  • Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?

  • Not Applicable

Mobile Security

Approved Applications

CAIQ ID: MOS-03.1

  • Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?

  • Prodity does not issue mobile devices to employees to work.

Security Incident Management, E-Discovery, & Cloud Forensics

Incident Management

CAIQ ID: SEF-02.1

  • Do you have a documented security incident response plan?

  • Yes.

CAIQ ID: SEF-02.4

  • Have you tested your security incident response plans in the last year?

  • Not Applicable

Incident Reporting

CAIQ ID: SEF-03.1

  • Are workforce personnel and external business relationships adequately informed of their responsibility, and, if required, consent and/or contractually required to report all information security events in a timely manner?

  • Our employees are trained in how to communicate incidents internally and our customers will be kept informed of incidents if those affect them.

CAIQ ID: SEF-03.2

  • Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations?

  • See previous question.

Incident Response Legal Preparation

CAIQ ID: SEF-04.4

  • Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

  • All database and log data from our apps can be extracted if needed.

Supply Chain Management, Transparency, and Accountability

Incident Reporting

CAIQ ID: STA-02.1

  • Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

  • Yes.

Network / Infrastructure Services

CAIQ ID: STA-03.1

  • Do you collect capacity and use data for all relevant components of your cloud service offering?

  • Multiple tools are used for the tracking of use and capacity data to forecast capacity planning and determine the potential cause of anomalous usage patterns.

Third Party Agreements

CAIQ ID: STA-05.4

  • Do third-party agreements include provision for the security and protection of information and assets?

  • Yes.

CAIQ ID: STA-05.5

  • Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

  • No. We will implement it in the 2nd Q. in 2025.

Supply Chain Metrics

CAIQ ID: STA-07.4

  • Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?

  • Not Applicable. Prodity doesn’t offer SLA or SLA Performance monitoring.

Third Party Audits

CAIQ ID: STA-09.1

  • Do you mandate annual information security reviews and audits of your third-party providers to ensure that all agreed upon security requirements are met?

  • While we review the security of third-party providers frequently we do not require annual security reviews to ensure agreed security requirements.

Threat and Vulnerability Management

Antivirus / Malicious Software

CAIQ ID: TVM-01.1

  • Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components?

  • Security and vulnerability management for infrastructure is tackled via automated tools that review our source code, and ultimately human review. Employees are required to use Bitdefender anti-malware feature and keep the system updated.

Vulnerability / Patch Management

CAIQ ID: TVM-02.5

  • Do you have the capability to patch vulnerabilities across all of your computing devices, applications, and systems?

  • Our infrastructure is patched with automated operating system updates. We also update manually all libraries and external dependencies as we are subscribed to all relevant sources. We use an endpoint security solution to keep all work machines updated and following best practices.

Mobile Code

CAIQ ID: TVM-03.1

  • Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?

  • Not Applicable. We don’t issue employees with mobile technology such as mobile phones or tablets.

bottom of page