Security

Goava product and organizational security information.

Organization security

Does Goava undergo an external audit examination (SOC2 or equivalent) at least annually?

Goava made an ISO27001 self-assessment in May 2022 and now has an ongoing project to achieve ISO27001 certification. An external party executed a pen-test in May 2022; no vulnerabilities were identified.

Goava exclusively relies on cloud services for its IT needs. We aim to use only SOC2 certified tools. Of the services we use (AWS, Startdeliver, Trello, Github, Slack, Google Cloud/Gsuite, Segment, Heap analytics, Hubspot CRM), all but one are SOC2 certified: Startdeliver is not certified according to SOC2.

Does Goava hold ISO27001 Certification?

No, but we have made an ISO27001 self-assessment and have an ongoing project to achieve ISO27001 certification. We host our infrastructure with cloud providers who are ISO27001 certified.

The following services we use are ISO27001 certified: AWS, Trello, Slack, Google Cloud/Gsuite, Segment, and Github. Startdeliver (Customer Success CRM) does not have ISO27001 certification.

Goava IT Policy framework

Goava aims for a zero-trust network architecture, i.e. we aim to verify anything and everything trying to connect to our systems before granting access, regardless of whether a request originates from inside or outside the company perimeter.

Is there a defined process for assigning or revoking user permissions across your information systems?

When an employee joins, they are assigned permissions and access to information systems in accordance with what is needed in their role. Upon termination of employment, that access is removed on their last day of employment. This process is overseen by the employee's manager.

Is privileged access across information systems reviewed periodically?

Yes – Privileged access reviews are performed on an ad-hoc basis.

When we terminate an employee and remove their access to information systems, we also review all others who have access.

Are Generic IDs (including privileged access) used within Goava?

No – Generic IDs are not used.

Are one or more information security awareness programs undertaken?

When an employee joins the company, they are given training in the tools we use and are made to understand what security risks come with using the different tools.

Are passwords for information systems stored securely to prevent unauthorized or malicious re-use?

Yes – Passwords are stored encrypted in the database.

Is encryption used to protect the confidentiality of transmitted information, especially for personal information and confidential business information? Examples might include SSL, SSH, SFTP or IPSec.

All the services we use are encrypted with SSL.

Product security

Password security

Passwords must be a minimum of 6 characters. Passwords are encrypted.

Does the application terminate idle sessions after a reasonable period of inactivity?

Yes – Idle sessions are terminated after 60 mins.

Are Generic IDs (including privileged access) used in the application?

No. An assigned Customer Success Manager can only access the accounts they manage, using their personal ID.

Is the application incorporated into Goava's IT Disaster Recovery (DR) and Business Continuity (BC) plans, so that application operations can survive disruption or complete loss of service?

Yes – IT DR and BC plans exist but are not formally documented. Backups (AWS RDS, Amazon Elasticsearch Service) are monitored and tested regularly.

Are backups routinely scheduled as per a defined backup strategy? Are backups archived to encrypted tapes which are stored in a secure off-site location?

Yes – Backups are taken as per a defined strategy.

Are the application and underlying infrastructure configured to capture audit / event logs?

Yes – A known list of audit / event logs is captured.

Logs are monitored and reviewed using AWS CloudWatch, with centralized access management (AWS IAM). Logs are retained for a minimum of 6 months.

Does the application protect Data Subject Rights, enabling a data subject to obtain from the data controller, according to the Applicable Laws:

  • Access to their data (a data subject can make a request to be informed about the type of personal data held and how it is processed),
  • Rectification and Deletion (a data subject has the right to ask for rectification of inaccurate data processed and to request deletion of their data), and
  • Objection (a data subject has the right to object to the processing of their personal data for serious and legitimate reasons).

Yes – All requirements are complied with. The Goava application is legally protected by a certificate of publication (utgivningsbevis), meaning that GDPR and similar regulations do not apply. Goava generally grants requests to rectify or delete data.

Is production personal data that is used in test environments anonymised or pseudonymised?

Yes - For specific data sets

Is the application hosted in a secure facility which is restricted to authorised personnel only?

Yes, the application is hosted by AWS Europe (Ireland).

Do you follow any secure coding guidelines while developing applications/systems?

OWASP Top 10 is used as part of the code review checklist.

Is the personal data you process on behalf of the customer encrypted?

Data is encrypted in transit. Sensitive data is encrypted at rest.

Do you require individuals with access to the customer's data to sign confidentiality agreements?

Yes, this is covered by the Goava employment agreement.

Describe the different categories of processing being carried out, including any analysis, reporting or profiling.

Usage data is collected to improve the service and to analyse behaviour in order to make recommendations on how to improve usage.


List of data providers

Data type            Source
Company data         Proff & Asiakastieto
Board of directors   Proff & Asiakastieto
Web information      Goava
Contact information  Goava, UC & Asiakastieto
Web technologies     Builtwith
News                 Twingly
Recruitments         Goava
URLs                 Proff, UC, Crowdsourcing, Scraping Google
Social links         Goava