Q. Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
Yes, policies and procedures are established, and mechanisms are implemented to detect, address, and stabilize vulnerabilities in a timeframe that matches the Security Patch Management Standards.
Q. Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?
Yes, Compass's products are supported by leading anti-malware programs. These are connected with our cloud service offerings and are a part of all our systems.
Q. Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
Yes, we perform periodic vulnerability and configuration-compliance scans of operating systems, databases, and server applications, using suitable vulnerability management tools in line with industry standards.
Q. Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
Yes, we run network-layer vulnerability scans in line with industry standards to ensure there is no breach at the network layer.
Q. Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
Yes, to check the hygiene of the application layer, our vulnerability scans are performed as prescribed by industry standards.
Q. Will you make the results of vulnerability scans available to tenants at their request?
Yes, tenants can request vulnerability scan reports.
Q. Do you have controls and processes in place to perform host/file integrity monitoring for all systems storing and transmitting sensitive data?
Yes, in order to detect any unauthorized changes in the data or system configuration, we have a procedure in place for host/file integrity monitoring.
Q. Do you conduct daily vulnerability scans at the operating system layer?
No. Our vulnerability scans at the operating system layer are periodic rather than daily; the frequency is set to keep security measures effective and the operating system layer protected.
Q. Do you conduct daily vulnerability scans at the database layer?
No. Our vulnerability scans at the database layer are periodic rather than daily; the frequency is set to keep security measures effective and the database layer protected.
Q. Do you conduct daily vulnerability scans at the application layer?
No. Our vulnerability scans at the application layer are periodic rather than daily; the frequency is set to keep security measures effective and the application layer protected.
Q. Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?
Yes, vulnerability scans and penetration tests are conducted periodically by third parties and external services to test our security measures.
Q. Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
Yes, we have proper forensic procedures in place that include chain-of-custody management processes and controls.
Q. What controls are used to mitigate DDoS (distributed denial-of-service) attacks?
As part of the Web Application Firewall (WAF), rate limiters are installed to block excessive requests from specific IPs in order to prevent DDoS-type attacks. These are powered by intelligent daemons that also examine other identifiers, such as the URLs accessed or other client properties, to automatically blacklist possible threats either temporarily or permanently.
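The per-IP rate limiting with temporary and permanent blacklisting described above, as an added example that is not Compass's code: the thresholds, the `timestamp ip path` log format and the client IP addresses are constructed assumptions.

```python
"""Per-IP sliding-window rate limiter with temporary and permanent blacklisting.
Added illustration, not the vendor's implementation; all thresholds are assumed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window length (assumed)
MAX_REQUESTS = 5         # requests allowed per IP per window (assumed)
TEMP_BAN_SECONDS = 60    # first offence: temporary blacklist (assumed)
PERMANENT_AFTER = 2      # offences before the IP is blacklisted permanently (assumed)


class RateLimiter:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.banned_until = {}           # ip -> ban expiry timestamp (inf = permanent)
        self.offences = defaultdict(int)

    def allow(self, ip, ts):
        """Return True if the request from `ip` at time `ts` may pass the WAF."""
        expiry = self.banned_until.get(ip)
        if expiry is not None and ts < expiry:
            return False                          # still blacklisted
        window = self.hits[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                      # forget requests older than the window
        window.append(ts)
        if len(window) > MAX_REQUESTS:            # burst detected: blacklist the IP
            self.offences[ip] += 1
            permanent = self.offences[ip] >= PERMANENT_AFTER
            self.banned_until[ip] = float("inf") if permanent else ts + TEMP_BAN_SECONDS
            window.clear()
            return False
        return True


def replay(log_lines):
    """Feed 'timestamp ip path' lines through the limiter; return per-IP allow/deny decisions."""
    limiter = RateLimiter()
    decisions = defaultdict(list)
    for line in log_lines:
        ts, ip, _path = line.split()
        decisions[ip].append(limiter.allow(ip, float(ts)))
    return dict(decisions)


# Constructed sample log: 10.0.0.5 bursts twice (second burst after its temporary ban
# expires and so earns a permanent ban); 10.0.0.9 stays within limits throughout.
SAMPLE_LOG = (
    [f"{t} 10.0.0.5 /login" for t in range(7)]
    + ["8 10.0.0.9 /home", "30 10.0.0.5 /login", "70 10.0.0.5 /login"]
    + [f"{t} 10.0.0.5 /login" for t in range(71, 76)]
    + ["200 10.0.0.9 /about", "500 10.0.0.5 /login"]
)
```

Running `replay(SAMPLE_LOG)` shows the first five requests from 10.0.0.5 pass, the sixth trips the temporary ban, the IP is admitted again once the ban lapses, and the second burst makes the ban permanent.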
Q. Is there a cloud audit program to address the client's audit and assessment requirements?
Yes, in our cloud audit program we analyse and address all audit and assessment requirements put forth by the tenant.
Q. Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
Yes, we have proper forensic procedures for data collection and analysis during incident response.
Q. Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
Yes, we can freeze one tenant's data from a specific point in time without freezing other tenants' data if need be.
Q. Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Yes. Tenant data separation is enforced and attested to whenever data is produced in response to legal subpoenas.
Q. Give details of the platform on which the application is developed.
The Compass Platform is built on a microservices architecture, with each application running as an independent service, and is deployed on the AWS cloud platform.
Q. Does your product provide/support mobility through native mobile apps etc.?
Yes, our product is supported by a comprehensive web and mobile application that can be accessed via desktop and mobile devices.
Q. Do you offer configurability in your SaaS solution? Give the options if available.
Our platform can be white-labelled to match the look and feel of the tenant's platform. The emails are also customizable for a personal touch.
Q. Do you support out-of-the-box integration with on-premise applications such as SAP, Active Directory, etc.?
Yes, Compass comes with a full set of integrations with various platforms for enriched utility and maximum output from the platform.
Q. What types of advisory and technical support are provided?
Compass's customer support team is available at all times to address any queries and provide advisory and technical support.
Q. How does the Cloud Service Provider protect keys, and what security controls are in place to affect that?
Each tenant's data is uniquely encrypted using a client-specific key. We use AES 256-bit encryption for data at rest.
Q. Are hardware security modules used to protect such keys? Who has access to such keys?
Yes, hardware security modules are used to protect these keys, and the key access lies with the Chief Technical Office.
Q. What procedures are in place to manage and recover from the compromise of keys?
We use the AWS Key Management Service to manage all keys. In the event that keys are compromised, they can be recovered through the Key Management Service.
Q. If an advanced warning is given for service interruption, will it count as downtime?
Yes, a service interruption announced in advance still counts as downtime.
Q. What is the SLA (Time) for different levels of support for different incidents and change requests? Standard example: Critical - 2 hrs. or less, Moderate - 4 hrs. or less, Minimum - 8 hrs. or less
Support response times range from six to forty-eight hours, depending on the level of service and the severity of the incident.
Q. Do you have penalty clauses in the event of performance failure?
No, there is no penalty clause attached in the event of a performance failure.
Q. Does the application have robust backup and restore procedures? Is the duration configurable? Can you share your DR strategy and test results? Is it active-active?
As a SaaS product, we handle backup and restore of all customer data ourselves. We use AES-256 encryption for data at rest. Our DR setup is a multi-AZ deployment with periodic backups. BCP/DR is active-passive.
Q. How is data isolated between customers? Is the data in non-prod instances refreshed with prod data and masked? If data masking is performed, how configurable are the masking scripts? What protection is used for prod data at rest and in transit?
We use logical data isolation with the help of company-specific encryption keys. Data in the non-production environment is not refreshed with production data; we generate separate test data instead. Data in transit: TLS 1.2. Data at rest: AES-256.
Q. How many instances are to be provided and supported? How seamless is the product upgrade release? What is the hosting model: public, private, hybrid, etc.?
We are a SaaS solution, and hosting is handled by us. No instances are needed from the client. We use the public cloud for hosting.
Q. What is the RTO and RPO? Can you share the latest DR strategy test results?
RTO is 6 hours and RPO is 6 hours. Yes, we can share the latest DR strategy test results upon request.
Q. What are WCAG Guidelines?
The Web Content Accessibility Guidelines (WCAG) define how to make web content more accessible to people with disabilities. Accessibility covers a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.
Q. Do you comply with WCAG Guidelines?
Yes. We always give our best to make sure that our applications are developed as per WCAG guidelines and help differently abled people across the globe.
Q. Can people with disabilities use your website and application without barriers?
Yes. We ensure that people with disabilities can use our websites and applications without difficulty. Our website and products offer simple options with good visibility of the content.
Q. Do you consider WCAG guidelines during product development?
Yes. We always consider the WCAG guidelines for helping differently abled people.
Q. Do you conduct periodic reviews and improve the website or applications?
Yes. We periodically review our website and applications and make all necessary changes in line with the guidelines.