Trust center
Information Security
Keeping our customers’ information secure is the highest priority at CyberVadis. Our security-first approach is fundamental to our business.
Our board is committed to providing and maintaining the level of Quality and Information Security that meets all of our stakeholders’ needs.
Our purposes are to:
– promote a culture that enables each employee to do their job right, the first time and every time, in a safe and stimulating work environment;
– ensure transparency on our realization of the business activities;
– preserve the availability, integrity, confidentiality and traceability of our information assets and maintain our legal and contractual compliance;
– examine systematically the organisation information security risks and implement the security controls to address the risks deemed unacceptable;
– set clear and mutually beneficial relationships with relevant interested parties and try to exceed their expectations where possible.
We incorporate security practices at all the levels described in this document.
For this reason, CyberVadis has established an Information Security management system (ISMS) which is certified ISO27001 and which enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk assessment. We have a security incident management process in place in order to detect and remediate security incidents in the future. Penetration tests are performed on a regular basis in order to evaluate our IT infrastructure and identify vulnerability and improvement areas.
The ISMS allows us to ensure the availability, integrity, confidentiality, and traceability of information.
Policies and Processes include:
Contractual Privacy Protection
for Customers
The terms and conditions of the CyberVadis assessment platform have been designed to guarantee your data confidentiality. The information you provide is kept confidential and cannot be shared without your approval. Learn more in our terms and conditions
Security Training and Information
security policies
One major pillar for the success of the ISMS is security awareness of all CyberVadis employees. CyberVadis Employees are regularly trained on information security to keep them updated about current issues and best practices by attending a yearly refresher training and taking a test on our practices and policies.
All newly hired employees have to participate in mandatory information security training as part of the induction training. CyberVadis employees must follow the set of information security policies that are regularly reviewed. Employees also go through a regular phishing test to raise cyber awareness.
EU General Data Protection Regulation
CyberVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller CyberVadis is committed to comply with regulations and to put in place the best practices.
CyberVadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system.
We use the ISO 27701 framework to meet GDPR requirements our data protection practices and compliance are confirmed by a third party audit.
For the data processing performed outside of the EU, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries. We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers to have data hosted on servers based in Europe. We use the following major processors:
Intercom
Address
55 2nd Street
4th Floor
San Francisco,
CA 94105 USA
Purpose
Customer communication
Salesforce
Address
2 Henry Adams St,
San Francisco,
CA 94103 USA
Purpose
CRM
Microsoft Azure
Address
Microsoft Campus,
Redmond,
WA 98052 USA
Purpose
Hosting of the Cybersecurity assessment platform
Address
1600 Amphitheatre Parkway
Mountain View,
CA 94043 USA
Purpose
Data Processing
We are awaiting recommendations on additional measures to be issued by the French Data protection authority CNIL concerning the possibilities of transferring data to the United States based on SCCs (or BCR). Depending on their opinion, we will take further action.
Code of conduct and Confidentiality agreements
CyberVadis employees are required to sign a code of conduct and a confidentiality clause as part of their employment contract prior to access to our platform. The clause prohibits any disclosures of confidential information concerning the business of CyberVadis and its customers. The obligations and duties remain valid even after termination.
CyberVadis’ online collaborative platform enables companies to assess and monitor supply chain information security performance and the information security management system governing development and operations thereof is ISO/IEC 27001:2013 certified, one of the world’s most widely recognized information security standards.
Access the PwC database.
Our Compliance is certified by PwC Certification B.V, an independent and accredited certification body.
View the Statement of Applicability
Data Center and Network Security
Customers upload data for storage and processing within applications that are hosted on our cloud platforms.
We ensure the confidentiality and integrity of customer data with industry best practices.
CyberVadis’ services are hosted at ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2 certified Microsoft Azure data centers located within the EU.
Microsoft Azure’s data centers are certified to comply with the most comprehensive portfolio of internationally-recognized standards and certifications of any cloud service provider. Microsoft takes a layered approach to physical security. Data centers managed by Microsoft have extensive layers of protection: access approval, at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.
This layered approach reduces the risk of unauthorized users gaining physical access to data and the data center resources.
Segregation of Production & non-Production Environments
Production & Non-Production environments are segregated at all levels: CyberVadis utilizes different tenants and domains for production & non-production environments.
Uptime over 99%
CyberVadis’ aims to provide services with a 99% availability. CyberVadis actively monitors all critical systems within the production environment. Both the availability and the performance of our applications are monitored.
Continuous Data Backup
CyberVadis is running scheduled backups, to ensure that customer data is both backed up and available on geographically dispersed locations, physically separated from the primary CyberVadis storage, aiming to ensure recovery.
Tenable Network Security Infrastructure
CyberVadis uses industry-standard network protection procedures, including network segregation, log aggregation and alerting.
Privileged Access Control
Access to production infrastructure is granted to a limited number of senior personnel with 2-factor authentication required for all accounts. CyberVadis employs RBAC and follows the principles of need-to-know and least-privilege in enforcing its access matrix. All access to infrastructure resources is properly logged and is subject to periodic audits and forensic exploration.
Application Security
We take steps to develop and test against security threats to ensure the information
security of our customer data.
Software Development Lifecycle
CyberVadis’ Software Development Life Cycle (SDLC) includes several stages to ensure that changes are documented, implemented on a source controlled version of the code, reviewed and tested against the acceptance criteria. Releases to each environment must happen through an automated, repeatable and controlled process.
Audits & Penetration Testing
In addition to our internal scanning and testing, we periodically undergo third-party black/grey box penetration tests on all our services (infrastructure & application). Furthermore, CyberVadis partners with third-parties for architectural audits on a regular basis.
Authentication and Access Control
Each user in CyberVadis has a unique account with a verified email address, and protected with a password, which are validated against strong password policies and stored securely using a strong hashing algorithm for every password.
Encryption in Transit
Communications with CyberVadis services are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS 1.2 at least) over public networks. We use public trusted digital certificates, signed by an authorized Certificate Authority.
Encryption at Rest
All customers of CyberVadis benefit from the protections of encryption at rest for the storage layer.
Document Encryption
Each customer’s documents are stored in a segregated container. Each document is individually encrypted using a unique account key and employing envelope encryption before being stored on additionally encrypted-at-rest storage.
Document Retention
Documents are automatically removed 3 years after the publishing date of the last assessment they are attached to.
We offer the option to remove documents upon prior written request once a performance is published. By requesting the removal of documents, the requester cedes their access to any review option for their assessment results.
Document Transfer
Documents uploaded to CyberVadis for the purposes of the cybersecurity assessment are never shared without the owner’s explicit consent.