Keeping our customers’ information secure is the highest priority at CyberVadis. Our security-first approach is fundamental to our business.
Our board is committed to providing and maintaining the level of Quality and Information Security that meets all of our stakeholders’ needs.
Our purposes are to:
– promote a culture that enables each employee to do their job right, the first time and every time, in a safe and stimulating work environment;
– ensure transparency on our realization of the business activities;
– preserve the availability, integrity, confidentiality and traceability of our information assets and maintain our legal and contractual compliance;
– examine systematically the organisation information security risks and implement the security controls to address the risks deemed unacceptable;
– set clear and mutually beneficial relationships with relevant interested parties and try to exceed their expectations where possible.
We incorporate security practices at all the levels described in this document.
For this reason, CyberVadis has established an Information Security management system (ISMS) which is certified ISO27001 and which enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk assessment. We have a security incident management process in place in order to detect and remediate security incidents in the future. Penetration tests are performed on a regular basis in order to evaluate our IT infrastructure and identify vulnerability and improvement areas.
The ISMS allows us to ensure the availability, integrity, confidentiality, and traceability of information.
Policies and Processes include:
The terms and conditions of the CyberVadis assessment platform have been designed to guarantee your data confidentiality. The information you provide is kept confidential and cannot be shared without your approval. Learn more in our terms and conditions
One major pillar for the success of the ISMS is security awareness of all CyberVadis employees. CyberVadis Employees are regularly trained on information security to keep them updated about current issues and best practices by attending a yearly refresher training and taking a test on our practices and policies.
All newly hired employees have to participate in mandatory information security training as part of the induction training. CyberVadis employees must follow the set of information security policies that are regularly reviewed. Employees also go through a regular phishing test to raise cyber awareness.
CyberVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller CyberVadis is committed to comply with regulations and to put in place the best practices.
CyberVadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system.
We use the ISO 27701 framework to meet GDPR requirements our data protection practices and compliance are confirmed by a third party audit.
For the data processing performed outside of the EU, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries. We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers to have data hosted on servers based in Europe. We use the following major processors:
We are awaiting recommendations on additional measures to be issued by the French Data protection authority CNIL concerning the possibilities of transferring data to the United States based on SCCs (or BCR). Depending on their opinion, we will take further action.
CyberVadis employees are required to sign a code of conduct and a confidentiality clause as part of their employment contract prior to access to our platform. The clause prohibits any disclosures of confidential information concerning the business of CyberVadis and its customers. The obligations and duties remain valid even after termination.
CyberVadis’ online collaborative platform enables companies to assess and monitor supply chain information security performance and the information security management system governing development and operations thereof is ISO/IEC 27001:2013 certified, one of the world’s most widely recognized information security standards.
Our Compliance is certified by PwC Certification B.V, an independent and accredited certification body.
View the Statement of Applicability
Customers upload data for storage and processing within applications that are hosted on our cloud platforms.
We ensure the confidentiality and integrity of customer data with industry best practices.
CyberVadis’ services are hosted at ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2 certified Microsoft Azure data centers located within the EU.
Microsoft Azure’s data centers are certified to comply with the most comprehensive portfolio of internationally-recognized standards and certifications of any cloud service provider. Microsoft takes a layered approach to physical security. Data centers managed by Microsoft have extensive layers of protection: access approval, at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.
This layered approach reduces the risk of unauthorized users gaining physical access to data and the data center resources.
Production & Non-Production environments are segregated at all levels: CyberVadis utilizes different tenants and domains for production & non-production environments.
Uptime over 99%
CyberVadis’ aims to provide services with a 99% availability. CyberVadis actively monitors all critical systems within the production environment. Both the availability and the performance of our applications are monitored.
CyberVadis is running scheduled backups, to ensure that customer data is both backed up and available on geographically dispersed locations, physically separated from the primary CyberVadis storage, aiming to ensure recovery.
CyberVadis uses industry-standard network protection procedures, including network segregation, log aggregation and alerting.
Access to production infrastructure is granted to a limited number of senior personnel with 2-factor authentication required for all accounts. CyberVadis employs RBAC and follows the principles of need-to-know and least-privilege in enforcing its access matrix. All access to infrastructure resources is properly logged and is subject to periodic audits and forensic exploration.
We take steps to develop and test against security threats to ensure the information
security of our customer data.
CyberVadis’ Software Development Life Cycle (SDLC) includes several stages to ensure that changes are documented, implemented on a source controlled version of the code, reviewed and tested against the acceptance criteria. Releases to each environment must happen through an automated, repeatable and controlled process.
In addition to our internal scanning and testing, we periodically undergo third-party black/grey box penetration tests on all our services (infrastructure & application). Furthermore, CyberVadis partners with third-parties for architectural audits on a regular basis.
Each user in CyberVadis has a unique account with a verified email address, and protected with a password, which are validated against strong password policies and stored securely using a strong hashing algorithm for every password.
Communications with CyberVadis services are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS 1.2 at least) over public networks. We use public trusted digital certificates, signed by an authorized Certificate Authority.
All customers of CyberVadis benefit from the protections of encryption at rest for the storage layer.
Each customer’s documents are stored in a segregated container. Each document is individually encrypted using a unique account key and employing envelope encryption before being stored on additionally encrypted-at-rest storage.
Documents are automatically removed 3 years after the publishing date of the last assessment they are attached to.
We offer the option to remove documents upon prior written request once a performance is published. By requesting the removal of documents, the requester cedes their access to any review option for their assessment results.
Documents uploaded to CyberVadis for the purposes of the cybersecurity assessment are never shared without the owner’s explicit consent.