Our Controls and Subprocessors

Controls

Operational and Security Controls

Infrastructure Protection

  • Restricted Key Access: We limit the ability to manage encryption keys strictly to approved personnel with a verified operational requirement.
  • Individualized User Accounts: To access our systems and apps, every user must provide distinct credentials, such as a unique login and password or a verified Secure Shell (SSH) key.
  • Production Environment Oversight: Entry into our live application and general system infrastructure is strictly limited to cleared users.
  • Management of User Privileges: Our established protocols govern the entire lifecycle of user access, including the onboarding of new staff, role adjustments, and the prompt removal of account permissions.
  • Firewall Governance: Only authorized administrators with a legitimate business need can modify or access firewall settings.
  • Termination Procedures: We utilize comprehensive checklists to ensure that all system access is deactivated for departing employees within agreed-upon timeframes.
  • Production Network Identity: Entry into the production network requires specific authentication through unique user IDs and passwords or authorized SSH keys.
  • Encrypted External Entry: Staff members may only connect to production systems remotely through approved, high-security encrypted channels.
  • Continuous Threat Detection: We employ intrusion detection tools to provide 24/7 surveillance of our network, allowing us to spot and respond to potential security threats early.
  • Event Auditing: Log management software is utilized to record and track events that could influence our ability to meet security commitments.
  • Isolated Network Zones: Our network architecture is segmented into distinct zones to block unauthorized entry into client databases.
  • Annual Perimeter Reviews: We perform a full review of our firewall rule sets at least once a year, tracking all necessary updates to completion.
  • Firewall Implementation: We deploy active firewalls configured specifically to prevent illegitimate access to our environment.
  • Maintenance and Patching: Our service infrastructure receives regular updates and patches as part of both routine upkeep and vulnerability mitigation to defend against evolving threats.

Organizational Safeguards

  • Secure Hardware Retirement: Any electronic storage containing sensitive data is thoroughly wiped or physically destroyed using industry best practices, with official certificates issued for every device.
  • Infrastructure Inventory: We maintain a detailed, official list of all assets within our production environment.
  • Removable Drive Security: All portable storage devices are required to use encryption.
  • Malware Protection: Anti-malware software is installed on all systems at risk of attack; these tools are configured for automatic updates and centralized logging.
  • Pre-Employment Screening: We conduct thorough background checks for all incoming staff members.
  • Contractor Ethics: All third-party contractors must agree to a professional code of conduct as part of their engagement.
  • Staff Accountability: Employees must acknowledge our code of conduct upon joining, and any violations result in formal disciplinary measures.
  • Privacy Agreements: Every staff member and contractor must sign a legally binding confidentiality agreement before beginning work.
  • Annual Reviews: Managers perform formal performance assessments for their team members at least once a year.
  • Password Rigor: We enforce a strict password policy across all system components to ensure high security.
  • Mobile Management: A centralized Mobile Device Management (MDM) platform is used to oversee all mobile hardware supporting our services.
  • Physical Security for Guests: All visitors are required to register, wear identification, and remain accompanied by an employee when in secure zones or data centers.
  • Security Literacy: New hires complete security training within 30 days, followed by mandatory annual refresher courses for all staff.

Product and Service Security

  • Database Encryption: All storage systems containing sensitive client information are encrypted while at rest.
  • Self-Verification of Controls: We conduct annual internal assessments to confirm that our security measures are functioning as intended, with corrective actions taken for any findings.
  • Annual Pentesting: External penetration tests are performed at least once a year, followed by a formal remediation plan to address vulnerabilities within defined timelines.
  • Secure Data Transit: We utilize industry-standard protocols to encrypt sensitive data whenever it is moved over public internet connections.
  • Documented Oversight: Official policies govern our approach to managing vulnerabilities and monitoring our systems.

Governance and Internal Procedures

  • Business Resilience Plans: We maintain detailed Disaster Recovery and Business Continuity plans, including communication strategies to maintain security even if key staff are unavailable.
  • Annual Stress Testing: Our recovery and continuity plans are put to the test at least once every year.
  • Cyber Liability Coverage: We hold cybersecurity insurance to mitigate financial risks stemming from potential business interruptions.
  • Standardized Setup: A configuration management system is in place to ensure all environments are deployed with consistent security settings.
  • Change Control: Any updates to software or infrastructure must be documented, tested, and officially authorized before going live.
  • Deployment Restrictions: Only specific, authorized individuals have the permissions required to push changes into the production environment.
  • Secure Development Cycle: We follow a formal Systems Development Life Cycle (SDLC) that dictates how we build, acquire, and maintain our technology.
  • Anonymous Reporting: A whistleblower policy and a private communication channel allow anyone to report fraud or ethical concerns anonymously.
  • Board-Level Oversight: Our Board of Directors receives annual briefings on our privacy and cybersecurity posture to provide guidance and oversight.
  • Independent Board Governance: The board includes independent directors and maintains formal records of their annual meetings regarding internal controls.
  • Data Backup Strategy: Official policies outline how we handle the backup and restoration of customer information.
  • Client Notification: We inform our customers of any significant system changes that could impact their data processing.
  • Defined Organizational Structure: We maintain a formal organization chart and assign specific security responsibilities within job descriptions.
  • Help Desk and Incident Management: We provide an external support system for reporting failures or incidents, and follow a formal policy for tracking and resolving all security events.
  • Vendor and Risk Management: We perform annual risk assessments and maintain formal agreements with all third-party vendors, including strict privacy commitments.
  • Vulnerability Scanning: External-facing systems undergo host-based vulnerability scans at least once a quarter, with high-risk issues tracked until they are fixed.

Data Governance

  • Information Lifecycle: Formal procedures are in place for the secure storage and eventual destruction of both internal and customer data.
  • Offboarding Data Removal: When a customer ends their service, we purge their confidential data from our environment following industry best practices.
  • Classification Protocols: Our data classification policy ensures that confidential information is handled with the appropriate level of security.
  • Privacy Support: We assist our clients (Data Controllers) in meeting their legal privacy obligations through our Data Processing Agreements (DPAs).

Authorized Sub-processors

The following third-party entities are engaged to process end-user personal information on behalf of SOBA Network. These partners assist us in delivering our services to our clients.

We are committed to data safety and ensure that every sub-processor meets rigorous security and legal criteria. This includes the execution of a Data Processing Agreement (DPA) and, where necessary, the inclusion of Standard Contractual Clauses (SCCs) to maintain high protection standards.

Core Service Providers

  • Google Cloud EMEA (Ireland): Responsible for providing essential computing power and media processing capabilities. Primary processing takes place within the European Economic Area (EEA).
  • Amazon Web Services (AWS) EMEA SARL (Ireland): Utilized for secure data storage, general computing, and media processing. Operations are primarily centered in the EEA.

Feature-Specific Providers

There are currently no additional sub-processors required for specialized features.