Security Details & FAQ
Security Certifications
- Weever Apps Inc. is SOC 2 Type 2 certified. Please contact us for a copy of our most recent SOC 2 Type 2 audit report.
- Weever’s cloud-based applications are hosted on a popular, SOC 2 Type 2 compliant cloud provider. Additional details available on request.
- The Weever Process product is certified as compliant with Food and Drug Administration (FDA) regulation 21 CFR Part 11 (Electronic Records and Signatures) and European Union (EU) Annex 11 (Computerized Systems).
GDPR and Privacy Policies
Weever observes EU and UK GDPR compliance guidelines including recurring review of data privacy (DPIA, PIA) and confidentiality. Please see our Data Privacy Statement to learn how we safeguard customer and user privacy in Weever Apps Inc. products.
Weever Apps Inc. does not sell PII or customer data under any circumstances. A limited subset of non-sensitive personal data may be disclosed to third-party providers for service analytics, used to optimize and refine our offerings. More information is available in our Data Privacy Statement.
Standard Operating Procedures (SOPs)
Weever maintains an information security program which includes training, recurring internal audits and semi-independent audits (manual and automated), and an integrated approach to business requirements and standard operating procedures. Weever includes security considerations in all code and product reviews, and we maintain working groups on testing (including security) and an internal security practices group. We leverage independent penetration testing and other services as part of our security posture.
SOPs concerning Information Security and Confidentiality include but are not limited to:
- Recurring quarterly and annual Risk Management Assessment and Audit Plan (RMAP) exercises
- Recurring semi-independent internal SOP risk-management and practice compliance audits
- Recurring information security practice training
- Recurring staff user access policies and practice training
- Recurring staff and full scope regulatory compliance reviews including data privacy
- Recurring FDA 21 CFR Part 11 and EU Annex 11 training and policy reviews
- Recurring review of Weever practices against industry best practice standards and NIST recommendations
- Recurring security incident and data network breach response training
- Recurring checks of all vendors for incidents, and self-checks for data breach incidents involving Weever on the web
- Recurring disaster recovery training and working groups
- Recurring training on risk escalation and identification
- Recurring training on information classification and handling
- Recurring vendor management risk audits
- Recurring encryption and password policy compliance including a managed password repository (ACL)
- Recurring Code of Conduct policy acceptance/awareness events
- Responsible disclosure policies
- Ongoing vulnerability awareness and patch programs
- Acceptable device use policies and checks
- Asset management policies and security monitoring
- Independent penetration testing and vulnerability testing (e.g., OWASP)
- Third-party management (services, contractors) and security agreements (NDAs, et al.)
SOPs for Application and Infrastructure Risk Management include but are not limited to:
- Recurring manual reviews of server and database exceptions and errors
- Recurring reviews of data deletion and data protection policies and infrastructure
- Recurring API and outbound data security reviews
- Recurring review of automated code and library risks (versions, warnings)
- Recurring review of monitoring system data (application and infrastructure, including security behaviours)
- Recurring manual security scans using multiple tools / risk check types including automated and manual penetration testing
- Infrastructure: Recurring system access management policy compliance checks
- Infrastructure: System Access Control policy and multiple recurring review types
- Code: All code must be reviewed by multiple parties; testing and risk considerations must be included in the review; multiple approvals are required for merge into monitored, staged testing (change management policies)
- Code: Multiple active environmental and per-merge-request scanners (e.g., OWASP Top 10 et al.)
- Base and recurring software security "as you code" training for all engineers
Login Security and Account Access
- All Weever applications use encrypted login and communication. All access is provisioned per user on a secure basis and maintained against an access matrix.
- Staff: All Weever staff and application access accounts are reviewed recurrently for validity of access
- Staff: Weever’s own internal passwords are stored and managed within a role-based password manager which includes an audit trail and is reviewed recurrently by SOP
- Staff: Recurring Personal Security Compliance reviews include hardware and software status, version and secure operation requirements
- Staff and Infrastructure: All server/application code access is VPN restricted and MFA accessed
Policy FAQs
How can I report a suspected security vulnerability or a security/privacy concern?
- Please send an email directly to our CTO at privacy at weeverapps.com. Reports are confidential and your privacy will be respected.
Do you train staff on how to respond to data breaches?
- Yes. All staff undergo critical incident response training on a recurring basis.
Do you monitor for incidents and breaches?
- Yes, in addition to best practice technical monitors (firewalls, et al.) we run a recurring check for any incidents involving Weever or the emails/information of our staff on the larger web.
Do you maintain a firewall and intrusion detection systems?
- Yes, we maintain both web application firewalls (WAF) and multiple systems to log and alert us of suspect events.
Do you conduct independent penetration testing, vulnerability testing and monitoring?
- Yes, we regularly undergo testing by security teams and/or independent services. We run security monitoring software on all systems.
Do you practice Security Information Event Monitoring (SIEM)?
- Yes, all key systems and products produce SIEM reports. Our FDA compliant products include an administrator-facing SIEM report as well.
How quickly would you inform us if a critical security vulnerability were discovered in your solution?
- Clients are notified of data breaches / security incidents by SOP (within 24 hours) or per client contract terms.
How quickly would you make a patch available?
- For any critical security vulnerabilities, immediately (top company priority). Our SLA is 14 days.
- For any high security vulnerability, within 30 days
What hiring practices do you maintain?
- All staff undergo reference checks, and interviews include security practice(s)
- All staff undergo regular reviews which include security topics
- We conduct recurring reviews of risk management practices including security (company-wide)
Do you train your staff on security practices?
- Yes, all staff participate in continuous security awareness training.
- We also maintain dozens of recurring security policy compliance reminders and practice trainings.
Do you have a data classification policy?
- Yes. For context, Weever applications are generally limited to low risk data.
What kind of Personally Identifiable Information (PII) is used in your applications?
- PII is limited to business-operational use for our customers. User profiles include a name and unique email.
Do you maintain and verify restorability of backups?
- Yes. We manually verify our backup systems monthly, including "hot swap" (fallback) systems.
- Backups are stored without expiry. Older data is secured to read only and access is increasingly restricted over time.
Does Weever encrypt data in transit and at-rest?
- Yes. We manually verify that this policy is being applied correctly as part of our recurring security activities, including manual penetration testing.
- All encryption meets industry best practice standards.
Do you have Business Continuity plans in place?
- Weever Apps has cyber insurance
- Weever trains all technical staff on our Disaster Recovery and Incident Response policy and procedures on a recurring basis
- Weever trains all technical staff on our Emergency Response to Data Network Breach policy and procedures on a recurring basis
- Weever trains all staff on our Business Continuity and Disaster Recovery Plan on a recurring basis
Do you maintain physical security at your offices?
- Yes. Please contact us if you would like more information.
Do you require your staff to encrypt their devices?
- Yes, all staff must encrypt their data storage (disks), and all access is provided through secure cloud keys with additional verification layers (e.g., MFA).
- Staff are required to use and keep their antivirus and operating system software up to date. We monitor staff devices for compliance issues.
- Removable storage media (USB drives, etc.) are not allowed per SOPs and policy.
How long do you retain customer data for?
- We retain data indefinitely, for a period of five (5) years or more, or for the period specified by our customers' IT security policies.
- In the event of cancellation or request we will provide exports of your data and take appropriate measures.
- See our data privacy statement for more information.
My question isn't listed here...
- Send an email to privacy at weeverapps.com. We'll be happy to help.
Changelog
- 2020-12-08: Document version one created
- 2021-10-10: Document review, no changes
- 2022-02-16: Link to Data Privacy Statement
- 2022-03-18: Add continuity policy, update vulnerability SLA periods, define PII scope
- 2022-04-04: Publish that Weever Apps Inc. is SOC 2 Type II certified
- 2022-06-21: Full review of security page, no changes required
- 2022-09-20: Full review of security page, no changes required
- 2022-12-20: Full review of security page, updated encryption statements to be more explicit
- 2023-03-22: Full review of security page, added FAQ items on data retention and monitoring for breaches
- 2023-06-20: Full review of security page. Updated items on WAF, intrusion detection, encryption, and security awareness training.
- 2023-09-19: Full review of security page. Updated GDPR statement to specify "UK & EU".
- 2023-12-12: Full review of security page. Specified independent pen. testing more clearly.
- 2024-03-18: Added information on third party management policies
- 2024-06-27: Clarified / resolved content on third party management