Thank you for considering Weever to collect and report operational data for your company.  Cloud-based systems are becoming increasingly secure relative to on-premises systems because they employ more sophisticated security methodologies.

Certifications and Assessments

  • Weever’s cloud-based applications are hosted on a popular, SOC 2 Type II compliant cloud provider.  Additional details available on request.
  • The Weever Process product is certified as compliant with Food and Drug Administration (FDA) regulation 21 CFR Part 11 (Electronic Records and Signatures) and European Union (EU) Annex 11 (Computerised Systems).
  • Weever Apps Inc. will obtain SOC 2 Type I compliance in January 2021 and Type II thereafter.

GDPR and Privacy Policies

Weever is GDPR compliant.  Please see our privacy page.  All Weever Process customers are additionally provided with regular Data Privacy documentation and process updates.

Standard Operating Procedures (SOPs)

Weever maintains an information security program which includes training, recurring internal audits and semi-independent audits (manual and automated), and an integrated approach to business requirements and standard operating procedures. Weever includes security considerations in all code and product reviews, and we maintain working groups on testing, including security testing, as well as an internal security practices group.

SOPs concerning Information Security and Confidentiality include but are not limited to:

  • Recurring Risk Management Assessment and Audit Plan (RMAP)
  • Recurring semi-independent internal SOP risk-management and practice compliance audits
  • Recurring information security practice training
  • Recurring staff user access policies and practice training
  • Recurring staff and full scope regulatory compliance reviews including data privacy
  • Recurring GDPR, FDA/EU training and policy reviews
  • Recurring security incident and data network breach response training
  • Recurring disaster recovery training and working groups
  • Recurring training on risk escalation and identification
  • Recurring training on information classification and handling
  • Recurring vendor management risk audits
  • Ongoing vulnerability awareness and patch programs
  • Acceptable device use policies and checks

SOPs for Application and Infrastructure Risk Management include but are not limited to:

  • Recurring manual reviews of server and database exceptions and errors
  • Recurring API and outbound data security reviews
  • Recurring review of automated code and library risks (versions, warnings)
  • Recurring review of monitoring system data (application and infrastructure, including security behaviours)
  • Recurring manual security scans using multiple tools / risk check types including automated and manual penetration testing
  • Code: All code must be reviewed by multiple parties; testing and risk considerations must be included in the review; multiple approvals are required to merge into monitored, staged testing environments
  • Code: Multiple active environmental and per-merge-request scanners (e.g., OWASP Top 10 et al.)

Login Security and Account Access

  • All Weever applications use encrypted login and communication.  Access is provisioned per user on a secure basis.
  • Staff: All Weever staff and application access accounts are reviewed recurrently for validity of access
  • Staff: Weever’s own internal passwords are stored and managed within a role-based password manager which includes an audit trail and is reviewed recurrently by SOP
  • Staff: Recurring Personal Security Compliance reviews include hardware and software status, version and secure operation requirements
  • Staff and Infrastructure: All server/application code access is restricted to the VPN and protected by MFA

Policy FAQs

How quickly would you inform us if a security vulnerability were discovered in your solution?

  • Notification of any high or severe security vulnerability and/or incident is made within the SOP period (24 hours) or the client's contractual notification term, whichever is shorter

How quickly would you make a patch available?

  • For any high or severe security vulnerabilities, immediately (top company priority).
  • For any medium security vulnerability, within 1-2 weeks

What hiring practices do you maintain?

  • All staff undergo reference checks, and interviews include security practice(s)
  • All staff undergo regular reviews which include security topics
  • We conduct recurring reviews of risk management practices including security (company-wide)

Do you maintain and verify restorability of backups?

  • Yes.  We manually verify our backup systems monthly including “hot swap” (fallback) systems
  • Backups are stored without expiry.  Older data is secured to read only and access is increasingly restricted over time.

Do you have Business Continuity plans in place?

  • Weever Apps has insurance
  • Weever trains all technical staff on Disaster Recovery and Incident Response procedures on a recurring basis
  • Weever trains all technical staff on Emergency Response to Data Network Breach on a recurring basis

Do you require your staff to encrypt their devices?

  • Yes, all staff must encrypt their data storage (disks), and all access is provided through secure cloud keys with additional verification layers (e.g., MFA)
  • Staff are required to use and keep their antivirus and operating system software up to date.  We monitor staff devices for compliance issues.

My question isn’t listed here…

  • Send an email to privacy at weeverapps.com.  We’ll be happy to help.

Changelog

  • Document last updated December 8th, 2020