Thank you for considering Weever to collect and report operational data for your company. Cloud-based systems are becoming increasingly more secure than on-premise systems because they employ more sophisticated security methodologies.
Certifications and Assessments
- Weever’s cloud-based applications are hosted on a popular, SOC 2 Type II compliant cloud provider. Additional details available on request.
- The Weever Process product is certified as compliant to Food and Drug Administration (FDA) regulation 21 CFR Part 11; Electronic Records and Signatures, and European Union (EU) Annex 11; Computerized Systems
- Weever Apps Inc. will obtain SOC 2 Type I compliance in March 2021 and Type II thereafter
GDPR and Privacy Policies
Weever is GDPR compliant. Please see our privacy page. All Weever Process customers are additionally provided with regular Data Privacy documentation and process updates.
Standard Operating Procedures (SOP’s)
Weever maintains an information security program which includes training, recurring internal audits and semi-independent audits (manual and automated), and an integrated approach to business requirements and standard operating procedures. Weever includes security considerations in all code and product reviews, and we maintain working groups on group testing including security and an internal security practices group.
SOP’s concerning Information Security and Confidentiality include but are not limited to:
- Recurring quarterly and annual Risk Management Assessment and Audit Plan (RMAP) exercises
- Recurring semi-independent internal SOP risk-management and practice compliance audits
- Recurring information security practice training
- Recurring staff user access policies and practice training
- Recurring staff and full scope regulatory compliance reviews including data privacy
- Recurring GDPR, FDA/EU training and policy reviews
- Recurring security incident and data network breach response training
- Recurring disaster recovery training and working groups
- Recurring training on risk escalation and identification
- Recurring training on information classification and handling
- Recurring vendor management risk audits
- Recurring password policy compliance including a managed password repository (ACL)
- Responsible disclosure policies
- Ongoing vulnerability awareness and patch programs
- Acceptable device use policies and checks
SOP’s for Application and Infrastructure Risk Management include but are not limited to:
- Recurring manual reviews of server and database exceptions and errors
- Recurring reviews of data deletion and data protection policies and infrastructure
- Recurring API and outbound data security reviews
- Recurring review of automated code and library risks (versions, warnings)
- Recurring review of monitoring system data (application and infrastructure, including security behaviours)
- Recurring manual security scans using multiple tools / risk check types including automated and manual penetration testing
- Infrastructure: Recurring system access management policy compliance checks
- Code: All code must be reviewed by multiple parties, testing and risk considerations must be included in review, multiple approvals required for merge to monitored, staged testing
- Code: Multiple active environmental and per-merge-request scanners (e.g., OWASP Top 10 et al.)
Login Security and Account Access
- All Weever applications use encrypted login and communication. All provision access is per user on a secure basis and in relationship to a maintained access matrix.
- Staff: All Weever staff and application access accounts are reviewed recurrently for validity of access
- Staff: Weever’s own internal passwords are stored and managed within a role-based password manager which includes an audit trail and is reviewed recurrently by SOP
- Staff: Recurring Personal Security Compliance reviews include hardware and software status, version and secure operation requirements
- Staff and Infrastructure: All server/application code access is VPN restricted and MFA accessed
How can I report a suspected security vulnerability or a security/privacy concern?
- Please send an email directly to our CTO at privacy at weeverapps.com. Reports are confidential and your privacy will be respected.
How quickly would you inform us if a security vulnerability were discovered in your solution?
- Any high or severe security vulnerabilities and/or incidents are notified by SOP (24 hours) or client contract term, whichever is a shorter time period
How quickly would you make a patch available?
- For any high or severe security vulnerabilities, immediately (top company priority).
- For any medium security vulnerability, within 1-2 weeks
What hiring practices do you maintain?
- All staff undergo reference checks and interviews include security practice(s)
- All staff regularly undergo regular reviews which include security topics
- We conduct recurring reviews of risk management practices including security (company-wide)
Do you maintain and verify restorability of backups?
- Yes. We manually verify our backup systems monthly including “hot swap” (fallback) systems
- Backups are stored without expiry. Older data is secured to read only and access is increasingly restricted over time.
Do you have Business Continuity plans in place?
- Weever Apps has cyber insurance
- Weever trains all technical staff on Disaster Recovery and Incident Response procedures on a recurring basis
- Weever trains all technical staff on Emergency Response to Data Network Breach on a recurring basis
Do you maintain physical security at your offices?
- Yes. Please contact us if you would like more information.
Do you require your staff to encrypt their devices?
- Yes, all staff must encrypted their data storage (disks) and all access is provided through secure cloud keys with additional verification layers (e.g., MFA)
- Staff are required to use and keep their antivirus and operating system software up to date. We monitor staff devices for compliance issues.
My question isn’t listed here…
- Send an email to privacy at weeverapps.com. We’ll be happy to help.
- Document last updated December 8th, 2020