Thank you for considering Weever to collect and report operational data for your company. Cloud-based systems are increasingly more secure than on-premises systems because they employ more sophisticated security methodologies.

Certifications and Assessments

  • Weever Apps Inc. is SOC 2 Type I compliant.
  • Weever’s cloud-based applications are hosted on a popular, SOC 2 Type II compliant cloud provider.  Additional details available on request.
  • The Weever Process product is certified as compliant with Food and Drug Administration (FDA) regulation 21 CFR Part 11 (Electronic Records and Signatures) and European Union (EU) Annex 11 (Computerized Systems).

GDPR and Privacy Policies

Weever is GDPR compliant.  Please see our privacy page.  All Weever Process customers are additionally provided with regular Data Privacy documentation and process updates.

Standard Operating Procedures (SOPs)

Weever maintains an information security program which includes training, recurring internal audits and semi-independent audits (manual and automated), and an integrated approach to business requirements and standard operating procedures. Weever includes security considerations in all code and product reviews, and we maintain working groups on testing, including security testing, as well as an internal security practices group.

SOPs concerning Information Security and Confidentiality include but are not limited to:

  • Recurring quarterly and annual Risk Management Assessment and Audit Plan (RMAP) exercises
  • Recurring semi-independent internal SOP risk-management and practice compliance audits
  • Recurring information security practice training
  • Recurring staff user access policies and practice training
  • Recurring staff and full scope regulatory compliance reviews including data privacy
  • Recurring GDPR, FDA/EU training and policy reviews
  • Recurring security incident and data network breach response training
  • Recurring disaster recovery training and working groups
  • Recurring training on risk escalation and identification
  • Recurring training on information classification and handling
  • Recurring vendor management risk audits
  • Recurring password policy compliance including a managed password repository (ACL)
  • Recurring reminders and compliance checks on vendor and password practices, et al.
  • Responsible disclosure policies
  • Ongoing vulnerability awareness and patch programs
  • Acceptable device use policies and checks

SOPs for Application and Infrastructure Risk Management include but are not limited to:

  • Recurring manual reviews of server and database exceptions and errors
  • Recurring reviews of data deletion and data protection policies and infrastructure
  • Recurring API and outbound data security reviews
  • Recurring review of automated code and library risks (versions, warnings)
  • Recurring review of monitoring system data (application and infrastructure, including security behaviours)
  • Recurring manual security scans using multiple tools / risk check types including automated and manual penetration testing
  • Infrastructure: Recurring system access management policy compliance checks
  • Infrastructure: Recurring email and notifications security and best practice compliance
  • Code: All code must be reviewed by multiple parties; testing and risk considerations must be included in the review; and multiple approvals are required before merging to monitored, staged testing
  • Code: Multiple active environmental and per-merge-request scanners (e.g., OWASP Top 10 et al.)

Login Security and Account Access

  • All Weever applications use encrypted login and communication. All access is provisioned per user on a secure basis, in accordance with a maintained access matrix.
  • Staff: All Weever staff and application access accounts are reviewed recurrently for validity of access
  • Staff: Weever’s own internal passwords are stored and managed within a role-based password manager which includes an audit trail and is reviewed recurrently by SOP
  • Staff: Recurring Personal Security Compliance reviews include hardware and software status, version and secure operation requirements
  • Staff and Infrastructure: All server/application code access is VPN-restricted and requires MFA

Additional Security Policy Information

Reporting concerns:

  • If you are aware of a potential security issue, please send an email directly to our CTO at privacy at weeverapps.com.
  • Reports are confidential and your privacy will be respected.

Vulnerability resolution:

  • Identified high or severe security vulnerabilities and/or incidents will be resolved within SOP standards (24 hours) or the client contract term, whichever is shorter
  • We will resolve any medium security vulnerability within 1-2 weeks

Staff policies:

  • All staff undergo reference checks, and interviews include questions on security practices
  • All staff undergo regular reviews which include security topics
  • All staff must encrypt their data storage (disks), and all access is provided through secure cloud keys with additional verification layers (e.g., MFA)
  • Staff are required to use and keep their antivirus and operating system software up to date. We monitor staff devices for compliance issues.

Risk management practices:

  • We conduct recurring reviews of risk management practices including security (company-wide)
  • Weever trains all technical staff on Disaster Recovery and Incident Response procedures on a recurring basis
  • Weever trains all technical staff on Emergency Response to Data Network Breach on a recurring basis

Backup systems:

  • We manually verify our backup systems monthly including “hot swap” (fallback) systems
  • Backups are stored without expiry. Older data is secured to read-only and access is increasingly restricted over time.

Business systems:

  • Weever Apps has cyber insurance

Questions?

  • Send an email to privacy at weeverapps.com. We’ll be happy to help.

Changelog

  • Document updated December 8th, 2020
  • Document updated June 15th, 2020: Updated SOC 2 and Email risk management policy
  • Document updated September 21, 2021: Updated policy list to include recurring reminder / compliance checks