TRUST & SECURITY
The following outlines Sourcepoint’s approach to privacy, security and compliance for the Sourcepoint portfolio of products. Included are details of our privacy and security practices including our organizational and technical controls to protect confidentiality, integrity, availability, and resilience of corporate and customer data.
Sourcepoint’s Chief Privacy Counsel and Information Security Director bring an excess of thirty five years of professional experience and are committed to ensuring Sourcepoint maintains a culture of Privacy and Security beyond mere compliance.
Training and Awareness
Security and privacy awareness are conducted at least once per calendar year. Sourcepoint staff participate in training as part of onboarding and as often as quarterly thereafter. Specialized role-based training is provided for key stakeholders including, but not limited to, software developers and senior leadership.
Vulnerability and Patch Management
Sourcepoint’s vulnerability and patch management program consists of annual penetration testing conducted by independent third party, network and application vulnerability scanning, and monthly patching of high and critical severity vulnerabilities.
User endpoints are configured to run with corporate approved anti-malware solutions that are regularly updated. Logging and Monitoring
Except where adherence to regulatory guidelines suggests otherwise, logs from production systems are retained for a minimum of 90 days. Logs are protected from unauthorized access, alteration or destruction. Logs are periodically reviewed and configured to generate alerts when immediate mitigation may be necessary.
Sourcepoint has a documented Incident Response program that includes at least annual training of all staff on their responsibilities to report security weaknesses and vulnerabilities. The process provides guidance on notification requirements for customers that will meet or exceed all regulatory requirements.
The principles of least privilege and need to know access form the foundation of the Sourcepoint access control practices. Strong authentication including multi-factor authentication, breached password detection and quarterly access reviews, minimize the chance for unauthorized access to protected resources.
Third party risk management
Sourcepoint vendors and suppliers are evaluated in accordance with Sourcepoint’s security and privacy standards, always considering use cases and data accessed or processed. Sourcepoint will only conduct business with vendors or suppliers who can meet these standards.
Sourcepoint utilizes an agile software development methodology where the phases include Design, Development, QA and Deployment. All application code is peer reviewed for quality and security. Web applications developed with secure coding best practices including, but not limited to, preventing the OWASP Top 10 application security risks. Production and non-production environments are logically and/or physically segregated.
All system, application or network changes at Sourcepoint are subject change management review and approval. All changes are evaluated for their value/impact to the business and potential risk.
Backups and Business Continuity
At least once per day full backups of databases are conducted. Backups are stored encrypted and retained for no more than thirteen months. Business Continuity plans are reviewed and tested at least once annually. Production environments are often hosted across multiple availability zones to ensure continuity of services should one zone or datacenter become unavailable.
Third Party Attestation
As part of the ongoing commitment to support customers with the highest level of information security and privacy management, Sourcepoint maintains certification to ISO/IEC 27001 and 27701 standards, of which it is audited against annually.
Sourcepoint makes every effort to limit collection and retention of PII to the minimum elements required. Sourcepoint leverages anonymization and de-identification techniques to reduce the risk of unauthorized or unintended disclosure. PII is only retained for as long as required and in accordance with applicable regulatory guidelines.
Sourcepoint’s Role as Processor
Sourcepoint in its role as a Data Importer and Processor will process IP addresses for the purpose of determining the location of our clients property visitors. Processing of location information of client website visitors is strictly for the purpose of ensuring geographic specific messaging can be displayed. Client property visitors will be assigned a randomly generated UUID utilized for the purpose of mapping consent decisions only.
All security related inquiries should be directed to email@example.com and privacy related inquiries should be directed to firstname.lastname@example.org.
Keep in touch
Sign up for our newsletter to keep up with the latest privacy and media news.