Security Policy

Dated 10 November 2019

Here at Appraisd we are acutely aware that our customers and their employees entrust us with very sensitive data. Not only do we have a responsibility to protect this data from external threats, but we must ensure that data is only visible to those it is intended to be visible to. For us therefore, security means several things. It is both the obvious things, using encryption, pen testing and so on to protect from hackers. But it is also a question of design - if a piece of feedback is shared with the wrong person because a user misunderstood the meaning of a button that's a security issue we take equally seriously.

ISO 27001 Certification

As of October 2019 we are certified to industry standard ISO27001:2017. We have top-level management commitment with the Tech Lead appointed as Information Security Manager. Our CEO is a former software developer who has personally overseen multiple penetration tests and so security awareness is at the heart of our business. ISO27001 is not just about getting security controls and measures in place. It's also a regular set of internal and external audits that ensure that if something could be improved, action is taken. It also embeds a culture of security awareness in all employees with an emphasis on continual self improvement.

User-first design philosophy

The easiest way for data to get into the wrong hands is for a user to inadvertently send it there. That's why we are constantly putting ourselves in the heads of users - making sure that what they expect to happen when they use our system is exactly what does happen. We use UI design to make sure admins can reliably predict how the system will behave. We make sure we capture feedback from clients to continuously improve this.

Security reviews

Every line of code we write must go through a code review process to ensure our systems development policies are being upheld. The process involves another developer of appropriate experience reading the submission and checking off a number of factors, such as whether there's adequate unit or integration test coverage and that the tenant identifier is used in queries. New features and fixes go through UAT and must be approved by a member of the Customer Success team before they can be released into production. On top of this, every build involves running over 1,000 automated tests which ensure we don't break old code when adding new code. We use Azure devops to manage this process and provide a reliable audit trail.

World class infrastructure

All our data is stored in the Microsoft Azure cloud which has over 50 compliance certifications. We build on Microsoft's PaaS which reduces our security surface area with a set of easily configured security settings. We benefit from security through simplicity, with Microsoft in charge of maintaining the base level security updates and patches for its own servers.

Super strong encryption everywhere

All data is encrypted using the latest TLS 1.2 encryption with strong ciphers while in transit, and using AES256 Microsoft Azure encryption while at rest. CSRF tokens are validated for each request to ensure your data isn't tampered with by malicious third parties.

Single Sign-on (SSO) Ready

We can integrate with your existing single sign on systems, so your employees don't need to juggle additional passwords. Where you do need to use password and email authentication, you can implement your own password policy in Appraisd.

Employees you can trust

Data access is limited within Appraisd to those who require it. Employees also go through regular Appraisd-specific and general security training and access to superuser facilities is not granted until superuser tests are passed. All employees must undergo criminal and employment history background checks.

Penetration tests

Appraisd undertakes at least-annual third-party penetration tests to ensure our security is working as expected.

Responsible disclosure and bug bounty policy

Security is a top priority at Appraisd. We believe working with security researchers can help us fix any problems as quickly as possible. If you believe you have found an issue, please notify us and we will work with you to resolve the issue promptly. We aim to resolve any critical issue within one week and non critical issues within 90 days. Please refrain from publicising issues until after a fix has been released. We are currently accepting no further bug-bounty submissions but welcome any submissions under a responsible disclosure policy. Please make every effort to avoid violating the privacy or damaging any data of any Appraisd client.

Exclusions


Please refrain from
- Social engineering/phishing attacks
- Attacks against physical property/data centres.
- Denial of service attacks
- Attacks that might negatively impact clients use of our infrastructure.