SECURITY AND COMPLIANCE

We prioritize trust.

This page contains information about Gloat’s security and regulatory compliance. We are committed to keeping your data safe and secure by using best practices to protect our systems.

Security

Gloat's Security Program

We at Gloat are committed to respecting our customers’ and their users’ privacy. Customer trust is of the utmost importance to us, so we offer Enterprise-grade data protection for our customers. Our security program is lead by our Chief Information Security Officer (CISO) and involves members of our engineering, operations, and legal team to include all aspects of cybersecurity and data protection. Our product was built with privacy in mind, to ensure that Personal Data is protected and used properly.

Security Governance and Management

Gloat uses a documented security control framework based upon accepted industry standards for governing the information security practices. These frameworks utilize a standard set of controls and include widespread use of commercially available protective measures. Please visit “Gloat Certifications and Attestations” section for full list of frameworks implemented in Gloat. Gloat developed and is maintaining a set of comprehensive Information Security Policies and enforcement procedures based on the adopted security control frameworks and industry best-practices. The policies reviewed not less than annually or whenever there is a material change in practices or regulatory requirements. Gloat monitors its Policy and procedures to ensure that the program described therein is operating in a manner reasonably required to protect confidentiality, integrity and availability of our customer’s data.

Identification and Authorization (Access Management)

Gloat implemented a formal user registration and de-registration procedure for granting and revoking access to its personnel to processing resources and personal data. Upon termination of any of Gloat’s personnel, the Gloat ensures that such personnel’s access to personal data is revoked. In the event of an involuntary termination, the Gloat ensures all access is revoked immediately. We maintain appropriate access control mechanisms to enable access to personal data and/or Gloat’s processing resources only by Gloat personnel who have a “need to access” to support Gloat’s processing. Additionally, the actual access is granted on “just in time” (JIT) basis, logged and regularly reviewed. Gloat ensures that segregation of duties exists such that the individual or system granting access is not the same individual or system which approves such access. Authentication to Gloat systems managed in the centralized Identity and Access Management solution which enforces strong passwords, Single Sign-on (SSO) and mandatory Multi-Factor Authentication (MFA). The connection to Gloat systems is restricted to Virtual Private Network (VPN) only.

Product Security

Our Secure Software Development Lifecycle incorporates security – including both automated and manual checks – into each stage of the software development process. The tools and manual efforts that go into security allows us to quickly detect any potential risk, and take the necessary steps to mitigate. Software patches are regularly released as part of our monthly release cycle, with more critical patches released more frequently as necessary. We have a detailed Change Management policy that allows us to be agile and efficient in the event changes need to be made. Key stakeholders and responsibilities for all components of our software development lifecycle are well defined and clearly communicated.

Data Storage and Residency

Customer data is stored in Amazon Web Services (AWS) data centers. Our data storage policy is location-agnostic, meaning we can assist our customers in maintaining compliance with data protection regulations such that data can be stored in the relevant geographic region.

Encryption

Encryption in transit – Gloat encrypts data, records, and files that shall be transmitted wirelessly or travel across public networks with TLS v1.2 or higher protocol. Encryption at rest – Gloat encrypts data at rest. Industry acceptable cryptographic algorithms commensurate with key size are used whenever cryptographic services are applied. All such encryption meets the Advanced Encryption Standard with a 256-bit cypher key (“AES-256”). All encryption keys are protected against modification; secret and private keys are protected against unauthorized disclosure.

Availability, Business Continuity and Disaster Recovery

Gloat implements and maintains Business Continuity Policy (BCP) and Disaster Recovery Plan (DRP). We test our Business Continuity regularly. Gloat developed and maintained resilient design and architecture of the Services. In order to measure the resiliency and continuously improve services architecture, Gloat implemented and regularly tests Disaster Recovery drills.

Physical Security

Gloat maintains appropriate physical security controls and environmental controls to Gloat controlled facilities, to prevent unauthorized physical access to its controlled facilitates from which personal data can be accessed. Such measures include, but not limited to use of personal access cards identification, door sensors, video surveillance and monitoring. Physical Access control of Gloat data centers is managed by our Cloud Provider, and includes components such as CCTV, authorized access based on a policy of least privilege, access logs, etc. Cloud Provider data centers undergo certification and attestation processes. For more information, please visit Please visit “Third-Party Data Center Certifications” section.

Event Logging

Gloat maintains appropriate mechanisms and processes for detecting, recording, analyzing, and resolving unauthorized attempts to access personal data or Gloat’s systems. Access logs being reviewed periodically to ensure that access permissions are appropriate and necessary. Gloat’s operating system security mechanisms are configured to support appropriate security procedures, and capable to Identify and verify the identity of each authorized user; and Record successful and failed system accesses.

Vulnerability Management and Penetration Testing

Gloat conducts comprehensive scans for known vulnerabilities on all externally facing systems no less than one time per month. Vulnerabilities are prioritized based on severity and mitigated in accordance with Gloat’s policies. Annual penetration tests on Internet facing assets performed by reputable testing company or on material change. Findings are documented, prioritized and remediated accordingly. Gloat utilizes and keeps current reputable, commercially available anti-malware software on Gloat’s end points.

Risk Management

Gloat developed and is using risk assessment methodology based on industry standard frameworks. We conduct regular risk assessments and reviews the assessments on a regular basis to ensure controls are properly operating. The results of all risk assessments are documented. Gloat develops action plans for the mitigation of findings, and tracks the progress of such action plans.

Security Systems

Our security apparatus includes multi-layer security measures like firewalls, network layer security, application layer security, threat detection and protection, vulnerability scans, access control, encryption, and designed processes to secure our systems and customer data.

Third Parties

Gloat leverages a number of third party applications and services in support of the delivery of our products to our customers. The company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. Our security team has established a vendor management program and third party vendor security policy that sets forth the requirements to be established and agreed upon when we engage with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Gloat and our customers. A full list of our sub-processors is available upon request.

Data Protection

Data Protection Awareness

All Gloat employees undergo security and privacy awareness training upon hire and annually thereafter. Specific roles may undergo security training more frequently dependent on access to sensitive information. Our culture is one that values customer trust and protection, so employees follow best practices to ensure the safety of customer data.

Data Residence

Gloat utilizes multiple AWS data centers globally so that we can assist our global customer base in complying with relevant data protection regulations. Our customers can request that their data be stored in a particular region according to their compliance needs.

Data Retention

Gloat has a formal data retention policy which outlines the retention period for customer data. Our customers can request an executive summary of our policy upon signature of mNDA.

Data Subject Rights

End users (employees of our customers, or Data Subjects) may reach out to our support team with any questions regarding their data. [email protected]

GLOAT CERTIFICATIONS AND ATTESTATIONS

SOC 2 Type II Attestation report focuses on the American Institute of Certified Public Accountant’s (AICPA) trust service principles. It examines a service provider’s internal controls and systems related to security, availability and confidentiality of data.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services.
ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

SELF-EVALUATIONS

The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union.
The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing aligned to the CSA best practices, that is considered the de-facto standard for cloud security and privacy, accompanied by CAIQ a questionnaire that provides a set of questions based on the security controls in the CCM.
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

THIRD-PARTY DATA CENTER CERTIFICATIONS

Gloat utilizes top tier Cloud Vendor data centers for our infrastructures and services. Our Cloud Vendor maintains robust Compliance Program, maintaining Certifications and Attestations for security and compliance frameworks such as: C5, CMMC, Cyber Essentials Plus, DoD SRG, ENS High, FedRAMP, FINMA, FIPS, GSMA, HDS, IRAP, ISMAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, K-ISMS, MTCS Tier 3, OSPAR, PCI DSS Level 1, SOC 1, SOC 2, SOC 3, TISAX:
CyberGRX assessment which has been independently validated by CyberGRX partners and apply a dynamic and comprehensive approach to third party risk assessment.
PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.*
Other Global / Industry Specific Regulations
Gloat can assist our customers in maintaining their compliance status with a variety of global and industry specific data protection regulations. Customers interested in learning about our compliance with a particular regulation should contact our support team with any questions.