Gloat’s Security Program
We at Gloat are committed to respecting our customers’ and their users’ privacy. Customer trust is of the utmost importance to us, so we offer Enterprise-grade data protection for our customers. Our security program is lead by our Chief Information Security Officer (CISO) and involves members of our engineering, operations, and legal team to include all aspects of cybersecurity and data protection. Our product was built with privacy in mind, to ensure that Personal Data is protected and used properly.
Our Secure Software Development Lifecycle incorporates security – including both automated and manual checks – into each stage of the software development process. The tools and manual efforts that go into security allows us to quickly detect any potential risk, and take the necessary steps to mitigate. Software patches are regularly released as part of our monthly release cycle, with more critical patches released more frequently as necessary. We have a detailed Change Management policy that allows us to be agile and efficient in the event changes need to be made. Key stakeholders and responsibilities for all components of our software development lifecycle are well defined and clearly communicated.
Data Storage and Residency
Customer data is stored in Amazon Web Services (AWS) data centers. Our data storage policy is location-agnostic, meaning we can assist our customers in maintaining compliance with data protection regulations such that data can be stored in the relevant geographic region.
Data is encrypted at rest via AES256 and in transit via TLS1.2+. Customer data is regularly backed up in AWS facilities.
Business Continuity and Disaster Recovery
We have a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DR Plan) which incorporate AWS services to ensure customer data is backed up and retrievable in the event of a qualifying situation. We perform an annual DR drill which is documented as per our policy.
Physical Access control of our data centers is managed by AWS, and includes components such as CCTV, authorized access based on a policy of least privilege, access logs, etc. Details about AWS physical access can be found here: https://aws.amazon.com/compliance/data-center/controls/
Physical access to our corporate locations is monitored by security personnel, CCTV, and access control mechanisms that allow access only to authorized individuals.
Our security apparatus includes multi-layer security measures like firewalls, network layer security, application layer security, threat detection and protection, vulnerability scans, access control, encryption, and designed processes to secure our systems and customer data.
Data protection is one of the main components of Gloat’s security program as we are committed to customer trust and data safety.
Data Protection Awareness Training
All Gloat employees undergo security and privacy awareness training upon hire and annually thereafter. Specific roles may undergo security training more frequently dependent on access to sensitive information. Our culture is one that values customer trust and protection, so employees follow best practices to ensure the safety of customer data.
Access Management and Authentication
All access to sensitive customer data is restricted via a policy of least privilege, and access is reviewed regularly. Access to our sensitive systems requires SSO with 2FA as well as VPN connectivity. Access to customer data or sensitive systems is strictly limited to specific roles based on a policy of least privilege. Access is regularly reviewed. All Admin Access to our sensitive systems is logged, and logs are stored indefinitely.
Gloat utilizes multiple AWS data centers globally so that we can assist our global customer base in complying with relevant data protection regulations. Our customers can request that their data be stored in a particular region according to their compliance needs.
Gloat has a formal data retention policy which outlines the retention period for customer data. Our customers can request an executive summary of our policy upon signature of mNDA.
Data Subject Rights
End users (employees of our customers, or Data Subjects) may reach out to our support team with any questions regarding their data. [email protected]
Gloat is ISO27001 certified. We are audited annually to ensure compliance and maintain our certification status.
Gloat is ISO27017 certified. We are audited annually to ensure compliance and maintain our certification status.
Gloat is ISO27018 certified. We are audited annually to ensure compliance and maintain our certification status.
Gloat is compliant with the General Data Protection Regulation (GDPR), and can assist our customers in maintaining compliance.
Gloat is audited by third-party penetration testers on an annual basis. Findings and remediations are documented.
Other Global / Industry Specific Regulations
Gloat can assist our customers in maintaining their compliance status with a variety of global and industry specific data protection regulations. Customers interested in learning about our compliance with a particular regulation should contact our support team with any questions.
Gloat leverages a number of third party applications and services in support of the delivery of our products to our customers. The company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. Our security team has established a vendor management program and third party vendor security policy that sets forth the requirements to be established and agreed upon when we engage with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Gloat and our customers. A full list of our sub-processors is available upon request.