Compliance

3dEYE takes cybersecurity and adherence to best practices and compliance standards seriously.
Below is a list of the most common questions we are asked, with our answers.

Do you have any compliance certifications?

The service runs on AWS Cloud; see https://aws.amazon.com/compliance/ for the AWS compliance certifications.

Do you conduct penetration tests of your service regularly?

Yes, we conduct internal penetration tests either every 3 months or after every major release.

Do you conduct audits regularly?

Yes, internally, every 3 months or on every major release, whichever comes first.

Are policies and procedures anonymized?

Yes, AWS data is anonymized. AWS IAM Policy is in place to prevent data access.

Do you have the capabilities to enforce customer data retention policies?

Yes, customer data is purged with Customer or Camera deletion. The integrator has control over deletion.

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

Yes, AWS VPC is used to separate environments. No on-premise staging environment is used.

Do you have controls in place to prevent data leakage or intentional/accidental compromise between customers in a multi-tenant environment?

Yes, AWS data is anonymized. AWS IAM Policy is in place to prevent data access.

Do you have a Data Loss Prevention (DLP) or extrusion prevention solution in place for all systems which interface with your cloud service offering?

Yes. No third-party access to the AWS cloud infrastructure is permitted, and AWS GuardDuty is used.

Will customer data be moved from one physical location to another?

No, all data is always stored on AWS servers.

Do your information security and privacy policies align with particular industry standards?

Yes, AWS Security Hub is used. https://aws.amazon.com/compliance/

Do you utilize 3rd party providers for your service?

Yes, AWS Cloud.

Do you have controls in place ensuring timely removal of systems access which is no longer required for business purposes?

Yes, the AWS IAM policy is used.

Do you maintain documentation for the granting and approval of access to data?

Yes, AWS CloudTrail and Security Hub are used.

Is timely deprovisioning, revocation or modification of user access to the organization's systems, information assets, and data implemented upon any change in the status of employees, contractors, customers, business partners, or third parties?

Yes.

Do you encrypt customer data at rest (on disk/storage) within your environment? What is the encryption strength?

Yes, AWS encryption at rest is used for the applicable services. For footage, AWS S3 server-side encryption with AES-256 is used.

Do you encrypt the data during transport? If so, what is the encryption strength?

Yes. In the case of 3dEYE PUSH technology, a secure SSL tunnel is created between the camera and the cloud. AES-256 is used.

Do you conduct network, OS, and/or application vulnerability scans at some regular interval?

Yes. The latest AWS AMI is used, on AWS ECS ASG, Fargate and AWS Serverless architecture.

Do you have the capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

Yes. On a critical vulnerability AWS will recall the AMI, and the AWS ECS and AWS serverless infrastructure will redeploy.

Do you have anti-malware programs installed on all systems which support your cloud service offerings?

Yes, AWS WAF, AWS GuardDuty, the latest AWS AMI, ECS, and AWS serverless architecture are used.

Is the customer informed of an incident in the event of the unauthorized release of confidential or sensitive data?

Yes.

Do you have a security information and event management (SIEM) system?

Yes, AWS Security Hub, AWS GuardDuty and AWS CloudTrail are used.

Does your logging and monitoring framework allow isolation of an incident to specific customers?

Yes, AWS data is anonymized and not available. Customers can review application logs in the 3dEYE platform admin panel related to a specific customer.

Are controls in place to prevent unauthorized access to application, program or object source code, and assure it is restricted to authorized personnel only?

Yes. AWS IAM policy, AWS GuardDuty and AWS CloudTrail are used.

Do you have outsourced providers that manage your service?

No.

Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?

Yes. A separate, personalized Private Cloud installation can be used to ensure logical segmentation.

Do you have policies and procedures in place describing what controls you have in place to protect customers' intellectual property?

Not applicable. We don’t store, process, or access Customers' intellectual property.

Do you allow customers to specify which of your geographic locations their data is allowed to traverse into/out of?

Yes. The Public Cloud is available in the US and Europe AWS regions. A personalized Private Cloud installation can be located in any AWS region and availability zone, including GovCloud.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes & controls?

Yes.

Do you enforce and attest to customer data separation when producing data in response to legal subpoenas?

Yes.

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific customer without freezing other customer data?

Yes, the Customer can save video footage clips in Library for evidence. Such footage won't be deleted unless the Camera or Customer is deleted.

Do you utilize or access customer data and/or metadata? If so, how?

Yes. If the customer creates an Alert schedule, AI video analytics will access customer footage to produce relevant events.

Do you collect or create metadata about customer data through the use of inspection technologies (search engines, etc.)?

No.

Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Yes, AWS SAML and OAuth2 are available for integrations.

Do you provide customers with strong (multifactor) authentication options (digital certs, tokens, biometric, etc..) for user access?

Yes, MFA is available for end-users.

Do you enforce strong (multifactor) authentication options (digital certs, tokens, biometric, etc..) for your administrators to manage the solution?

Yes, AWS IAM policies and MFA are used.

Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build-in security for your Systems/Software Development Lifecycle (SDLC)?

Yes.

Are passwords stored in an encrypted format? Which encryption algorithm is used?

Yes, AWS SSM and Secrets Manager are used, with AES-256 or the cipher relevant to the AWS service.

Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes.

Does the solution provide for built-in userID/Password management?

Yes, AWS IAM and Secrets Manager are used. MFA is mandatory. The minimum password length is 8 characters. At least one number is required. At least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ') is required. Users are allowed to change their own password. The last 3 passwords are remembered and reuse is prevented.

Do you have a risk assessment program that has been approved by management, communicated, and assigned ownership?

Yes. 3dEYE has integrated a risk and compliance program throughout the organization. This program aims to manage risk in all phases of service design and deployment and continually improve and reassess the organization’s risk-related activities.

Do you have a security program with established information security policies that have been approved by management, communicated, and assigned ownership?

Yes.

Has the 3dEYE program and policies been reviewed within the last year?

Yes.

Do you have a third-party management program that has been approved by management, communicated, and assigned ownership?

3dEYE leverages AWS Security and Compliance tools: https://aws.amazon.com/products/security

Do you execute background checks on employees?

Yes. https://aws.amazon.com/products/security

What is the frequency of the background checks performed on the employees?

Annually, or on a change in employee status.

Do you have a change control or change management program and policy that has been approved by management, communicated, and assigned ownership?

Yes.

Is there an antivirus/malware policy and program that has been approved by management, communicated, and assigned ownership?

3dEYE leverages AWS Detection, AWS Network, AWS application protection tools, GitHub security and vulnerability tools, and Microsoft security tools. AWS Services, such as GuardDuty, provide us with continuous monitoring for malicious activity and unauthorized behavior.

Are system backups of Data performed? How often?

3dEYE leverages AWS snapshots and backups (https://aws.amazon.com/backup/). Services are redundant, and AWS Serverless architecture is used. Backup and snapshot retention and frequency are service dependent; for instances, snapshots usually recur daily.

Is there any firewall / ACLs at the edge?

3dEYE leverages AWS Detection and AWS Network tools: https://aws.amazon.com/products/security/?nc=sn&loc=2

Are vulnerability assessments, scans and/or penetration tests performed on internal or external networks? How often? Is documentation available?

Yes, we conduct internal penetration tests either every 3 months or after every major release. 3dEYE performs load tests and code inspections on every new version build. 3dEYE follows the AWS Well-Architected Framework and the respective AWS tools: https://aws.amazon.com/architecture/well-architected

Are vulnerability tests (internal/external) performed on all applications at least annually?

Yes, we conduct internal penetration tests either every 3 months or after every major release. 3dEYE performs load tests and code inspections on every new version build. End-user UI (web/mobile) is checked against the common vectors of attacks.

Is there a formal Software Development Life Cycle (SDLC) process that includes security and privacy by design?

Yes.

3dEYE enforces a mandatory policy of moving to new framework versions, and the latest updated libraries are used during the build process. Best practices are followed during development, and standard libraries and approaches to encryption, authentication and authorization are used. 3dEYE performs load tests and code inspections on every new version build. The end-user UI (web/mobile) is checked against the common attack vectors, and extraneous content on the client is blocked using CSP headers.

Are encryption tools managed and maintained?

3dEYE utilizes AWS encryption. Every AWS service where data lands provides encryption at rest and in transit.

Do you have an Incident Management program?

AWS Incident Management services are used: https://aws.amazon.com/products/security/?nc=sn&loc=2

Is there a documented policy for business continuity and disaster recovery that has been approved by management, communicated, and an owner to maintain and review the policy?

Yes. AWS D/CP is leveraged: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

How often are BC/DR tests performed?

Annually or after major infrastructural changes. AWS Config is used continuously to monitor and record AWS resource changes. AWS CloudFormation is used to automate tests. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

Is a Business Impact Analysis conducted at least annually?

Yes. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

Is there an internal audit, risk management, or compliance department with responsibility for identifying and tracking the resolution of outstanding regulatory issues?

Yes. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

Are there regular privacy risk assessments conducted?

Yes, annually or during acquisition of and expansion into a new region.

Is there a formal process for reporting and responding to privacy complaints or privacy incidents?

Yes.

Is there a documented response program to address privacy incidents, unauthorized disclosure, unauthorized access, or breach?

Yes, 3dEYE leverages AWS Automated Incident Response and Forensics Framework, AWS Incident Response.

Is there a documented privacy program with administrative, technical, and physical safeguards for the protection of Systems and Data?

3dEYE leverages the respective guidelines and policies: AWS Security and Compliance tools (https://aws.amazon.com/products/security), the AWS FTR program, and the AWS Well-Architected Framework and toolset (https://aws.amazon.com/architecture/well-architected/).

Is 3dEYE compliant with GDPR?

3dEYE uses a suite of AWS tools and services to support GDPR compliance for its clients. In addition, 3dEYE has deployed its infrastructure in the AWS Stockholm datacenter, so that data is stored within the geographical confines of the European Union. More info: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
