As part of our security program, Sophus has implemented a range of controls to maintain compliance.

Product Security (7)

Production System User Review

Sophus’ Information Security Committee conducts an annual evaluation and authorization of personnel with access to the production console to ensure security and compliance.

Awareness for Incidents

Sophus maintains a comprehensive log of information security incidents, documenting investigation details and response actions in accordance with established incident management policies and procedures.

Vulnerability Remediation Process

Sophus proactively identifies and addresses platform vulnerabilities through regular and systematic vulnerability scans.

Centralized Management of Flaw Remediation

Sophus monitors and mitigates all identified vulnerabilities, adhering to defined policies and procedures for vulnerability management.

Audit Logging

All user activities and system events are systematically logged and made available for monitoring, review, and audit purposes.

Data Security

  • All stored data (including databases and attachments) is encrypted using AES-256, with encryption keys managed through AWS services and rotated annually.
  • All data transmitted over networks is encrypted using HTTPS with TLS 1.2 or later.

Single Sign-On

Sophus has implemented SSO to facilitate secure and streamlined application access.

Data Security (16)

Identity Validation

Sophus enforces logical access provisioning for critical systems, requiring explicit approval from authorized personnel based on role-based or need-based criteria.

Termination of Employment

Sophus ensures the immediate revocation of logical access for employees upon termination.

Production Database Access Restriction

Sophus limits production database access strictly to personnel whose roles necessitate such privileges.

Multi-Factor Authentication

Sophus mandates multi-factor authentication for all personnel accessing critical systems to enhance security.

User Privileges Reviews

Senior Management or the Information Security Committee periodically reviews and ensures that access to critical systems is restricted to necessary personnel only.

User Access Reviews

Senior Management or the Information Security Committee conducts periodic reviews to ensure administrative access is appropriately restricted.

Encryption of Data at Rest

Sophus implements robust cryptographic mechanisms to encrypt all production databases storing customer data.

Infrastructure Asset Inventory

Sophus maintains a documented and updated inventory of organizational infrastructure assets to ensure accountability and security.

Data Backups

Sophus performs regular backups of user and system data to meet recovery objectives and verifies backup integrity.

Reliability and Integrity Testing

Sophus routinely tests backup data to validate media reliability and data integrity.

User Consent and Compliance

Sophus ensures compliance with regulatory requirements by obtaining user consent before processing personal data.

Data Subject Access Requests

Sophus processes Subject Access Requests in accordance with its Privacy Policy and applicable regulations.

Backup Implementation

Daily backups of primary data are conducted, stored in a separate location, and can be restored in alignment with recovery objectives.

Data Encryption at Rest

All stored data is encrypted using AES-256, with encryption keys managed through AWS services and rotated annually.

Data Encryption in Transit

All transmitted data is encrypted using HTTPS with TLS 1.2 or later.

Physical Security Measures

All customer data is securely processed within AWS infrastructure, adhering to industry-standard physical security controls.

Network Security (9)

Impact Analysis

Sophus evaluates system-generated information to assess its impact on internal controls and security posture.

Network Connection Restrictions

Sophus enforces strict controls to limit public internet exposure for production database and Secure Shell (SSH) access.

External System Connections

All production systems are protected by firewalls with deny-by-default rules, enforced through Sophus’ cloud provider.

Confidentiality in Data Transmission

Sophus employs strong encryption protocols, including HTTPS with TLS, to ensure the confidentiality of transmitted data.

Anomalous Behavior Detection

Sophus configures its infrastructure to analyze audit logs for identifying suspicious activities and potential threats.

Capacity & Performance Monitoring

Sophus continuously monitors critical assets to optimize performance, plan for future capacity, and mitigate denial-of-service risks.

Protection of Data in Non-Production Environments

Sophus ensures that customer data used in testing environments receives the same level of security as production data.

Centralized Security Event Logging

Sophus configures infrastructure to generate and store audit logs for all critical security-related activities.

Virtual Private Cloud Implementation

Sophus utilizes AWS as its exclusive hosting provider, ensuring all data remains within a secure Virtual Private Cloud (VPC).

Application Security (7)

Privacy Notice Accessibility

Sophus ensures that the most current privacy-related information is readily accessible to customers on its website.

Secure System Modifications

Sophus adheres to structured protocols for securely modifying its operational environment.

Change Approval Procedures

Sophus has established formalized procedures to ensure all system modifications are thoroughly reviewed and approved before implementation.

Unauthorized Activity Monitoring

Sophus utilizes Sprinto for continuous security monitoring, providing alerts on unauthorized access level changes for team members.

Code Analysis & Vulnerability Detection

Sophus employs GitHub Dependabot for automated static code analysis to identify vulnerabilities and dependency risks.

Secure Software Development Life Cycle

Sophus follows a secure SDLC framework, ensuring that new feature releases adhere to security best practices without compromising existing applications.

Patch & Vulnerability Management

Sophus remediates identified vulnerabilities within defined timeframes based on severity levels, ensuring timely patching and software updates after rigorous testing.

Corporate Security (8)

Code of Business Conduct

Sophus maintains a well-documented policy outlining behavioral standards and ethical business practices.

Organizational Structure & Governance

Sophus implements a structured framework to define authorities, facilitate information flow, and assign responsibilities.

Clear Roles & Responsibilities

Sophus establishes transparent communication procedures to ensure staff understand their security-related responsibilities.

Competency-Based Hiring

Sophus ensures that security-sensitive positions are staffed with appropriately qualified professionals.

Personnel Security Screening

Sophus conducts security screenings prior to granting personnel access to critical systems.

Security & Privacy Training

Sophus provides role-specific security and privacy awareness training to all staff.

Performance Evaluations

Sophus assesses employees in IT, engineering, and security roles based on their responsibilities and contributions.

Incident Response Training

Sophus ensures all employees are educated on incident response protocols, covering triage, containment, eradication, and recovery procedures.