TapClicks Information Security Overview
At TapClicks we take information security very seriously. Protecting your data is one of our most important responsibilities. We strongly believe in being transparent about how we work, and this also applies to our security practices, so that you as a customer understand our approach and commitment.
Compliance Certifications and Regulations
TapClicks meets some of the most widely recognized security standards and has implemented processes and technical solutions to help our customers meet their own compliance requirements.
Network Controls
TapClicks manages, controls, and secures its networks, the connected systems, applications, and data in transit to safeguard against internal and external threats.
Firewalls & Threat Defense
TapClicks uses network firewalls, web application firewalls, and/or equivalent mechanisms to safeguard applicable internet connections, internal network zones, and applications from threats. TapClicks configures appropriate firewall alerts and alarms for timely response and investigation. This also applies to applicable wireless networks.
TapClicks ensures that network ports and protocols are restricted based on the principle of least functionality: ports and network routes are opened only where there is a proper business justification. Firewall configurations and rulesets are maintained, and firewall rules are implemented to minimize exposure to external threats. Significant changes to network services and configurations are tracked in accordance with the Change Management Policy. As an additional layer of defense, TapClicks uses monitoring solutions to detect and alert on network-based intrusions and threats.
Risk Management
Risk management is a central activity within TapClicks, and a sound risk culture and effective risk management are of fundamental importance to our long-term stability.
People Security
In the HR area, we work actively in a number of areas to ensure that our employees and consultants understand their responsibilities, are suitable for their roles, and are continuously trained.
Background Check
All TapClicks personnel are required to complete a background check. An authorized member of TapClicks must review each background check in accordance with local laws.
Confidentiality
Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting TapClicks' confidential information.
Onboarding
Everyone follows an established onboarding process that includes signing an Acceptable Use Policy, attending security introduction sessions, and similar steps.
Offboarding
Offboarding follows a strict process with predetermined steps that the employee's direct manager must complete. It also includes communicating the ongoing obligations that remain valid after termination of employment under the signed NDA or the confidentiality clauses of the employment contract.
Secure Coding
TapClicks promotes an understanding of secure coding among its engineers in order to improve the security and robustness of TapClicks products.
Physical Security
Clear Desk
TapClicks personnel are required to ensure that all sensitive information in hardcopy or electronic form is secure in their work area when it is unattended. This requirement extends to both remote and in-office work. TapClicks personnel must remove hardcopies of sensitive information from desks and lock the information in a drawer when desks are unoccupied and at the end of the work day. Keys used to access sensitive information must not be left at an unattended desk.
Clear Screen
TapClicks employees and contractors must be aware of their surroundings at all times and ensure that no unauthorized individuals are able to see or hear sensitive information. All mobile and desktop devices must be locked when unattended. Session time-outs and lockouts are enforced through technical controls for all systems containing covered information. All devices containing sensitive information, including mobile devices, are configured to lock automatically after a period of inactivity (e.g. via a screen saver).
Remote Work
Any TapClicks-issued device used to access company applications, systems, infrastructure, or data may be used only by the employee or contractor to whom it is authorized. Employees or contractors accessing the TapClicks network or other cloud-based networks or tools are required to use HTTPS with TLS 1.2 or later to protect data in transit.
Access Management
Access management controls are implemented to ensure that only authorized individuals can gain access. Users are granted access rights that are sufficient for their role and for performing their duties, following the principles of need-to-know and least privilege.
Authentication
We use authentication controls such as multi-factor authentication (MFA), hardware tokens, and single sign-on (SSO) to secure the accounts used to manage our services.
Access Reviews
Access reviews are performed regularly according to an established process.
Securing Development and Maintenance
Access to the development environment is restricted to authorized employees via logical access controls. Development and production environments are logically separated.
Secure Engineering Principles
TapClicks developers follow secure information system engineering practices for the development of new systems and the maintenance of existing ones. Minimum security standards must be maintained and complied with when implementing new systems. The same secure engineering principles are applied to outsourced development. We continuously monitor the availability of our product using dedicated services.
Incident Management
TapClicks has an established incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to service and security incidents.
Supplier Management
In order to operate in an efficient and effective manner, TapClicks relies on a series of supporting services from third-party suppliers. Where those suppliers are integrated with the TapClicks service or in any other way have an impact on TapClicks' security and risk tolerance, we perform a thorough risk assessment involving different departments within our organization. This is performed prior to the trial period for all new services and as deemed necessary for our current suppliers.
Disaster Recovery
For worst-case scenarios and disaster recovery, TapClicks has an established Business Continuity Plan.
Independent Testing and Assurance
We see independent testing as important for continuous evaluation, and we have established a formal process that includes various types of testing of our security posture. This is done through external partners who are accredited and certified in their field.
Penetration Testing
TapClicks conducts a yearly penetration test using an independent external third party specialized in cyber security. The penetration test is conducted as a white-box test, in which the penetration testers have access to system documentation and source code while conducting the tests. This gives the penetration testers optimal conditions to identify and verify the existence of potential vulnerabilities. An executive summary of the latest penetration test can be shared on request. Internal penetration tests are scheduled twice a year and conducted by the Security Team. Furthermore, continuous security reviews and tests are performed as an integrated part of the secure development method used at TapClicks.
External Audits
TapClicks conducts annual external security audits performed by accredited auditors.
Internal Control
We have an internal control framework that includes a large number of defined controls. Controls are followed up on and evaluated continuously.
For any questions or concerns, or to report an incident, please email us at security@tapclicks.com and a member of our team will get in touch with you.