Security Policy
Last updated: 12 March 2024
Purpose
Security is a key design parameter for Grasple in its infrastructure, functionality and its policies. The purpose of this document is to protect the confidentiality and integrity of all the data which we collect and store. This policy applies to data of our own company, data of our customers, and data of users of our platform.
Scope
This policy applies to all employees of Grasple who work with documents or information concerning customers, partners or any other party about whom the organization has collected information in the normal course of its business.
Goals and objectives
The goals and objectives of this policy are to:
- Protect information from unauthorized access or misuse;
- Ensure the confidentiality of information;
- Maintain the integrity of information;
- Maintain the availability of information systems and information for service delivery;
- Comply with regulatory, contractual and legal requirements;
- Dispose of information in an appropriate and secure manner when it is no longer in use.
Awareness and training
The entire management is aware of the security policy and is committed to supporting this effort on an ongoing basis. A security officer is responsible for implementing and maintaining information security. All other employees of Grasple are kept up to date on our information security policy and are responsible for following the policies and guidelines in place.
New employees follow an information security and privacy awareness training and take an exam on their first day, which they must pass with a 100% score.
Security measures and evaluation
At Grasple, we are dedicated to securing the data that we use and to complying with national and international security standards. Therefore, we have various security measures in place. A general outline is given below.
- Security is always a consideration in the development process of our application. With every development project, we analyze whether any of the tasks or goals affect the security of our platform. To ensure our application is secure, we use best practices and guidelines and keep track of updates of those best practices and guidelines.
- We apply least-privilege policies both in our own platform and in the systems we use. This ensures that Grasple employees and users of the platform only have access to the information they require to perform their job or goal.
- Our infrastructure is shielded from the internet by default; only the gateways required for the application to function (e.g. the load balancer of the API server) are accessible.
- Data is encrypted at rest and in transit by default.
- We run automated vulnerability scanners on our codebase and infrastructure, which inform the security team as soon as a potential vulnerability is found. Findings are fixed according to our risk assessment and management procedure.
- We have automated patch management, which updates the software we use periodically so that the latest patches (including security fixes and improvements) are installed.
- We use a continuous deployment procedure to ensure we can quickly deploy patches, security fixes and features. Here we use the principle of Development, Review and Deployment which ingrains the philosophy of DTAP.
- We follow the best practices/guidelines on security (e.g. OWASP), for example within the areas of Encryption, Traffic, Authentication and Authorization and Preventing Injections.
- We back up the application data every 24 hours and delete the backups after a set retention period. Both the creation and the removal of backups are automated.
- We monitor our system in multiple ways: error logging, access logging, audit logging and performance monitoring. This allows us to act quickly and verify (security) events if need be.
- If and when we use third parties, we critically analyze different providers and choose the third party based on their security awareness and extensive reporting on their security measures, GDPR compliance and reliability. When becoming a partner, the third party signs a DPA and they only receive the minimal set of personal data required for their goal.
Our security approach is regularly audited by an external auditor using the Privacy Control Framework (PCF) created by NOREA (the professional association of IT auditors in the Netherlands). The PCF is based on the ISO 27001 and ISO 27002 frameworks. The outcome of the latest audit is that Grasple complies with the control objectives for processors of the Privacy Control Framework (PCF), meaning that the auditor has validated that we have processes and measures in place regarding information security and the handling of personal information.
Continuous improvement
Grasple is committed to continuously improving its information security system. We actively monitor for vulnerabilities in our application, using both automated and manual methods. If needed, external support is sought from external partners, such as technical advice, independent security testing, or audits by independent parties.