Third Party Risk Assessment

POLICY AND STANDARDS

1. Is your company UK or EU based (i.e. all servers/ staff sit within the EU and are therefore under EU GDPR legislation).

Yes.

2. Do you ISO27001 certification or another form of information security accreditation (e.g. A GDPR compliant certificate, PCI DSS, ISO22301/BS2599, COBIT)

Yes, the service is run on GCP (Google Cloud Platform) in North America. This facility completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls (SOC 1, 2 and 3) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, GCP has achieved ISO 27001 certification and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), HIPAA and more.

3. Do you have written information security, data protection and confidentiality policies that outline your overall policy framework?

Yes, see our security policy statement

DATA PROTECTION AND PRIVACY

4. Do you have a DPO in place?

Yes, dpo@generalaudittool.com

5. Do you maintain a record of your data processing activities in line with the requirements of the General Data Protection Regulation including DPO details; Processing purpose; Data types; Sharing details; International transfers; Retention periods?

Yes.

6. Will you need to/ be required to access personal data/ confidential information belonging to our organization? e.g. staff; customer data; confidential business information.

Yes. GAT only requires metadata. We build our exposure profile based purely on the metadata. GAT never retrieves file contents for auditing. We believe the risk in extracting file contents from the secure ‘shredded’ environment of Google’s servers to any third party software is too great for companies serious about security, so we don’t do it. Some of the most security-sensitive government customers in the US and the UK use GAT precisely because we don’t extract file contents.

INFORMATION SECURITY AND RISK MANAGEMENT

7. Do you have a policy and process for secure disposal of both IT equipment and media?

No customer data is ever stored on local equipment or media. Google is responsible for this.

8. Will our organisation be able to manage who has access to the service (our organization´s staff)?

GAT is the very first Google Workspace security tool provider to offer ‘lock and key’ access to Google Workspace files and emails. Ever aware that end-user security is paramount, this feature set goes much further than any of our competitors, not only does it allow for full file management, but it is the only tool to give silent views of all files and emails (Admins and Security Officers won’t appear as ‘Viewers’ of the files or emails), while at the same time it executes in a secure way that deeply protects end user’s rights. We carefully designed the solution to require both a lock and key for access. Managers, C level executives and security officers can also relax knowing you cannot download GAT and have unrestricted access to sensitive financial files or snoop on HR emails. Google Workspace Admin staff using GAT can report that they have the most functional security tool in the marketplace, yet with the highest security standards available.

9. Do you have an encryption policy which covers data encryption in transit and at rest?

“The Tool itself runs using a 2048-bit modulus RSA key, SHA256 used for hashing, AES (256-bit) used for encryption. It is Verified by Comodo. This ensures the site you connect to is who it says it is (generalaudittool.com), thus eliminating man in the middle attacks. It also ensures that any data transferred is moved inside an HTTPS tunnel, from Google to the audit tool and from the audit tool to your browser.

10. Do you undertake security testing and audits such as penetration testing and internal and external vulnerability scanning?

We depend on Google for security and pen-testing.

INCIDENT MANAGEMENT

11. Do you have a Security/ Breach Incident Management Policy and Procedure in place?

In the event of a customer data breach, we have a declared policy of customer notification. The response to any specific incident will depend on the nature of the incident and is not defined in specific terms.

12. Do you have a Business Continuity Policy in place?

For business continuity of our cloud services, we are dependent on GCP business continuity.

13. Do you have a Privacy policy? As an EU based company, this would comply with GDPR requirements.

Our privacy policy is stated as complete non-disclosure of customer data and automatically implemented ‘right to be forgotten’ of customer data after 30 days since last use. This policy predates GDPR. There is no access to customer data by any staff other than development engineers. Customer data is never removed from GCP.

14. You are based in Ireland, and run services on the North American GCP. Could you please confirm your view as to whether this means that data transfers outside of the EU?

Yes, we are based in Ireland. We state so clearly on our website. Yes, our services are run 100% from GCP in North America. It is our view that data is transferred out of the EU and its protection is covered by Google under the EU/US data protection umbrella agreement. We as a data processor are covered directly by EU law.

METADATA MANAGEMENT

15.  What data do we work with?

We process and store metadata.

16. Where is the metadata stored?

It’s stored on Google Cloud Platform (GCP). The GCP is located in the US-central region (Google Data Center: Council Bluffs, Iowa, USA).

17. How is my metadata kept secured?

Data at rest is encrypted with AES-256 algorithm.

18. Is my metadata secure during transit?

Data in transit is encrypted with TLS.

19. Who has access to my metadata?

Engineers responsible for production environment and Support engineers can have access to their metadata.

20. How is metadata accessed via Google API?

This metadata is accessed directly from Google Workspace via HTTPS, the same encryption standard that you use to access Google Workspace.