GAT Labs

Third Party Risk Assessment

POLICY AND STANDARDS

Is your company UK or EU based (i.e. all servers/staff sit within the EU and are therefore under EU GDPR legislation)?

Yes

Yes, the service is run on GCP (Google Cloud Platform) in North America. This facility completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls (SOC 1, 2 and 3) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, GCP has achieved ISO 27001 certification and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), HIPAA and more.
Yes, see our security policy statement

DATA PROTECTION AND PRIVACY

Do you have a DPO in place?
Yes, dpo@generalaudittool.com

Yes.

Yes. GAT only requires metadata. We build our exposure profile based purely on the metadata. GAT never retrieves file contents for auditing. We believe the risk in extracting file contents from the secure ‘shredded’ environment of Google’s servers to any third party software is too great for companies serious about security, so we don’t do it. Some of the most security-sensitive government customers in the US and the UK use GAT precisely because we don’t extract file contents.

INFORMATION SECURITY AND RISK MANAGEMENT

Do you have a policy and process for secure disposal of both IT equipment and media?
No customer data is ever stored on local equipment or media. Google is responsible for this.
GAT is the very first Google Workspace security tool provider to offer ‘lock and key’ access to Google Workspace files and emails. Ever aware that end-user security is paramount, this feature set goes much further than any of our competitors. Not only does it allow for full file management, but it is also the only tool to give silent views of all files and emails (Admins and Security Officers won’t appear as ‘Viewers’ of the files or emails), while at the same time it executes in a secure way that deeply protects end users’ rights. We carefully designed the solution to require both a lock and key for access. Managers, C-level executives and security officers can also relax knowing you cannot download GAT and have unrestricted access to sensitive financial files or snoop on HR emails. Google Workspace Admin staff using GAT can report that they have the most functional security tool in the marketplace, yet with the highest security standards available.
The tool itself runs using a 2048-bit modulus RSA key, with SHA256 used for hashing and AES (256-bit) used for encryption. It is verified by Comodo. This ensures the site you connect to is who it says it is (generalaudittool.com), thus eliminating man-in-the-middle attacks. It also ensures that any data transferred is moved inside an HTTPS tunnel, from Google to the audit tool and from the audit tool to your browser.
We depend on Google for security and pen testing.

INCIDENT MANAGEMENT

Do you have a Security/ Breach Incident Management Policy and Procedure in place?
In the event of a customer data breach, we have a declared policy of customer notification. The response to any specific incident will depend on the nature of the incident and is not defined in specific terms.
For business continuity of our cloud services, we are dependent on GCP business continuity.
Our privacy policy is stated as complete non-disclosure of customer data and automatically implemented ‘right to be forgotten’ of customer data after 30 days since last use. This policy predates GDPR. There is no access to customer data by any staff other than development engineers. Customer data is never removed from GCP.
Yes, we are based in Ireland. We state so clearly on our website. Yes, our services are run 100% from GCP in North America. It is our view that data is transferred out of the EU and its protection is covered by Google under the EU/US data protection umbrella agreement. We as a data processor are covered directly by EU law.

METADATA MANAGEMENT

What data do we work with?
We process and store metadata.
It’s stored on Google Cloud Platform (GCP), in the US-central region (Google Data Center: Council Bluffs, Iowa, USA).
Data at rest is encrypted with the AES-256 algorithm.
Data in transit is encrypted with TLS.
Engineers responsible for the production environment and support engineers can have access to the metadata.
This metadata is accessed directly from Google Workspace via HTTPS, the same encryption standard that you use to access Google Workspace.

Infrastructure Design
