...

A: Claritum is not ISO 27001 certified, but Rackspace, which provides the hosting infrastructure, is ISO 27001 certified.

Claritum is not certified for ISO 27001 but does have a policy of complying with industry 'best practice'. All data resides on the hosting infrastructure provided by our partner, Rackspace, which holds ISO 27001, ISO 27002, SSAE1, SOC1, SOC2, SOC3, PCI-DSS, Safe Harbor and Content Protection and Security Standards (CPS) certifications.

...

Q: Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test? What were the results?

A: Claritum performs vulnerability testing using internal personnel. This is performed on a regular basis, once per month. If any weaknesses are revealed, we address them through our regular release cycle. Critical vulnerabilities are resolved as part of an emergency release. Claritum can share the most recent vulnerability scanning report on request.


Q: Does Claritum maintain cybersecurity policies, including a written security policy or plan?

...

A: TLS and SSL are used to encrypt all data in transit. Passwords are hashed with bcrypt (Blowfish-based) using random per-password salts, with HMAC authentication.

Data at rest (databases) is not encrypted, but backups are encrypted using AES-256.
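As an added illustration (not Claritum's code and not part of the original questionnaire), the Python helper below checks a dump of stored password hashes for what the answer above claims: bcrypt format, an adequate cost factor and a distinct salt for every password. The usernames and hash strings are constructed for the example, and the minimum cost of 10 is an assumption about what counts as adequate.

```python
import re
from collections import Counter

# A modular-crypt bcrypt string has the shape
#   $<2a|2b|2y>$<cost>$<22-char salt><31-char digest>
# where salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

MIN_COST = 10  # assumption: fewer than 2^10 rounds is treated as too weak


def parse_bcrypt(stored):
    """Return (variant, cost, salt, digest) or None if the string is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    return variant, int(cost), salt, digest


def audit_hashes(rows):
    """rows: iterable of (username, stored_hash). Returns a dict of findings:
    users whose hash is not bcrypt, users with a weak cost factor, and groups
    of users that share a salt (a salt reuse means the salt is not random)."""
    findings = {"not_bcrypt": [], "weak_cost": [], "reused_salt": []}
    salt_counts = Counter()
    users_by_salt = {}
    for user, stored in rows:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings["not_bcrypt"].append(user)
            continue
        _variant, cost, salt, _digest = parsed
        if cost < MIN_COST:
            findings["weak_cost"].append((user, cost))
        salt_counts[salt] += 1
        users_by_salt.setdefault(salt, []).append(user)
    for salt, n in salt_counts.items():
        if n > 1:
            findings["reused_salt"].append(users_by_salt[salt])
    return findings


# Constructed sample rows: the salt and digest parts are illustrative strings
# of the right length and alphabet, not hashes of real passwords.
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + "R9h/cIPz0gi.URNNX3kh2O" + "PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("bob",   "$2b$12$" + "abcdefghijklmnopqrstuv" + "0123456789ABCDEFGHIJKLMNOPQRSTU"),
    # weak cost factor and the same salt as bob
    ("carol", "$2a$04$" + "abcdefghijklmnopqrstuv" + "zyxwvutsrqponmlkjihgfedcba98765"),
    # unsalted MD5 hex digest, not bcrypt at all
    ("dave",  "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    for kind, hits in audit_hashes(SAMPLE_ROWS).items():
        print(kind, hits)
```

Run against a real export, the three findings lists should all be empty if the claim holds; any entry in them is a concrete question to put back to the vendor.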


Q: Please provide details of encryption and key management.

...

A: London. No part of the UK hosting infrastructure resides outside the UK. However, data may be transferred outside the UK/EEA if, for example, you (the data controller), a supplier or a customer reside outside the UK/EEA.


Q: What are Claritum's policies regarding the secondary use of customer data? Are there technical limitations on the secondary use of our data?

...

A: All your data is held in a self-contained database schema and file-storage containers. Upon completion, the DB schemas and file-storage containers are permanently deleted. We can provide encrypted backups of this data to you, if requested, prior to deletion.

...

Q: Describe your security awareness program for personnel.

A: Claritum has a documented Secure Application Development Policy including detailed developer practices. Code is regularly reviewed by senior developers, and relevant security topics are regularly distributed and discussed internally.

...

A: Claritum's internal testing environments do not hold PII. The use of PII data on your test platform would be subject to your policies.

...