Security Disclosure Statement
Beauceron Security Inc. is committed to the security and privacy of our customers – our core mission is to put you in control of technology through our products and services.
Keeping your data secure is our most important task. We have developed our Terms of Service and Privacy Policy to be clear, fair and to protect the information you entrust to us. In addition to those foundational documents, we have prepared this security disclosure statement to provide you with additional information and answer any questions you may have about our commitment to security.
COMPLIANCE
Beauceron Security is proud to have been certified ISO/IEC 27001:2013 compliant since 2020. We participate in an annual surveillance audit to ensure that our operations and software development remain compliant.
Beauceron Security also participates in the Cloud Security Alliance’s Security, Trust, Assurance and Risk (CSA-STAR) program and maintains a Consensus Assessment Initiative Questionnaire (CAIQ), which is available in the STAR registry here: https://cloudsecurityalliance.org/star/registry/beauceron-security-inc/.
Information Security Team Certifications
Beauceron Security’s information security and management team has 20+ years of industry experience and holds relevant industry certifications such as:
ISACA Certified Information Security Manager (CISM)
GIAC Information Security Professional (GISP)
GIAC Certified Incident Handler (GCIH)
GIAC Critical Controls Certification (GCCC)
ISO/IEC 27001:2013 Internal Auditor
ACCESS AND AUTHENTICATION CONTROLS
Access to customer data is restricted on a business and need-to-know basis. Customer data never leaves our production environment and is strictly prohibited from entering our development environment. Wherever possible, multifactor authentication is used to protect privileged access, and it is always present on systems containing customer information.
DATA HANDLING AND DATA PRIVACY
Beauceron Security strives to maintain compliance with the European Union’s General Data Protection Regulation 2016/679 (GDPR). We rely on the EU Commission-approved standard contractual clauses for data transfer from the EEA to North America, and we have policies and procedures in place to comply with applicable data privacy laws in the countries in which we operate.
Please see our Privacy Policy to learn more about the types and lifecycle of data we collect and process.
DATA ENCRYPTION
Beauceron Security utilizes TLS for the encryption of data in transit and Azure Transparent Data Encryption for the encryption of data at rest. We use Azure Key Management Services (KMS) to handle encryption keys across all our products and production environments. Within Azure, we specifically use Azure Kubernetes Service (AKS), which is protected by an Azure load balancer/firewall that only permits HTTPS traffic. Customer databases are stored within the Azure SQL Database service, which is protected by firewalls that limit access to authorized networks.
DATA CENTER LOCATION
Beauceron Security’s primary production environment is located in Microsoft Azure’s Canada Central region, with backup facilities in Azure’s Canada East region. Azure is responsible for cloud infrastructure, and Beauceron Security is responsible for the security of the software-as-a-service we provide utilizing that cloud infrastructure. You can review all of Azure’s compliance offerings at Microsoft’s Service Trust Portal.
DATA BACKUPS AND RETENTION
By default, Beauceron Security maintains 30 days of encrypted customer data backups, audit logs and application logs. Customers can also select data retention schedules within the Beauceron Platform from one (1) to seven (7) years. Azure Backup solutions allow us to perform restoration operations with a recovery point objective (RPO) of less than one hour.
AWARENESS AND TRAINING
All Beauceron Security employees complete mandatory and job-specific security awareness and privacy training upon hire and annually during employment. We conduct continuous phishing and social engineering simulations and quarterly security awareness engagement exercises. All Beauceron Security employees and contractors sign confidentiality and non-disclosure agreements upon hire and before being granted access to customer data. Employee security awareness performance is reviewed by senior staff weekly.
BUSINESS CONTINUITY / DISASTER RECOVERY
As a cloud-first company, Beauceron Security maintains a zero-trust, zero-downtime environment. We continuously monitor our production environment for signs of performance degradation or instability. All our back-office operations are conducted through cloud-based services, so we have no central data centers or corporate network to lose.
CODE SECURITY AND CODE UPDATES
Beauceron Security’s software engineering group implements an Agile process for managing software deployment. All production environment changes are peer reviewed and pass through multiple layers of QA prior to release. We utilize multiple staging environments and deployment rings to control release to production. Development environments are logically and physically separated from the production and test environments, which are themselves logically separated. No customer data is ever used in development environments.
LOGGING AND MONITORING
All production systems are centrally logged using Azure’s security and audit logging facilities (more information available here). Logs are retained for a period of at least 30 days. Logs are continuously monitored and reviewed for the purpose of performance and security monitoring.
VULNERABILITY MANAGEMENT
Beauceron Security utilizes automated web application scanning and vulnerability scanning to catch and kill issues before they make it to production. We also use Azure Defender to identify and manage any security vulnerabilities and protect against potential threats in our production environment. Scans are reviewed weekly and reported to senior management.
On a semi-annual basis, Beauceron Security contracts with an external company to perform a manual, independent vulnerability assessment and penetration test. Any reported issues are addressed, and an issue closure retest is conducted after the report to ensure all issues are resolved. Clients and prospective clients can contact their sales or customer success representative to arrange for a review and discussion of our most recent findings.
PENETRATION TESTING / BUG BOUNTY / REPORT SECURITY VULNERABILITIES
Beauceron Security is committed to the open exchange of information with regards to the security of our products and services. If you believe you have discovered a flaw in one of our products, please contact our security team directly. Security testing, automated scanning or potentially disruptive activities without prior consent are not permitted, so please contact us first. Questions about this process or this document may also be directed to security@beauceronsecurity.com. In the interests of privacy and security, only inquiries from verified security researchers will be addressed.