Last Updated: June 12, 2023
Veteran Crowd is committed to our customers’ data security and privacy. This statement is meant to provide customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.
Information Security Policy
Veteran Crowd has defined and published a set of information security policies that are:
- Based on PCI DSS and the NIST Risk Management Framework
- Approved by management
- Communicated to all employees and relevant external parties
- Reviewed annually by stakeholders
Product Security Assessments
Veteran Crowd regularly performs a variety of security assessments, both at the application level and on the environments that host our applications. These include:
- Release testing: each release of a product is scanned for security vulnerabilities using security scanners including Checkov (infrastructure-as-code misconfiguration) and Trufflehog (committed secrets).
- In-depth internal security assessments: for major new features, we perform a combination of penetration tests, code reviews, and architectural risk assessments.
- Threat modeling: for major new releases, VCR creates and/or updates threat models that provide a baseline for other security testing activities.
Security for Software as a Service
- Our SaaS offerings run on industry-leading cloud service providers, including Amazon Web Services (AWS), which are known for their security controls and protections.
- In addition to the security provided by our cloud service providers (AWS), VCR uses real-time monitoring tools for cloud configuration and code integrity, a web application firewall, and other security controls.
- Veteran Crowd has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
- The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
- Veteran Crowd has deployed IDS/IPS, Firewalls, and related technologies to protect against external threats.
- Network environments are physically and logically segregated; customer data are logically segregated.
- Security alerts are monitored 24x7 by a dedicated security team.
- Vulnerability scans are performed daily.
- All customer data are encrypted in transit and at rest. Beyond storage-level encryption, sensitive data are also protected with application-layer encryption.
- All traffic is encrypted in transit by default via HTTPS using TLS (Transport Layer Security) 1.2 or higher.
- All persistent data are encrypted at rest in the CSPs using AES-256 or stronger.
Availability, Backup, and Disaster Recovery
- High availability is achieved using the native cloud orchestration capabilities of AWS.
- Customer data are backed up daily with a 35-day retention policy.
- The product is implemented on AWS Lambda (serverless); functions recover and scale automatically because of the cloud-native architecture.
- In general, across all types of disaster situations, including failures beyond core infrastructure, VCR's recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.
- Only limited production personnel have access to customer data. Access is reviewed every 90 days.
- Multi-factor authentication (MFA) is required for VCR staff to access critical company IT systems and applications.
Logging and Monitoring
User and system administrator activities are logged and:
- Routed to a centralized log for monitoring, analysis, and alerting
- Protected from tampering
- Retained for at least one year
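One common way to make a centralized activity log tamper-evident, as an added illustration (this is example code written for this page, not Veteran Crowd's logging implementation, and the log events, field names and key are constructed placeholders): each record carries an HMAC over the previous record's tag and its own body, so that editing, deleting or reordering any earlier record invalidates every later tag and a verifier holding the key can pinpoint the first bad record.

```python
"""Tamper-evident log chaining (added example, not Veteran Crowd's code).

Each record's tag = HMAC-SHA256(key, previous_tag || canonical(body)).
Because every tag depends on the one before it, altering, deleting or
reordering any record breaks verification of that record and all later ones.
"""
import hashlib
import hmac
import json

# Constructed placeholder key for the example only. In a real deployment the
# verifier key lives in a KMS/HSM or secrets manager and is never embedded.
LOG_KEY = b"example-verifier-key-not-for-production"

# Tag assumed for the (non-existent) record preceding the first one.
GENESIS_TAG = "0" * 64


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same event always produces the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, body: dict, key: bytes = LOG_KEY) -> str:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(_canonical(body))
    return mac.hexdigest()


def append(chain: list, body: dict, key: bytes = LOG_KEY) -> list:
    """Append one event; its tag binds to the tag of the last record in the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"seq": len(chain), "body": body, "tag": _tag(prev_tag, body, key)})
    return chain


def verify(chain: list, key: bytes = LOG_KEY) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad record.

    A sequence-number mismatch catches deletion/reordering even before the HMAC
    check; compare_digest avoids timing leaks on the tag comparison.
    """
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(chain):
        expected = _tag(prev_tag, rec["body"], key)
        if rec.get("seq") != i or not hmac.compare_digest(rec.get("tag", ""), expected):
            return i
        prev_tag = rec["tag"]
    return -1


def build_sample_chain() -> list:
    """Constructed sample of administrator activity events (not real log data)."""
    events = [
        {"ts": "2023-06-12T14:03:10Z", "actor": "admin1", "action": "iam:AttachRolePolicy", "target": "role/app-deploy"},
        {"ts": "2023-06-12T14:05:42Z", "actor": "admin1", "action": "rds:ModifyDBInstance", "target": "db/prod"},
        {"ts": "2023-06-12T14:07:00Z", "actor": "svc-ci", "action": "lambda:UpdateFunctionCode", "target": "fn/api"},
    ]
    chain = []
    for event in events:
        append(chain, event)
    return chain


def tamper_and_verify() -> int:
    """Rewrite the actor on record 1, as someone covering their tracks would, then re-verify."""
    chain = build_sample_chain()
    chain[1]["body"]["actor"] = "someone-else"
    return verify(chain)


def delete_and_verify() -> int:
    """Drop record 1 entirely; the gap is detected at the position where it was."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


if __name__ == "__main__":
    print("intact chain:", verify(build_sample_chain()))   # -1
    print("edited record detected at:", tamper_and_verify())  # 1
    print("deleted record detected at:", delete_and_verify())  # 1
```

Chaining only makes tampering detectable, not impossible: the verifier key must be held separately from the systems that write the log (for example by the log collector or an audit service), and the latest tag should be periodically anchored somewhere the log writer cannot reach, otherwise an attacker with the key can simply recompute the chain.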
Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
All changes are logged via a ticketing system, and approvals are required and tracked.
The technical review includes a risk assessment and all other technical aspects of the change.
We are PCI-DSS compliant.