Last Modified 5/18/2022
This Security Overview describes SlapFive’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Platform. As security threats change, SlapFive continues to update its security program and strategy to help protect Customer Data and the Platform. As such, SlapFive reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at https://www.slapfive.com/security-overview. This Security Overview does not apply to any (a) Platform versions that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by SlapFive.
SlapFive maintains a risk-based assessment security program. The framework for SlapFive’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Platform and confidentiality, integrity, and availability of Customer Data. SlapFive’s security program is intended to be appropriate to the nature of the Platform and the size and complexity of SlapFive’s business operations. SlapFive has separate and dedicated Information Security teams that manage SlapFive’s security program. There is a team that facilitates and supports independent audits and assessments performed by third parties. SlapFive’s security framework is based on the SOC2 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with SlapFive’s Chief Information Security Officer (CISO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all SlapFive employees for their reference.
SlapFive has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All SlapFive employees and contract personnel are bound by SlapFive’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
Employee Background Checks. SlapFive performs background checks on all new employees at the time of hire in accordance with applicable local laws. SlapFive currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, SlapFive may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
Employee Training. At least once (1) per year, SlapFive employees must complete a security and privacy training which covers SlapFive’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. SlapFive’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. SlapFive has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
Third Party Vendor Management
Vendor Assessment. SlapFive may use third party vendors to provide the Platform. SlapFive carries out a security risk-based assessment of prospective vendors before working with them to validate they meet SlapFive’s security requirements. SlapFive periodically reviews each vendor in light of SlapFive’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. SlapFive ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of SlapFive.
Vendor Agreements. SlapFive enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
Security Certifications and Attestations
The SOC 2 Type 1 certification presently in process – targeted June of 2022.
Hosting Architecture and Data Segregation
The SlapFive Platform is hosted on the Google Cloud Platform (“GCP”) in the United States of America and protected by the security and environmental controls of Google. The production environment within GCP where the SlapFive Platform and Customer Data are hosted are logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within GCP is encrypted at all times. GCP does not have access to unencrypted Customer Data. More information about GCP security is available at https://cloud.google.com/security. For GCP SOC Reports, please see https://cloud.google.com/security/compliance/soc-2.
GCP data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, SlapFive’s fully remote workforce is covered by policies and automated verification of Virus Protection, Short duration Screen lock, disk encryption for all remote work systems.
Security By Design
SlapFive follows security by design principles when it designs the Services. SlapFive also applies the SlapFive Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.
To minimize the risk of data exposure, SlapFive follows the principles of least privilege through a team-based-access-control model when provisioning system access. SlapFive personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. SlapFive logs high risk actions and changes in the production environment. SlapFive leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
SlapFive has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Platform.
For the SlapFive Platform, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s browser and the Platform utilizes TLS v1.2. All Video and Audio assets Recorded by the SlapFive Platform Customer Data are encrypted at rest using the Advanced Encryption Standard.
SlapFive maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. SlapFive uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in SlapFive’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the SlapFive cluster over a predefined schedule. For high-risk patches, SlapFive will deploy directly to existing nodes through internally developed orchestration tools.
SlapFive performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
Security Incident Management
SlapFive maintains security incident management policies and procedures in accordance with internal policy. SlapFive’s Security Incident Response Team (SIRT) assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. SlapFive retains security logs for one hundred and eighty (180) days. Access to these security logs is limited to SIRT. SlapFive utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
Discovery, Investigation and Notification of a Security Incident
SlapFive will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, SlapFive will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
Resilience and Service Continuity
Resilience. The hosting infrastructure for the SlapFive Services and Segment Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
Service Continuity. SlapFive also leverages specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. SlapFive is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
Customer Data Backups
SlapFive performs regular backups of Customer Data, which is hosted on GCP’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard