Controls
Here we detail the controls we have in place to minimize security risks for our customers.
Infrastructure
HowdyGo follows industry best-practices for its architecture and infrastructure access.
High-level overview of our infrastructure:
- Web-app hosting: Vercel
- Storage and underlying architecture: AWS
Controls
| Control | Details | Status |
|---|---|---|
| Encryption Key Access Restricted | The company restricts privileged access to encryption keys to authorized users with a business need. | ✅ |
| Unique Account Authentication Enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | ✅ |
| Production Application Access Restricted | System access restricted to authorized access only. | ✅ |
| Access Control Procedures Established | The company's access control policy documents the requirements for the following access control functions: adding new users; modifying users; and/or removing an existing user's access. | ✅ |
| Production Database Access Restricted | The company restricts privileged access to databases to authorized users with a business need. | ✅ |
| Firewall Access Restricted | The company restricts privileged access to the firewall to authorized users with a business need. | ✅ |
| Production OS Access Restricted | The company restricts privileged access to the operating system to authorized users with a business need. | ✅ |
| Production Network Access Restricted | The company restricts privileged access to the production network to authorized users with a business need. | ✅ |
| Access Revoked Upon Termination | The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs. | ✅ |
| Unique Network System Authentication Enforced | The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. | ✅ |
| Remote Access MFA Enforced | The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | ✅ |
| Remote Access Encrypted Enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | ✅ |
| Intrusion Detection System Utilized | The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches. | ✅ |
| Log Management Utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | ✅ |
| Infrastructure Performance Monitored | An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. | ✅ |
| Network Segmentation Implemented | The company's network is segmented to prevent unauthorized access to customer data. | ✅ |
| Network Firewalls Reviewed | The company reviews its firewall rulesets at least annually. Required changes are tracked to completion. | ✅ |
| Network Firewalls Utilized | The company uses firewalls and configures them to prevent unauthorized access. | ✅ |
| Network and System Hardening Standards Maintained | The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually. | ✅ |
| Service Infrastructure Maintained | The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats. | ✅ |
Organizational
| Control | Details | Status |
|---|---|---|
| Asset Disposal Procedures Utilized | The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed. | ✅ |
| Production Inventory Maintained | The company maintains a formal inventory of production system assets. | ✅ |
| Portable Media Encrypted | The company encrypts portable and removable media devices when used. | ✅ |
| Anti-Malware Technology Utilized | The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | ✅ |
| Employee Background Checks Performed | The company performs background checks on new employees. | ✅ |
| Code of Conduct Acknowledged by Contractors | The company requires contractor agreements to include a code of conduct or reference to the company code of conduct. | ✅ |
| Code of Conduct Acknowledged by Employees and Enforced | The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy. | ✅ |
| Confidentiality Agreement Acknowledged by Contractors | The company requires contractors to sign a confidentiality agreement at the time of engagement. | ✅ |
| Confidentiality Agreement Acknowledged by Employees | The company requires employees to sign a confidentiality agreement during onboarding. | ✅ |
| Performance Evaluations Conducted | The company managers are required to complete performance evaluations for direct reports at least annually. | ✅ |
| Password Policy Enforced | The company requires passwords for in-scope system components to be configured according to the company's policy. | ✅ |
| Visitor Procedures Enforced | The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas. | ✅ |
| Security Awareness Training Implemented | The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter. | ✅ |
Product
| Control | Details | Status |
|---|---|---|
| Data Encryption Utilized | The company's datastores housing sensitive customer data are encrypted at rest. | ✅ |
| Control Self-Assessments Conducted | The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. | ✅ |
| Data Transmission Encrypted | The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | ✅ |
| Vulnerability Monitoring Procedures Established | The product is scanned for vulnerabilities as part of each release cycle. | ✅ |
Internal security
| Control | Details | Status |
|---|---|---|
| Configuration Management System Established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | ✅ |
| Change Management Procedures Enforced | The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. | ✅ |
| Production Deployment Access Restricted | The company restricts access to migrate changes to production to authorized personnel. | ✅ |
| Development Lifecycle Established | The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. | ✅ |
| Board Oversight Briefings Conducted | The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed. | ✅ |
| Board Charter Documented | The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control. | ✅ |
| Board Expertise Developed | The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed. | ✅ |
| Backup Processes Established | The company's data backup policy documents requirements for backup and recovery of customer data. | ✅ |
| System Changes Externally Communicated | The company notifies customers of critical system changes that may affect their processing. | ✅ |
| Management Roles and Responsibilities Defined | The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls. | ✅ |
| Organization Structure Documented | The company maintains an organizational chart that describes the organizational structure and reporting lines. | ✅ |
| Roles and Responsibilities Specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | ✅ |
| Security Policies Established and Reviewed | The company's information security policies and procedures are documented and reviewed at least annually. | ✅ |
| Support System Available | The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | ✅ |
| System Changes Communicated | The company communicates system changes to authorized internal users. | ✅ |
| Access Requests Required | The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. | ✅ |
| Incident Response Policies Established | The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users. | ✅ |
| Incident Management Procedures Followed | The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures. | ✅ |
| Physical Access Processes Established | The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners. | ✅ |
| Data Center Access Reviewed | The company reviews access to the data centers at least annually. | ✅ |
| Company Commitments Externally Communicated | The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS). | ✅ |
| External Support Resources Available | The company provides guidelines and technical support resources relating to system operations to customers. | ✅ |
| Service Description Communicated | The company provides a description of its products and services to internal and external users. | ✅ |
| Risk Assessment Objectives Specified | The company specifies its objectives to enable the identification and assessment of risk related to the objectives. | ✅ |
| Third-party Agreements Established | The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity. | ✅ |
| Vendor Management Program |
Data and privacy
| Control | Details | Status |
|---|---|---|
| Data Retention Procedures Established | The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. | ✅ |
| Customer Data Deleted Upon Leaving | The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. | ✅ |
| Data Classification Policy Established | The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. | ✅ |