Controls
Here we detail the controls we have in place to minimize security risks for our customers.
Infrastructure
HowdyGo follows industry best-practices for its architecture and infrastructure access.
High-level overview of our infrastructure:
- Web-app hosting: Vercel
- Storage and underlying architecture: AWS
Controls
| Control | Details | Status |
|---|---|---|
| Encryption Key Access Restricted | The company restricts privileged access to encryption keys to authorized users with a business need. | ✅ |
| Unique Account Authentication Enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | ✅ |
| Production Application Access Restricted | System access restricted to authorized access only. | ✅ |
| Access Control Procedures Established | The company’s access control policy documents the requirements for the following access control functions: adding new users; modifying users; and/or removing an existing user’s access. | ✅ |
| Production Database Access Restricted | The company restricts privileged access to databases to authorized users with a business need. | ✅ |
| Firewall Access Restricted | The company restricts privileged access to the firewall to authorized users with a business need. | ✅ |
| Production OS Access Restricted | The company restricts privileged access to the operating system to authorized users with a business need. | ✅ |
| Production Network Access Restricted | The company restricts privileged access to the production network to authorized users with a business need. | ✅ |
| Access Revoked Upon Termination | The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs. | ✅ |
| Unique Network System Authentication Enforced | The company requires authentication to the “production network” to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. | ✅ |
| Remote Access MFA Enforced | The company’s production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | ✅ |
| Remote Access Encrypted Enforced | The company’s production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | ✅ |
| Intrusion Detection System Utilized | The company uses an intrusion detection system to provide continuous monitoring of the company’s network and early detection of potential security breaches. | ✅ |
| Log Management Utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company’s ability to achieve its security objectives. | ✅ |
| Infrastructure Performance Monitored | An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. | ✅ |
| Network Segmentation Implemented | The company’s network is segmented to prevent unauthorized access to customer data. | ✅ |
| Network Firewalls Reviewed | The company reviews its firewall rulesets at least annually. Required changes are tracked to completion. | ✅ |
| Network Firewalls Utilized | The company uses firewalls and configures them to prevent unauthorized access. | ✅ |
| Network and System Hardening Standards Maintained | The company’s network and system hardening standards are documented, based on industry best practices, and reviewed at least annually. | ✅ |
| Service Infrastructure Maintained | The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats. | ✅ |
Organizational
| Control | Details | Status |
|---|---|---|
| Asset Disposal Procedures Utilized | The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed. | ✅ |
| Production Inventory Maintained | The company maintains a formal inventory of production system assets. | ✅ |
| Portable Media Encrypted | The company encrypts portable and removable media devices when used. | ✅ |
| Anti-Malware Technology Utilized | The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | ✅ |
| Employee Background Checks Performed | The company performs background checks on new employees. | ✅ |
| Code of Conduct Acknowledged by Contractors | The company requires contractor agreements to include a code of conduct or reference to the company code of conduct. | ✅ |
| Code of Conduct Acknowledged by Employees and Enforced | The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy. | ✅ |
| Confidentiality Agreement Acknowledged by Contractors | The company requires contractors to sign a confidentiality agreement at the time of engagement. | ✅ |
| Confidentiality Agreement Acknowledged by Employees | The company requires employees to sign a confidentiality agreement during onboarding. | ✅ |
| Performance Evaluations Conducted | The company managers are required to complete performance evaluations for direct reports at least annually. | ✅ |
| Password Policy Enforced | The company requires passwords for in-scope system components to be configured according to the company’s policy. | ✅ |
| Visitor Procedures Enforced | The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas. | ✅ |
| Security Awareness Training Implemented | The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter. | ✅ |
Product
| Control | Details | Status |
|---|---|---|
| Data Encryption Utilized | The company’s datastores housing sensitive customer data are encrypted at rest. | ✅ |
| Control Self-Assessments Conducted | The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. | ✅ |
| Data Transmission Encrypted | The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | ✅ |
| Vulnerability Monitoring Procedures Established | The product is scanned for vulnerabilities as part of each release cycle. | ✅ |
Internal security
| Control | Details | Status |
|---|---|---|
| Configuration Management System Established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | ✅ |
| Change Management Procedures Enforced | The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. | ✅ |
| Production Deployment Access Restricted | The company restricts access to migrate changes to production to authorized personnel. | ✅ |
| Development Lifecycle Established | The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. | ✅ |
| Board Oversight Briefings Conducted | The company’s board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company’s cybersecurity and privacy risk. The board provides feedback and direction to management as needed. | ✅ |
| Board Charter Documented | The company’s board of directors has a documented charter that outlines its oversight responsibilities for internal control. | ✅ |
| Board Expertise Developed | The company’s board members have sufficient expertise to oversee management’s ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed. | ✅ |
| Backup Processes Established | The company’s data backup policy documents requirements for backup and recovery of customer data. | ✅ |
| System Changes Externally Communicated | The company notifies customers of critical system changes that may affect their processing. | ✅ |
| Management Roles and Responsibilities Defined | The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls. | ✅ |
| Organization Structure Documented | The company maintains an organizational chart that describes the organizational structure and reporting lines. | ✅ |
| Roles and Responsibilities Specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | ✅ |
| Security Policies Established and Reviewed | The company’s information security policies and procedures are documented and reviewed at least annually. | ✅ |
| Support System Available | The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | ✅ |
| System Changes Communicated | The company communicates system changes to authorized internal users. | ✅ |
| Access Requests Required | The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. | ✅ |
| Incident Response Policies Established | The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users. | ✅ |
| Incident Management Procedures Followed | The company’s security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company’s security incident response policy and procedures. | ✅ |
| Physical Access Processes Established | The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners. | ✅ |
| Data Center Access Reviewed | The company reviews access to the data centers at least annually. | ✅ |
| Company Commitments Externally Communicated | The company’s security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS). | ✅ |
| External Support Resources Available | The company provides guidelines and technical support resources relating to system operations to customers. | ✅ |
| Service Description Communicated | The company provides a description of its products and services to internal and external users. | ✅ |
| Risk Assessment Objectives Specified | The company specifies its objectives to enable the identification and assessment of risk related to the objectives. | ✅ |
| Third-party Agreements Established | The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity. | ✅ |
| Vendor Management Program Established | The company has a vendor management program in place to evaluate and monitor third-party vendors, and reviews their security and privacy posture at least annually. | ✅ |
Data and privacy
| Control | Details | Status |
|---|---|---|
| Data Retention Procedures Established | The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. | ✅ |
| Customer Data Deleted Upon Leaving | The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. | ✅ |
| Data Classification Policy Established | The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. | ✅ |
AI
HowdyGo’s AI features are built on Amazon Bedrock and run within the same AWS environment and controls described above.
| Control | Details | Status |
|---|---|---|
| Customer Data Not Used for Training | The company does not use customer data to train or fine-tune AI or machine learning models. | ✅ |
| AI Provider Does Not Train on Inputs | The company processes AI requests through Amazon Bedrock, where prompts and outputs are not used to train the underlying foundation models or shared with model providers. | ✅ |
| AI Processing Within Trust Boundary | AI requests are processed within the company’s existing AWS environment, subject to the same access, encryption, and monitoring controls as the rest of the service. | ✅ |
| Human Oversight of AI Output | AI features are assistive; generated content is reviewed and approved by the user before it is applied. The company does not use AI to make automated decisions about viewers. | ✅ |
| AI Subprocessors Disclosed | The third parties engaged to process AI requests are documented on the company’s public subprocessors list and subject to the company’s vendor and confidentiality controls. | ✅ |
| AI Conversations Reviewed for Quality | The company may review conversations between editors and its AI assistant to improve prompt quality. Reviews are limited to authorized personnel under the company’s confidentiality controls and are not used to train models. | ✅ |
Last updated on