TRUST & SECURITY

Deutsch | Français

The following outlines Sourcepoint’s approach to privacy, security and compliance for the Sourcepoint portfolio of products. Included are details of  our privacy and security practices including our organizational and technical controls to protect confidentiality, integrity, availability, and resilience  of corporate and customer data. 

Dedicated Team 

Sourcepoint’s Chief Privacy Counsel and Information Security Director bring an excess of thirty five years of professional experience and are  committed to ensuring Sourcepoint maintains a culture of Privacy and Security beyond mere compliance. 

Training and Awareness 

Security and privacy awareness are conducted at least once per calendar year. Sourcepoint staff participate in training as part of onboarding and  as often as quarterly thereafter. Specialized role-based training is provided for key stakeholders including, but not limited to, software developers  and senior leadership. 

Vulnerability and Patch Management 

Sourcepoint’s vulnerability and patch management program consists of annual penetration testing conducted by independent third party, network  and application vulnerability scanning, and monthly patching of high and critical severity vulnerabilities. 

Malware Prevention 

User endpoints are configured to run with corporate approved anti-malware solutions that are regularly updated.

Logging and Monitoring 

Except where adherence to regulatory guidelines suggests otherwise, logs from production systems are retained for a minimum of 90 days. Logs  are protected from unauthorized access, alteration or destruction. Logs are periodically reviewed and configured to generate alerts when  immediate mitigation may be necessary. 

Incident Management 

Sourcepoint has a documented Incident Response program that includes at least annual training of all staff on their responsibilities to report  security weaknesses and vulnerabilities. The process provides guidance on notification requirements for customers that will meet or exceed all  regulatory requirements. 

Access control 

The principles of least privilege and need to know access form the foundation of the Sourcepoint access control practices. Strong authentication  including multi-factor authentication, breached password detection and quarterly access reviews, minimize the chance for unauthorized access to  protected resources. 

Third party risk management 

Sourcepoint vendors and suppliers are evaluated in accordance with Sourcepoint’s security and privacy standards, always considering use cases  and data accessed or processed. Sourcepoint will only conduct business with vendors or suppliers who can meet these standards. 

Software development 

Sourcepoint utilizes an agile software development methodology where the phases include Design, Development, QA and Deployment. All  application code is peer reviewed for quality and security. Web applications developed with secure coding best practices including, but not limited  to, preventing the OWASP Top 10 application security risks. Production and non-production environments are logically and/or physically  segregated. 

Change Management 

All system, application or network changes at Sourcepoint are subject change management review and approval. All changes are evaluated for  their value/impact to the business and potential risk. 

Backups and Business Continuity 

At least once per day full backups of databases are conducted. Backups are stored encrypted and retained for no more than thirteen months.  Business Continuity plans are reviewed and tested at least once annually. Production environments are often hosted across multiple availability  zones to ensure continuity of services should one zone or datacenter become unavailable. 

Third Party Attestation 

As part of the ongoing commitment to support customers with the highest level of information security and privacy management,  Sourcepoint maintains certification to ISO/IEC 27001 and 27701 standards, of which it is audited against annually. 

Data Minimization/Retention 

Sourcepoint makes every effort to limit collection and retention of PII to the minimum elements required. Sourcepoint leverages anonymization  and de-identification techniques to reduce the risk of unauthorized or unintended disclosure. PII is only retained for as long as required and in  accordance with applicable regulatory guidelines.

Sourcepoint’s Role as Processor 

Sourcepoint in its role as a Data Importer and Processor will process IP addresses for the purpose of determining the location of our clients  property visitors. Processing of location information of client website visitors is strictly for the purpose of ensuring geographic specific messaging  can be displayed. Client property visitors will be assigned a randomly generated UUID utilized for the purpose of mapping consent decisions only. 

Contact 

All security related inquiries should be directed to informationsecurity@sourcepoint.com and privacy related inquiries should be directed to privacy@sourcepoint.com.