Information Security Program

SOMA Global maintains an information security program that consists of policies, procedures, and controls to maintain the confidentiality, integrity, and availability of information and information assets.

Compliance

SOMA Global policies, procedures, and standards are in accordance with the SOC 2 Trust Service principles and criteria.

In addition, we hire an accredited third party to audit our compliance with the SSAE 18 SOC 2 standard on an annual basis.

Encryption and Logical Separation

The Cloud Service (AWS) stores content encrypted at rest, using enterprise-grade, industry-standard encryption applied on the storage backend.

Communications between the Customer's endpoints and the Cloud Service (AWS) are encrypted in transit using encryption standards appropriate for data in motion.

The Cloud Service (AWS) includes logical separation of data between customers. In all cases, SOMA Global has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data.

SOMA Global Service Infrastructure Access Management

Least Privilege

Access to the systems and infrastructure that support the Cloud Service (AWS) is restricted to individuals who require such access as part of their job responsibilities.

Unique User Identification

Unique User IDs are assigned to such individuals as part of their hiring and onboarding process.

Password Requirements

The password policy for the Cloud Service adheres to SOMA Global password requirements and is in accordance with industry standards and best practices.

Access Reviews

Access reviews are performed on a periodic basis. Access privileges of terminated SOMA Global personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.

Remote Access Review & Networking

Appropriate security measures and controls are utilized for remote administration points of access to the Cloud Service (AWS) production environment.

All access to the Cloud Service networks and sensitive information requires authentication and other access-related security controls such as MFA and regularly rotated keys.

Vulnerability Management

Secure Software Development

SOMA Global's Software Development Life Cycle (SDLC) framework is based on industry standards such as OWASP, which ensures that secure design practices are integrated directly into the design and development process of SOMA Global systems.

Risk Management

SOMA Global maintains a risk management program based on industry guidance.

SOMA Global conducts risk assessments of varying scope throughout the year, including self-assessments and third-party assessments and tests, automated scans, and manual reviews.

Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.

Security Training and Personnel

SOMA Global maintains a security awareness program for SOMA Global personnel, which provides initial education, ongoing awareness, and individual acknowledgment by each person of their intent to comply with SOMA Global's corporate security policies.

New hires complete initial security training, sign a proprietary information agreement, and digitally sign the information security policy, which covers the key aspects of SOMA Global's information security requirements.

All SOMA Global personnel are required to satisfactorily complete security training annually.

Notification of Security Breach

SOMA Global will notify customers in writing within seventy-two (72) hours of a confirmed Security Breach.

Notifications will summarize the known details of the Security Breach and the status of SOMA Global’s investigation.

SOMA Global will take appropriate actions to contain, investigate, and mitigate any such Security Breach.

Availability and Disaster Recovery

SOMA Global maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually.

SOMA Global also maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency and data redundancy for the SOMA Global Cloud service.

Vulnerability Reporting

In accordance with responsible disclosure, we continue to respond to submitted security issues and encourage anyone to report security bugs in our platform.

To submit a bug for review, please complete the form below: