Explorium’s Commitment to Security
At Explorium, security and regulatory compliance are among our top priorities. We build security into every step of our product development and implementation processes, as well as into our employee procedures. As part of our commitment to compliance and regulation, the main elements of our security framework are outlined below:
- ISO 27001 certification
- SOC 2 Type 2 attestation report
- Internal security audit, managed by the Explorium internal security team and performed once per year; risk assessment is an ongoing, day-to-day activity.
- External security audit, performed once per year by an external cybersecurity company.
- External infrastructure penetration tests and application penetration tests, performed annually or after any major release affecting the product code or architecture.
SOC 2 Type 2 and ISO 27001 Compliance
As part of Explorium’s compliance with SOC 2 Type 2 and ISO 27001, we maintain the following:
- Information security policy
- Information risk assessment process
- Information risk treatment process
- Information security objectives
- Evidence of the competence of the people working in information security
- Evidence of the monitoring and measurement of information security
- The ISMS internal audit program and the results of audits conducted
- Evidence of top management reviews of the ISMS
1. How does Explorium perform encryption at rest and in transit?
For encryption at rest, Explorium uses AES-256. For encryption in transit, Explorium uses TLS 1.1 and higher. Explorium uses AWS Key Management Service (KMS) to encrypt critical information. Note that TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996), so a reviewer of this control should confirm which endpoints still negotiate TLS 1.1 and that a floor of TLS 1.2 is enforced wherever the platform controls the endpoint.
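A protocol floor is something a practitioner can verify rather than take on trust. The Go program below is an added example, not Explorium's code or configuration: it starts a TLS server on loopback with a TLS 1.2 floor (the hardened counterpart of a "TLS 1.1 and higher" setting), then runs handshakes from clients capped at TLS 1.1, 1.2 and 1.3 and reports which versions the server accepts. The self-signed certificate, the host name example.test and the 5-second deadlines are assumptions made for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate so the test server
// has something to present. Constructed for this example; not a production cert.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host name
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerConfig is the hardened setting: nothing below TLS 1.2 is accepted.
// The weaker setting the page describes would be MinVersion: tls.VersionTLS11.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// Handshake runs one TLS handshake over loopback TCP between a client that
// offers at most clientMax (0x0302 = TLS 1.1, 0x0303 = TLS 1.2, 0x0304 = TLS 1.3)
// and a server using ServerConfig. It returns the negotiated version, or the
// error produced when the server's version policy refuses the client.
func Handshake(clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, random port
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	// Server side: accept a single connection and complete the handshake.
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the caller
		errc <- tls.Server(conn, ServerConfig(cert)).Handshake()
	}()

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, &tls.Config{
		InsecureSkipVerify: true,             // self-signed test cert; never do this in production
		MinVersion:         tls.VersionTLS10, // re-enable legacy versions on the client for the test
		MaxVersion:         clientMax,
	})
	if err := c.Handshake(); err != nil {
		<-errc // let the server goroutine finish before the listener closes
		return 0, err
	}
	if err := <-errc; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	for _, max := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		v, err := Handshake(max)
		if err != nil {
			fmt.Printf("client max 0x%04x: rejected (%v)\n", max, err)
			continue
		}
		fmt.Printf("client max 0x%04x: negotiated 0x%04x\n", max, v)
	}
}
```

With the TLS 1.2 floor the TLS 1.1 client is refused with a protocol_version alert while the 1.2 and 1.3 clients succeed; changing ServerConfig to MinVersion: tls.VersionTLS11 makes the first handshake succeed, which is exactly what a review of the "TLS 1.1 and higher" statement should catch. The same check against a live endpoint is a handshake from a client that offers only the deprecated version (for example openssl s_client -connect host:443 -tls1_1), which should fail.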
2. Does Explorium perform penetration testing?
Yes. External infrastructure penetration tests and application penetration tests are performed annually, or after any major change to the platform code or architecture, by an external cybersecurity company.
3. How does Explorium handle risk assessment and management?
Risk assessment and risk treatment apply to the entire scope of the Information Security Management System (ISMS), i.e. to all assets that are used within the organization or that could affect information security within the ISMS. Risk assessment and treatment is an ongoing process, implemented at Explorium through internal and external risk assessments. Assessments and identified risks are recorded in the Risk Management Spreadsheet. The process is coordinated by the CISO; identification of threats and vulnerabilities is performed by asset owners, and assessment of severity and probability is performed by risk owners.
4. What cloud provider does Explorium use?
Explorium runs its platform on AWS. As an AWS customer, Explorium benefits from AWS data centers and a network architected to protect customer information, identities, applications, and devices, and from AWS services and features that help meet core security and compliance requirements such as data locality, protection, and confidentiality.
5. Does Explorium perform vulnerability scans?
Yes. Explorium uses multiple vulnerability assessment (VA) scanners to maintain a secure environment for customers. Findings are categorized, monitored, and remediated according to the risk treatment program.
6. What kind of awareness and training does Explorium perform?
An Information Security (IS) awareness program is in place at Explorium, drawing on several training sources. As part of Explorium’s commitment to compliance and regulation, Explorium delivers multiple awareness training sessions to employees, including but not limited to:
- Information security awareness and training
- Security development awareness and training
7. What kind of secure development lifecycle (SDLC) does Explorium use?
Explorium follows an agile SDLC model. This methodology produces a succession of releases; testing of each release feeds back information that is incorporated into the next version. Static code analysis is integrated into the SDLC process.