PiperChat Security Portal

Overview

Powered by Middle Out Compression, PiperChat is the world's premier video chat platform.  At PiperChat, we value the security of your data above all.

Operations Management

Backups

Our solution is backed up to the Hooli Cloud and is personally guaranteed by Gavin Belson.  All data is encrypted using the impenetrable ROT13 standard.

Maintenance Schedule Downtime

Downtime is scheduled and communicated to customers via direct calls from Gilfoyle using our PiperChat platform.  Calls are made in 4k over 3G connections.  Very impressive?

Application Security

Change Control Documentation

Production Change Control

Software Development Lifecycle

It's best you don't ask about this.  We are seldom all on the same page with anything and push up code changes, or even pivot the company, on a whim.

Production Data in Non-Production Environments

When production data is used in our test environment, it goes through a strict sanitization process.

Secure Web Traffic

All web traffic uses HTTPS / TLS 1.2.

Privacy

Business Associate Contract (BAA)

No

Financial Information

Our platform stores the number of commas in your net worth and makes it public if you have more than 2.

Personally Identifiable Information (PII)

User profiles are stored containing the following information:

  • First Name

  • Last Name

  • Email Address

  • Profile Photo

CCPA Compliance

PiperChat's platform was built after the GDPR was in place, and therefore we developed the product with the principles of Privacy by Design and GDPR compliance.

Protected Health Information (PHI)

We use AWS GuardDuty to continuously monitor and alert us to threats to our internal systems. Dunder-Mifflin performs monthly reviews of software dependencies and upgrades any outdated or vulnerable libraries. Additionally, EC2 instances are rotated on a regular basis to use the latest versions of Ubuntu and Amazon Linux. We also subscribe to updates from US-CERT for critical software security issues. We enforce strict firewall rules at the edges. All firewall (security group) changes are applied via Terraform and are subject to code review by a senior member of the engineering team. Employee workstations are protected by local agents running CrowdStrike Falcon.

GDPR Compliance

PiperChat's platform was built after the GDPR was in place, and therefore we developed the product with the principles of Privacy by Design and GDPR compliance.

Threat Management

Penetration Testing

We've been hacked by one of Dinesh's girlfriends.  While we did not hire her, she really made a mess of things and we learned a lot.

External Vulnerability Scanning

Anti-Malware Policy

We use AWS GuardDuty to continuously monitor and alert us to threats to our internal systems. Dunder-Mifflin performs monthly reviews of software dependencies and upgrades any outdated or vulnerable libraries. Additionally, EC2 instances are rotated on a regular basis to use the latest versions of Ubuntu and Amazon Linux. We also subscribe to updates from US-CERT for critical software security issues. We enforce strict firewall rules at the edges. All firewall (security group) changes are applied via Terraform and are subject to code review by a senior member of the engineering team. Employee workstations are protected by local agents running CrowdStrike Falcon.

Internal Vulnerability Scanning

Vulnerability Management Process

Vulnerabilities are managed based on risk level:

  • Critical - Resolved within 24 hours

  • High - Resolved within 7 days

  • Medium - Resolved within 30 days


Physical Security

Physical Security Policy

Solution Security

Customer Data Removal

Our compression algorithm is so good, we never need to delete your data.  Erlich says you're welcome!

Data Encrypted in Transit

Our compression algorithm is so proprietary and indecipherable that it also serves as encryption, so we're good here.

Single Sign On

SAML and Hooli Identity can be used to support single sign-on.

Service Level Agreement

RPO - 24 hours, RTO - 12 hours

Data Encrypted at Rest

Data at rest is protected by AES-256, as provided by various AWS services like RDS and S3, using keys managed by KMS.

Risk Management

Vendor Management Re-Assessment

Yes

Vendor Management Review

Action Plan Approval

Yes

Approved Risk Management Program

Yes

Vendor Policy Review

Yes

Privacy Risk Assessment

Yes

Risk Ownership

Yes

Action Plan Status

Yes

Human Resources

Employee Agreements

Yes

Security Awareness Training

Yes

Off-boarding Process

Yes

Human Resource Policy

Background Screening

Yes

Roles and Responsibilities

Disciplinary Process

End User Device Security

Log Review and Alerting

Logs are retained anywhere from 2 weeks to indefinitely depending on the type.

Log Collection and Storage

Logs are retained anywhere from 2 weeks to indefinitely depending on the type.

Network Security

Intrusion Prevention

We use AWS GuardDuty to continuously monitor and alert us to threats to our internal systems.

Network Device Hardening

Intrusion Detection

Asset and Data Management

Asset Management Policy

All assets housing sensitive data are managed by AWS.

Data Classification

Yes

Removable Media Policy

No

Business Resiliency

Business Resiliency Plan

Yes

Business Continuity Plan

Yes

Recovery Time Objective

Yes

Recovery Point Objective

Access Control

Staff Scoped Data Access

Internally Shared User Accounts

We do not share user accounts, as per our cybersecurity policy.

Compliance

Internal Compliance Department

Yes

Incident Event and Communications Management

Formal Incident Response Plan

Security Policy

Policy Review Cadence

Information Security Policy

Organizational Security

Designated Security Point of Contact

Certifications

FedRAMP

scheduled 11/17/2022

SOC 2

completed 02/16/2022

SOC 1

completed 03/01/2022
