NowVertical Group Inc. and our subsidiary entity, NowVertical Group, Inc., (collectively, “NowVertical”, “we”, “us” and “our”) are committed to sound information security practices, including cybersecurity, in ensuring the confidentiality, integrity, and availability of assets, and protection against both external and internal threats.
Information Security Policy
NowVertical maintains a written Information Security policy that defines employee’s responsibilities and acceptable use of information system resources. This policy is periodically reviewed and updated as necessary. Also, we receive signed acknowledgements from users indicating that they have read, understand, and agree to abide by the rules of behaviour, before providing authorized access to NowVertical information systems.
Our security policies cover important security-related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications and information systems.
Information security roles and responsibilities are defined within the organization. The security team focuses on information security, global security auditing, compliance, and defining the security controls to protect NowVertical’s assets (People, Processes, and Technology). The security team receives information system security notifications regularly and distributes security alerts and advisory information to the organization on a routine basis after assessing the risk and impact as appropriate.
NowVertical’s data and information system assets typically do not contain customer or end-user assets. Our corporate assets are managed under our security policies and procedures. NowVertical authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by NowVertical security policies. In rare and exceptional cases where end-user assets are contained within our Information technology ecosystem, the same corporate assets security policies and procedures apply.
NowVertical employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees must sign confidentiality agreements and acknowledge the NowVertical code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
Employees are provided with regular security awareness training as part of new hire orientation. In addition, each NowVertical employee is required to read, understand, and take a training course on the company’s code of conduct.
Physical & Environmental Security
NowVertical has policies, procedures, and infrastructure to handle both the physical security of its data centers as well as the environment from which the data centers operate.
Our information systems and infrastructure are hosted in world-class data centers (Azure, AWS and Digital Ocean) that are geographically dispersed to provide high availability and redundancy to NowVertical and its customers. We make full use of the security products embedded within these ecosystem. At a minimum, these data centers have successfully completed ISO 27001 and SOC 2 Type II audits.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support.
Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of various network security threats. Firewalls are utilized to help restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business needs.
NowVertical maintains separate development and production environments. We ensure adequate network segmentation through the establishment of security zones that control the flow of network traffic. Strict firewall security policies define these traffic flows.
Automated tools are deployed within the network to support near-real-time analysis of events to support detection of system-level attacks.
Software Development Lifecycle
We follow a defined methodology for developing secure software designed to increase our products’ resiliency and trustworthiness. Our products are deployed on an iterative, rapid-release development lifecycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle, and security best practices are a mandated aspect of all development activities.
Our secure development lifecycle follows standard security practices, including vulnerability testing, regression testing, penetration testing, and product security assessments. The NowVertical architecture teams review our development methodology regularly to incorporate evolving security awareness and industry practices and to measure its effectiveness.
Supplier and Vendor Relationships
NowVertical likes to partner with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that NowVertical does. As part of its review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data.
We perform audits from time to time on NowVertical suppliers and vendors in an effort to ensure the confidentiality, integrity, and availability of data that our third-party suppliers or vendors may handle.
NowVertical maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the expected changes are operating as intended. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process.
Auditing and Logging
We maintain audit logs on systems. These logs provide an account of which personnel have accessed which systems. Access to our auditing and logging tool is controlled by limiting access to authorized individuals. Security events are logged, monitored, and addressed by trained security team members. Network components, workstations, applications, and relevant monitoring tools are enabled to monitor user activity.
Organizational responsibilities for responding to events are defined. Security events that record critical system configuration changes and administrators are alerted at the time of change. Retention schedules for the various logs are defined in our security control guidelines.
Antivirus and Malware Protection
Anti-virus (XDR) tools are configured to run scans, virus detection, real-time file write activity and signature file updates. Antivirus (XDRs) and malicious code protection are centrally managed and configured to retrieve the updated signatures and definitions available. Malicious code protection policies automatically apply updates to these protection mechanisms. Laptop and remote users are covered under virus protection.
NowVertical has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Although we typically do not house customer data as our products are deployed on the customer premise, we can support and advise our customers on appropriate back-up mechanisms to employ for our deployed solutions. Controls are established to help safeguard backed-up data (onsite and off-site). Periodic tests are conducted to test whether data can be safely recovered from backup devices.
NowVertical continually works to develop products that support the latest recommended secure cipher suites and protocols to encrypt traffic while in transit. We monitor the changing cryptographic landscape closely and work to upgrade our products to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older clients.
We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures. Any non-public information NowVertical may process, handle or store is encrypted at rest.
Security assessments are done to identify vulnerabilities and to determine the effectiveness of the patch management program. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for remediation.
NowVertical strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patches are tested before being deployed into production. Patch management processes are in place to implement security patch updates as vendors release them.
NowVertical has a formalized incident response plan (Incident Response Plan) and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
An incident response team is responsible for providing an incident handling capability for security incidents, including preparation, detection and analysis, containment, eradication, and recovery.
Business Continuity and Disaster Recovery
We implement a disaster recovery program to minimize service interruptions due to hardware failure, natural disasters, or catastrophes. This program includes multiple components to minimize the risk of any single point of failure. Also, we leverage the redundancy built into the tools we use.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords, which are deployed to protect against unauthorized use of passwords.
NowVertical employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job functions. Requests for additional access follow a formal process that involves a request and approval from a data or system owner, manager, or other executives, as defined by our security guidelines.
Role-based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behaviour of any user within our information systems, and security policies limit them to authorized behaviours.