Client Related Policies for Ethicontrol Platform

 

 

Why do we have a Fair Usage Policy?

Ethicontrol SaaS product is a multi-tenant service. This means that SaaS services are used concurrently by a number of subscribers. If a single customer places very high demands on the service then it is possible that this will affect the experience for other users.

 

The vast majority of our customers use their service considerately and their usage levels during peak hours don’t disproportionately affect the shared network and service capacity. Even though only a very small number of our customers may use the service inappropriately, their activity has the potential to affect the service for others.

 

Our Fair Use Policy manages the inappropriate use and makes sure the service can be used fairly by everyone.

 

 

Support

Support is typically provided free of charge as part of the Services we offer. To ensure that all customers have equal access to support, we may restrict or suspend access to support for any customer that consuming more support time, or logging more support issues than a typical customer with similar users and a similar subscription.

 

 

Storage

Within your SaaS environment you can store documents to record correspondence as well as data and transactions in the database. To make sure that there is enough storage for everyone, we may limit the amount of data you can save. By default it is 10 GB.

 

The amount of storage may depend on your type of contract and number of users. We've made sure that almost all customers have plenty of disk space when the solutions are used normally. You can always request the actual size of your data storage from our service desk. You can also free up more storage by removing data yourselves, or asking us to help you with our clean-up-service.

 

If we detect that your organisation structurally saves more data than we consider to be fair and normal, we'll contact you to discuss the situation. It's possible to expand your storage and, if appropriate we will only charge a maximum of the published and publicly available Microsoft Azure / AWS / Linode storage charge for the relevant storage solution plus 20%. At that point we'll contact you to discuss alternative storage options.

 

 

Network Traffic and Bandwidth

To prevent a negative effect of excessive network traffic on your user experience or that of others, we monitor the traffic. We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the network bandwidth available to you. If we detect a situation that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available bandwidth.

 

 

Amount of sent and received emails

To prevent spam, we use worldwide blacklists, and spam blockers among other things. To guarantee smooth email traffic from our SaaS products for you and our other customers, we monitor the mail servers.

 

Spam and blacklisting could happen when excessive amounts of emails are sent from the SaaS environments, for example. We maintain very broad margins based on the average use of our SaaS customers with similar contracts. With normal use, you won't notice a thing.

 

When we detect abnormal values that could negatively impact the service, we may limit the number of emails you can send, or take other action as appropriate. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

 

 

Compute and Load

To prevent a negative effect of excessive use of compute resources, on your user experience or that of others, we monitor the compute resources.

 

We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the compute services available to you.

 

Where increased usage is caused by the normal growth of users and customers, we will scale the resources available. If we detect a situation that reflects abnormal use or that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available compute resource.

 

 

Urgent and Extreme Cases

In an urgent or extreme case, for example where services are likely to be significantly impacted, or where we believe your system or ours is under attack (a DDOS - denial of service attack for instance) or where we believe your system or ours has been compromised (for example a hacker or potential a security breach) we may stop the services, or temporarily block your access to them. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

 

In some cases, even without an attack or breach, if your use of the services continues to impact other users, is expected to do so, or is generating costs to us that are not normal when compared to other customers on the same contract and make our service to you unprofitable to maintain, we may isolate your services from the multi-tenanted environments and pass the costs onto you. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

 

 

Legal use only

The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that:

 

(a) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

 

(b) facilitates illegal activity;

 

(c) in a manner that is otherwise illegal or causes damage or injury to any person or property; and Ethicontrol reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to any material that breaches the provisions of this clause.

 

 

Law enforcement

Ethicontrol shall fully co-operate with any law enforcement authorities or court order requesting or directing Ethicontrol to disclose the identity or locate anyone posting any material in breach of clause LEGAL USE clause.

 

 

Respect for intellectual property

The Customer shall not:

 

(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:

(i) and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services or Product Description (as applicable) in any form or media or by any means; or

(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or

 

(b) access all or any part of the Services and Product Description in order to build a product or service which competes with the Services and/or the Product Description; or

 

(c) use the Services and/or Product Description to provide services to third parties; or

 

(d) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Product Description available to any third party, or

 

(e) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Product Description.

 

 

Unauthorised use prevention

The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Product Description and, in the event of any such unauthorised access or use, promptly notify Ethicontrol.

 

The rights provided under this Service Agreement are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer. Only one subscription to the Services may be activated by any company, person or other entity. Duplicate subscriptions for any company, person or entity shall be considered a material breach of the Service Agreement.

 

The Customer undertakes to ensure that all Users comply with this Agreement and acknowledge that Customer shall remain responsible and liable for the acts or omissions of all Users to the same extent as if Customer had carried out such acts or omissions itself.

 

Responsibility for the security of any usernames and passwords issued (including those of any Users) rests with Customer. If Customer has reason to believe that their credentials or User account details have been obtained by another without consent, the Customer should contact Ethicontrol immediately to suspend the account.

 

This policy defines what qualifies as a breach of user data, what actions will be taken in the event of user data exposure or compromise, and the timeline for action.

This policy applies to user data stored on Ethicontrol.com. It does not apply to self-hosted / on-premises instances or instances hosted with other providers than Ethicontrol.com

 

 

Data Classification - What information is covered by this policy

This policy covers "private user data" stored by Ethicontrol.com, and includes:

• Client's database
• Client's files
• Encrypted Passwords
• Private Email Addresses

Note: Ethicontrol.com does not store any "personally identifiable information" (PII) such as (i) Private Addresses, (ii) Credit Card Numbers, (iii) Bank Account Information, (iv) ID numbers (e.g. passport, driver's license, social security, national identification, etc.). Ethicontrol.com and subdomains also does not store any "personal health information" (PHI). Therefore, laws and regulations relating to PII and PHI do not apply.

 

 

What qualifies as a breach?

A breach of user data is the unintended or accidental exposure of private user data. This can be caused by accidents, misconfigurations, or malicious actions performed by an external attacker or team member.

 

An event is considered a data breach when there is evidence that private user data has been exposed to the public or to an untrusted third party.

 

Trusted third parties may have authorized access to user data under a signed Non-Disclosure Agreement (NDA). Such trusted third parties include but are not limited to:

• Cloud service providers
• Database consultants
• Security auditors
• Financial auditors

Some examples of a user data breach would include:

• Compromise of a database server that contains private user data with evidence that an attacker may have had access to or copied the data off-site.
• Compromise of an application server account that has access to private user data and evidence that the attacker has downloaded or accessed private data.
• Theft of a device known to contain private user data.
• Web application attack used to download a list of all user emails and encrypted passwords.

 

What is not considered a breach?

Examples of security incidents that would not be considered a breach of private user data:

• Compromise of an application server that does not contain or have access to private user data.
• Compromise of a team member application account that does not have access to private user data.
• Malware infection on a server or team member computer system that does not contain private user data.
• Compromise of non-sensitive user data such as login IP addresses, login history, project permissions.
• Unintentional disclosure of project names, group names, issue titles, or project or user metadata unless this data can cause damage to the user or their business.
• Discovery of a vulnerability that could have been used to compromise private data, but for which there is no evidence of exploitation.
• Theft of a team member's mobile device that does not contain private user data.
• Theft of a team member's private keys, tokens, or other credentials provided there is no evidence they were used to access private user data.

You can check out these common non-vulnerabilities that will not be considered as a breach.

 

 

Who will be notified in the event of a data breach

If Ethicontrol has detected evidence of a breach of Ethicontrol.com or Ethicontrol Hosted private user data, all affected users will be notified via the configured email address for their accounts. Emails will contain information on what data was exposed or compromised, when, and for how long (to the extent this information is available).

 

For a breach that exposes private data for a large number of users, the public will also be informed via the configured email addresses for their accounts, and additional means of communication will be considered (e.g. press release, the blog, etc.) on a case by case basis.

 

 

Notification timing

Ethicontrol will endeavor to notify users within 24 hours of breach discovery. This may be delayed when necessary to comply with requests by law enforcement.

 

 

Report security issue

We know how much work goes in to pen testing!

 

To avoid frustration, you can check out these common non-vulnerabilities that don't qualify for rewards.

 

Got a valid issue? Awesome! Please include:

• A summary of the problem
• A severity rating of 1 — 5 (1 being least severe, 5 being most ie. you can easily hijack, impersonate or access any other account or data)
• A PoC or breakdown of how to replicate the issue
• The operating system name and version as well as the web browsers name and version that you used to replicate the issue

Send to security (at) ethicontrol.com

 

 

Rewards

We're eternally grateful for all of those who put in hard work to identify weaknesses within Ethicontrol.

 

For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.

 

Whisky and biscuits can be also provided during one to one meeting.

 

Acknowledgements

We appreciate the work that goes into finding and disclosing security flaws in Ethicontrol and would like to thank the following individuals and organisations:

• Alexey Yankovsky, ISACA
• Yyriy Lysak

 

 

Web intake users

• Computer and processor 1 gigahertz (GHz) or faster
• Memory 2 GB RAM
• Hard disk 3 GB available disk space
• Display - any screen resolution
• Operating system - for the best experience, use the latest version of any operating system.
• Browser - any

 

Incident and case management users

Computer and processor 1 gigahertz (GHz) or faster x86-bit or x64-bit processor with SSE2 instruction set

 

Memory 4 GB RAM

 

Hard disk 3 GB available disk space

 

Display - for the better experience use displays with resolution starting from 768 px width (medium sized tablets and bigger)

 

Operating system - any

 

Browser

• Chrome 21+ (recommended)
• Firefox 28+
• Edge 12+
• Safari 7+
• Opera 17+
• Android 6.0+

Internet Explorer in NOT supported.

 

 

Version: 30/05/2023

 

 

Service Level Terms

 

SaaS 

The Services shall be available 99%, measured monthly, excluding holidays and weekends and scheduled maintenance. If the Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance.  Further, any downtime resulting from outages of third-party connections or utilities or other reasons beyond the Company’s control will also be excluded from any such calculation. Customer's sole and exclusive remedy, and Company's entire liability, in connection with Service availability, shall be that for each period of downtime lasting longer than five hours, Company will credit Customer 5% of Service fees for each period of 30 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day.

 

Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place, and continues until the availability of the Services is restored.  To receive downtime credit, the Customer must notify the Company in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit.

 

Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event.  The company will only apply a credit to the month in which the incident occurred.  Company’s blocking of data communications or other Services by its policies shall not be deemed to be a failure of the Company to provide adequate service levels under this Agreement.

 

 

Call centre

Service Availability: The Call Center commits to a service availability of 99% uptime, excluding scheduled maintenance windows, which shall be communicated to the Client in advance.

 

Response Time: The Call Center shall ensure that 80% of calls are answered within 40 seconds (excluding automatic welcome messages).

 

 

Support

Our Support portal help.ethicontrol.com is available 24/7 and is multilingual. There is a Knowledge base with user manual articles. Users can create support tickets using chatbots, email, or support portals.

 

Besides, Help widgets are visible in the client user interface. The widgets are connected to the Support portal and our support team.

 

By default, we provide technical support during working hours from Monday to Friday.  The standard support level is included in all tariff plans. 

 

Our normal support level is up to 24h for the first response and up to 40h to resolve the issue. The exact timing should depend on the severity of the issue.

 

 

Suggested severity levels:

Emergency — impacts human wellbeing; Very High level of associated risk; Anything related to breach/loss of data.

 

Critical — clients cannot use/access the Ethicontrol platform or services; the phone line (or any other intake channel) is busy or not working. Major Service Outage – contributing to the loss of day-to-day business operations. Major interruption in the functionality, resulting in a capacity decrease of more than 70% (of the entire system).

 

Moderate — some Ethicontrol services are unavailable, but reporters/whistleblowers can still communicate with a client and the client’s users can access case management, respond to reporters, and document cases; some cases are inaccessible; workflows/statuses issues; access rights issues; notification/reminder/emails issues.

• Service outage resulting in loss of business operation 
• Service incapacity requiring immediate action results in a capacity decrease of more than 30%. 
• The defect does not fail but causes failures in some components 
• Operation of an existing network, system, or services is severely degraded or significant aspects of hotline services are negatively affected by inadequate performance.

Low  — everything else which does not require immediate or expedite resolution and can “wait” at least a week.

• No outage or loss of functionality of the component(s) or services 
• Minimal operational impact.
• Operational performance of the network, system, or services is impaired while most of the hotline services remain functional. 

The severity level is used to rank the service requests.

 

The service level commitment “Maximum response time” and “Maximum resolution time” are measured from the time a client contacts the Ethicontrol support or account manager (for critical issues).

 

 

Default Response objectives

Incident Severity Definition (Helpdesk)	Response	Resolution
Emergency	4 business hours	2-8 business Hrs.
Critical	8 business hours	24 hours
Medium	16 business hours	5 business days
Low	24 business hours	10 business days

 

Escalation Management (Critical Incident)

• Alert appropriate client personnel that an emergency (critical incident) has occurred, which may require their urgent attention. 
• Escalation process for clients – 
  • 1st line of defence — Support portal, email support@ethicontrol.com. 
  • 2nd line of defence — Support engineer email supportteam@ethicontrol.com, which should deal with 90% of cases. CC — account manager.
  • 3rd line of defence — Ethicontrol engineers. CC — CTO, account manager
  • Ultimate escalation — CEO, CC — CTO, account manager
• Default Point of Contact — support@ethicontrol.com 

 

Disclaimer for on-premise Solution 

The Vendor accepts no responsibility for issues that are NOT the responsibility of the vendor and should be cared for by the Customer:

• Deficiencies/issues caused by the Customer infrastructure or Customer’s servers where Ethicontrol applications are hosted.
• Behaviour of Customer equipment, facilities, or applications. Customer network maintenance or any other issues within the Customer infrastructure
• Circuits provided by telephone companies or other common carriers
• Tampering of Ethicontrol applications either by customer, Customer’s agents, or by unauthorized third parties, including but not limited to property owners and their agents.
• Any external Internet supplier, Service Provider, or an Internet exchange point.
• The customer’s network is being compromised by unauthorized access.
• The deliverability of emails to recipients.
• The redundancy and continuity of the services.
• Acts of God, acts of nature, acts of civil or military authority, governmental actions, fires, civil disturbances, terrorism, and interruptions of power or transportation problems.
• Any delay or performance failure caused by Customer’s failure to perform any obligations under this Agreement. 

The compliance with local data privacy and Information/IT Security rules, laws, and regulations applicable to federal government entities is the Customer's responsibility. The vendor accepts no responsibility for breaches of reporters’ anonymity or confidentiality for reasons that are under the control of the Customer's network and server infrastructure.

 

 

Version: 12/10/2024

 

Purpose

This policy defines the stages and classifications for feature development in our system, ensuring clarity and alignment between client needs and development capabilities.

 

Scope

The policy applies to all requests for new features, modifications, or enhancements within the Ethicontrol system. It outlines how features are assessed, prioritized, and implemented to effectively meet client requirements.

 

Definitions

1. Feature Development: The process of designing, coding, testing, and implementing new functionalities or enhancements.
2. Change Management: The structured approach to modifying existing features, systems, or processes to achieve a desired outcome.
3. Critical Changes: Changes with a significant impact on operations, security, or compliance.
4. Standard Changes: Pre-approved routine changes with minimal risk.

 

Policy Statement

1. Governance

• All feature development and change requests must align with the organization's strategic goals and compliance requirements.
• A designated Product Committee (CTO + CEO + Product) will oversee high-impact changes and feature development approvals.

2. Feature Development

• Requirement Gathering: All features must have documented business requirements, functional specifications, and success criteria.
• Agile Practices: Feature development must follow Agile or an approved project management methodology.
• Quality Assurance (QA): All features must undergo rigorous QA testing, including unit, integration, and user acceptance testing (UAT).

3. Change Management Process

• Initiation: Submit a change request using the designated Change Request Form or tool.
• Risk Assessment: Evaluate the change for potential risks to security, operations, or compliance.
• Approval: Obtain necessary approvals based on the change's impact and risk category (e.g., CAB for critical changes).
• Implementation: Follow a documented process to deploy changes in production, including rollback procedures.
• Documentation: Maintain detailed records of all changes, including configuration, testing results, and approvals.

4. Emergency Changes

• Emergency changes must follow a streamlined process with immediate notification to stakeholders and post-implementation review.

5. Training and Communication

• Train relevant staff how to use the updated systems or features before they are launched. 
• Communicate changes to all stakeholders, including end users, with clear instructions and timelines.

6. Monitoring and Review

• Post-implementation reviews must be conducted to evaluate the success of feature deployments or changes.
• Continuous improvement practices should be followed to enhance the change management process.

 

Roles and Responsibilities

Change Requestor	Submits the initial feature or change request with detailed requirements.
Product Owner/Manager	Oversees feature prioritization and ensures alignment with business goals.
Product committee	Reviews and approves critical changes; provides risk mitigation guidance.
Development Team	Designs, develops, and tests features or changes.
QA Team	Conducts testing to ensure the quality of functionalities or changes.
Operations Team	Deploys changes to production and monitors systems post-implementation.
End Users	Provide feedback on features or changes during UAT or post-implementation.

 

Compliance

Non-compliance with this policy may result in disciplinary actions, up to and including termination, and may impact contractual agreements with third parties.

 

References

• ISO/IEC 27001
• ITIL Change Management Framework
• Agile Development Guidelines

 

Policy Review and Updates

This policy will be reviewed annually or as needed to ensure alignment with organizational needs and regulatory requirements.

 

Feature Availability Classifications

Status	Description	Next Steps	Timeline
Available as is	The requested feature is already integrated into the system and meets client requirements without need for modifications. Consult - https://ethicontrol.com/en/pricing	Activate or configure the feature to align with your requirements.	Immediately available.
Available with notice	The feature exists and is operational but requires specific client input or adjustments to align with client requirements.	Contact our team to initiate the setup process.	Available upon notice, pending mutual agreement on the necessary considerations.
Available with adjustments	The feature is present but may require minor configuration changes to match client expectations. Adjustments are superficial (e.g., appearance or interface changes).	Our team will make the necessary changes during implementation at no additional cost.	Adjustments are completed during the initial setup phase with no added development effort.
Low-Hanging fruit	The feature is not immediately available but can be implemented with minor development efforts, typically within a short timeframe (e.g., one month).	Discuss priorities with our team to schedule delivery.	Expected delivery within one month, depending on development schedules.
Not available but feasible (Short-Term or Long-Term)	The feature is planned within the development roadmap. Acceleration may require additional investment.	Engage in a roadmap consultation to explore timelines and options for acceleration.	Development within 12–24 months or sooner if expedited.
Not available, Not feasible	The feature does not align with the development strategy and is not planned for implementation within the foreseeable future.	Explore alternative solutions with our team.	No implementation is expected.

 

Development Process

1. Request Evaluation

• Analyze the request against the classification above.
• Assess feasibility based on technical, resource, and strategic considerations.

2. Backlog review

3. Prioritization by Product

• Features are prioritized using criteria such as:
  • Strategic alignment.
  • Client demand and impact.
  • Development effort versus value.
• Priority of features already on our roadmap will rise due to other clients' requests. 

4. Approval by CTO + CEO

5. Task assignments and sprint planning

6. Delivery to staging

7. Quality check by the Product and QA

8. Review by CTO

9. Release planning

10. Release

11. Final check

 

Exceptions and Custom Requests

We recognize unique needs that may fall outside standard classifications. Custom feature development or expedited delivery can be arranged on a case-by-case basis, subject to technical and resource constraints. These requests may incur additional fees.

 

Feature request decision tree