Terms of business:
Client related policies

Terms of use

Data breach notification

Integrity

Environment

System requirements

Fair usage policy

Integrity Policy

Ethicontrol Integrity Policy aims to conduct business on the basis of honest and ethical conduct in relations with employees and third parties. We pursue a policy of absolute intolerance to bribery and corruption and strive to act professionally, responsibly and honestly in all business relations and areas of our practice, with observance and provision of effective mechanisms to prevent corruption and combat bribery.

The company complies with all regulations related to bribery and corruption prevention both in EU, Ukraine and in other jurisdictions in which it operates (US FCPA, UK Bribery Act and others).

In this policy, the term "Third Party" means any individual or entity with whom we come into contact in the provision of services and business management, and includes existing and potential customers and clients, intermediaries, suppliers, contractors, agents, consultants, as well as government agencies and organisations, local authorities, including their representatives and officials, politicians and political parties.

This policy applies to everybody working in the company at all levels (working both on a permanent and temporary basis, or part-time), consultants, contractors, trainees, volunteers, agents, or any other person associated with Ethicontrol (employees).

Bribe (illegal benefit) - money, material things, benefits, privileges, services, intangible assets which are promised, offered, provided without legal grounds to a person endowed with certain powers to stimulate him/her using such powers to act in the interests of the person who transmits or offers.

Bribery is a criminal offense and consists in offering or giving a bribe, receiving or requesting / demanding a bribe.

The Company is aware of its responsibilities in combating corruption and bribery, and the risks associated with the possible involvement of employees in such illegal activities.

This policy does not prohibit normal ethical conduct, which requires appropriate hospitality, friendliness, courtesy, including the transmission and reception of gifts, treats and free services. However, we have specific internal policies and procedures that ensure that employees have a correct and unambiguous understanding of what should be considered normal ethical conduct, taking into account the financial constraints and principles set out below (the basic principles), namely that any gifts:

should not be made to induce certain acts or inactivity, or would not give rise to preferences or prejudices, or could not be regarded as a bribe;
must comply with local laws and business etiquette traditions;
should be donated on behalf of the organization and not on behalf of the individual;
should not be in the form of cash or other cash equivalent;
must be acceptable and appropriate in the circumstances;
should correspond to the generally accepted understanding (not to cause surprise) concerning characteristics of such gifts including value and the reason for the gift;
should be donated openly, not secretly.

In any case, gifts must not be offered or accepted by persons empowered by public authorities or local governments, or their representatives, or politicians or political parties, without the prior consent of the Director of the Company.
The following is not acceptable to any employee (or a person acting on his behalf):

to transfer, promise to transfer, or offer money, a gift, or to show excessive hospitality with the expectation that this will give an advantage or that such an advantage has already been given;
to transfer, promise to transfer, or offer money, a gift or to show excessive hospitality towards civil servants, subjects of power, or their representatives for "facilitating" or accelerating routine procedures;
to accept a payment from third parties, in respect of which it is known in advance or it can be reasonably assumed that such payment implies the receipt of benefits by them;
to accept a gift from a third party in respect of which it is known in advance or it can be reasonably assumed that the gift was offered with the expectation that the Company will give some advantage to such third party;
threaten or harass an employee who refuses to engage in bribery, or exposes such bribery, or expresses concern about compliance with this policy;
participate in any activity that may violate this policy.

We do not pay or accept payments aimed at simplifying formalities, informal acceleration of formal procedures or "kickbacks" in any form, including in the form of small informal payments.

The company may make donations and pay charitable contributions that comply with local laws and morals.

All persons who work for us or are under our control are responsible for preventing, detecting and reporting bribery and other forms of corruption. Employees should avoid any activity that could violate this policy.

An employee must notify the Company as soon as possible if he or she believes that a situation that does not comply with this policy arises or may arise in the future, if he or she is required to or is offered a bribe, or if he or she believes he or she is involved in another illegal activity.

An employee who violates this policy may be subject to disciplinary action that may result in his or her dismissal. We reserve the right to terminate our contractual relationship with Third Parties if their actions are corrupt and could damage the Company's business reputation.

If any person becomes aware of the circumstances regarding the actions of our Employees or the activities of Third Parties that show signs of corruption or violation of this policy, they may report such facts directly to one of the directors or co-founders of the Company or by email: trust (at) ethicontrol.com

Group trainings and individual explanatory work on proper observance of this policy and compliance with its requirements have been introduced for all Employees. We also inform third parties, in an appropriate manner, of our use of approaches that involve absolute intolerance of bribery and corruption.

The Company constantly monitors and controls the implementation of this policy at regular intervals, analyzing its application for relevance, adequacy and effectiveness. Internal control systems and procedures are also regularly reviewed to ensure that they are effective in combating bribery and corruption.
All our employees are aware that they are responsible for the success of this policy and must use it to uncompromisingly expose and combat corruption.

All possible cases of ambiguity and uncertainty in this Policy should be interpreted by Employees in a stricter direction and subject to conservative interpretation.
In case of detection of incidents and situations with the Company's employees, which arose as a result of incorrect or original interpretation of the ambiguities of the Policy, such incidents will be resolved not in favor of the employee.

Environmentally Preferable Purchasing (EPP) Policy

Ethicontrol is committed to the stewardship of the environment and to reducing the company's dependence on nonrenewable energy. This Environmentally Preferable Purchasing Policy (EPP) fortifies our commitment to sustainability.

The goal of this policy is to reduce the unfavourable environmental and social impacts of our purchasing decisions by buying goods and services from manufacturers and vendors who share our commitment to the environment.

Environmentally preferable purchasing is the method whereby environmental and social considerations are given equal weight to the price, availability, and performance criteria that colleges and universities use to make purchasing decisions.

The products purchased by Ethicontrol should embody the following principles:

High Content from Post-Consumer Recycled Materials
Low Embodied Energy (consumed to extract, manufacture, distribute and dispose)
Recyclable, Compostable and Biodegradable
Non-toxic
Energy Efficient
Durable and/or Repairable
Produced in a Manner that Demonstrates Environmental, Social, and Ethical Values
Minimal Packaging (packaging should also abide by the above principles)
Afterlife Reuse/Regeneration Potential through the Company (carpeting, furniture, etc.)

System requirements for users

Computer and processor 1 gigahertz (GHz) or faster
Memory 2 GB RAM
Hard disk 3 GB available disk space
Display - any screen resolution
Operating system - for the best experience, use the latest version of any operating system.
Browser - any

Computer and processor 1 gigahertz (GHz) or faster x86-bit or x64-bit processor with SSE2 instruction set

Memory 4 GB RAM

Hard disk 3 GB available disk space

Display - for the better experience use displays with resolution starting from 768 px width (medium sized tablets and bigger)

Operating system - any

Browser

Chrome 21+ (recommended)
Firefox 28+
Edge 12+
Safari 7+
Opera 17+
Android 6.0+

Internet Explorer in NOT supported.

Data breach notification

This policy defines what qualifies as a breach of user data, what actions will be taken in the event of user data exposure or compromise, and the timeline for action.
This policy applies to user data stored on Ethicontrol.com. It does not apply to self-hosted / on-premises EthiBox instances or instances hosted with other providers than Ethicontrol.com

This policy covers "private user data" stored by Ethicontrol.com, and includes:

Client's database
Client's files
Encrypted Passwords
Private Email Addresses

Note: Ethicontrol.com does not store any "personally identifiable information" (PII) such as (i) Private Addresses, (ii) Credit Card Numbers, (iii) Bank Account Information, (iv) ID numbers (e.g. passport, driver's license, social security, national identification, etc.). Ethicontrol.com also does not store any "personal health information" (PHI). Therefore, laws and regulations relating to PII and PHI do not apply.

A breach of user data is the unintended or accidental exposure of private user data. This can be caused by accidents, misconfigurations, or malicious actions performed by an external attacker or team member.

An event is considered a data breach when there is evidence that private user data has been exposed to the public or to an untrusted third party.

Trusted third parties may have authorized access to user data under a signed Non-Disclosure Agreement (NDA). Such trusted third parties include but are not limited to:

Cloud service providers
Database consultants
Security auditors
Financial auditors

Some examples of a user data breach would include:

Compromise of a database server that contains private user data with evidence that an attacker may have had access to or copied the data off-site.
Compromise of an application server account that has access to private user data and evidence that the attacker has downloaded or accessed private data.
Theft of a device known to contain private user data.
Web application attack used to download a list of all user emails and encrypted passwords.

Examples of security incidents that would not be considered a breach of private user data:

Compromise of an application server that does not contain or have access to private user data.
Compromise of a team member application account that does not have access to private user data.
Malware infection on a server or team member computer system that does not contain private user data.
Compromise of non-sensitive user data such as login IP addresses, login history, project permissions.
Unintentional disclosure of project names, group names, issue titles, or project or user metadata unless this data can cause damage to the user or their business.
Discovery of a vulnerability that could have been used to compromise private data, but for which there is no evidence of exploitation.
Theft of a team member's mobile device that does not contain private user data.
Theft of a team member's private keys, tokens, or other credentials provided there is no evidence they were used to access private user data.

You can check out these common non-vulnerabilities that will not be considered as a breach.

If Ethicontrol has detected evidence of a breach of Ethicontrol.com or Ethicontrol Hosted private user data, all affected users will be notified via the configured email address for their accounts. Emails will contain information on what data was exposed or compromised, when, and for how long (to the extent this information is available).

For a breach that exposes private data for a large number of users, the public will also be informed via the configured email addresses for their accounts, and additional means of communication will be considered (e.g. press release, the blog, etc.) on a case by case basis.

Ethicontrol will endeavor to notify users within 24 hours of breach discovery. This may be delayed when necessary to comply with requests by law enforcement.

We know how much work goes in to pen testing!
To avoid frustration, you can check out these common non-vulnerabilities that don't qualify for rewards.
Got a valid issue? Awesome! Please include:

A summary of the problem
A severity rating of 1 — 5 (1 being least severe, 5 being most ie. you can easily hijack, impersonate or access any other account or data)
A PoC or breakdown of how to replicate the issue
The operating system name and version as well as the web browsers name and version that you used to replicate the issue

Send to security (at) ethicontrol.com

If you plan to provide access tokens, secure cookies or sensitive data as an example, we kindly ask you GPG encrypt your email. Here is our public GPG key.

Download
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFvaxloBEAC88nEMGv8ZlZ0EfFiSuJBlNaVzKf2XVGfz7FFY9Z1q2mHABzuL
weNy9P52VlFl7b5cmmMvCmyOQ0TJJMVGSJInG2UW4XV10ZFYppqipS3q4Dn8rXHH
CSgTISSff+GV6Ksfcw0+JEKG65vRW4AcC5gAkIgfEYM0ASAYx8JyhQQgAtlZ62q+
PjkTt48T17q+ZQ3tUF+EtvE8RStWz7DL6ONpvgP88QvLM2ejE7mCDENgshjkcJOT
kgih7oZWMiBuAexrgeYAtJwOO1NP5Ltv4sBs2kdogwUtQac5839SbgnMej1niWEL
+8aZ+WIBl44Q38okjPM9EHpVB0fub9ujtn/hp5WE4EsGeM/ivjKTl3CoNfWJhGED
ZM/0Yq1hTyZOE4oIMdlaHoCQKAYC/2VCcpwerljNnWMv27cVEIca1aNeVzU6kQCF
/1LHd3qp0H6w8GqqobIta/zaZzZ/fDtPbZgoDEvOLAxy0q2ADV1U+M9e7djWhjZ4
uHx3PyvT58ROBMXnhPV6hyB5LKEtVUWAx2O8YJTClg5QXZxKS70dncHPkMgFcVp7
duWY7NWrV8mVYjfQw22tPl+OXGFD9zzzZoHd8do9qCYvrTjBzo8tQrw4IWK/oqwT
Wcv4UTLRUqOLSF5GmnUgy0o+lbIsPg7xLHBnWnFpmufZ2X8xTAupm3C4HQARAQAB
tCtPbGVnIExhZ29kaXllbmtvIDxzZWN1cml0eUBldGhpY29udHJvbC5jb20+iQJU
BBMBCAA+FiEE2g4mqS9MF/18A+3NCGf4JnXRz+sFAlvaxloCGwMFCQeGH4AFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQCGf4JnXRz+tWxRAAqh09eA4EgmjVTFuv
Bmjk1H4DFWoBFq5gTRXgpibSfD3Qh1dkiLqrN9P28JCiG+OmaizfJS6X5BcBPO/S
AkTSjphe5zgnIpBsASc73SOGtsjocLiul/Odq6NqP3u0zbRt7155GqhVhODbGT0B
A2ydWlzRd9TwGuHNL1aCUF5r3QemsiV0kMVW9e/2PAqn6CKF64FJb3zG4gj6WTKA
xPhLNHFzwE+J2c3iAjtLKm4uGznnjxFIOhfaaWJMIORS9rMMj+c+uyp7r/xBxO+T
pTUEvRz6eFO9VIT9OmnozorXXeZXHNz2CEhfG/NcqLxwO9COkd570RPvUo/i6m4l
wwH49aZq0rqz5i7wHAY4JrkIAz8ZeTc+OwEqTLdUXbDqN+xP4kIixliASQ3Eqx65
9EZcvc0zenVE7s6K8XKMGf4bkAu0cXDd29fe4wLgi6CrMgm+WG8MddgNDE6dQl0Y
liM+Cnile9iCM6zMqg9bVRCGU9sxuMYrq1L0ZvKArH+uqXnrenK3x7wmkqSMyTVU
le4S00z3LT/GHVUzoK3TBVbf2mLhtPifRxY6wjwA+kZTFsNz4U+t4f6qkcJETcN7
1YbARrKP3zcRU1uB3LDplRJcJ7FmBsijUau62vwLFAbCP+ac0uxdV4ts+ynpX44e
HL8ZjHIHqV0WGFNPc6BAHP8oTce5Ag0EW9rGWgEQAOoCu86qsSajwt0xLlvpYDKQ
xozrYryj4bF9n9YWEU/wHtFE/3A425+VIHRcTr5DuI9nf/TV5PzrxsOetV1uFSzw
sauIQ+fjY1XOfTOVi4Cfe/CuZqmRe0aniQClsknjJdnbroUwZr5f73EPXAxTTUDV
Axgr2XRY8nVDns5ehz2/xzPbNP+ZVVBksE4K0nCS2mdYIvBrPGxLqqjsIX3p0PFa
K7vQu3JZNdjlBr2bse9Hv6zu3twnIXY5gl6zdR6blp18dPj/Qv04zV0m1SKmnB5l
IakagKJClYBzj4hFGgcwp5+H2S0kQ8mEgED9mNODC2IFFNK8ptKUSKDraKnXqoBC
h9Owm46VgeabWeW5lYJDXELZ8iyGMA9bqqcH5DsjOdieUescVYdvDySeM6KyzyI1
BFbgnkpUmE44rQwjuBZR+kcgNwBUmS01/TUAL0wzV15hwxfALPBNZR26wWVa80rv
ky1Dfy+PCvFhReeJ7bsiL8U8KiZ9Is6ujQir884sDh+x6qbhoRFPArbfEoV5+uCR
1eMxPxtgmZ4oJ+58EzFANCCjK4Mld081YQQCNhzL8sisiti16kOjR8qWiBuoVlmb
y4RaYBEB8u8AzVD+187i0IIIUXI+MaGefmIgmM1DhL1qM20Bpp8K2hXs127OersQ
jmDXZGOhEdqlee1VKjbTABEBAAGJAjwEGAEIACYWIQTaDiapL0wX/XwD7c0IZ/gm
ddHP6wUCW9rGWgIbDAUJB4YfgAAKCRAIZ/gmddHP6waRD/0bj/rbMhG+i6iW8Nmn
NP+DPfUHWKEuUXwJjpo6eFwNGYoQEiMrMMQ/6kGMpRGXqS1jCBoZEvtoYg655dIj
sHariZnXMTfAKCDRIhVbAzWcpejSCFTQ+Ysv7//ZQr2/RMSZBQhg8MNFVm/MRbw9
vtnxJ1GQ4d10S6kBQmZrit4tieLerhMJ4Zju8Lq+XFh8uiLtYGbIJfwBOqcF02ar
WZUiUolZa8UDZH4tQb7XkTOsXACsekZxplTYyUTEdboXEo3+nihwFRr6tES4+t6D
jk27ldzmkCzZCmV4NFE76Lgvsy0kBijvp7/WmacvBJVaP0YQCFkcyM46Tya/K9/x
fb+k70imH/U9CsqEOKjohTd6Y5Fu6SRrfj+Libit5Rn35AIytkdCNgnHYsUNE8/w
CW+83u/JZ6ia0GDNgg8ZLXYd34e4ve6vBHJgH+c+p94mQ2PkRVlzMlHi9CQU860V
/H6uImcdTGSYP3/KM9Gpkb/1e4vrzD4tEkbCmeYNeMVkVbua1KSR2/9Bqk45ufvr
dEVLKz+dE/t5mVThcm7QBLIYpZS7l7VoTNqtovVXBsP1EQC1LF0f9VIAOwYa82jG
CVICeQWIjTbH6O3och46R+eKhp7ilyzn6cC4U9A/cOhbztCp7W/Ax/BAqyb4M2SP
Xmpem1wxkG1QZf3IMPmLl3+sSg==
=GHMz
-----END PGP PUBLIC KEY BLOCK-----

We're eternally grateful for all of those who put in hard work to identify weaknesses within Ethicontrol.
For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.
Whisky and biscuits can be also provided during one to one meeting.

We appreciate the work that goes into finding and disclosing security flaws in Ethicontrol and would like to thank the following individuals and organisations:

Alexey Yankovsky, ISACA
We've been working closely with Alexey and his team at ISACA Kyiv Chapter to identify key weaknesses within our app. They've continuously proven to be experts in identifying weaknesses. They have helped us identify and resolve potential security holes such as account hijacking, access token leaks, XSS and CSRF exploits.

Fair usage policy

Ethicontrol SaaS product is a multi-tenant service. This means that SaaS services are used concurrently by a number of subscribers. If a single customer places very high demands on the service then it is possible that this will affect the experience for other users.

The vast majority of our customers use their service considerately and their usage levels during peak hours don’t disproportionately affect the shared network and service capacity. Even though only a very small number of our customers may use the service inappropriately, their activity has the potential to affect the service for others.

Our Fair Use Policy manages the inappropriate use and makes sure the service can be used fairly by everyone.

Support is typically provided free of charge as part of the Services we offer. To ensure that all customers have equal access to support, we may restrict or suspend access to support for any customer that consuming more support time, or logging more support issues than a typical customer with similar users and a similar subscription.

Within your SaaS environment you can store documents to record correspondence as well as data and transactions in the database. To make sure that there is enough storage for everyone, we may limit the amount of data you can save. By default it is 10 GB.

The amount of storage may depend on your type of contract and number of users. We've made sure that almost all customers have plenty of disk space when the solutions are used normally. You can always request the actual size of your data storage from our service desk. You can also free up more storage by removing data yourselves, or asking us to help you with our clean-up-service.

If we detect that your organisation structurally saves more data than we consider to be fair and normal, we'll contact you to discuss the situation. It's possible to expand your storage and, if appropriate we will only charge a maximum of the published and publicly available Microsoft Azure / AWS / Linode storage charge for the relevant storage solution plus 20%. At that point we'll contact you to discuss alternative storage options.

To prevent a negative effect of excessive network traffic on your user experience or that of others, we monitor the traffic. We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the network bandwidth available to you. If we detect a situation that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available bandwidth.

To prevent spam, we use worldwide blacklists, and spam blockers among other things. To guarantee smooth email traffic from our SaaS products for you and our other customers, we monitor the mail servers.

Spam and blacklisting could happen when excessive amounts of emails are sent from the SaaS environments, for example. We maintain very broad margins based on the average use of our SaaS customers with similar contracts. With normal use, you won't notice a thing.

When we detect abnormal values that could negatively impact the service, we may limit the number of emails you can send, or take other action as appropriate. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

To prevent a negative effect of excessive use of compute resources, on your user experience or that of others, we monitor the compute resources.

We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the compute services available to you.

Where increased usage is caused by the normal growth of users and customers, we will scale the resources available. If we detect a situation that reflects abnormal use or that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available compute resource.

In an urgent or extreme case, for example where services are likely to be significantly impacted, or where we believe your system or ours is under attack (a DDOS - denial of service attack for instance) or where we believe your system or ours has been compromised (for example a hacker or potential a security breach) we may stop the services, or temporarily block your access to them. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

In some cases, even without an attack or breach, if your use of the services continues to impact other users, is expected to do so, or is generating costs to us that are not normal when compared to other customers on the same contract and make our service to you unprofitable to maintain, we may isolate your services from the multi-tenanted environments and pass the costs onto you. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.

Terms of use

The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that:

(a) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

(b) facilitates illegal activity;

(c) in a manner that is otherwise illegal or causes damage or injury to any person or property; and Ethicontrol reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to any material that breaches the provisions of this clause.

Ethicontrol shall fully co-operate with any law enforcement authorities or court order requesting or directing Ethicontrol to disclose the identity or locate anyone posting any material in breach of clause LEGAL USE clause.

The Customer shall not:

(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:

(i) and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services or Product Description (as applicable) in any form or media or by any means; or

(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or

(b) access all or any part of the Services and Product Description in order to build a product or service which competes with the Services and/or the Product Description; or

(c) use the Services and/or Product Description to provide services to third parties; or

(d) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Product Description available to any third party, or

(e) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Product Description.

The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Product Description and, in the event of any such unauthorised access or use, promptly notify Ethicontrol.

The rights provided under this Service Agreement are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer. Only one subscription to the Services may be activated by any company, person or other entity. Duplicate subscriptions for any company, person or entity shall be considered a material breach of the Service Agreement.

The Customer undertakes to ensure that all Users comply with this Agreement and acknowledge that Customer shall remain responsible and liable for the acts or omissions of all Users to the same extent as if Customer had carried out such acts or omissions itself.

Responsibility for the security of any usernames and passwords issued (including those of any Users) rests with Customer. If Customer has reason to believe that their credentials or User account details have been obtained by another without consent, the Customer should contact Ethicontrol immediately to suspend the account.

Security and Trust Center

Visit our security page check additional policies and practices.

More info

Company

Products

Solutions

Services

Resources

Whistleblowers

Ethicontrol (ethical control) is a global ethics hotline outsourcing service and software for internal investigations. Our integrated platform supports full life-cycle of a report: from registration via contact-center and web-intake up to management conclusions in case management system (SaaS).

Corporate surveys

Anti fraud

Code of ethics

Compliance programmes

Who are whistleblowers

Informer vs whistleblower

How to stay anonymous

Anonymity protection

FAQ

Events

Researches

About us