Protecting reporters, cases and companies

Ethicontrol hosts its servers within data centers located elsewhere, depending on client needs. Ethicontrol's Data Center in the U.S. is compliant with SSAE 16 Type II and ISO 27001 standard, and is located in San Jose, California.

Ethicontrol's European Data Center is hosted in Frankfurt, Germany, and is also compliant with ISO 27001 and ISAE 3402 standards (equivalent to SSAE 16). This data center is isolated and retains customer and sensitive data within the EU only.

In addition, Ethicontrol has data centers in the UAE and other locations which require national data isolation.

We track the uptime by several services and commit to SLA with our enterprise clients. For tracking, we use UptimeRobot and Honeybadger. Access to uptime.ethicontrol.com page can be provided by request.

There is an option to enable additional one-time password codes for two-step authorization in Ethicontrol. Even if your password is stolen, your account will not be accessible to a would-be hacker.

Proactive Web Application Firewall, which categorically blocks the vast majority of attacks on web applications.

All cloud assets must have a defined owner, security classification, and purpose.

To better protect the data in our care, Ethicontrol classifies data into different levels and species the labeling and handling requirements for each of those classes.

Customer data is classified at the highest level. Data classifications are maintained as part of the asset management process. Ethicontrol inventories of hardware, software, and data assets at least annually to maintain correct data classification.

The publicly accessible part of the Ethicontrol system - Ethicontrol intake and web-feedback application are separated from the Ethicontrol incident and case management application, which is for client internal use only.

The data assembled during investigations is isolated so that there is no possibility of receiving access to investigation data once the intake system is compromised.

Regarding DDOS or other attacks against the Ethicontrol intake application, the case management application will remain fully operational and protected by more conservative tools and methods that cannot be used for public portals and applications.

User data (data of each company/customer) is separated at the database and cloud storage levels. The data of different companies is isolated in such a way that there is no possibility of receiving access to access of another user by accident.

Ethicontrol's production environment, where all customer data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.

Network access to Ethicontrol's production environment from open, public networks (the internet) is restricted. Only some production servers are accessible from the internet.

Each user in Ethicontrol has a unique account with a verified email address and is protected with a password, which is validated against password policies and stored securely using a strong hashing algorithm with unique salt for every password.

Administrative access to systems within the production network is limited to CTO only.

Customer data, including tasks and folders, can only be accessed by other users within your Ethicontrol account if those items were specifically shared with them. Otherwise, your cases and tasks are not accessible by other Ethicontrol users.

• We use Guidelines documented in corporate Confluence pages.
• We use brakeman, Bundler, and RuboCop to run manually and by Circle CI.
• We engage security experts to do white box testing such as fault injection (manual), penetration testing (manual), and vulnerability testing (both automatic and manual)

Ethicontrol also has a responsible disclosure program.

Ethicontrol has a formal change management process where all changes are tracked and approved. A change is reviewed before being moved into a staging environment where it is further tested before finally being deployed to production.

Defined in-house security requirements and policies, and well-known security best practices applied in every stage of the lifecycle.

Security review of architectures, design of features, and solutions.

Iterative manual and automated (using static code analysers) source code review for security weaknesses, vulnerabilities, and code quality, and providing sufficient advice and guidance to the development team.

Regular manual assessment and dynamic scanning of the pre-production environment.
Security training is conducted for IT teams according to their respective job roles.

Continuously running a bug bounty program.

Continuously running internal and external security tests.

Every action within the case management system is logged (managers, not reporters).

Ethicontrol offers the possibility to get a report with up-to-date account activity information, including authentication events, changes in the authorization and access controls, sharing cases, materials and tasks, and other security activities.

Ethicontrol is running daily backups. All backups are encrypted in transit and at rest using strong encryption. Backup files are stored redundantly across multiple availability zones and are encrypted.

1. Data Ownership: Ethicontrol acknowledges and respects that all data generated and stored within the whistleblowing software and case management system belongs solely to the Client. The Vendor holds no ownership rights over the Client's data.

   
   
   

2. Data Portability Process:

   2.1 Exit Strategy: The Vendor has established a comprehensive exit strategy to facilitate the smooth transfer of data upon termination of the contractual relationship. This strategy ensures that the Client retains control and accessibility to their data.

   2.2 Data Export Options: The Vendor offers data export options to the Client for portability purposes. (A) XLS table of exported cases available in case archive for client admin. This will include summary information and key attributes, but will not contain attachments. (B)  Downloadable file formats CSV or JSON for databases and ZIP for case materials attachments, which can be prepared per request. The exported data will include all relevant information, such as case files, attachments, and associated metadata.

   2.3 Timely Data Transfer: Upon receipt of the termination notice from the Client, the Vendor will initiate the data transfer process promptly. The Vendor will make every effort to complete the data transfer within a reasonable timeframe (up to 30 days), minimizing disruption to the Client's operations.

   2.4 Data Privacy and Security: The Vendor is committed to maintaining the privacy and security of the Client's data during the transfer process. All data will be handled in accordance with applicable data protection laws and regulations. The Vendor will utilize industry-standard encryption protocols and secure data transmission methods to protect the confidentiality and integrity of the data.

   2.5 Support and Assistance: Throughout the data transfer process, the Vendor will provide ongoing support and assistance to the Client. A dedicated point of contact will be assigned to address any questions or concerns that may arise, ensuring a seamless experience for the Client.

   
   
   

3. Contractual Agreement: The data portability process described in this document is subject to the terms outlined in the contractual agreement between the Vendor and the Client. The Client may refer to this agreement for a detailed understanding of their rights, responsibilities, and the steps involved in data transfer.

   
   
   

4. If you have any further questions or require additional information, please contact our support team.