Compliance

Security and compliance matter to us because they matter to our customers.
As a security company, the security and integrity of our systems are paramount. We accept the responsibility of safeguarding data that our customers, employees, and partners have entrusted to us.

Security

Each day we rigorously ensure the security, availability, and resilience of our systems. We have implemented policies that follow best-in-class practices for building and managing cloud environments, including application, network and physical security.

OpenSSL v3.0.0 to 3.0.6 Vulnerability Update (November 2022)

Cequence Security has determined that none of our production customers is impacted by the recently announced OpenSSL v3.0.0 to 3.0.6 vulnerability. Cequence software components in production today do not use the affected OpenSSL versions and are hence not impacted by the vulnerability. Customers can track vulnerability updates and changes here.

SolarWinds Response for Cequence Customers and Prospects

The SolarWinds cyberattack, which was caused by malware deployed within their (signed) source code and then delivered to their customers, continues to impact organizations around the world. For our customers, Cequence Security does not use SolarWinds in our deployed (customer environment) or corporate endpoints. Going one step further, at the direction of our leadership, we performed an internal review of our security practices to confirm that an attack like the SolarWinds incident would not impact our business and our customers.

Responsible Disclosure

A key part of our security program is responsible disclosure. We encourage security researchers to contact us to report any potential vulnerabilities found in our products or other digital assets, and we greatly appreciate their reports.
 
If you have identified a potential security vulnerability, please follow the process outlined to engage with our security team.

Compliance Certifications

PCI DSS 3.2

The PCI DSS is an information security standard created by the major credit card companies and managed by the PCI Standards Security Council. The PCI DSS sets a baseline of technical and operational requirements needed to protect credit card account information that is shared across systems, including card number, verification number, and expiration date. The Cequence systems do not process or store credit card data. However, incoming cardholder data may be decrypted and forwarded on to the client application if it is in the data stream for the protected website.

SOC 2

Our examination for the SOC 2 Type II was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The examination was designed for the purpose of expressing an opinion about whether, in all material respects, the description of the Cequence systems and corresponding security controls is presented in accordance with the SOC 2 description criteria and whether the controls stated therein were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. The opinion of the Auditor was based on the examination, and the procedures performed in the examination were limited to those that were considered necessary.

ISO 27001

Cequence has achieved ISO 27001 certification for the information security management system in support of its Software-as-a-Service (SaaS). ISO 27001 is the international standard for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. To receive this certification, Cequence Security demonstrated a strong understanding of the risks unique to its business. ISO 27001 certification gives our customers peace of mind that our policies, processes, and standards fulfill the stringent security and compliance criteria for protecting customer data.