7Sigma Security and Compliance Policy
As of October 2024
We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards.
Industry Compliance
PCI DSS
7Sigma does not accept, transmit or store any cardholder data, so PCI DSS is not applicable to our organization.
GDPR
7Sigma is committed to upholding GDPR standards by ensuring that all personal data is collected, processed, and stored in accordance with the principles of lawfulness, transparency, and security to protect individual privacy and comply with regulatory requirements.
CCPA
7Sigma adheres to CCPA regulations by ensuring that personal information collected from California residents is managed with transparency, providing individuals with the right to access, delete, and control their data in compliance with industry standards and privacy requirements.
Data Center Physical Security
Facilities
7Sigma hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS. AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at AWS.
On-Site Security
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS security.
Data Hosting Location
7Sigma leverages AWS data centers in the United States. Requirements for other jurisdictions are handled on a case-by-case basis.
Network Security
Dedicated Security Team
Our distributed Security Team is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected through the use of key AWS security services, web application firewall, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used at the Internet boundary and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, 7Sigma employs third-party security experts to perform a broad penetration test across the 7Sigma Production and Corporate networks.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when event counts or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
7Sigma participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
7Sigma has architected a multi-layer approach to DDoS mitigation. The use of AWS scaling and protection tools provides deeper protection, along with our use of AWS DDoS-specific services. Our web application firewall also employs DDoS detection and mitigation.
Logical Access
Access to the 7Sigma Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the 7Sigma Production Network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption
Encryption in Transit
All communications with 7Sigma Software, UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and 7Sigma is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any other third-party app, integration, or service that subscribers may choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 encryption.
Availability and Continuity
Uptime
7Sigma maintains a publicly available system-status webpage which includes system availability details.
Redundancy
7Sigma employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Application Security
Secure Development (SDLC)
Secure Code Training
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and 7Sigma security controls.
Framework Security Controls
7Sigma leverages modern and secure open-source frameworks with built-in security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.
Quality Assurance
Our Quality Assurance (QA) team reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate Environments
Development, Testing, and Staging environments are logically separated from the Production environment.
Vulnerability Management
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Static Code Analysis
The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, 7Sigma employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Product Security
Authentication Security
Authentication Options
Customers can enable native 7Sigma authentication or single sign-on (SSO) via Google or Microsoft.
Configurable Password Policy
7Sigma native authentication for our Software requires the use of secure passwords. This requirement is not configurable and cannot be modified.
Service Credential Storage
7Sigma follows secure credential storage best practices.
Additional Software Security Features
Role-Based Access Controls
Access to data within 7Sigma applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. 7Sigma recommends various permission levels for users (owner, admin, help desk, end-user, etc.).
Device Tracking
7Sigma tracks the devices used to sign in to each user account. When someone signs in to an account from a new device, that device is added to the account's device list.
Human Resources Security
Security Awareness
Policies
7Sigma has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to 7Sigma information assets.
Training
All employees attend a Security Awareness Training. All engineers receive Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
Employee Vetting
Background Checks
7Sigma performs background checks on all new employees in accordance with local laws. These checks are also required to be completed for contractors. The background check includes criminal, education, and employment verification.
Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.