context.ai-delve-soc2 - Pastebin.com

113 min read Original article ↗

  1. SSAE 21 – SOC 2 Type II Report

  2. Explore Interfaces

  23. For the Period April 2, 2025 - July 2, 2025

  24. ________________

  25. Table of Contents

  28. SECTION 1 3

  29. Independent Service Auditor’s Report 3

  30. SECTION 2 8

  31. Management Assertion 8

  32. SECTION 3 11

  33. System Description 11

  34. Principal Service Commitments and System Requirements 13

  35. Description of Control Environment, Control Activities, Risk Assessment, Monitoring, and Information and Communication 14

  36. SECTION 4 30

  37. Applicable Trust Services Criteria and Related Controls 31

  38. Tests of Controls and Results of Tests 59

  39. SECTION 5 82

  40. Other Information Provided by Context 82

  47. ________________

  81. SECTION 1

  82. Independent Service Auditor’s Report

  101. ________________

  104. Independent Service Auditor’s Report

  105. To: Management of Explore Interfaces

  108. Scope

  109. We have examined the attached Explore Interfaces description of the system titled “Automating Information Work” (description) throughout the period April 2, 2025 - July 2, 2025 included in Section 3, based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria) and the suitability of the design and operating effectiveness of controls included in the description throughout the period April 2, 2025 - July 2, 2025 to provide reasonable assurance that Context service commitments and system requirements would be achieved based on the trust service criteria for Security set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

  110. The information included in Section 5, “Other Information Provided by Context” is presented by management of Context to provide additional information and is not a part of Context description of its system made available to user entities during the period April 2, 2025 - July 2, 2025. Information about Context business continuity planning etc. has not been subjected to the procedures applied in the examination of the description of the system and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description of the system.

  111. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of Context controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user entity controls, and we have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

  112. As indicated in the description, Context uses subservice organization Vercel for data center services. The description in Section 3 includes only the controls of Context and excludes controls of the various subservice organizations. The description also indicates that certain trust services criteria can be met only if the subservice organization’s controls, contemplated in the design of Context controls, are suitably designed and operating effectively along with related controls at the service organization. Our examination did not extend to controls of various subservice organizations for data center services.

  115. Service Organization's Responsibilities

  116. Context is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that the service commitments and system requirements were achieved.

  117. Context has provided the accompanying assertion titled, Management of Context Assertion (Assertion) about the presentation of the Description based on the Description Criteria and suitability of the design and operating effectiveness of the controls described therein to provide reasonable assurance that the service commitments and system requirement would be achieved based on the applicable trust services criteria if operating effectively. Context is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) identifying the risks that would threaten the achievement of the service organization’s service commitments and system requirements; and (5) designing, implementing, and documenting controls that are suitably designed and operating effectively to meet the applicable trust services criteria stated in the Description.

  120. Service Auditor's Responsibilities

  121. Our responsibility is to express an opinion on the presentation of the description based on the description criteria set forth in Context assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is presented in accordance with the description criteria and (2) the controls are suitably designed and operating effectively to meet the applicable trust services criteria stated in the description throughout the period April 2, 2025 - July 2, 2025.

  122. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

  125. Inherent Limitations

  126. The description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs. Because of their nature, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, conclusions about the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria are subject to the risks that the system may change or that controls at a service organization may become ineffective.

  129. Opinion

  130. In our opinion, in all material respects, based on the description criteria described in Context assertion and the applicable trust services criteria:

  131. 1. The description fairly presents the system that was designed and implemented throughout the period April 2, 2025 - July 2, 2025.

  132. 2. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period April 2, 2025 - July 2, 2025, and the subservice organization and user entities applied the controls contemplated in the design of Context controls throughout the period April 2, 2025 - July 2, 2025.

  133. 3. The controls operated effectively to provide reasonable assurance that the applicable trust services criteria were met throughout the period April 2, 2025 - July 2, 2025, and user entities and subservice organization applied the controls contemplated in the design of Context controls, and those controls operated effectively throughout the period April 2, 2025 - July 2, 2025.

  136. Description of Test of Controls

  137. The specific controls we tested, and the nature, timing, and results of our tests are presented in section 4 of our report titled "Independent Service Auditors' Description of Test of Controls and Results."

  140. Restricted Use

  141. This report, including the description of controls and results thereof in Section 4 of this report, is intended solely for the information, and use of Context; user entities of Context systems during some or all of the period April 2, 2025 - July 2, 2025; and those prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

  142. * The nature of the service provided by the service organization

  143. * How the service organization’s system interacts with user entities, subservice organizations or other parties

  144. * Internal control and its limitations

  145. * User entity responsibilities, Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria

  146. * The applicable trust services criteria

  147. * The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

  148. This report is not intended to be and should not be used by anyone other than these specified parties.

  155. PAC-FIRM-LIC-47383

  156. ________________

  183. SECTION 2

  184. Management Assertion

  195. ________________

  203. Assertion by Management of Explore Interfaces

  204. July 2, 2025

  207. We have prepared the accompanying description of Explore Interfaces, system titled “Automating Information Work” throughout the period April 2, 2025 - July 2, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).

  208. The description is intended to provide users with information about the “Automating Information Work” that may be useful when assessing the risks arising from interactions with Explore Interfaces system, particularly information about the suitability of design and operating effectiveness of Explore Interfaces controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

  209. Explore Interfaces uses Vercel as a subservice organization. The description in Section 3 includes only the controls of Explore Interfaces and excludes controls of the various subservice organizations. The description also indicates that certain trust services criteria can be met only if the subservice organization’s controls, contemplated in the design of Explore Interfaces controls, are suitably designed and operating effectively along with related controls at the service organization. Our examination did not extend to controls of various subservice organizations for data center services.

  210. The description also indicates that certain trust services criteria specified in the description can be met only if complementary user entity controls contemplated in the design of Explore Interfaces controls are suitably designed and operating effectively, along with related controls at the service organization. The description does not extend to controls of user entities.

  211. We confirm, to the best of our knowledge and belief, that

  212. 1. the description fairly presents the “Automating Information Work” the period April 2, 2025 - July 2, 2025 , based on the following description criteria:

  213. i. The description contains the following information:

  214. 1. The types of services provided

  215. 2. The components of the system used to provide the services, which are as follows:

  216. 1. Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and other telecommunications networks).

  217. 2. Software. The application programs and IT system software that support application programs (operating systems, middleware, and utilities).

  218. 3. People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).

  219. 4. Procedures. The automated and manual procedures.

  220. 5. Data. Transaction streams, files, databases, tables, and output used or processed by the system.

  221. 3. The boundaries or aspects of the system covered by the description.

  222. 4. For information provided to, or received from, subservice organizations or other parties,

  223. 1. How such information is provided or received and the role of the subservice organization and other parties and

  224. 2. The procedures the service organization performs to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

  225. 5. The applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, the following:

  226. 1. Complementary user entity controls contemplated in the design of the service organization’s system.

  227. 2. When the inclusive method is used to present a subservice organization, controls at the subservice organization

  228. 6. If the service organization presents the subservice organization using the carveout method,

  229. 1. The nature of the services provided by the subservice organization and

  230. 2. Each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria.

  231. 7. Any applicable trust services criteria that are not addressed by a control at the service organization or a subservice organization and the reasons.

  232. 8. In the case of a type 2 report, relevant details of changes to the service organization’s system during the period covered by the description.

  233. ii. The description does not omit or distort information relevant to the service organization’s system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.

  234. 2. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated as described and if user entities applied the complementary user entity controls, and the subservice organization applied the controls contemplated in the design of Explore Interfaces controls throughout the period April 2, 2025 - July 2, 2025.

  235. 3. The Explore Interfaces controls stated in the description operated effectively throughout the period April 2, 2025 - July 2, 2025 to meet the applicable trust services criteria if user entities applied the complementary user entity controls, and the subservice organization applied the controls contemplated in the design of Explore Interfaces controls throughout the period April 2, 2025 - July 2, 2025.

  240. Signature: Derek Hsieh

  241. Signing Authority Name: Derek Hsieh

  242. Designation: CPO

  243. Date: July 2, 2025

  244. ________________

  274. SECTION 3

  275. System Description

  298. ________________

  301. Background and Overview of Services

  302. Explore Interfaces is a technology startup founded in 2024, focused on developing AI-powered productivity suites for enterprise environments. The company focuses on using AI to generate presentations, spreadsheets, and documents grounded in user files and data from external sources including web research and 3rd party app integrations.

  303. Services provided by Context includes below:

  304. Line of Products –

  305. The Context Platform consists of the following core services and features:

  306. 1. A secure, AI-powered productivity platform designed to help users efficiently create business deliverables, such as presentations, spreadsheets, and documents. The platform supports integrations with data storage providers, including Google Drive and OneDrive, enabling secure access and processing of user data. Additionally, Context facilitates user-initiated actions through operational integrations with third-party services such as Gmail, QuickBooks, and Jira.

  309. Significant Changes during the Review Period

  310. None

  313. Subservice Organizations

  314. Context utilizes the following subservice providers for data center services that are not included within the scope of this examination. However, Context responsibilities for the applications and services run at these cloud services are covered as part of the audit and in scope. Responsibility matrix is defined as part of the SLA and agreements with these sub-service organizations.

  317. Vercel

  318. Vercel has provided an Independent Service Auditors Report (SOC 2).

  319. The Criteria that relate to controls at the subservice organizations included all criteria related to the Trust Service Principles of Security. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at Context include:

  320. * The system is protected against unauthorized access

  321. * The system is available for operation and use and in the capacities as committed or agreed.

  322. * Policies and procedures exist related to security and availability and are implemented and followed.

  325. Principal Service Commitments and System Requirements

  328. Context designs its processes and procedures related to the System to meet its objectives. Those objectives are based on the service commitments, related Vercel and regulations of products and services, financial, operational, and other compliance requirements that have been established for such services. Security commitments to user entities are documented and communicated in customer agreements, as well as in the description of the service offering provided online.

  329. Context establishes operational requirements that support the achievement of security commitments, relevant Vercel and regulations, and other system requirements. Such requirements are communicated in Context's system policies and procedures, system design documentation, and contracts with customers.

  330. Information security policies define an organization-wide approach as to how the systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of the System.

  331. Components of the System

  332. The System is comprised of the following components:

  333. * Infrastructure including the logical structures, Information Technology (IT) and other hardware.

  334. * Software including application programs and IT system software that support application programs.

  335. * People including executives, sales and marketing, client services, product support, information processing, software development, IT, Finance and Human resources.

  336. * Procedures (automated and manual).

  337. * Data including transaction streams, files, databases, tables, and output used or processed by the system.

  340. The System boundaries include the applications, databases and infrastructure required to directly support the services provided to Context's clients. Any infrastructure, software, people, procedures, and data that indirectly support the services provided to Context's customers are not included within the boundaries of its system.

  343. Boundaries of the System

  344. The specific products, services and locations that are included in the scope of the report are given below. All other products, services and locations are not included.

  347. Products and Services in Scope

  348. Products:

  349. * Context Workspace: A cloud-based office suite that enables users to generate professional deliverables including presentations, documents, and spreadsheets. Users can collaborate alongside AI to integrate data sources and 3rd party integrations.

  350. * Context Engine: A proprietary context understanding technology that processes and analyzes organizational data across connected systems to extract meaningful insights and automate information work.

  353. Services:

  354. * Implementation and Onboarding Enterprise Support: Assistance with integration, user onboarding to ensure smooth adoption of Context Workspace and Context Engine

  355. Geographic Locations in Scope

  356. No physical offices and related physical and availability specific controls are included since Context does not have any physical servers and all data is processed on cloud services.

  359. Description of Control Environment, Control Activities, Risk Assessment, Monitoring, and Information and Communication

  362. Control Environment

  363. Context’s internal control environment reflects the overall attitude, awareness, and actions of management concerning the importance of controls, and the emphasis given to controls in the Company's policies, procedures, methods, and organizational structure.

  364. The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. The Management is committed to the Information Security Management System, and ensures that IT Security policies are communicated, understood, implemented, and adhered at all levels of the organization and regularly reviewed for continual suitability.

  367. Integrity and Ethical Values

  368. Context requires directors, officers, and employees to observe high standards of business and personal ethics in conducting their duties and responsibilities. Honesty and integrity are core principles of the Company, and all employees are expected to fulfil their responsibilities based on these principles and comply with all applicable laws and regulations. Context promotes an environment of open communication and has created an environment where employees are protected from any kind of retaliation should a good faith report of an ethics violation occur. Executive management has the exclusive responsibility to investigate all reported violations and to take corrective action when warranted.

  371. Board of Directors

  372. Business activities at Context are under the direction of the Board of Directors. The company is governed by its Board of Directors headed by its chairperson. The chairperson is in charge of the company's operations playing a key role in strategy and client management.

  375. Management’s Philosophy and Operating Style

  376. The Executive Management team assesses risks prior to venturing into business ventures and relationships. The Executive Management team interacts with operating management on a daily basis.

  379. Risk Management and Risk Assessment

  380. Risk assessments are performed annually to identify current risk levels, with recommendations to minimize those risks that are determined to pose an unacceptable level of risk to Context As part of this process, security threats are identified and the risk from these threats is formally assessed.

  381. Context has operationalized a risk assessment process to identify and manage risks that could adversely affect their ability to provide reliable processing for User Organizations. This process consists of an Information Security team identifying significant risks in their areas of responsibility and implementing appropriate measures to address those risks.

  382. Following steps are involved in performing risk assessments

  383. * Risk identification for each asset in a process and at Organizational level.

  384. * Risk analysis & evaluation for each asset in a process & at Organizational level.

  385. * Risk treatment & residual risk.

  388. Risk assessment comprises calculating the level of risk associated with assets belonging to a particular business process. It is done in a manner to assess and evaluate the criticality of impact on business by a particular risk and to identify the areas where the organization needs to focus over information security. Apart from the asset-based risk assessment, the Company has also conducted organization-based risk assessment which is based on internal as well as external issues, needs and expectations of interested parties etc. The threats, vulnerabilities associated with every asset are evaluated along with threat impact, probability of occurrence and chances of detection (on a rating basis) of the threat. This determines the Risk Factor, which is then put into an equation to derive a risk value. The risk value is then compared to the organizational threshold (i.e., accepted risk value) which is treated appropriately (i.e., treat, transfer, avoid, accept). The identified risks will be treated (mitigated) so that risk levels are reduced. The output of a risk assessment will include a complete risk register and risk treatment plan. Any action plans are tracked to completion. Regular management meetings are held to discuss the security level, changes, technology trends, occurrence of incidents, and security initiatives.

  391. Information Security Policies

  392. Context has developed an organization-wide Information Security Policies. All the people impacting Security Policies (IS Policies) are made available to employees via an internal portal. Changes to the Information Security Policies are reviewed by the IS Team and approved by CEO/COO prior to implementation.

  395. Monitoring

  396. Monitoring is a critical aspect of internal control in evaluating whether controls are operating as intended and whether they are modified as appropriate for changes in business conditions. Management and Information Security personnel monitor the quality of internal control performance as a routine part of their activities. Performance monitoring reports cover server parameters such as disc space, incoming/outgoing network traffic, packet loss, CPU utilization etc. These system performance reports are reviewed by management on a periodic basis. In addition, a self-assessment scan of vulnerabilities is performed prior every release to the production or on yearly basis. Vulnerabilities are evaluated and remediation actions monitored and completed. Results and recommendations for improvement are reported to management.

  399. Information and Communication

  400. Context has documented procedures covering significant functions and operations for each major work group. Policies and procedures are reviewed and updated based upon suggestions from security personnel and approval by management. Departmental managers monitor adherence to policies and procedures as part of their daily activities. The management holds departmental status meetings, along with strategic planning meetings, to identify and address service issues, customer problems, and project management concerns. The CEO is the focal point for communication regarding the IT environment. Additionally, there are personnel that have been designated to interface with the customer if processing or systems development issues affect customer organizations. Electronic messaging has been incorporated into many of Context’s processes to provide timely information to employees regarding daily operating activities and to expedite management’s ability to communicate with employees.

  403. Electronic Mail (e-Mail)

  404. Communication to Customer organizations and project teams are done through e-mail. Important corporate events, employee news, and cultural updates are some of the messages communicated using e-mail. E-mail is also a means to draw the attention of employees towards adherence to specific procedural requirements. Context requires two factor authentication from employees to access their e-mails.

  407. Components of the System

  408. Infrastructure

  409. The infrastructure comprises cloud architecture including database, networking devices, virtual servers, etc.

  412. Network Segmentation Overview

  413. The system is hosted in Vercel in a virtual private cloud (VPC) environment which protects the network from unauthorized external access. The network topology includes segmented VPCs and access control lists (ACLs). Explore Interfaces employs IDS and IPS via Vercel to identify and protect against threats in conjunction with its security policy network settings.

  414. User requests to Explore Interfaces web-based systems are encrypted using Transport Layer Security (TLS) using certificates from an established third-party certificate authority. Remote access is done through a bastion host with a virtual private network (VPN). The hardware components that make up the aforementioned system include servers hosted, managed, and protected by Vercel. Production servers at Vercel maintain failover capabilities in the event of physical hardware or logical software failures. This infrastructure is hosted in high availability data centers with multiple availability zones.

  415. Network Diagram

  418. Network & Endpoint protection

  419. All systems and devices are protected by the comprehensive endpoint protection system. The endpoints include antivirus, anti-malware, and Trojan protection from any source. This also includes e-mail scanning of the systems which prevents malicious scripts and viruses from e-mails. Apart from which all systems are restricted to the internet with the content filtering system routed through the proxy server.

  422. Monitoring

  423. Context has implemented adequate monitoring controls to detect unauthorized information processing activities. Critical servers and systems are configured to log user activities, Exceptions, and information security events. System administrator and system operator activities are logged and reviewed on a periodic basis.

  424. Capacity Management

  425. Capacity management controls are put in place so as to monitor, tune and project certain Context’s resources to ensure system performance meets the expected service levels and minimize the risk of system failure and capacity related issues. Addition of new information systems and facilities, upgrades, new versions and changes are subject to formal system analysis, testing, and approval prior to acceptance.

  428. Patch Management

  429. The respective vertical team of Windows/Network team ensures that all patches to network device/servers operating systems are tested for stability & availability issues before deploying to the production environment. The patch management activity is done regularly or as and when any critical event occurs and required updates or patches are installed to ensure efficient working of the servers, desktops, and critical network devices. Operating system patches related and marked critical, and security are managed and applied as they become available, windows systems are managed through the patch management system and the network devices OS patching is managed automatically while renewing.

  432. Vulnerability Scans & Security Audits

  433. As per the Audit calendar, all the network devices and services are audited for vulnerabilities by doing periodic vulnerability scans. These scans are done by the internal IT Infrastructure team.

  436. Virus Scans and Endpoint Security

  437. An Endpoint Security Solution is installed with the feature of scanning the device automatically and log reports are reviewed by the IT Head. Anti-virus software has been installed on all desktops & laptops within the scope. Updates to the virus definition files are managed and downloaded by the software itself on a daily basis from the vendor website at specific intervals.

  440. People

  441. Organizational Structure

  442. The organizational structure provides the overall framework for planning, directing, and controlling operations. It has segregated personnel and business functions into functional groups according to their job responsibilities. This approach helps to enable the organization to define responsibilities, lines of reporting, and communication, and helps facilitate employees to focus on the specific business issues impacting clients.

  443. The management team meets regularly to review business unit plans and performances. Meetings with the CEO and department heads are held to review operational, security and business issues, and plans for the future.

  444. Context’s Information Security policies define and assign responsibility/accountabilities for information security. Regular management meetings are held to discuss the security level, changes, technology trends, occurrence of incidents, and security initiatives.

  447. Roles and Responsibilities

  448. The following are the responsibilities of key roles:

  451. Roles and Responsibilities

  452. The following are the responsibilities of key roles.

  453. * Chief Executive Officer (CEO): The CEO is responsible for the overall management of Explore Interfaces, providing strategic direction for the company and its operations. With experience in strategy, finance, and communications, the CEO ensures all company activities align with organizational goals.

  454. * Chief Product Officer (CPO): The CPO is responsible for overseeing all technological and product aspects of the company. They lead the development and implementation of technology strategies, manage the technical team, and ensure that the company's technology and product infrastructure aligns with business goals. The CPO works closely with the CEO to make informed decisions about technology investments and innovations.

  457. Assignment of Authority and Responsibility

  458. Management is responsible for the assignment of responsibility and delegation of authority within Context.

  461. Human Resources Policies and Procedures

  462. Context maintains written Human Resources Policies and Procedures. The policies and procedures describe practices relating to hiring, training and development, performance appraisal and advancement and the termination. Human Resource (“HR”) policies and practices are intended to inform employees on topics such as expected levels of integrity, ethical behaviour, and competence.

  463. The CEO and COO reviews these policies and procedures on a periodic basis to ensure they are updated to reflect changes in the organization and the operating environment. Employees are informed of these policies and procedures upon their hiring during Induction. Personnel policies and procedures are documented in the Human Resources Policy at HRMS Portal.

  466. New Hire Procedures

  467. New employees are required to read and accept HR corporate policies and procedures and are provided online access to these policies. Hiring procedures require that the proper educational levels have been attained along with required job-related certifications, if applicable, and industry experience. If a candidate is qualified, interviews are conducted with various levels of management and staff.

  468. Reference checks are completed for prospective employees. Employees are required to sign Employee Confidentiality Agreement which forms an integral part of the employee file. Discrepancies noted in background investigations are documented and investigated by the CEO, COO, or Head of Operations. Any discrepancies found in background investigations result in disciplinary actions, up to and including employee termination.

  471. New Joiner Trainings

  472. The COO and Head of Operations coordinate to provide HR training and information security awareness programs to all employees as part of induction. HR maintains the records of information security awareness training namely onboarding tracker and feedback forms from employees.

  473. Employees are required to complete security awareness training at the time of joining. Training is documented, monitored, and tracked by management.

  476. Employee Terminations

  477. Termination or change in employment is processed as per extant HR related procedures. There are clearly identified and assigned responsibilities with regard to termination or change in employment.

  478. Access privileges are revoked upon termination of employment, contract, or agreement. In case of change of employment/role, rights associated with prior roles are removed and new access privileges are created as appropriate for the current job roles and responsibilities.

  481. Code of Conduct and Disciplinary Action

  482. Context has put forward a Code of Conduct and Disciplinary Process in order to encourage and maintain standards of conduct and ensure consistent and fair treatment for all. An employee whose conduct does not comply with an element of the code of conduct and has been found to have breached the same is prosecuted as per defined process and policies

  485. Procedures

  486. IT policies and operating instructions are documented. Procedures described cover server management, server hardening, workstation security system, network management, security patch management, user creation, system audit, ID card activation, etc. Additionally, production and training standard operating procedures are available.

  489. Help Desk

  490. Context has put in place a helpdesk function to handle problems and support requirements of users, support users in case of incidents and manage them without disruption to business and ensures that changes to any component of Context’s information assets and infrastructure are controlled and managed in a structured manner. All requests are logged through helpdesk and resolved within the maximum resolution time as defined.

  493. Change Management

  494. Context has implemented a well-defined Change Management process to ensure that all changes to the information processing facilities, including equipment, supporting facilities and utilities, networks, application software, systems software and security devices are managed and controlled. The Change Management process describes a methodical approach to handle the changes that are to be made. All the changes need to be subjected to a formal Change Management process.

  495. Every change to such base lined components is governed by the change control and management procedures as outlined in the Change Management and Incident Response procedure. Context’s change management process requires all security patches and system and software configuration changes to be tested before deployment into Stage or Production environments.

  496. All changes are recorded, approved, implemented, tested and versioned before moving to the production environment. The impact of implementing all significant changes are analysed and approved by the IS team before such implementation. A sign-off obtained from the personnel who had requested for the change after implementation of the change.

  499. Incident Response and Management

  500. Procedures for the incident response including identification and escalation of security breaches and other incidents are included in the policy. Users or any other person log all incidents to the Helpdesk. For Network incidents, IT teams receive incident tickets via email and are resolved by them.

  501. The help desk personnel or IT team study and escalate all security incidents to the designated team for further escalation/resolution. All security incidents are reviewed and monitored by the IT Team. Corrective and preventive actions are completed for incidents.

  502. When an incident is detected or reported, a defined incident response process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures and the actions proposed are approved by CTO.

  505. Logical Access

  506. Security Authorization and Administration

  507. Email is sent from HR to the IT helpdesk for all new employees for a new workstation configured with minimum default access to company resources/applications required by an employee to perform the job duty. The default access levels for different departments are defined and documented in HR/Admin policy and IS policies. Any additional access is recommended by the line manager and Head of Engineering. The company has a standard configuration that is implemented across Desktops & laptops individually.

  508. Access to resources is granted to an authenticated user based on the user’s identity through a unique login ID that is authenticated by an associated password. Assets are assigned owners who are responsible for evaluating the appropriateness of access based on job roles.

  509. Roles are periodically reviewed and updated by asset owners regularly. Privileged access to sensitive resources is restricted to the IT team and authorized users of the DevOps team. Access to storage, backup data, systems, and media is limited to the IT team through the use of logical access controls.

  510. Security Configuration

  511. Employees establish their identity to the local network and remote systems through the use of a valid unique user ID that is authenticated with the associated password. Passwords are controlled through Password policy of Vercel and include periodic forced changes, password expiry and complexity requirements. User accounts are disabled after a limited number of unsuccessful logon attempts; the user is required to contact the IT Support team to reset the password. Local users do not have access to modify password rules. Guest and anonymous logins are not allowed on any machines. Unattended desktops are locked within a time of inactivity. Users are required to provide their password or biometrics to unlock the desktop.

  512. Administrative Level Access

  513. Administrative rights and access to administrative accounts are granted to individuals that require that level of access in order to perform their jobs. All administrative level access, other than to the IT team, must be justified to and approved by the IT team.

  516. Confidentiality

  517. Secure procedures are established to ensure safe and secure disposal of media when no longer required. The level of destruction or disposal of media would depend on the information or data stored in the media and the criticality of the information as per the information classification guideline.

  520. Backup and Recovery of Data

  521. Context has developed formal policies and procedures relating to backup and recovery. Backup procedures are defined in the Backup Policy. Suitable backups are taken and maintained. The backup processes are approved by the business owners and comply with the requirements for business continuity, and legal & regulatory requirements. All backup and restoration logs are maintained for retention periods as defined in the Backup Policy.

  524. Applicable Trust Services Criteria and related Controls

  525. The Security trust services category and related controls are included in section 4 of this report, “Independent Service Auditor's Description of Tests of Controls and Results.”

  526. Context has determined that Processing Integrity & Privacy trust services Categories are not relevant to the system.

  527. Context has determined that the following criteria are not included in the system description.

  528. CC6.4

  529. The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

  532. Vercel is responsible for ensuring the physical security of its data center and accordingly, the physical security controls under this criterion are not in scope.

  533. A1.2

  534. The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.

  537. Context does not have an office or operates from a working space which is managed by the building management. All environmental security controls are managed by the building management / Vercel.

  542. User-Entity Control Considerations

  543. Services provided by Context to user entities and the controls of Context cover only a portion of the overall controls of each user entity. Context controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve relating to the services outlined in this report to be achieved solely by Context This section highlights those internal control responsibilities that Context believes should be present for each user entity and has considered in developing the controls described in the report. This list does not purport to be and should not be considered a complete listing of the controls relevant to user entities. Other controls may be required at user entities.

  544. * User Organizations are responsible for ensuring that complete, accurate and timely information is provided to Context for processing.

  545. * User Organizations are ultimately responsible to limit access to only those Context employees who are required to perform their job responsibilities and that all users are assigned unique accounts.

  546. * User Organizations are responsible for monitoring and reviewing their business processes.

  547. * User Organizations are responsible for ensuring end customer privacy.

  548. * User Entity should establish confidentiality procedures to ensure that all inputs have been authorized, have been accepted for processing, and are accounted for. Any missing or unaccounted source documents or input files have been identified and investigated. These processes require that exceptions be resolved within a specified time period.

  549. * User Organizations are responsible for defining criteria for processing and rejecting items input into their systems.

  550. * User Organizations are responsible for working with Context to resolve any input discrepancies or quality issues.

  551. * User Organizations are responsible for reviewing the completeness and accuracy of the inputs / processing services performed by Context

  552. * User Organizations are responsible for working with Context to jointly establish service levels and revise the same based on changes in business conditions.

  553. * User Organizations are responsible for initiating and implementing changes to the applications managed by User Organizations.

  558. ________________

  577. SECTION 4

  578. Applicable Trust Services Criteria and Tests of Controls

  601. ________________

  602. Applicable Trust Services Criteria and Related Controls

  605. CC1.0 Common Criteria Related to Control Environment

  606. Ref.#

  607. Trust Service Criteria

  608. Control No.

  609. Control Description

  610. CC1.1

  611. COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

  612. CC1.1.1

  613. At the time of hire, company employees and contractors are required to read and accept the Employee Confidentiality Agreement that includes an intellectual property clause, code of business conduct, ethical standards, and Information Security Policy that includes appropriate use of information technology.

  616. The company maintains an up-to-date Employee Handbook and an (including) up-to-date Sanctions Policy. The sanctions policy mentions that a non compliance with the code of business conduct can lead to termination of employees.

  619. Personnel, including contractors, are required to formally reaffirm the understanding of the code of conduct and ethical standards on an annual basis.

  620. CC1.1.2

  621. Established goals and performance objectives for senior employees are reviewed on an annual basis and approved by Executive Management.

  624. Management performs annual performance evaluations based on established and approved measurable goals, Key Performance Indicators (KPIs), competency requirements and performance evaluation criteria for employees.

  627. During the annual performance evaluation the employees and their supervisor discuss the performance of the employee, their competence, skill matrix gaps and relevant training needs. The training plan is then incorporated within employees’ next year’s goals.

  630. Based on the annual performance evaluation, management identifies employees that are required to go through a performance improvement program. For employees that have not met the objectives or KPIs, management monitors the progress of the performance improvement program.

  631. CC1.2.1

  632. The Board of Directors' oversight responsibilities is defined and documented within the board of directors charter and is acknowledged by the board members on an annual basis.

  635. At least annually, the Board of Directors meet to review corporate governance issues, the company strategy, business objectives, capabilities and executions.

  650. CC1.2

  651. COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  652. CC1.2.1

  653. The Board of Directors' oversight responsibilities is defined and documented within board of directors charter and is acknowledged by the board members on an annual basis.

  656. At least annually, the Board of Directors meet to review corporate governance issues, the company strategy, business objectives, capabilities and executions.

  657. CC1.4.1

  658. Management and the board of directors of organization meet on an annual basis to review the following:

  659. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  660. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  661. - Evaluate the business contingency plans

  662. - Evaluate succession plans for assignment of responsibility for key roles

  663. - Approve the budgets for the organization and

  664. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  665. - Access the need for a subcommittee, expert or consultant.

  666. - Evaluate the skill and expertise of board members.

  667. CC1.3

  668. COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  669. CC1.3.1

  670. Organization has established an organization chart that defines organizational roles, reporting lines, and authorities as it relates to development, quality assurance, and security operations of its services. The organization structure is reviewed and updated on an as-needed basis or at least annually.

  671. CC1.3.2

  672. Roles and responsibilities of senior management and information security employees/contractors are defined in written job descriptions or contractual agreements.

  675. For senior management and security related roles, the job description includes duties such as proper oversight, management, and monitoring of security activities, and are communicated to the employees/contractors during the onboarding process.

  678. The job descriptions are reviewed and updated on an as needed basis or at least annually.

  679. CC1.4.1

  680. Management and the board of directors of organization meet on an annual basis to review the following:

  681. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  682. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  683. - Evaluate the business contingency plans

  684. - Evaluate succession plans for assignment of responsibility for key roles

  685. - Approve the budgets for the organization and

  686. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  687. - Access the need for subcommittee, expert or consultant.

  688. - Evaluate skill and expertise of board members.

  689. CC1.4

  690. COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  691. CC1.1.2

  692. Established goals and performance objectives for senior employees are reviewed on an annual basis and approved by Executive Management.

  695. Management performs annual performance evaluations based on established and approved measurable goals, Key Performance Indicators (KPIs), competency requirements and performance evaluation criteria for employees.

  698. During the annual performance evaluation the employees and their supervisor discuss the performance of the employee, their competence, skill matrix gaps and relevant training needs. The training plan is then incorporated within employees’ next year’s goals.

  701. Based on the annual performance evaluation, management identifies employees that are required to go through a performance improvement program. For employees that have not met the objectives or KPIs, management monitors the progress of the performance improvement program.

  702. CC1.4.1

  703. Management and the board of directors of organization meet on an annual basis to review the following:

  704. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  705. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  706. - Evaluate the business contingency plans

  707. - Evaluate succession plans for assignment of responsibility for key roles

  708. - Approve the budgets for the organization and

  709. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  710. - Access the need for subcommittee, expert or consultant.

  711. - Evaluate skill and expertise of board members.

  712. CC1.4.2

  713. New employees and contractors are subjected to background and/or reference checks prior to joining the organization.

  714. CC1.4.3

  715. Management utilizes a pre-hire checklist to ensure that the hiring manager has assessed the qualification of candidates during the hiring process to confirm that they can perform the necessary job requirements.

  716. CC2.2.1

  717. The organization has policies and procedures for information security, business code of conduct and operating practices. Internal policy and procedure documents relating to security are maintained and made available to employees. The policies and procedure documents are reviewed and approved by management annually or during significant changes.

  718. CC1.5

  719. COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

  720. CC1.1.1

  721. At the time of hire, company employees and contractors are required to read and accept the Employee Confidentiality Agreement that includes an intellectual property clause, code of business conduct, ethical standards, and Information Security Policy that includes appropriate use of information technology.

  724. The company maintains an up-to-date Employee Handbook and an (including) up-to-date Sanctions Policy. The sanctions policy mentions that a non compliance with the code of business conduct can lead to termination of employees.

  727. Personnel, including contractors, are required to formally reaffirm the understanding of the code of conduct and ethical standards on an annual basis.

  728. CC1.1.2

  729. Established goals and performance objectives for senior employees are reviewed on an annual basis and approved by Executive Management.

  732. Management performs annual performance evaluations based on established and approved measurable goals, Key Performance Indicators (KPIs), competency requirements and performance evaluation criteria for employees.

  735. During the annual performance evaluation the employees and their supervisor discuss the performance of the employee, their competence, skill matrix gaps and relevant training needs. The training plan is then incorporated within employees’ next year’s goals.

  738. Based on the annual performance evaluation, management identifies employees that are required to go through a performance improvement program. For employees that have not met the objectives or KPIs, management monitors the progress of the performance improvement program.

  747. ________________

  750. CC2.0 Common Criteria Related to Information and Communication

  751. Ref.#

  752. Trust Service Criteria

  753. Control No.

  754. Control Description

  755. CC2.1

  756. COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

  757. CC2.1.3

  758. The company maintains an inventory of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis.

  759. CC2.2.1

  760. The organization has policies and procedures for information security, business code of conduct and operating practices. Internal policy and procedure documents relating to security are maintained and made available to employees. The policies and procedure documents are reviewed and approved by management annually or during significant changes.

  761. CC2.2.2

  762. The company has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting the organization's ethical and integrity requirements.

  763. CC2.3.2

  764. The company posts a contact form and office locations on its website for customers and other external users to communicate/ report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

  767. A ticket-tracking system is used for managing customer issues. Reported incidents are addressed by the organization’s support staff and tracked to resolution.

  768. ________________

  771. CC2.0 Common Criteria Related to Information and Communication

  772. Ref.#

  773. Trust Service Criteria

  774. Control No.

  775. Control Description

  776. CC2.2

  777. COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

  778. CC1.3.2

  779. Roles and responsibilities of senior management and information security employees/contractors are defined in written job descriptions or contractual agreements.

  782. For senior management and security related roles, the job description includes duties such as proper oversight, management, and monitoring of security activities, and are communicated to the employees/contractors during the onboarding process.

  785. The job descriptions are reviewed and updated on an as needed basis or at least annually.

  786. CC1.4.1

  787. Management and the board of directors of organization meet on an annual basis to review the following:

  788. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  789. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  790. - Evaluate the business contingency plans

  791. - Evaluate succession plans for assignment of responsibility for key roles

  792. - Approve the budgets for the organization and

  793. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  794. - Access the need for a subcommittee, expert or consultant.

  795. - Evaluate skill and expertise of board members.

  796. CC2.2.1

  797. The organization has policies and procedures for information security, business code of conduct and operating practices. Internal policy and procedure documents relating to security are maintained and made available to employees. The policies and procedure documents are reviewed and approved by management annually or during significant changes.

  798. CC2.2.2

  799. The company has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting the organization's ethical and integrity requirements.

  800. CC2.2.3

  801. Significant changes to people, roles and responsibilities for key personnel are internally communicated to all personnel via e-mail or the internal communication tool.

  802. CC2.2.4

  803. Employees are required to complete an information security and awareness training upon hire and at least annually.

  804. CC2.2.5

  805. The organization has developed documentation and user guides that describe relevant system components as well as the purpose and design of the system. These documents are made available to both internal and external users and updated as needed.

  807. The documentation also describes the organization and the product/service delivered.

  808. CC8.1.5

  809. A communication procedure is maintained that describes how employees and customers are notified of a potential application outage, planned or unplanned downtime, changes to application and its functionality, security events and major releases.

  811. The communication procedure is reviewed and updated as needed, however at minimum the procedure is updated annually.

  813. Internal and external system users are notified through email or internal communication tools for releases prior to system changes which will affect job responsibilities and commitments to the customers.

  814. CC2.3

  815. COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

  816. CC1.4.1

  817. Management and the board of directors of organization meet on an annual basis to review the following:

  818. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  819. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  820. - Evaluate the business contingency plans

  821. - Evaluate succession plans for assignment of responsibility for key roles

  822. - Approve the budgets for the organization and

  823. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  824. - Access the need for subcommittee, expert or consultant.

  825. - Evaluate skill and expertise of board members.

  826. CC2.2.2

  827. The company has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting the organization's ethical and integrity requirements.

  828. CC2.2.5

  829. The organization has developed documentation and user guides that describe relevant system components as well as the purpose and design of the system. These documents are made available to both internal and external users and updated as needed.

  831. The documentation also describes the organization and the product/service delivered.

  832. CC2.3.1

  833. The organization has formal agreements in place with customers which acknowledges compliance on security commitments by both parties. The customers' responsibilities including security commitments are documented within the formal agreement and agreed with the customers during the onboarding process.

  835. An up-to-date version of the company’s Master Service Agreements (MSA) or Terms of services (TOS) agreement with customers is maintained and reviewed at least annually.

  836. CC2.3.2

  837. The company posts a contact form and office locations on its website for customers and other external users to communicate/ report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

  840. A ticket-tracking system is used for managing customer issues. Reported incidents are addressed by the organization’s support staff and tracked to resolution.

  841. CC8.1.5

  842. A communication procedure is maintained that describes how employees and customers are notified of a potential application outage, planned or unplanned downtime, changes to application and its functionality, security events and major releases.

  844. The communication procedure is reviewed and updated as needed, however at minimum the procedure is updated annually.

  846. Internal and external system users are notified through email or internal communication tool for releases prior to system changes which will affect job responsibilities and commitments to the customers.

  855. ________________

  858. CC3.0 Common Criteria Related to Risk Assessment

  859. Ref.#

  860. Trust Service Criteria

  861. Control No.

  862. Control Description

  863. CC3.1

  864. COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  865. CC1.2.1

  866. The Board of Directors' oversight responsibilities is defined and documented within board of directors charter and is acknowledged by the board members on an annual basis.

  869. At least annually, the Board of Directors meet to review corporate governance issues, the company strategy, business objectives, capabilities and executions.

  870. CC1.4.1

  871. Management and the board of directors of organization meet on an annual basis to review the following:

  872. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  873. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  874. - Evaluate the business contingency plans

  875. - Evaluate succession plans for assignment of responsibility for key roles

  876. - Approve the budgets for the organization and

  877. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  878. - Access the need for subcommittee, expert or consultant.

  879. - Evaluate skill and expertise of board members.

  880. CC2.1.2

  881. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  882. CC2.3.3

  883. The company has defined a Risk Management Policy, which identifies and determines the risk of meeting operational, reporting and compliance objectives that align with organization's mission.

  886. Management performs a formal risk assessment (which includes risks related to security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes and information security) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization's executive management within the risk register which includes an inventory of "high" and "critical "risks that relate to the company, operating model, employees, and customers.

  889. Appropriate remediations are suggested and follow ups are performed to ensure that internal controls have been established to mitigate such risks. The status of all deficiencies along with residual risks that have been rated as high or critical for the organization are tracked until satisfactorily resolved.

  890. CC3.1.1

  891. Management reviews and evaluates activities and processes that are key in meeting organization’s security commitment. On an annual basis management reviews operations, issues relating to internal controls and delivery on key performance metrics.

  892. CC3.2

  893. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  894. CC2.3.3

  895. The company has defined a Risk Management Policy, which identifies and determines the risk of meeting operational, reporting and compliance objectives that align with organization's mission.

  898. Management performs a formal risk assessment (which includes risks related to security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes and information security) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization's executive management within the risk register which includes an inventory of "high" and "critical "risks that relate to the company, operating model, employees, and customers.

  901. Appropriate remediations are suggested and follow ups are performed to ensure that internal controls have been established to mitigate such risks. The status of all deficiencies along with residual risks that have been rated as high or critical for the organization are tracked until satisfactorily resolved.

  902. CC7.1.2

  903. An automated tool is implemented to perform vulnerability assessment on infrastructure and applications. Vulnerability scans are performed monthly with the scan frequency adjusted, as required, to meet ongoing and changing commitments and requirements.

  906. Management reviews the vulnerabilities and takes necessary actions on vulnerabilities identified as high and critical.

  909. A remediation plan is developed, and changes are implemented to remediate critical and high vulnerabilities at a minimum.

  912. The resolution of such vulnerabilities follows the incident response plan.

  913. CC9.2.1

  914. The company has a vendor management policy in place. The policy requires management to maintain critical third-party vendor inventory, baseline of vendor security requirements and periodic evaluation of the performance of critical third-party vendors.

  916. On an annual basis, management performs reviews of SOC reports from service providers/vendors to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.

  918. For critical vendors that do not have a SOC report and have access to data or impact the security of the system, a quarterly vendor risk assessment is performed. During this assessment performance, service delivery and compliance with security commitments is also assessed.

  920. Corrective actions are taken as required based on the results of the assessments.

  921. CC3.3

  922. COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

  923. CC2.3.3

  924. The company has defined a Risk Management Policy, which identifies and determines the risk of meeting operational, reporting and compliance objectives that align with organization's mission.

  927. Management performs a formal risk assessment (which includes risks related to security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes and information security) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization's executive management within the risk register which includes an inventory of "high" and "critical "risks that relate to the company, operating model, employees, and customers.

  930. Appropriate remediations are suggested and follow ups are performed to ensure that internal controls have been established to mitigate such risks. The status of all deficiencies along with residual risks that have been rated as high or critical for the organization are tracked until satisfactorily resolved.

  931. CC3.4

  932. COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

  933. CC1.4.1

  934. Management and the board of directors of organization meet on an annual basis to review the following:

  935. - Evaluate the need for additional people, processes, tools, and technologies to achieve the business objectives.

  936. - Evaluate the results of annual risk assessment and relevant information resulting from assessments conducted by internal and external parties

  937. - Evaluate the business contingency plans

  938. - Evaluate succession plans for assignment of responsibility for key roles

  939. - Approve the budgets for the organization and

  940. - Review the Organization's compensation and performance evaluation programs to retain competent individuals and to identify potential incentives and pressures for employees to commit fraud.

  941. - Access the need for subcommittee, expert or consultant.

  942. - Evaluate skill and expertise of board members.

  943. CC2.1.2

  944. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  945. CC2.3.3

  946. The company has defined a Risk Management Policy, which identifies and determines the risk of meeting operational, reporting and compliance objectives that align with organization's mission.

  949. Management performs a formal risk assessment (which includes risks related to security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes and information security) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization's executive management within the risk register which includes an inventory of "high" and "critical "risks that relate to the company, operating model, employees, and customers.

  952. Appropriate remediations are suggested and follow ups are performed to ensure that internal controls have been established to mitigate such risks. The status of all deficiencies along with residual risks that have been rated as high or critical for the organization are tracked until satisfactorily resolved.

  953. CC9.2.1

  954. The company has a vendor management policy in place. The policy requires management to maintain critical third-party vendor inventory, baseline of vendor security requirements and periodic evaluation of the performance of critical third-party vendors.

  956. On an annual basis, management performs reviews of SOC reports from service providers/vendors to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.

  958. For critical vendors that do not have a SOC report and have access to data or impact the security of the system, a quarterly vendor risk assessment is performed. During this assessment performance, service delivery and compliance with security commitments is also assessed.

  960. Corrective actions are taken as required based on the results of the assessments.

  969. ________________

  972. CC4.0 Common Criteria Related to Monitoring Activities

  973. Ref.#

  974. Trust Service Criteria

  975. Control No.

  976. Control Description

  977. CC4.1

  978. COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  979. CC2.1.2

  980. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  981. CC4.1.1

  982. External penetration testing is conducted annually by an independent third-party. The results of the test are reviewed by the IT management. If applicable, all high and / or critical findings of penetration tests are remediated in a timely manner added as risks to risk register along with risk treatment plan.

  984. High risk items are tracked to resolution following the incident management process.

  985. CC4.2

  986. COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

  987. CC2.1.2

  988. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  989. CC3.1.1

  990. Management reviews and evaluates activities and processes that are key in meeting organization’s security commitment. On an annual basis management reviews operations, issues relating to internal controls and delivery on key performance metrics.

  999. ________________

  1002. CC5.0 Common Criteria Related to Control Activities

  1003. Ref.#

  1004. Trust Service Criteria

  1005. Control No.

  1006. Control Description

  1007. CC5.1

  1008. COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  1009. CC2.1.2

  1010. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  1011. CC8.1.3

  1012. Source code changes are logged, time-stamped, and attributed to their author in a source code management tool. Access to the source code tool is restricted to authorized users using multi-factor authentication.

  1013. CC5.2

  1014. COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

  1015. CC2.1.3

  1016. The company maintains an inventory of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis.

  1017. CC3.1.1

  1018. Management reviews and evaluates activities and processes that are key in meeting organization’s security commitment. On an annual basis management reviews operations, issues relating to internal controls and delivery on key performance metrics.

  1019. CC5.2.1

  1020. IT team continuously monitors system capacity and performance through the use of monitoring tools to identify and detect anomalies that could compromise availability of the system operations.

  1022. Additionally, the monitoring tool generates alerts when specific predefined thresholds are met. Incident management process is invoked for confirmed events and anomalies. Logs and alert are tracked until resolved within the change-management/ticketing application.

  1023. CC5.2.2

  1024. Access to privileged and generic administrator accounts on the network, databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

  1025. CC5.3

  1026. COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

  1027. CC2.1.2

  1028. Management and the board of directors of organization meet on an annual basis to review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud.

  1029. CC2.2.1

  1030. The organization has policies and procedures for information security, business code of conduct and operating practices. Internal policy and procedure documents relating to security are maintained and made available to employees. The policies and procedure documents are reviewed and approved by management annually or during significant changes.

  1039. ________________

  1042. CC6.0 Common Criteria Related to Logical and Physical Access Controls

  1043. Ref.#

  1044. Trust Service Criteria

  1045. Control No.

  1046. Control Description

  1047. CC6.1

  1048. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

  1049. CC2.1.3

  1050. The company maintains an inventory of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis.

  1051. CC2.3.4

  1052. A formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management.

  1053. CC5.2.2

  1054. Access to privileged and generic administrator accounts on the network, databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

  1055. CC6.1.1

  1056. Multi-factor authentication (MFA) is enforced for user accounts with administrative access to the company's production platform.

  1057. CC6.1.2

  1058. Unique user IDs and passwords are required to gain access to the application production environment and infrastructure supporting the application (i.e., Active Directory, server, and database accounts).

  1060. Password settings for applications that store, or handle business critical systems are in accordance with the corresponding password requirements defined in the policy.

  1061. CC6.1.3

  1062. System components are configured such that the company and its customers' access is appropriately segmented from other customer accounts.

  1063. CC6.1.4

  1064. Management notifies security administrators of terminations of employees or consultants resulting in respective user accounts being disabled within one business day upon termination of employment as per the offboarding procedures.

  1067. Management utilizes an employee termination checklist to ensure that the termination process is consistently executed, and access is revoked for terminated employees within one business day.

  1068. CC6.1.5

  1069. The organization uses its cloud provider key management service to encrypt data at rest and to store and manage encryption keys. Access to production environment's access keys is restricted to authorized individuals.

  1070. CC6.1.6

  1071. Encryption technologies are used to protect communication and transmission of data over public networks.

  1072. CC6.2.1

  1073. A ticketing system and/or access request form is used to record granting of new or modified access to the system account based on authorization by the management.

  1074. CC7.1.1

  1075. Production systems and servers have been hardened to ensure an appropriate level of security against an established entity standard.

  1077. Baseline configurations are retained within the infrastructure as a code and a configuration management tool is used for implementation and for rollback capability anytime an approved configuration change is made.

  1079. Baseline configurations are reviewed and updated annually or when required due to reviews and system changes, and anytime integral system components are added.

  1080. CC6.2

  1081. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

  1082. CC6.1.4

  1083. Management notifies security administrators of terminations of employees or consultants resulting in respective user accounts being disabled within one business day upon termination of employment as per the offboarding procedures.

  1086. Management utilizes an employee termination checklist to ensure that the termination process is consistently executed, and access is revoked for terminated employees within one business day.

  1087. CC6.2.1

  1088. A ticketing system and/or access request form is used to record granting of new or modified access to the system account based on authorization by the management.

  1089. CC6.2.2

  1090. Management performs a quarterly user access review for all user accounts (including users with administrative privileges) for in-scope system components to ensure that access is restricted appropriately and to identify unauthorized or terminated users. Access is modified or removed in a timely manner based on the results of the review and are tracked to completion.

  1091. ________________

  1094. CC6.0 Common Criteria Related to Logical and Physical Access Controls

  1095. Ref.#

  1096. Trust Service Criteria

  1097. Control No.

  1098. Control Description

  1099. CC6.3

  1100. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

  1101. CC5.2.2

  1102. Access to privileged and generic administrator accounts on the network, databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

  1103. CC6.1.4

  1104. Management notifies security administrators of terminations of employees or consultants resulting in respective user accounts being disabled within one business day upon termination of employment as per the offboarding procedures.

  1107. Management utilizes an employee termination checklist to ensure that the termination process is consistently executed, and access is revoked for terminated employees within one business day.

  1108. CC6.2.1

  1109. A ticketing system and/or access request form is used to record granting of new or modified access to the system account based on authorization by the management.

  1110. CC6.2.2

  1111. Management performs a quarterly user access review for all user accounts (including users with administrative privileges) for in-scope system components to ensure that access is restricted appropriately and to identify unauthorized or terminated users. Access is modified or removed in a timely manner based on the results of the review and are tracked to completion.

  1112. CC6.4

  1113. The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

  1114. CC6.1.4

  1115. Management notifies security administrators of terminations of employees or consultants resulting in respective user accounts being disabled within one business day upon termination of employment as per the offboarding procedures.

  1118. Management utilizes an employee termination checklist to ensure that the termination process is consistently executed, and access is revoked for terminated employees within one business day.

  1119. CC6.2.1

  1120. A ticketing system and/or access request form is used to record granting of new or modified access to the system account based on authorization by the management.

  1121. CC6.2.2

  1122. Management performs a quarterly user access review for all user accounts (including users with administrative privileges) for in-scope system components to ensure that access is restricted appropriately and to identify unauthorized or terminated users. Access is modified or removed in a timely manner based on the results of the review and are tracked to completion.

  1123. CC6.4.1

  1124. All production systems are hosted in a cloud environment which is equipped with appropriate physical security controls and is the responsibility of subservice organization. Physical security and environmental controls have been implemented to protect systems inside the server room by the subservice organization. The SOC 2 report of subservice organization is reviewed on an annual basis to evaluate the effectiveness of the controls at the subservice organization.

  1125. CC6.5

  1126. The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

  1127. CC6.5.1

  1128. Formal data retention and disposal policy and procedure are in place to guide the secure retention and disposal of information.

  1130. After termination of contract, all customer data is retained in accordance with the contractual agreement between the organization and customer.

  1133. CC6.6

  1134. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

  1135. CC6.1.1

  1136. Multi-factor authentication (MFA) is enforced for user accounts with administrative access to the company's production platform.

  1137. CC6.1.6

  1138. Encryption technologies are used to protect communication and transmission of data over public networks.

  1139. CC6.6.1

  1140. The company uses firewalls and intrusion detection tools and configures them to prevent unauthorized access and detect external security threats.

  1142. System firewalls are configured on the application gateway and production network to limit unnecessary ports, protocols and services. Firewall rules are reviewed on an annual basis by IT management.

  1143. ________________

  1146. CC6.0 Common Criteria Related to Logical and Physical Access Controls

  1147. Ref.#

  1148. Trust Service Criteria

  1149. Control No.

  1150. Control Description

  1151. CC6.7

  1152. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

  1153. CC5.2.2

  1154. Access to privileged and generic administrator accounts on the network, databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

  1155. CC6.1.5

  1156. The organization uses its cloud provider key management service to encrypt data at rest and to store and manage encryption keys. Access to production environment's access keys is restricted to authorized individuals.

  1157. CC6.1.6

  1158. Encryption technologies are used to protect communication and transmission of data over public networks.

  1159. CC6.8.1

  1160. Anti-virus and Malware protection software is installed and configured on all production servers to prevent or detect and act upon the introduction of unauthorized or malicious software. The Anti-virus is set up to automatically scan on a continuous basis

  1162. For production servers, the Anti-virus definitions are updated on a weekly basis.

  1164. Anti-virus and Malware protection software is installed and configured for Mac based workstations and laptops.

  1165. CC7.2.1

  1166. Logging is enabled to monitor activities such as administrative activities, logon attempts, data deletions at the application and infrastructure level, changes to functions, security configurations, permissions, and roles.

  1168. Automated alerts are configured to notify IT management of high and critical risk events. The issues identified are resolved in a timely manner through the incident management process.

  1170. Access to change the log configuration and access to modify logs is restricted.

  1171. CC7.5.1

  1172. A patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner. Chief Product Officer (CPO) / Management has set up automatic patch management and performs monthly patch management reviews.

  1174. Workstations are configured to receive automatic updates. In addition, workstations are scanned to test patch compliance on a daily basis.

  1175. ________________

  1178. CC6.0 Common Criteria Related to Logical and Physical Access Controls

  1179. Ref.#

  1180. Trust Service Criteria

  1181. Control No.

  1182. Control Description

  1183. CC6.8

  1184. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

  1185. CC5.2.2

  1186. Access to privileged and generic administrator accounts on the network, databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.

  1187. CC6.8.1

  1188. Anti-virus and Malware protection software is installed and configured on all production servers to prevent or detect and act upon the introduction of unauthorized or malicious software. The Anti-virus is set up to automatically scan on a continuous basis

  1190. For production servers, the Anti-virus definitions are updated on a weekly basis.

  1192. Anti-virus and Malware protection software is installed and configured for Mac based workstations and laptops.

  1193. CC8.1.1

  1194. A formal change management policy is established that governs the development, implementation, changes, and maintenance of application(s) and supporting infrastructure. System development lifecycle documentation also addresses regular and emergency change processes.

  1195. The change management process requires that:

  1196. • Change requests are authorized

  1197. • Changes are tested prior to migration to production

  1198. • Changes are reviewed and approved prior to promotion to the production environment.

  1200. All changes are documented in the internal tool and tracked from initiation through deployment and validation.

  1202. Emergency changes follow an accelerated timeline and prior to initiating an emergency change, appropriate approval is obtained and documented.

  1203. CC8.1.3

  1204. Source code changes are logged, time-stamped, and attributed to their author in a source code management tool. Access to the source code tool is restricted to authorized users using multi-factor authentication.

  1213. ________________

  1216. CC7.0 Common Criteria Related to System Operations

  1217. Ref.#

  1218. Trust Service Criteria

  1219. Control No.

  1220. Control Description

  1221. CC7.1

  1222. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

  1223. CC2.1.3

  1224. The company maintains an inventory of production information assets including details on asset ownership, data classification and location. The asset inventory listing is reviewed and updated by management on an as-needed basis.

  1225. CC7.1.1

  1226. Production systems and servers have been hardened to ensure an appropriate level of security against an established entity standard.

  1228. Baseline configurations are retained within the infrastructure as a code and a configuration management tool is used for implementation and for rollback capability anytime an approved configuration change is made.

  1230. Baseline configurations are reviewed and updated annually or when required due to reviews and system changes, and anytime integral system components are added.

  1231. CC7.1.2

  1232. An automated tool is implemented to perform vulnerability assessment on infrastructure and applications. Vulnerability scans are performed monthly with the scan frequency adjusted, as required, to meet ongoing and changing commitments and requirements.

  1235. Management reviews the vulnerabilities and takes necessary actions on vulnerabilities identified as high and critical.

  1238. A remediation plan is developed, and changes are implemented to remediate critical and high vulnerabilities at a minimum.

  1241. The resolution of such vulnerabilities follows the incident response plan.

  1242. CC7.2.1

  1243. Logging is enabled to monitor activities such as administrative activities, logon attempts, data deletions at the application and infrastructure level, changes to functions, security configurations, permissions, and roles.

  1245. Automated alerts are configured to notify IT management of high and critical risk events. The issues identified are resolved in a timely manner through the incident management process.

  1247. Access to change the log configuration and access to modify logs is restricted.

  1248. CC7.2

  1249. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

  1250. CC7.1.2

  1251. An automated tool is implemented to perform vulnerability assessment on infrastructure and applications. Vulnerability scans are performed monthly with the scan frequency adjusted, as required, to meet ongoing and changing commitments and requirements.

  1254. Management reviews the vulnerabilities and takes necessary actions on vulnerabilities identified as high and critical.

  1257. A remediation plan is developed, and changes are implemented to remediate critical and high vulnerabilities at a minimum.

  1260. The resolution of such vulnerabilities follows the incident response plan.

  1261. CC7.2.1

  1262. Logging is enabled to monitor activities such as administrative activities, logon attempts, data deletions at the application and infrastructure level, changes to functions, security configurations, permissions, and roles.

  1264. Automated alerts are configured to notify IT management of high and critical risk events. The issues identified are resolved in a timely manner through the incident management process.

  1266. Access to change the log configuration and access to modify logs is restricted.

  1267. CC7.3

  1268. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

  1269. CC7.3.1

  1270. A formal incident management process has been established and implemented which requires incidents to be tracked, documented and resolved in a complete, accurate and timely manner. The process document is reviewed by management on an annual basis and updated as required.

  1272. All critical security (including data breaches) incidents are logged and tracked in the ticketing system and communicated to affected parties. Communication is also conducted with senior management for each security incident, to evaluate the root causes, remediation steps, and lessons learned to be able to prevent similar incidents in the future.

  1274. Incidents are resolved in a timely manner in accordance with the formal incident management process to meet organization's commitments.

  1275. ________________

  1278. CC7.0 Common Criteria Related to System Operations

  1279. Ref.#

  1280. Trust Service Criteria

  1281. Control No.

  1282. Control Description

  1283. CC7.4

  1284. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

  1285. CC2.1.4

  1286. The company management has established defined roles and responsibilities to oversee the design and implementation of information security policies and controls including incident response and have assigned such roles to the Chief Information Security Officer.

  1287. CC7.3.1

  1288. A formal incident management process has been established and implemented which requires incidents to be tracked, documented and resolved in a complete, accurate and timely manner. The process document is reviewed by management on an annual basis and updated as required.

  1290. All critical security (including data breaches) incidents are logged and tracked in the ticketing system and communicated to affected parties. Communication is also conducted with senior management for each security incident, to evaluate the root causes, remediation steps, and lessons learned to be able to prevent similar incidents in the future.

  1292. Incidents are resolved in a timely manner in accordance with the formal incident management process to meet organization's commitments.

  1293. CC7.4.1

  1294. A BCDR (Business Continuity and Disaster Recovery) policy, Business Continuity plan and Disaster Recovery plan is documented and reviewed annually. The plan includes the alternative working plans, the roles and responsibilities of key personnel in executing the continuity strategy. There are communication plans in the policy in order to notify of any disaster. The plan also includes the incident response plan.

  1296. Company conducts testing of the BCDR (Business Continuity and Disaster Recovery) plans, per the defined testing schedule for different loss scenarios. Each loss scenario is tested at least annually. Test results are reviewed and consequently contingency plans are updated.

  1298. Issues identified during testing are resolved and plans are updated accordingly.

  1299. CC7.5

  1300. The entity identifies, develops, and implements activities to recover from identified security incidents.

  1301. CC7.3.1

  1302. A formal incident management process has been established and implemented which requires incidents to be tracked, documented and resolved in a complete, accurate and timely manner. The process document is reviewed by management on an annual basis and updated as required.

  1304. All critical security (including data breaches) incidents are logged and tracked in the ticketing system and communicated to affected parties. Communication is also conducted with senior management for each security incident, to evaluate the root causes, remediation steps, and lessons learned to be able to prevent similar incidents in the future.

  1306. Incidents are resolved in a timely manner in accordance with the formal incident management process to meet organization's commitments.

  1307. CC7.4.1

  1308. A BCDR (Business Continuity and Disaster Recovery) policy, Business Continuity plan and Disaster Recovery plan is documented and reviewed annually. The plan includes the alternative working plans, the roles and responsibilities of key personnel in executing the continuity strategy. There are communication plans in the policy in order to notify of any disaster. The plan also includes the incident response plan.

  1310. Company conducts testing of the BCDR (Business Continuity and Disaster Recovery) plans, per the defined testing schedule for different loss scenarios. Each loss scenario is tested at least annually. Test results are reviewed and consequently contingency plans are updated.

  1312. Issues identified during testing are resolved and plans are updated accordingly.

  1321. ________________

  1324. CC8.0 Common Criteria Related to Change Management

  1325. Ref.#

  1326. Trust Service Criteria

  1327. Control No.

  1328. Control Description

  1329. CC8.1

  1330. The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

  1331. CC7.1.1

  1332. Production systems and servers have been hardened to ensure an appropriate level of security against an established entity standard.

  1334. Baseline configurations are retained within the infrastructure as a code and a configuration management tool is used for implementation and for rollback capability anytime an approved configuration change is made.

  1336. Baseline configurations are reviewed and updated annually or when required due to reviews and system changes, and anytime integral system components are added.

  1337. CC7.5.1

  1338. A patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner. Chief Technology Officer (CTO) / Management has set up automatic patch management and performs monthly patch management reviews.

  1340. Workstations are configured to receive automatic updates. In addition, workstations are scanned to test patch compliance on a daily basis.

  1341. CC8.1.1

  1342. A formal change management policy is established that governs the development, implementation, changes, and maintenance of application(s) and supporting infrastructure. System development lifecycle documentation also addresses regular and emergency change processes.

  1343. The change management process requires that:

  1344. • Change requests are authorized

  1345. • Changes are tested prior to migration to production

  1346. • Changes are reviewed and approved prior to promotion to the production environment.

  1348. All changes are documented in the internal tool and tracked from initiation through deployment and validation.

  1350. Emergency changes follow an accelerated timeline and prior to initiating an emergency change, appropriate approval is obtained and documented.

  1351. CC8.1.2

  1352. Developers do not make changes to application code in the production environment without additional approval. Code repository branch rules have been configured to ensure that every merge request, to move change to production environment, requires additional approval.

  1353. CC8.1.3

  1354. Source code changes are logged, time-stamped, and attributed to their author in a source code management tool. Access to the source code tool is restricted to authorized users using multi-factor authentication.

  1355. CC8.1.4

  1356. Changes to application and system infrastructure are developed and tested in a separate development or test environment before implementation.

  1365. ________________

  1368. CC9.0 Common Criteria Related to Risk Mitigation

  1369. Ref.#

  1370. Trust Service Criteria

  1371. Control No.

  1372. Control Description

  1373. CC9.1

  1374. The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

  1375. CC7.4.1

  1376. A BCDR (Business Continuity and Disaster Recovery) policy, Business Continuity plan and Disaster Recovery plan is documented and reviewed annually. The plan includes the alternative working plans, the roles and responsibilities of key personnel in executing the continuity strategy. There are communication plans in the policy in order to notify of any disaster. The plan also includes the incident response plan.

  1378. Company conducts testing of the BCDR (Business Continuity and Disaster Recovery) plans, per the defined testing schedule for different loss scenarios. Each loss scenario is tested at least annually. Test results are reviewed, and consequently contingency plans are updated.

  1380. Issues identified during testing are resolved and plans are updated accordingly.

  1381. CC9.2

  1382. The entity assesses and manages risks associated with vendors and business partners.

  1383. CC9.2.1

  1384. The company has a vendor management policy in place. The policy requires management to maintain critical third-party vendor inventory, baseline of vendor security requirements and periodic evaluation of the performance of critical third-party vendors.

  1386. On an annual basis, management performs reviews of SOC reports from service providers/vendors to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.

  1388. For critical vendors that do not have a SOC report and have access to data or impact the security of the system, a quarterly vendor risk assessment is performed. During this assessment performance, service delivery and compliance with security commitments is also assessed.

  1390. Corrective actions are taken as required based on the results of the assessments.

  1391. CC9.2.2

  1392. A vendor management process has been implemented whereby management performs risk assessments of potential new vendors prior to their onboarding.

  1394. The vendors' responsibilities, which includes security commitments and responsibilities are documented and agreed with the vendors during the onboarding process.

  1395. CC9.2.3

  1398. Vendor management process has been implemented that includes security procedures to be followed in case of vendor terminations.

  1400. The Company has clauses in its agreements with vendors and service providers to terminate relationships when necessary. Vendor and service provider access is removed upon termination through a termination checklist and access is revoked as part of the termination process.

  1403. ________________

  1406. Tests of Controls and Results of Tests

  1409. Control

  1410. Description of Controls

  1411. Tests of Controls

  1412. Test Results

  1413. CC1.1.1

  1414. Employees are required to acknowledge the Code of Conduct at least annually, which is enforced to ensure ethical behavior and compliance with organizational policies. Moreover, a Sanctions Policy mentions that non- compliance with the Code of Conduct can lead to termination of employees.

  1415. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1416. Selected a sample of active employees. For the selected samples inspected evidence to observe that employees are required to acknowledge the Code of Conduct at least annually, which is enforced to ensure ethical behavior and compliance with organizational policies.

  1417. Further inspected evidence to observe that the Sanctions Policy mentions that non-compliance with the Code of

  1418. Conduct can lead to termination of employees.

  1419. No exceptions noted

  1420. CC1.1.2

  1421. Contractors are required to acknowledge and sign a confidentiality agreement to ensure the protection of sensitive information.

  1422. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1423. Selected a sample of new contractors. For the selected samples, inspected evidence to observe that contractors are required to acknowledge and sign a confidentiality agreement to ensure the protection of sensitive

  1424. information.

  1425. No exceptions noted

  1426. CC1.1.3

  1427. Contractors are required to acknowledge the Code of Conduct at least annually, which is enforced to ensure ethical behavior and compliance with organizational policies. Moreover, a Sanctions Policy mentions that non- compliance with the Code of Conduct can lead to termination of contractors.

  1428. Inquired of the control owner to confirm the requirements for contractors regarding the acknowledgment of the Code of Conduct.

  1429. Selected a sample of active contractors. For the selected samples, inspected evidence to observe that contractors are required to acknowledge the Code of Conduct at least annually, which is enforced to ensure ethical behavior and compliance with organizational policies.

  1430. Further, inspected evidence to observe that the Sanctions Policy mentions that non-compliance with the Code of Conduct can lead to

  1431. termination of contractors.

  1432. No exceptions noted

  1433. CC1.1.4

  1434. Employees are required to acknowledge and sign a confidentiality agreement to ensure the protection of sensitive information.

  1435. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1436. Selected a sample of new employees. For the selected samples, inspected evidence to observe that employees are required to acknowledge and sign a confidentiality agreement to ensure

  1437. the protection of sensitive information.

  1438. No exceptions noted

  1439. CC1.2.1

  1440. The board charter is documented and outlines the responsibilities, structure, and processes of the board to ensure effective governance and oversight. Ensure the Board of Directors has members who are independent from management to promote objective evaluations and decision making.

  1441. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1442. Inspected evidence to observe that the board charter is documented and outlines the responsibilities, structure, and processes of the board to ensure effective governance and oversight.

  1443. Further, inspected evidence to observe that the Board of Directors has members who are independent from management to promote

  1444. objective evaluations and decision making.

  1445. No exceptions noted

  1446. CC1.2.2

  1447. Board meetings are conducted regularly to review and oversee the entity's strategic direction, risk management, and compliance with regulatory requirements.

  1448. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1449. Inspected evidence to observe that the Board meetings are conducted regularly to review and oversee the entity's strategic direction, risk management, and compliance with

  1450. regulatory requirements.

  1451. No exceptions noted

  1452. CC1.4.1

  1453. The board of directors possesses the necessary expertise to oversee and guide the entity's information security and compliance programs effectively.

  1454. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1455. Inspected evidence to observe that the board of directors possesses the necessary expertise to oversee and guide the entity's information security

  1456. and compliance programs effectively.

  1457. No exceptions noted

  1458. CC1.4.2

  1459. The board of directors is regularly briefed on the status of the entity's information security program, including risk management, compliance, and incident response activities.

  1460. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1461. Inspected evidence to observe that the board of directors is regularly briefed on the status of the entity's information security program, including risk management, compliance, and incident response

  1462. activities.

  1463. No exceptions noted

  1464. CC1.3.1

  1465. The organization has established and documented its structure, including roles, responsibilities, and reporting lines, to support the achievement of its objectives and compliance with relevant requirements.

  1466. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1467. Inspected evidence to observe that the organization has established and documented its structure, including roles, responsibilities, and reporting lines, to support the achievement of

  1468. its objectives and compliance with relevant requirements.

  1469. No exceptions noted

  1470. CC1.3.2

  1471. Roles and responsibilities for the security of systems and data are clearly defined, documented, and communicated to relevant personnel, which includes all employees with security- related roles.

  1472. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1473. Selected a sample of employees. For the selected samples, inspected evidence to observe that roles and responsibilities for the security of systems and data are clearly defined, documented, and communicated to relevant personnel, which includes all

  1474. employees with security-related roles.

  1475. No exceptions noted

  1476. CC1.3.3

  1477. Management roles and responsibilities are established, documented, and communicated to ensure accountability and proper execution of tasks related to the entity's information, infrastructure, and software.

  1478. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1479. Inspected evidence to observe that management roles and responsibilities are established, documented, and communicated to ensure accountability and proper execution of tasks related to the entity's information, infrastructure,

  1480. and software.

  1481. No exceptions noted

  1482. CC1.1.5

  1483. Performance evaluations are conducted, documented, and reviewed regularly to ensure that personnel meet the established criteria and contribute effectively to the entity's objectives. These evaluations include discussions on training needs and the development of a performance development plan to support continuous improvement and professional growth.

  1484. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1485. Selected sample of active employees. For the selected samples, inspected evidence to observe that performance evaluations are conducted, documented, and reviewed regularly to ensure that personnel meet the established criteria and contribute effectively to the entity's objectives. Further observed that these evaluations included discussions on training needs and the development of a performance development plan to support continuous improvement and

  1486. professional growth.

  1487. No exceptions noted

  1488. CC1.4.3

  1489. Background checks are conducted on employees and contractors prior to employment to ensure the integrity and reliability of individuals accessing sensitive information and systems.

  1490. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1491. Selected a sample of new employees. For the selected samples, inspected the evidence to observe that background checks are conducted on employees and contractors prior to employment to ensure the integrity and reliability of individuals accessing

  1492. sensitive information and systems.

  1493. No exceptions noted

  1494. CC1.4.4

  1495. Management utilizes a pre-hire checklist to ensure that hiring manager has assessed the qualifications of candidates during the hiring process to confirm that they can perform the necessary job requirements.

  1496. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1497. Selected a sample of new employees. For the selected samples, inspected the evidence to observe that management utilizes a pre-hire checklist to ensure that hiring manager has assessed the qualification of candidates during the hiring process to confirm that they

  1498. can perform the necessary job requirements.

  1499. No exceptions noted

  1500. CC2.1.1

  1501. An intrusion detection system is utilized to monitor and detect unauthorized access or anomalies within the network, ensuring timely identification and response to potential security incidents.

  1502. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1503. Inspected evidence to observe that an intrusion detection system is utilized to monitor and detect unauthorized access or anomalies within the network, ensuring timely identification and response to

  1504. potential security incidents.

  1505. No exceptions noted

  1506. CC2.1.2

  1507. The Board of Directors has empowered the Risk and Governance Executive Committee ("RGEC") to provide oversight of management's system and supplement its expertise related to security and governance.

  1508. The RGEC Charter has been established to define the responsibilities of the RGEC members. The Charter is reviewed and updated as necessary and is approved on an annual basis and made available to relevant personnel.

  1509. The RGEC Committee meets semiannually review and evaluate the key internal control measures such as alignment and approval of the organization's policies, performance of internal controls assessment, review the organization wide risk assessment based on the identified needs and corrective action, identification of any opportunities for improvements, review resources and budget needs related to information security and compliance frameworks, review assessments conducted by internal and external parties, approve new controls ensuring appropriate mix of both manual and automated controls and preventive and detective controls and consider various ways that fraud and misconduct can occur within the organization, measures to mitigate the risk of fraud and succession planning for

  1510. identified key roles/personnel.

  1511. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1512. Inspected evidence to observe that the board has empowered the Risk and Governance Executive Committee ("RGEC") to provide oversight of management's system and supplement its expertise related to security and governance.

  1513. Inspected evidence to observe that the charter includes responsibilities of the RGEC members. Further observed that the charter is reviewed and updated as necessary and is approved on an annual basis and made available to relevant personnel.

  1514. Selected meeting minutes of sample RGEC meeting to observe that the Risk and Governance Committee met quarterly to review and evaluate key internal control measures.

  1515. No exceptions noted

  1516. CC2.1.3

  1517. A data classification policy is established, documented, and implemented to categorize data based on sensitivity and criticality, ensuring appropriate handling and protection measures are applied.

  1518. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1519. Inspected evidence to observe that the data classification policy is established, documented, and implemented to categorize data based on sensitivity and criticality,

  1520. ensuring appropriate handling and protection measures are applied.

  1521. No exceptions noted

  1522. CC2.1.4

  1523. The organization maintains an inventory of production information assets including details on asset ownership and location. The asset inventory listing is reviewed and updated by management on an as- needed basis.

  1524. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1525. Inspected evidence to observe that the organization maintains an inventory of production information assets including details on asset ownership and location.

  1526. Inspected evidence to observe that the asset inventory listing was reviewed and updated by

  1527. management on an as-needed basis.

  1528. No exceptions noted

  1529. CC2.2.1

  1530. Security policies are established, documented, and periodically reviewed to ensure they remain effective and aligned with organizational objectives and regulatory requirements. These policies are made available to and acknowledged by employees and contractors.

  1531. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1532. Inspected evidence to observe that security policies are established, documented, and periodically reviewed to ensure they remain effective and aligned with organizational objectives and regulatory requirements.

  1533. Selected sample of employees. For the selected samples, inspected evidence to observe that these policies are made available to and acknowledged by employees and

  1534. contractors.

  1535. No exceptions noted

  1536. CC2.2.2

  1537. The company has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting the organization's ethical and integrity requirements.

  1538. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1539. Inspected evidence to observe that the company has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues

  1540. impacting the organization's ethical and integrity requirements.

  1541. No exceptions noted

  1542. CC2.2.3

  1543. Significant changes to people, roles and responsibilities for key personnel are internally communicated to all personnel via an internal communication tool.

  1544. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1545. Selected a sample of changes to key personnel, roles, and responsibilities. For the selected samples, inspected evidence to observe that significant changes to people, roles and responsibilities for key personnel are internally communicated to all personnel via an internal communication tool.

  1546. No exceptions noted. The operating effectiveness of the control related to significant changes to people, roles and responsibilities could not be tested because there were no significant changes made during the engagement

  1547. period.

  1548. CC2.2.4

  1549. Security awareness training is implemented, documented, and conducted regularly to ensure that all personnel are aware of security policies, procedures, and their responsibilities in protecting the entity's information and systems.

  1550. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1551. Selected a sample of active employees. For the selected samples, inspected evidence to observe that security awareness training is implemented, documented, and conducted regularly to ensure that all personnel are aware of security policies, procedures, and their responsibilities in protecting the

  1552. entity's information and systems.

  1553. No exceptions noted

  1554. CC2.3.1

  1555. Company commitments to security are clearly communicated to external stakeholders through established channels, ensuring transparency and alignment with trust services criteria.

  1556. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1557. Inspected evidence to observe that company commitments to security are clearly communicated to external stakeholders through established channels, ensuring transparency and alignment with trust services criteria.

  1558. No exceptions noted

  1559. CC2.3.2

  1560. External support resources are identified, documented, and made available to ensure timely and effective resolution of issues and continuity of operations.

  1561. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1562. Inspected evidence to observe that external support resources are identified, documented, and made available to ensure timely and effective resolution of issues and

  1563. continuity of operations.

  1564. No exceptions noted

  1565. CC2.3.3

  1566. A support system is available to assist users with issues related to the entity's information, infrastructure, and software, ensuring timely resolution and maintaining system integrity.

  1567. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1568. Inspected evidence to observe that a support system is available to assist users with issues related to the entity's information, infrastructure, and software. Further selected sample of incidents. For the selected samples, inspected evidence to observe timely resolution for maintenance of system integrity.

  1569. No exceptions noted

  1570. CC2.3.4

  1571. Risk assessment objectives are established, documented, and communicated to identify, analyze, and manage risks associated with the achievement of the entity's objectives. Risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and information security.

  1572. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1573. Inspected evidence to observe that risk assessment objectives are established, documented, and communicated to identify, analyze, and manage risks associated with the achievement of the entity's objectives. Further, observed that risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and

  1574. information security.

  1575. No exceptions noted

  1576. CC2.3.5

  1577. A risk management program is established, documented, and maintained to identify, assess, and respond to risks that could impact the achievement of the entity's objectives. Risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and information security.

  1578. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1581. Inspected evidence to observe that a risk management program is established, documented, and maintained to identify, assess, and respond to risks that could impact the achievement of the entity's objectives. Further, observed that risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and

  1582. information security.

  1583. No exceptions noted

  1584. CC2.3.6

  1585. Risk assessments are conducted periodically to identify potential threats and vulnerabilities to the entity's information systems and data, ensuring appropriate risk mitigation strategies are implemented. Risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and information security.

  1586. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1587. Inspected evidence to observe that risk assessments are conducted periodically to identify potential threats and vulnerabilities to the entity's information systems and data, ensuring appropriate risk mitigation strategies are implemented. Further, observed that risks are ranked according to priority levels and cover areas like security, fraud, legal, regulatory, economic, physical and business environment, competition, customer, vendor relationship, technology changes, and

  1588. information security.

  1589. No exceptions noted

  1590. CC2.3.7

  1591. A formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management.

  1592. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1593. Inspected evidence to observe that a formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management.

  1594. No exceptions noted

  1595. CC3.1.1

  1596. The Organization has implemented an IT Leadership Committee which is governed by IT Leadership Committee Charter that provide support to the Risk and Governance Executive Committee (RGEC).

  1597. The IT Leadership Committee Charter includes roles and responsibilities relevant to security and is reviewed annually.

  1598. IT leadership team meets weekly to review and evaluate activities and processes that are key in meeting organization’s security commitment The organization's executive team meets on a weekly basis to discuss operations, issues relating to internal controls and delivery on key performance metrics.

  1599. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1600. Inspected evidence to observe that the company has implemented an IT Leadership Committee which is governed by IT Leadership Committee Charter that provide support to the Risk and Governance Executive Committee (RGEC).

  1601. Inspected evidence to observe that the charter includes roles and responsibilities of the ITLC members relates to security. Further observed that the charter is reviewed on an annual basis.

  1602. Selected meeting minutes of sample ITLC meeting to observe that that the Risk and Governance Committee met weekly to review and evaluate activities and processes that are key in meeting organization’s security commitment. Further, observed that the company's executive team meets on a weekly basis to discuss operations, issues relating to internal controls and delivery on key

  1603. performance metrics.

  1604. No exceptions noted

  1605. CC3.2.1

  1606. Cybersecurity insurance is maintained to provide financial protection and support in the event of a cyber incident or data breach.

  1607. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1608. Inspected evidence to observe that Cybersecurity insurance is maintained to provide financial protection and support in the event of a cyber incident or data breach.

  1609. No exceptions noted. The operating effectiveness of the control related to cybersecurity incidents could not be tested because there no cyber incidents reported during the engagement

  1610. period.

  1611. CC5.2.1

  1612. Infrastructure performance is continuously monitored to ensure the availability, efficiency, and reliability of systems and services.

  1613. Additionally, the monitoring tool generates alerts when specific predefined thresholds are met. An incident management process is invoked for confirmed events and anomalies, with logs and alerts tracked until resolved within the change- management/ticketing application.

  1614. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1615. Inspected evidence to observe that Infrastructure performance is continuously monitored to ensure the availability, efficiency, and reliability of systems and services. Further observed that the monitoring tool generates alerts when specific predefined thresholds are met.

  1616. Selected sample alerts. For selected sample inspected evidence to observe that an incident management process was invoked for confirmed events and anomalies, with logs and alerts tracked until resolved within the change-management/ticketing

  1617. application.

  1618. No exceptions noted

  1619. CC5.2.2

  1620. Access to the production operating system is restricted to authorized personnel to ensure system integrity and security. Generic accounts with administrative privileges are carefully managed and monitored to ensure access to these accounts is limited.

  1621. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1622. Inspected evidence to observe that access to the production operating system is restricted to authorized personnel to ensure system integrity and security. Further observed that generic accounts with administrative privileges are carefully managed and monitored to ensure access to these accounts is limited.

  1623. No exceptions noted

  1624. CC5.2.3

  1625. Access to the production database is restricted to authorized personnel based on their roles and responsibilities, ensuring that only those with a legitimate need can access sensitive data.

  1626. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1627. Inspected evidence to observe that access to the production database is restricted to authorized personnel based on their roles and responsibilities, ensuring that only those with a legitimate need can

  1628. access sensitive data.

  1629. No exceptions noted

  1630. CC5.2.4

  1631. Access to the production network is restricted to authorized personnel, ensuring that only individuals with a legitimate business need can access sensitive systems and data.

  1632. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1633. Inspected evidence to observe that access to the production network is restricted to authorized personnel, ensuring that only individuals with a legitimate business need can access

  1634. sensitive systems and data.

  1635. No exceptions noted

  1636. CC5.2.5

  1637. Access to production deployment is restricted to authorized personnel to ensure the security and integrity of the production environment.

  1638. Additionally, source code changes are logged, time- stamped, and attributed to their author in a source code management tool.

  1639. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1640. Inspected evidence to observe that access to production deployment was restricted to authorized personnel to ensure the security and integrity of the production environment.

  1641. Selected sample changes. For the selected samples, inspected evidence to observe that source code changes were logged, time-stamped, and

  1642. attributed to their author in a source code management tool.

  1643. No exceptions noted

  1644. CC5.2.6

  1645. Access to production applications is restricted to authorized personnel based on their roles and responsibilities, ensuring that only individuals with a legitimate need can access sensitive systems and data.

  1646. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1647. Inspected evidence to observe that access to production applications is restricted to authorized personnel based on their roles and responsibilities, ensuring that only individuals with a legitimate need can

  1648. access sensitive systems and data.

  1649. No exceptions noted

  1650. CC6.1.1

  1651. Multi-factor authentication (MFA) is enforced for all remote access to ensure that only authorized individuals can access the entity's information systems.

  1652. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1653. Inspected evidence to observe that multi-factor authentication (MFA) is enforced for all remote access to ensure that only authorized individuals can access the entity's

  1654. information systems.

  1655. No exceptions noted

  1656. CC6.1.2

  1657. Access control procedures are established, documented, and enforced to ensure that only authorized individuals have access to systems and data.

  1658. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1659. Inspected evidence to observe that access control procedures are established, documented, and enforced properly.

  1660. Further, selected sample of employees. For the selected samples, inspected evidence to observe that only authorized individuals have

  1661. access to systems and data.

  1662. No exceptions noted

  1663. CC6.1.3

  1664. Unique network system authentication mechanisms are enforced, documented, and managed to ensure that only authorized individuals and systems can access the network infrastructure.

  1665. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1666. Inspected evidence to observe that unique network system authentication mechanisms are enforced, documented, and managed to ensure that only authorized

  1667. individuals and systems can access the network infrastructure.

  1668. No exceptions noted

  1669. CC6.1.4

  1670. Unique account authentication is enforced to ensure that each user accessing the system is individually identified and authenticated, preventing unauthorized access and ensuring accountability.

  1671. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1672. Inspected evidence to observe that unique account authentication is enforced to ensure that each user accessing the system is individually identified and authenticated, preventing unauthorized access and

  1673. ensuring accountability.

  1674. No exceptions noted

  1675. CC6.1.5

  1676. Policy and procedures are established, documented, and enforced to ensure the strength and confidentiality of passwords used to access systems and data.

  1677. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1678. Inspected evidence to observe that policy and procedures are established, documented, and enforced to ensure the strength and confidentiality of passwords used to

  1679. access systems and data.

  1680. No exceptions noted

  1681. CC6.1.6

  1682. Unique authentication mechanisms are enforced for accessing the production database to ensure that only authorized individuals can gain access.

  1683. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1684. Inspected evidence to observe that unique authentication mechanisms are enforced for accessing the production database to ensure that only authorized individuals can gain

  1685. access.

  1686. No exceptions noted

  1687. CC6.1.7

  1688. Network segmentation is implemented to separate systems and data based on sensitivity and criticality, thereby reducing the risk of unauthorized access and potential breaches.

  1689. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1690. Inspected evidence to observe that Network segmentation is implemented to separate systems and data based on sensitivity and criticality, thereby reducing the risk of

  1691. unauthorized access and potential breaches.

  1692. No exceptions noted

  1693. CC6.1.8

  1694. Access to the entity's information systems and data is promptly revoked upon termination of an individual's employment or contractual relationship.

  1695. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1696. Selected sample of terminated employees. For the selected samples, inspected evidence to observe that access to the entity's information systems and data is promptly revoked upon termination of an individual's employment or

  1697. contractual relationship.

  1698. No exceptions noted

  1699. CC6.1.9

  1700. Access to encryption keys is restricted to authorized personnel only, ensuring that keys are protected from unauthorized access and misuse.

  1701. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1702. Inspected evidence to observe that access to encryption keys is restricted to authorized personnel only, ensuring that keys are protected from unauthorized access and misuse.

  1703. No exceptions noted

  1704. CC6.1.10

  1705. Data encryption is implemented to protect sensitive information both at rest and in transit, ensuring confidentiality and integrity are maintained.

  1706. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1707. Inspected evidence to observe that Data encryption is implemented to protect sensitive information both at rest and in transit, ensuring confidentiality and integrity were

  1708. maintained.

  1709. No exceptions noted

  1710. CC6.2.1

  1711. Access requests are required, documented, and approved prior to granting access to systems and data to ensure that only authorized individuals can access sensitive information.

  1712. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1713. Selected sample of access request received during the period. For the selected sample, inspected the evidence to observe access requests are required, documented, and approved prior to granting access to systems and data to ensure that only authorized individuals can access

  1714. sensitive information.

  1715. No exceptions noted

  1716. CC6.2.2

  1717. Access reviews are conducted periodically to ensure that only authorized individuals have access to systems and data, and any discrepancies are promptly addressed.

  1718. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1719. Inspected evidence to observe that access reviews are conducted periodically to ensure that only authorized individuals have access to systems and data, and any

  1720. discrepancies are promptly addressed.

  1721. No exceptions noted

  1722. CC6.4.1

  1723. All in-scope production systems are hosted in a cloud environment which is equipped with appropriate physical security controls and is the responsibility of subservice organization.

  1724. Physical security and environmental controls have been implemented to protect systems inside the server room by the subservice organization. The SOC 2 report of subservice organization is reviewed on an annual basis to evaluate the effectiveness of the controls at the subservice organization.

  1725. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1726. Inspected evidence to observe that all in-scope production systems are hosted in a cloud environment which was equipped with appropriate physical security controls and was the responsibility of subservice organization.

  1727. Inspected evidence to observe that the SOC 2 report of the subservice organization was reviewed by management on an annual basis to evaluate the effectiveness of the controls at the subservice

  1728. organization.

  1729. No exceptions noted

  1730. CC6.5.1

  1731. Data retention procedures are established, documented, and implemented to ensure that data is retained in accordance with regulatory, legal, and business requirements.

  1732. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1733. Inspected evidence to observe that Data retention procedures were established, documented, and implemented to ensure that data is retained in accordance with regulatory, legal, and business

  1734. requirements.

  1735. No exceptions noted

  1736. CC6.5.2

  1737. Customer data is securely deleted from all systems and storage locations upon termination of the customer relationship.

  1738. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1739. Inspected evidence to observe that customer data is securely deleted from all systems and storage locations upon termination of the customer relationship.

  1740. No exceptions noted. The operating effectiveness of the control related to customer data deletion upon termination could not be tested because there were no customer terminations during the engagement

  1741. period.

  1742. CC6.6.1

  1743. Firewall access is restricted to authorized personnel to ensure that only approved individuals can modify firewall settings and rules.

  1744. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1745. Inspected evidence to observe that firewall access is restricted to authorized personnel to ensure that

  1746. only approved individuals can modify firewall settings and rules.

  1747. No exceptions noted

  1748. CC6.6.2

  1749. Network firewalls are implemented, configured, and managed to control and monitor incoming and outgoing network traffic based on predetermined security rules.

  1750. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1751. Inspected evidence to observe that network firewalls are implemented, configured, and managed to control and monitor incoming and outgoing network traffic based on

  1752. predetermined security rules.

  1753. No exceptions noted

  1754. CC6.6.3

  1755. Network firewall configurations and rules are regularly reviewed and updated to ensure they effectively protect the entity's information and systems from unauthorized access and other security threats.

  1756. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1757. Inspected evidence to observe that network firewall configurations and rules are regularly reviewed and updated to ensure they effectively protect the entity's information and systems from unauthorized access

  1758. and other security threats.

  1759. No exceptions noted

  1760. CC6.8.1

  1761. Anti-malware technology is implemented, maintained, and regularly updated to protect the entity's information systems, including production servers and workstations, from malicious software.

  1762. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1763. Inspected evidence to observe that anti-malware technology has been implemented, maintained, and regularly updated to protect the entity's information systems, including production servers, from malicious software.

  1764. Selected sample workstations. For the selected sample inspected evidence to observe that anti-virus technology has been implemented, maintained, and regularly updated to protect the entity's information systems from

  1765. malicious software.

  1766. No exceptions noted

  1767. CC7.1.1

  1768. Network and system hardening standards are established, documented, and maintained to protect against unauthorized access and vulnerabilities.

  1769. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1770. Inspected evidence to observe that network and system hardening standards have been established, documented, and maintained to protect against unauthorized access

  1771. and vulnerabilities.

  1772. No exceptions noted

  1773. CC7.1.2

  1774. The service infrastructure is maintained to ensure it remains secure, reliable, and available to support the entity's operations and meet its commitments. This includes regular vulnerability scanning, penetration testing, and patch management to identify and address security weaknesses. Monitoring systems with defined thresholds are in place to ensure the availability and reliability of the infrastructure.

  1775. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1776. Inspected evidence to observe that a patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner. Inspected evidence to observe that Chief Technology Officer (CTO) / Management, has set up automatic patch management.

  1777. Selected ITLC meeting minutes for sample months.

  1778. For the selected samples inspected evidence to observe that CTO / Management during ITLC meeting performs patch management reviews Selected sample of workstations. For the selected samples inspected evidence to observe that the workstations were configured to receive automatic updates. Further observed that the workstations were scanned to test patch compliance on

  1779. a daily basis

  1780. No exceptions noted

  1781. CC7.1.3

  1782. Vulnerability and system monitoring procedures are established, documented, and implemented to detect, assess, and remediate potential threats to the entity's information systems.

  1783. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1784. Inspected evidence to observe that vulnerability and system monitoring procedures have been established, documented, and implemented to detect, assess, and remediate

  1785. potential threats to the entity's information systems.

  1786. No exceptions noted

  1787. CC7.1.4

  1788. Vulnerability scans are conducted regularly to identify security weaknesses, and remediation efforts are promptly implemented to address identified vulnerabilities.

  1789. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1790. Inspected evidence to observe that vulnerability scans are conducted regularly to identify security weaknesses, and remediation efforts are promptly implemented to address

  1791. identified vulnerabilities.

  1792. No exceptions noted

  1793. CC7.2.1

  1794. Log management processes are established, documented, and maintained to ensure the proper collection, retention, and analysis of logs for monitoring and auditing purposes. Logging is enabled to monitor activities such as administrative activities, log- on attempts, data deletions at the application and infrastructure level, changes to functions, security configurations, permissions, and roles. Automated alerts are configured to notify IT management of high and critical risk events. Access to change the log configuration and access to modify logs is restricted.

  1795. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1796. Inspected evidence to observe that log management processes have been established, documented, and maintained to ensure the proper collection, retention, and analysis of logs for monitoring and auditing purposes.

  1797. Inspected onscreen configuration to observe that logging is enabled to monitor activities such as administrative activities, logon attempts, changes to functions, security configurations, permissions, and roles.

  1798. Inspected onscreen configuration to observe that automated alerts are configured to notify IT management of high and critical risk events

  1799. Inspected evidence to observe that access to change the log configuration and access to modify

  1800. logs is restricted.

  1801. No exceptions noted

  1802. CC7.3.1

  1803. Incident response policies are established, documented, and communicated to ensure timely and effective response to security incidents. Security incidents are documented and include root causes and lessons learned from the incident.

  1804. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1805. Inspected evidence to observe that Incident response policies are established, documented, and communicated to ensure timely and effective response to security incidents. Further, observed that security incidents are documented and include root causes and lessons learned from the incident.

  1806. No exceptions noted. The operating effectiveness of the control related to security incidents could not be tested because there no security incidents reported during the engagement

  1807. period.

  1808. CC7.3.2

  1809. Incident management procedures are established, documented, and followed to identify, respond to, and remediate security incidents in a timely manner. These procedures include the evaluation of root causes, and the incorporation of lessons learned.

  1810. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1811. Inspected evidence to observe that Incident management procedures are established, documented, and followed to identify, respond to, and remediate security incidents security incidents in a timely manner.

  1812. Inspected evidence to observe that the company's Incident Management Procedures include the evaluation of root causes, and the incorporation of

  1813. lessons learned.

  1814. No exceptions noted

  1815. CC7.3.3

  1816. The incident response plan is tested periodically to ensure its effectiveness and the organization's preparedness to respond to security incidents. These tests include the evaluation of root causes, and the incorporation of lessons learned.

  1817. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1818. Inspected evidence to observe that the incident response plan is tested periodically to ensure its effectiveness and the organization's preparedness to respond to security incidents.

  1819. Further, inspected evidence to observe that these tests include the evaluation of root causes, and the

  1820. incorporation of lessons learned.

  1821. No exceptions noted

  1822. CC7.4.1

  1823. Continuity and Disaster Recovery plans are established, documented, and tested to ensure the entity can recover and resume operations in the event of a disruption.

  1824. These plans include alternative working plans, the roles and responsibilities of key personnel in executing the continuity strategy, and communication plans to notify relevant stakeholders of any disaster.

  1825. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1826. Inspected evidence to observe that Continuity and Disaster Recovery plans are established, documented, and tested to ensure the entity can recover and resume operations in the event of a disruption. Further observed that these plans include alternative working plans, the roles and responsibilities of key personnel in executing the continuity strategy, and communication plans to notify relevant stakeholders of any disaster.

  1827. No exceptions noted

  1828. CC7.4.2

  1829. Backup processes are established, documented, and managed to ensure the availability and integrity of data in the event of a system failure or data loss. Backups are taken daily, multi- availability zones are configured, and alerts are in place to notify operating personnel in case of a backup failure and its remediation.

  1830. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1831. Inspected evidence to observe that backup processes are established, documented, and managed to ensure the availability and integrity of data in the event of a system failure or data loss.

  1832. Inspected onscreen evidence to observe that Backups are taken daily, multi-availability zones are configured, and alerts are in place to notify operating personnel in case of

  1833. a backup failure and its remediation.

  1834. No exceptions noted

  1835. CC7.5.1

  1836. A patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner. Chief Technology Officer (CTO) / Management has set up automatic patch management and performs monthly patch management reviews.

  1837. Workstations are configured to receive automatic updates. In addition, workstations are scanned to test patch compliance on a daily basis.

  1838. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1839. Selected sample of operating system level vulnerabilities. For the selected samples, inspected evidence to observe that a patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner.

  1840. Further, inspected evidence to observe that Chief Technology Officer (CTO) / Management has set up automatic patch management and performs monthly patch management reviews. .

  1841. Selected sample of workstations. For the selected samples inspected evidence to observe that workstations are configured to receive automatic updates. Further observed that workstations are scanned to test

  1842. patch compliance on a daily basis.

  1843. No exceptions noted

  1844. CC8.1.1

  1845. A development lifecycle is established, documented, and managed to ensure that system changes are properly controlled, tested, and approved before implementation.

  1846. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1847. Inspected evidence to observe that a development lifecycle is established, documented, and managed to ensure that system changes are properly controlled, tested, and approved

  1848. before implementation.

  1849. No exceptions noted

  1850. CC8.1.2

  1851. Change management procedures are established, documented, and enforced to ensure that all changes to systems and applications are properly reviewed, tested, and approved before implementation. The company ensures that environments are segregated, system changes are communicated with external and internal stakeholders, an approval process is followed prior to merging to the master branch, and procedures are in place to implement emergency changes.

  1852. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1853. Inspected evidence to observe that change management procedures are established, documented, and enforced properly.

  1854. Selected sample of changes to system. For the selected sample, inspected evidence to observe that all changes to systems and applications are properly reviewed, tested, and approved before implementation.

  1855. Further, observed that the company ensures that environments are segregated, system changes are communicated with external and internal stakeholders, and an approval process is followed prior to merging to the master branch.

  1856. Further, inspected evidence to observe that procedures are in place

  1857. to implement emergency changes.

  1858. No exceptions noted

  1859. CC8.1.3

  1860. Developers are not permitted to make changes to application code in the production environment without obtaining additional approval, as outlined in the organization's change management policy.

  1861. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1862. Selected sample changes. For the selected samples inspected evidence to observe that developers do not make changes to application code in the production environment without

  1863. additional approval.

  1864. No exceptions noted

  1865. CC8.1.4

  1866. System changes are documented, approved, and communicated to external stakeholders to ensure they are informed of any modifications that might impact their operations or interactions with the system.

  1867. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1868. Selected sample of system changes during the period. For the selected samples, inspected evidence to observe that system changes are documented, approved, and communicated to external stakeholders to ensure they are informed of any modifications that might impact their operations or

  1869. interactions with the system.

  1870. No exceptions noted

  1871. CC8.1.5

  1872. System changes are documented, reviewed, and communicated to relevant stakeholders to ensure awareness and understanding of modifications to the system.

  1873. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1874. Selected sample of system changes during the period. For the selected samples, inspected evidence to observe that system changes are documented, reviewed, and communicated to relevant stakeholders to ensure awareness

  1875. and understanding of modifications to the system.

  1876. No exceptions noted

  1877. CC9.2.1

  1878. A vendor management program is established, documented, and maintained to ensure that third-party service providers meet the entity's security requirements.

  1879. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1880. Inspected evidence to observe that a vendor management program is established, documented, and maintained to ensure that third-party service providers meet the entity's security requirements.

  1881. No exceptions noted

  1882. CC9.2.2

  1883. Third-party agreements are established, documented, and reviewed to ensure that third parties comply with the entity's security requirements.

  1884. Inquired of the control owner to ascertain the appropriateness of the control performed.

  1885. Selected sample of vendors. For the selected samples, inspected evidence to observe that Third-party agreements are established, documented, and reviewed to ensure that third parties comply with the

  1886. entity's security requirements.

  1887. No exceptions noted

  1888. ________________

  1909. SECTION 5

  1910. Other Information Provided by Context

  1919. ________________

  1922. Other Information Provided by Context

  1923. The information provided in this section is provided for informational purposes only by Context. The Independent Auditor has performed no audit procedures in this section.

  1926. Disaster and Recovery Services

  1927. The AICPA has published guidance indicating that business continuity planning, which includes disaster recovery, is a concept that addresses how an organization mitigates future risks as opposed to actual controls that provide user auditors with a level of comfort surrounding the processing of transactions. As a result, a service organization should not include in its description of controls any specific control procedures that address disaster recovery planning. Therefore, Context disaster recovery plan descriptions of control procedures are presented in this section.

  1928. In addition to the physical controls, Context has implemented logical controls to safeguard against interruption of service. Context has developed a number of procedures that provide for the continuity of operations in the event of an availability zone failure by spinning up multiple servers across all availability zones in Vercel.

  1929. The disaster recovery plan defines the roles and responsibilities and identifies the critical IT application programs, operating systems, personnel, data files, and time frames needed to ensure high availability and system reliability based on a business impact analysis.

  1933. Page

  1934. Confidentiality Warning: This document is confidential and concerns the security of the organization’s property, personnel, and information, as well as the systems and procedures established by the organization for the protection of such property, individuals, and data. This document is intended solely for the use of authorized recipients. If you are not an authorized recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation, reliance on, or other use of this document is strictly prohibited.