Certifications & Policies
Cyber Essentials
CreateShift Ltd maintains Cyber Essential certification backed by the National Cyber Security Centre.
AWS
AWS maintains various certifications including ISO 27001, 27017 and 27018. Their SOC1 report is available here. Their SOC2 report is available by signing an NDA and requesting a copy via AWS Artifacts service. For further details and full list of certifications held by AWS see this resource.
Policies & Procedures
We have a full set of policies and procedures which govern risk management, business continuity, information security, network security, physical security, remote access and HR etc. We have designed our policies and procedures around the requirements specified within the ISO27001 and SOC 2 standard. All policies are reviewed at least annually and approved by the CTO / Policy Owner.
- Acceptable Encryption Policy
- Acceptable Use Policy
- Access Management Policy
- Anti-Bribery Policy
- Asset Management Policy
- Bring Your Own Device Policy
- Clean Desk Policy
- Data Breach Policy
- Disaster Recovery Plan Policy
- Dogs in the Workplace Policy
- HR Policy
- Password Construction Guidelines
- Password Protection Policy
- Procurement Policy
- Proprietary Information Classification Policy
- Remote Access Policy
- Removable Media Policy
- Risk Assessment and Management Policy
- Security Awareness Guide
- Security Response Plan Policy
- Social Engineering Awareness Policy
- Social Media Policy
- Software Development Life Cycle Policy
- Software / Tool Procurement Request Process
- System Change Management Policy
- Vulnerability and Threat Management Policy
- Whistleblowing Policy
The Security Awareness Guide states the expectations for security within the organization. All employees (and contractors) are required to review and sign to indicate that they have done so during the onboarding process and on an annual basis.
We have privacy and confidentiality agreements in place with our suppliers including Data Processing Addendums, Standard Contract Clauses, Privacy Shield and contracts. There are a couple of sub-processors (as defined by General Data Protection Regulation) used by CreateShift to deliver ProdPad. These sub-processors are described here.
The retention and deletion of personal data is outlined in our Privacy policy: https://www.prodpad.com/privacy-policy/
Additional Resources
- ProdPad Service Level Agreement
- ProdPad Terms of Service (includes Data Processing Schedule, Data Processing Information and Security Measures)
- ProdPad Cookie Policy
- ProdPad Privacy Policy