Greencopper Security Guide
- We do not sell personal information of our customers to third parties.
- We have a full time staff focused on privacy and security issues.
- Greencopper processes user personal data in accordance with the GDPR's data protection principles.
- Greencopper uses data centers that hold the following certifications and attestations:
  - PCI-DSS Level 1 Service Provider
  - SOC 3 - System and Organization Controls
  - NIST SP 800-53 Revision 4
  - ISO 9001 - Global Quality Standard
  - ISO 27001 - Security Management Controls
  - ISO 27017 - Cloud-Specific Controls
  - ISO 27018 - Personal Data Protection
- All Greencopper software engineers receive software security training that covers security best practices, including the OWASP Top Ten and mobile security best practices.
- All Greencopper source code is developed under a standard SDLC process that includes:
  - A software and security code review before the change is shipped to production.
  - A run through the continuous integration test suite.
  - Manual QA testing.
- Penetration tests, including static and dynamic code analysis, are regularly performed by a third-party security company.
- All web traffic is encrypted with TLS 1.2 or later.
- Greencopper follows NIST recommendations for hashing and for symmetric and asymmetric encryption.
- Memorized secrets (passwords) are handled in conformance with NIST SP 800-63 (the memorized-secret requirements are in part B, SP 800-63B).
- Greencopper destroys data in conformance with NIST SP 800-88 (media sanitization).
- All staff regularly receive security training from trained professionals and must pass security awareness tests.
- All staff are regularly subjected to simulated phishing and other social engineering attacks to test their awareness.
- All staff must sign off on security and acceptable use policies and procedures.
- If you discover a vulnerability, Greencopper asks that you disclose it responsibly to our security team by taking the following steps:
  - Do not attempt to exploit the vulnerability.
  - Email our Security Incident Response Team at firstname.lastname@example.org
- We have an internal responsible disclosure process that covers a report from the initial submission through to the full resolution of the reported issue.
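The memorized-secret item above refers to NIST SP 800-63B section 5.1.1.2. As an added illustration (this is not Greencopper's code and says nothing about how Greencopper actually implements it), the following verifier applies the requirements that section states: a minimum length of 8 characters, acceptance of secrets of at least 64 characters, no composition rules, screening against a list of commonly used or breached values, and storage as a salted hash produced by a slow key derivation function. The blocklist contents, the iteration count, the salt length, the upper length bound and the storage string format are assumptions chosen for the example; the standard only sets floors of 10,000 iterations and a 32-bit salt.

```python
"""Memorized-secret verifier modelled on NIST SP 800-63B, section 5.1.1.2.

Added example, not code from the page or from Greencopper.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8            # SP 800-63B: subscriber-chosen secrets SHALL be >= 8 characters
MAX_LEN = 128          # assumption; SP 800-63B says verifiers SHOULD accept >= 64
ITERATIONS = 600_000   # assumption; SP 800-63B floor for PBKDF2 is 10,000
SALT_BYTES = 16        # assumption; SP 800-63B floor is 32 bits

# Constructed stand-in for a real list of commonly used / breached values.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1", "greencopper"}


def normalize(secret: str) -> str:
    """SP 800-63B recommends Unicode normalization (NFKC or NFKD) before hashing."""
    return unicodedata.normalize("NFKC", secret)


def check_policy(secret: str) -> list:
    """Return the reasons a candidate secret is unacceptable (empty list = OK).

    Deliberately no composition rules (upper/lower/digit/symbol): SP 800-63B says
    verifiers SHOULD NOT impose them. Spaces and Unicode are allowed.
    """
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(s) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if s.lower() in BLOCKLIST:
        problems.append("found in blocklist of common or breached values")
    if any(unicodedata.category(c) == "Cc" for c in s):
        problems.append("contains control characters")
    return problems


def hash_secret(secret: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'algo$iterations$salt_hex$dk_hex'."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                             salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def enroll(secret: str) -> str:
    """Apply the policy, then return the storable hash string or raise ValueError."""
    problems = check_policy(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_secret(secret)


if __name__ == "__main__":
    record = enroll("correct horse battery staple")
    print(record)
    print(verify_secret("correct horse battery staple", record))
```

A verifier that follows the section fully also throttles failed attempts on a single account and offers the user a reason when a candidate is rejected; both are outside this snippet. The iteration count should be revisited as hardware improves, which is why it is stored in the record and read back at verification time.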
- OWASP Top Ten: https://www.owasp.org/index.php/Top_10_2010-Main
- NIST SP 800-63: https://pages.nist.gov/800-63-3/
- NIST SP 800-88: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf