Greencopper Security Guide

Privacy

  • We do not sell personal information of our customers to third parties.
  • We have a full time staff focused on privacy and security issues.
  • Greencopper processes user personal data in accordance with GDPR’s data protection principles.
  • You can find our privacy policy at: https://privacy.greencopper.com/

Hosting Environment

  • Greencopper uses data centers that meet the following certifications:
    • PCI-DSS Level 1 Service Provider
    • SOC 3 - System and Organization Controls
    • NIST 800-53 Revision 4
    • ISO 9001 - Global Quality Standard
    • ISO 27001 - Security Management Control
    • ISO 27017 - Cloud Specific Controls
    • ISO 27018 - Personal Data Protection

Software Development

  • All Greencopper software engineers receive software security training that covers security best practices, including the OWASP Top Ten and mobile security best practices.
  • All Greencopper source code is developed in accordance with a standard SDLC process that includes:
    • A software and security code review before being shipped to production.
    • Running through a continuous integration test suite.
    • Manual QA testing.
  • A penetration test, including static and dynamic code analysis, is regularly performed by a third-party security company.

Encryption

  • All web traffic is encrypted by TLS 1.2 or greater.
  • Greencopper follows NIST recommendations for hashing, symmetric and asymmetric encryption.
  • Memorized secrets are handled in conformance with NIST SP 800-63.
  • Greencopper destroys data in conformance with NIST SP 800-88.

Organization

  • All staff regularly receive security training from trained professionals and must pass security awareness tests.
  • All staff are regularly subjected to simulated phishing and other social engineering attacks to test their awareness.
  • All staff must sign off on security and acceptable use policies and procedures.

Responsible Disclosure

  • If you discover a vulnerability, Greencopper requests that you responsibly disclose the vulnerability to our security team by taking the following steps.
  • We have an internal Responsible Disclosure process that covers everything from the initial report up to the full resolution of the discovered security breach.