Security overview

Will Copper complete a security audit?

  • Copper has completed SOC2 auditing of our security controls against control criteria based on the following American Institute of Certified Public Accountants' (AICPA) Trust Services Principles:
    • Security – The system is protected against unauthorized access, use or modification.
    • Availability – The system is available for operation and use as committed or agreed.
    • Confidentiality – Information designated as confidential is protected as committed or agreed.

Is Copper GDPR compliant?

  • Get more information about Copper and the GDPR here

Where is customer data stored?

  • Copper stores all of its data in the United States.

What features does Copper have to increase application and user security?

  • Close integration with Google using OAuth, which eliminates the need for Copper to store passwords.
  • User management delegated to account owner(s) in the customer’s organization.
  • Written request required from an account owner to change ownership.
  • Session timeouts, with lock-out after repeated failed login attempts.
  • Annual penetration tests along with regular vulnerability scanning to identify and remediate any application vulnerabilities.

What is our infrastructure and data security like?

  • All computer and data servers are hosted in SOC2 / NIST 800-58 / ISO 27001 attested data-centers.
  • Only a limited number of people at Copper have access to the infrastructure that hosts customer data, and that access is protected with multi-factor authentication.
  • All data is encrypted in transit using TLS 1.2 / AES 256 encryption.
  • Copper has received a TRUSTe privacy certification.

How does Copper ensure uptime and availability?

  • Redundancy and hot failover with the use of multiple data-centers.
  • Tested disaster recovery plans that utilize backups to restore service.

What are Copper's internal information security policies and procedures?

At Copper, we have a security program that includes the creation, maintenance, audit and enforcement of security policies and procedures, and that designates responsibility and authority over security to dedicated personnel.

These policies include:

  • Data Protection
  • Change Management
  • Security Incident Response
  • Network Security
  • Network Access and Authentication
  • Vendor Management
  • Disaster Recovery
  • Clean Desk
  • Roles and Responsibilities

Examples of the security controls:

  • Hiring practices include criminal background checks, confidentiality agreements, annual security awareness training, and employee performance evaluation.
  • Access to systems that process customer data is restricted by a strict approval process that limits granted access and capabilities to what the Segregation of Duties and Least Privilege security models require.
  • Employees’ access to resources is regularly evaluated. If an employee’s role has changed, access is removed no later than 48 hours afterward, and immediately at the time of an employee’s termination.
  • Agile development methodology with strong change management, which includes thorough code review, quality assurance verification and a strict approval process for releases.
  • Due diligence procedures are in place for third-party service providers to review and monitor their security controls.

Is Copper compliant with NIST 800-58, NIST 800-171 or FedRamp?

  • We are not fully compliant at this time; only the data-centers on which our services run are compliant. Please make a support request here so we know this is something you are interested in.

Is Copper HIPAA Compliant?

  • We are not HIPAA compliant.

If you have any questions, please submit a request here
