Will Copper complete a security audit?
- Copper has completed SOC2 auditing of our security controls against control criteria based on the following American Institute of Certified Public Accountants' (AICPA) Trust Services Principles:
- Security – The system is protected against unauthorized access, use or modification.
- Availability – The system is available for operation and use as committed or agreed.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
Is Copper GDPR compliant?
- Get more information about Copper and the GDPR here.
Where is customer data stored?
- Copper stores all of its data in the United States.
What features does Copper have to increase application and user security?
- Close integration with Google using OAuth which eliminates storing passwords by Copper.
- User management delegated to account owner(s) in the customer’s organization.
- Written request required from account owner to change ownership
- Session timeouts with lock-out after repeated failed attempts
- Annual penetration tests along with regular vulnerability scanning to identify and remediate any application vulnerabilities
What is our infrastructure and data security like?
- All Computer and Data servers are hosted on SOC2 / NIST 800-58 / ISO 27001 attested data-centers.
- Only a limited number of people at Copper have access to the infrastructure that hosts customer data that is protected with multi-factor authentication.
- All data is encrypted in transit using TLS 1.2 / AES 256 encryption.
- Copper has received a TRUSTe privacy certification.
How does Copper ensure uptime and availability?
- Redundancy and hot failover with the use of multiple data-centers.
- Tested disaster recovery plans that utilize backups to restore service.
What are Copper's internal information security policies and procedures?
At Copper, we have a security program that includes the creation, maintenance, audit and enforcement of security policies and procedures; and designates responsibility and authority over security to dedicated personnel.
These policies include:
- Data Protection
- Change Management
- Security Incident Response
- Network Security
- Network Access and Authentication
- Vendor Management
- Disaster Recovery
- Clean Desk
- Roles and Responsibilities
Examples of the security controls:
- Hiring practices include criminal background checks, confidentiality agreements, annual security awareness training, and employee performance evaluation.
- Access to systems that process customer data are restricted by a strict approval process which limit granted access and capabilities to meet requirements of the Segregation of Duties and Least Privilege security models.
- Employee’s access to resources regularly evaluated. If the employee’s role has changed, access will be removed no later than 48 hours and immediately at the time of an employee’s termination.
- Agile development methodology with a strong change management which includes thorough code review, quality assurance verification and strict approval process for releases.
- Due diligence procedures are in place for third-party service providers to review and monitor their security controls.
Is Copper compliant with NIST 800-58, NIST 800-171 or FedRamp?
- We are not fully compliant at this time, only our data-centers that comprise of our services are compliant. Please make a support request here, so we know this is something you are interested in.
If you have any questions, please submit a request here