The holistic security framework of Comeet Technologies Inc. (hereinafter “Comeet”) is based on the commitment of company management, ongoing enforcement of best practices through security controls and assessments, and technological layers of safeguards built into Comeet’s application since 2013.
The Security Team
Comeet’s CISO (Chief Information Security Officer) team manages, designs, develops, and deploys security architectures, policies, and procedures as part of its multi-year security work. Our security team is led by the CISO and includes the essential security functions, such as DevSecOps, IT management, and application and infrastructure experts.
Governance and Risk Management
The annual risk assessment includes an information security audit that is owned, operated and maintained by the CISO. Its results are presented to the steering committee and afterwards to management during management security reviews.
Any third party must adhere to Comeet’s strict security standards and complete certification prior to engagement, which validates its compliance with those standards. In addition to the initial engagement procedure, all third parties undergo annual reviews performed by the CISO and legal counsel.
Comeet’s employees and contractors are required to sign confidentiality agreements (“NDAs”) that apply during their engagement with Comeet. In addition, new employees go through an onboarding process that includes security guidelines, expectations, and code of conduct.
Security Awareness and Communication
Comeet employees are trained and briefed on the contractual obligations taken on by the company as they relate to the data security of clients, including periodic security awareness training.
Comeet’s CISO communicates with all employees on a regular basis, covering topics such as phishing awareness campaigns, emerging threats, and other industry-related security topics.
Comeet Customer Application
The Comeet application provides robust and comprehensive customer authentication by combining multiple security measures:
Single Sign-On – Comeet supports integration with various identity providers that implement the SAML 2.0 standard
Password complexity – full complexity requirements according to OWASP best practices
Failed login – the account is locked out following multiple unsuccessful attempts
Salted password hashing – customers’ passwords are stored in Comeet’s database as salted hashes
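As an added illustration, not Comeet’s own code, the following Python sketch shows how the salted-hashing and lockout measures listed above fit together; the lockout threshold, the minimum password length and the scrypt parameters are assumed values, since the page does not state them.

```python
"""Salted password storage with account lockout after repeated failures (added example)."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold; the page gives no number
MIN_PASSWORD_LENGTH = 12  # assumed minimum length for the complexity policy


class AccountStore:
    """In-memory records: {username: {"salt", "hash", "failures", "locked"}}."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF with a per-user random salt, so identical passwords
        # never produce identical stored hashes (assumed scrypt parameters).
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, username: str, password: str) -> bool:
        if len(password) < MIN_PASSWORD_LENGTH:
            return False  # reject passwords that fail the assumed policy
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt, "hash": self._hash(password, salt), "failures": 0, "locked": False,
        }
        return True

    def login(self, username: str, password: str) -> str:
        """Return "ok", "invalid" or "locked" without revealing which part failed."""
        rec = self.accounts.get(username)
        if rec is None:
            # Burn a hash anyway so an unknown username costs the same time as a wrong password.
            self._hash(password, b"\x00" * 16)
            return "invalid"
        if rec["locked"]:
            return "locked"
        # Constant-time comparison of the freshly computed hash with the stored one.
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0  # a successful login resets the failure counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # lock the account after repeated failures
            return "locked"
        return "invalid"
```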
The Comeet application supports role-based access controls, which are implemented in a manner consistent with the principle of ‘least privilege’ and ‘need to know.’
Data at Rest – Customer data is stored in an encrypted database, using a strong encryption algorithm and tightly managed access.
Data in Transit – Comeet web servers support strong encryption protocols, such as TLS 1.2, to secure communication in transit, including API connections.
Vulnerability and Patch Management
We have established a vulnerability and patch management process for our systems, which includes technical vulnerability assessments, patch testing, patch deployment and verification.
Secure Development Life-Cycle (SDLC)
Comeet’s application development life cycle follows industry security standards such as the OWASP (Open Web Application Security Project) recommendations. In addition, all R&D team members go through extensive training in application security and are deeply committed to secure code development practices.
Penetration tests are performed on an annual basis by rotating third parties.
IP Access Restriction
The Comeet platform supports IP whitelisting of access on a customer’s request.
File Security Validation
Comeet implements several security measures for files uploaded to our platform, such as:
File upload protection – each file, including any embedded macro, is scanned by antivirus software
Restricted upload file types – only permitted file types can be uploaded
Securing our Production Environment (Amazon Web Services)
The Comeet production environment is hosted by Amazon Web Services (‘AWS’). AWS is widely regarded as employing highly protective, industry-standard measures that ensure the security of the physical servers it manages, and is relied upon by thousands of technology providers around the world. More on AWS security measures can be found here: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Logging and Monitoring
Comeet uses a wide range of tools to monitor its environment across data centers, both on the server and application level. These logs are continuously reviewed for anomalies by our security team 24×7.
Comeet’s infrastructure and network security includes multiple defence layers to secure the network architecture, such as WAF, VPN, segregation, and threat and traffic detections.
Application Availability / Resilience
The Comeet production environment is hosted by AWS, which provides the highest resiliency and availability commitments, backed by the appropriate SLAs (Service Level Agreements).
Comeet’s information is stored in multiple availability zones, which allows us to remain operational in the event of most failure modes, including natural disasters or system failures.
The Comeet security work plan includes maintaining a number of compliance standards, such as:
SOC 2 (we are SOC 2 certified)
We are committed to the confidentiality, data privacy, and security of Comeet customers and their personal data. Comeet security efforts are constantly evolving to keep up with the changing security landscape. We are investing and will continue to invest extensive resources towards maintaining the highest levels of data protection, privacy and security standards.