Security Policy

At SoapBox, all employees and contractors share responsibility for protecting company and client information. The advantage of our small organization is our agility: we can swiftly communicate, implement, and provide training on new information, policy or procedure updates, potential external threats, and the adoption of new tools.

Physical Security Standards

Our services are hosted on the Microsoft Azure platform, known for its robust physical data security and stringent environmental controls. We conduct thorough assessments and testing of all environments where data is transmitted or stored to verify their compliance with our rigorous security standards.

Application Security

Our customer-facing web services are safeguarded by industry-standard firewalls. All data is encrypted during transit and while at rest. We are diligent in maintaining the integrity of our internal network through rigorous vulnerability assessments and patch management. Prior to each production release deployment, our code undergoes thorough vulnerability scans to ensure the highest level of security.

Data Security

To safeguard customer data against unauthorized access, we use secured environments and implement role-based access control. We meticulously manage and restrict access to our systems, apply stringent security measures, and enforce two-factor authentication across all services. We offer continuous training to our staff on information security policies and practices, backed by a system of disciplinary actions for any breaches of our established policies and procedures.

Data Privacy

We only collect and process information that our customers provide to us. Our customers own their data. We maintain a publicly accessible privacy policy, which includes information regarding our information management practices, types of information we collect, and how that information is used.

Data Encryption

To safeguard against unauthorized access, we employ robust encryption for any sensitive or confidential information, such as PHI and PCI data, whether stored or transmitted over electronic communication networks. Encryption renders the data unreadable and indecipherable to anyone without proper authorization.

Incident Response, Disaster Recovery & Business Continuity

We have well-established incident response and disaster recovery protocols in place. In the rare event that our monitoring tools detect unauthorized access, the following steps will be taken by SoapBox staff:

  • Activation of the Incident Response Plan and notification of response team members.

  • Password resets and, if applicable, revocation of relevant keys.

  • Notification to SoapBox's relevant teams: Engineering, Product, and Customer Success.

  • Notification to impacted customers about the intrusion and the status of their compromised data, along with regular updates on our progress.

  • A thorough root cause analysis (RCA) to pinpoint the breach's source, with the involvement of third-party forensics experts as needed.

  • Formulation of system or process enhancement tasks to prevent future incidents.

  • Transparent communication with affected customers (if impacted) regarding the improvement plan and updates on the implementation of these improvements.

In addition, we uphold a business continuity plan that undergoes regular testing and adjustments as required, with a minimum of an annual review.

Contact

If you have questions or comments regarding SoapBox's Information Security initiative, contact us.