Trust Center
At Apptrix, our focus is on ensuring product security, safeguarding data privacy, and adhering to regulatory compliance.
Apptrix maintains a SOC 2 Type 2 compliant environment to ensure the highest standards of security, availability, and confidentiality. By keeping its infrastructure secure and compliant, Apptrix provides a safe, reliable foundation that protects customer environments and sensitive data, helping businesses operate with confidence and peace of mind.
🔐 Infrastructure Security
Unique production database authentication enforced
The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.
Unique account authentication enforced
The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.
Production application access restricted
System access restricted to authorized access only
Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.
Production network access restricted
The company restricts privileged access to the production network to authorized users with a business need.
Unique network system authentication enforced
The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.
Remote access MFA enforced
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Intrusion detection system utilized
The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.
Infrastructure performance monitored
An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Network segmentation implemented
The company's network is segmented to prevent unauthorized access to customer data.
Network firewalls reviewed
The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.
Network firewalls utilized
The company uses firewalls and configures them to prevent unauthorized access.
🔐 Organizational Security
Production inventory maintained
The company maintains a formal inventory of production system assets.
Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
Performance evaluations conducted
The company managers are required to complete performance evaluations for direct reports at least annually.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.
MDM system utilized
The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
Visitor procedures enforced
The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.
🔐 Product Security
🔐Data and Privacy
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.
Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
Data classification policy established
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
🔐Internal Security Procedures
Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Continuity and disaster recovery plans tested
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Cybersecurity insurance maintained
The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
SOC 2 - System Description
Complete a description of your system for Section III of the audit report
Whistleblower policy established
The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.
Board oversight briefings conducted
The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.
Board charter documented
The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.
Board expertise developed
The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.
Board meetings conducted
The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.
System changes externally communicated
The company notifies customers of critical system changes that may affect their processing.
Management roles and responsibilities defined
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Organization structure documented
The company maintains an organizational chart that describes the organizational structure and reporting lines.
Roles and responsibilities specified
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Support system available
The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
System changes communicated
The company communicates system changes to authorized internal users.
Incident response plan tested
The company tests their incident response plan at least annually.
Incident response policies established
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Physical access processes established
The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.
Data center access reviewed
The company reviews access to the data centers at least annually.
External support resources available
The company provides guidelines and technical support resources relating to system operations to customers.
Service description communicated
The company provides a description of its products and services to internal and external users.
