Sandbar Security Risk & Compliance Overview
Information Security
Sandbar encrypts and protects sensitive information throughout the transformation and analysis process.
- Sandbar uses TLS encryption for all data in transit.
- Sandbar encrypts all data at rest using AES-256.
- Sandbar uses threat detection services, such as Amazon GuardDuty, to monitor for threats in real time.
Access Management & Authentication
Sandbar’s platform provides full control over access to all hosted information.
- Sandbar provides account access via SSO. Clients can use their own identity provider (IdP) to manage access to the software.
- Sandbar provides granular access controls. User access reviews and analysis are conducted on a regular basis.
- Sandbar logs all activity in the software so that every change can be fully audited.
Software Development Practices
Security processes have been fully integrated into the Sandbar software development lifecycle. Developers receive training focused on OWASP guidelines. In addition, processes are set up to enforce separation of duties and to segment the dev, staging, and production environments.
- OWASP-based security controls design
- Separation between dev, staging, and production.
- Use of test data in the development environment.
- Code is peer-reviewed
- Penetration testing
- Code repository controls
- Threat modeling
- Deployment controls
Infrastructure Security
Sandbar runs on Amazon Web Services (AWS). Platform configuration follows the hardening practices in the Center for Internet Security (CIS) Benchmarks. On request, Sandbar can make available the relevant AWS standards, certifications, and accreditations, along with documentation of the physical security controls.
Company Policies and Procedures
Sandbar’s security, risk, and compliance processes were developed based on industry best practices and are reviewed and updated on an annual basis or upon any significant change.
- All employees are trained on the Sandbar security policies when they are hired and are required to recertify on an annual basis. Policies include:
  - Access Control
  - Business Continuity
  - Disaster Recovery
  - Cryptographic Controls
  - Data Management
  - Human Resources Security
  - Information Security
  - Operations Security
  - Physical Security
  - Risk Management
  - Third Party Risk Management
- Ongoing platform security is maintained through activities including, but not limited to:
  - Network intrusion detection
  - Code vulnerability scanning
  - Penetration testing
  - System, network, and application log analysis, reporting, and retention.
- Sandbar has established an incident response team to triage and respond to any significant security or availability event and to minimize its impact on customer experience and customer data.
Regular Third-Party Security Review
Sandbar engages third parties to assess and review its implemented security practices. These third parties provide their assessments and recommendations for improvement, which the Sandbar team then implements.
Standards and Certification
Sandbar is committed to establishing and maintaining compliance with key information security and regulatory standards, including:
- System and Organization Controls (SOC) 2
- Payment Card Industry Data Security Standard (PCI DSS), D Non-Merchants (in progress)
Sandbar’s own and third-party certification and verification reports are available for limited distribution under strict non-disclosure agreements.