Carbide Security Portal
Overview
This page provides an overview of Carbide's security program. For any security-related questions that haven't been addressed on this page, please email us at security@carbidesecure.com.
Solution Security
Data Encrypted in Transit
Customer Data Removal
We have a process to remove customer data, governed under our Privacy policy. Customers may deny or withdraw consent by sending an email to privacy@carbidesecure.com.
Data Encrypted at Rest
Human Resources
Human Resource Policy
We have a Human Resources policy which defines human resources requirements at each stage of employment and engagement as it relates to information security and data privacy. This policy includes the requirements at onboarding, during employment or independent contractor engagements, and upon change of role or termination.
Risk Management
Approved Risk Management Program
Our Risk Management program is governed under our Risk Assessment policy.
Privacy Risk Assessment
Risk assessments are conducted at least annually. Additionally, when significant changes occur, a risk assessment is performed to assess the impact those changes have on privacy and organizational risk.
Vendor Management Review
We have a Vendor Management policy which governs the key objectives of vendor management and vendor risk management.
Privacy
GDPR Compliance
We have implemented the necessary controls to meet GDPR requirements.
Personally Identifiable Information (PII)
Our Privacy Notice describes how customer data is managed. Customers may review the Privacy Notice at https://carbidesecure.com/privacy-notice/.
Operations Management
Backups
System backups are performed automatically on a regular basis. Full backups must be kept for at least 90 days to ensure that there is a known good state, free from infection, should a system need to be restored.
Asset and Data Management
Asset Management Policy
We have an Asset Management policy which outlines safeguarding measures for our assets.
Data Classification
We have a Data Classification policy which defines our data classification levels. These levels determine who has permission to access our data and under what conditions.
Incident Event and Communications Management
Formal Incident Response Plan
An incident response plan has been implemented so that we are prepared to respond immediately to a security incident.
Application Security
Change Control Documentation
We have a Software Change Management policy which ensures that changes to all software we create are minimally disruptive to services. It applies to all development and production environments.
Software Development Lifecycle
Threat Management
Anti-Malware Policy
Our Endpoint Hardening policy includes information on antivirus and anti-malware requirements.
Internal Vulnerability Scanning
We conduct monthly vulnerability scans using approved third-party tools to identify improper configurations, known vulnerabilities, unpatched systems, and other potential vulnerabilities.
External Vulnerability Scanning
We conduct external penetration testing annually using a third-party provider.
Penetration Testing
We conduct penetration tests on an annual basis using a third-party tester.
Vulnerability Management Process
We have a Vulnerability Management policy which documents vulnerability management processes and appropriate tools for conducting vulnerability assessments of identified critical systems.
Business Resiliency
Business Continuity Plan
We have an Availability Management policy which outlines our Business Continuity Planning and Testing processes. These plans are reviewed and revised to reflect any changes to roles, responsibilities or core business functions and the systems that support them.
Security Policy
Information Security Policy
We have an Information Governance policy which provides an overview of our privacy and security mission and objectives, and highlights the key roles and responsibilities within the organization as they relate to data privacy and information security. This policy ensures that the information security and privacy program has structure, consistency, and buy-in at the highest level of the organization. It also articulates the team structure as it relates to information security and data privacy.
Policy Review Cadence
Our Information Security & Privacy policies are reviewed annually.
Certifications