Security at Catalant
Catalant is committed to providing a robust and comprehensive security program for our customers. We combine enterprise-class security features with exhaustive audits of our applications, systems, and networks to keep our users’ data safe, earn our customers’ trust, and strengthen our relationships over time.
Google Cloud Platform
The Catalant platform is built on the Google Cloud Platform. As part of Google’s service offering, Google takes responsibility for physical and environmental security, availability, and routing, switching and networking controls. Google data centers are equipped with state-of-the-art physical security controls including, but not limited to, multi-factor authentication (badge access card and biometric), strict role-based access, security guard monitoring, video surveillance systems, and access logging and monitoring. Google also deploys environmental controls within its data centers to keep systems fully operational, including redundant generators, uninterruptible power supply (UPS) systems, cooling systems, and fire detection and suppression systems.
Google provides Catalant with additional built-in protections that include, but are not limited to:
- Network layer intrusion detection: Google employs intelligent detection controls at data entry points with technologies in place to remedy certain dangerous situations.
- Vulnerability management: Any Google software consumed by Catalant automatically updates to the most current version.
- Key management: Catalant’s encryption keys are stored in Google’s secure key management system (KMS) and rotated by Google on a quarterly basis.
- Traffic load increase protection: Google’s Autoscaler adds the appropriate resources to handle traffic spikes when required.
For more information regarding Google Cloud security, see Google’s own security and privacy documentation: https://cloud.google.com/security/
The Catalant product and engineering teams are organized into multiple scrum teams following the Agile Software Development Life Cycle (SDLC) model. The Catalant SDLC includes a number of controls to help ensure development efforts are well-designed and secure. Controls in place include, but are not limited to, testing, code reviews, and management approvals prior to implementing a change in the production environment. Catalant also restricts the ability to implement changes in the production environment to a small number of authorized administrators.
We continuously monitor for security vulnerabilities in Catalant platform components through methods including, but not limited to, subscriptions with our vendors and reputable researchers, as well as monthly vulnerability scanning of the platform and underlying systems. We triage all vulnerabilities to determine impact and patch our systems according to criticality. The architecture of the platform enables our engineering team to deploy security patches without disrupting our customers’ experience.
Penetration Testing & Application Hardening
Catalant engages an independent third party to perform annual penetration testing of our web applications and the underlying infrastructure to identify security vulnerabilities. Product and engineering management review all findings, prioritize them, and track issues through to resolution. Where required, we re-test remediated findings to confirm that the fix is effective and that the vulnerability no longer exists.
All Catalant systems run in secure data centers that are managed and maintained by trusted and risk-assessed third parties. These third parties provide all of our network-level services, including load balancers and network security, as well as intrusion detection and DDoS mitigation.
Additionally, Catalant uses trusted third-party services to review and test Catalant application-level code for common security threat vectors such as the OWASP Top 10. Application vulnerability assessments are completed monthly, with any potential vulnerabilities tracked and remediated in accordance with the vulnerability management policy. On a yearly basis Catalant uses a trusted third party to perform manual and automated penetration tests, providing independent validation and assurance of the security testing in place.
Access to the Boston, Massachusetts multi-tenant office facility (25 Thomson Place) is restricted by a badge access card system to help ensure that only authorized and active personnel can access the office facility.
The Catalant office is locked 24 hours a day, 7 days a week. Employees are issued a unique badge access card that is required to access both the office building and the Catalant office space. The badge access card system is configured to log access attempts for review in the event of an incident that requires investigation. Additional ingress/egress points such as the loading docks, roof, etc. are securely locked to prevent unauthorized entrance.
Visitors to the Catalant office facility are required to be escorted at all times while on the premises. In the event an unknown person is discovered within the Catalant office space, they are to be removed from the facility immediately.
All visitors to the multi-tenant office facility are required to use a video doorbell located in the secured main entryway on the first floor of the building. Visitors must identify themselves and communicate the purpose of their visit before a designated Catalant employee unlocks the main entry to the building. Visitors are then required to take an elevator to the third floor and, once there, ring a doorbell in order to be granted access to the Catalant office space. The visitor is then required to check in and be escorted while on the premises.
Systems & Data Access
Catalant tightly controls access to systems and data based on the principles of least privilege, strictly limiting access levels based on job responsibilities. We only permit a small number of experienced employees to administer our production system, and our documented approval process tracks employees that require production systems access.
Catalant provisions all employees with a unique identifier and password, and enforces two-factor authentication for all employees when they access any of our systems. Our information security team reviews permissions on a quarterly basis to help ensure that access remains appropriate to active and authorized personnel. When an employee departs from Catalant, our process dictates that we notify relevant system administrators, who immediately revoke access.
Shared accounts are strictly prohibited under any circumstances. Unique user IDs are created for each employee. Catalant does not allow employees to access confidential data using a shared account, including but not limited to, access to the application and logging into the database.
The Catalant platform stores two categories of data: structured and unstructured. Structured data—including our expert profiles, customer profiles, and project information entered into the application—are stored within a Google Cloud SQL database. Unstructured data—including files uploaded by our customers or experts—are stored in Cloud Storage. We tag all customer data, and backend logical access controls prevent one customer from seeing the data of another customer.
Catalant restricts employee, customer and expert interaction with data through role-based access permissions that prevent users from accessing data without the required permissions. Customers can further restrict access to the data they make available on the platform using the platform’s access permission features.
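The two preceding paragraphs describe a multi-tenant model: every row carries a customer tag, backend access control filters on it, roles gate what a user may do, and customers can narrow access further. The following is an added example of how such a model is typically enforced in the data-access layer; it is not Catalant's code. The schema, the roles, the sample customers and users are constructed, and an in-memory SQLite database stands in for Cloud SQL.

```python
"""Tenant-scoped data access with a customer-controlled allow-list.

Added illustration of the logical access controls described above; it is
not Catalant's code. Schema, roles and sample rows are constructed, and an
in-memory SQLite database stands in for the production database.
"""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

SCHEMA = """
CREATE TABLE projects (
    id          INTEGER PRIMARY KEY,
    customer_id TEXT    NOT NULL,   -- tenant tag carried by every row
    title       TEXT    NOT NULL,
    restricted  INTEGER NOT NULL DEFAULT 0
);
-- customer-managed allow-list for restricted projects
CREATE TABLE project_acl (
    project_id INTEGER NOT NULL REFERENCES projects(id),
    user_id    TEXT    NOT NULL,
    PRIMARY KEY (project_id, user_id)
);
"""

# One visibility predicate reused by every read: the row must belong to the
# caller's tenant, and restricted rows additionally need an ACL entry for the caller.
VISIBLE = """
    customer_id = :tenant
    AND (restricted = 0
         OR EXISTS (SELECT 1 FROM project_acl a
                    WHERE a.project_id = projects.id AND a.user_id = :user))
"""


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication; never taken from request parameters."""
    user_id: str
    tenant: str
    role: str  # "admin" or "member"


class ProjectRepo:
    def __init__(self, conn: sqlite3.Connection, caller: Principal):
        self.conn = conn
        self.caller = caller

    def _params(self, **extra):
        return {"tenant": self.caller.tenant, "user": self.caller.user_id, **extra}

    def get(self, project_id: int) -> Optional[str]:
        # A valid id from another tenant yields no row, the same as a nonexistent id.
        row = self.conn.execute(
            f"SELECT title FROM projects WHERE id = :id AND {VISIBLE}",
            self._params(id=project_id),
        ).fetchone()
        return row[0] if row else None

    def list_ids(self) -> List[int]:
        rows = self.conn.execute(
            f"SELECT id FROM projects WHERE {VISIBLE} ORDER BY id", self._params()
        ).fetchall()
        return [r[0] for r in rows]

    def create(self, title: str, restricted: bool = False) -> int:
        if self.caller.role != "admin":
            raise PermissionError("only tenant admins may create projects")
        cur = self.conn.execute(
            "INSERT INTO projects (customer_id, title, restricted) VALUES (?, ?, ?)",
            (self.caller.tenant, title, int(restricted)),  # tag comes from the session
        )
        return cur.lastrowid


def open_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed rows for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO projects (id, customer_id, title, restricted) VALUES (?, ?, ?, ?)",
        [
            (1, "acme", "Market entry study", 0),
            (2, "acme", "Board deck", 1),
            (3, "globex", "Supply chain review", 0),
        ],
    )
    conn.execute("INSERT INTO project_acl VALUES (2, 'u-alice')")  # customer-set restriction
    return conn


ALICE = Principal("u-alice", "acme", "admin")
DAVE = Principal("u-dave", "acme", "member")
EVE = Principal("u-eve", "globex", "admin")

if __name__ == "__main__":
    conn = open_demo_db()
    for who in (ALICE, DAVE, EVE):
        print(who.user_id, ProjectRepo(conn, who).list_ids())
```

The design point is that the tenant tag is bound from the authenticated session inside the repository, so no request can ask for another customer's row by guessing its id: Eve, an admin of her own tenant, gets nothing for project 1, and Dave, a member of the right tenant, still cannot see the restricted project his customer limited to Alice.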
Catalant configures its load balancers to support Transport Layer Security (TLS) connections between end-point devices and the Catalant platform, helping to ensure the secure transmission of information over public networks. We also encrypt all data stored on the platform at rest using the Advanced Encryption Standard (AES) with 256-bit keys.
Catalant leverages Google Cloud’s distributed architecture, spreading its data footprint over multiple regions, and multiple zones within those regions. Catalant uses a container-based architecture, which allows us to easily spin up the Catalant platform infrastructure within another cloud provider, or from within our own hosted environment, if needed.
Catalant performs nightly backups by taking snapshots of all customer transaction data. Additionally, we retain binary logs to account for all data created and modified between nightly backups, allowing for a true point-in-time restoration, if needed. We also test the auto-failover ability of our database on a quarterly basis, and perform regularly scheduled data restoration tests to ensure the recoverability of data.
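Restoring to a point in time means starting from the last snapshot and replaying only the log entries up to the chosen moment. The following is an added example of that procedure, not Catalant's tooling: a dictionary stands in for the database, the snapshot and log entries are constructed, and the check that refuses a restore when a log position is missing is this example's own addition, since a replay with a silent gap would produce a state that never existed.

```python
"""Point-in-time restore: nightly snapshot plus binary-log replay.

Added illustration of the recovery model described above; it is not
Catalant's tooling. A dict stands in for the database, the snapshot and
log entries are constructed, and the gap check is this example's addition.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List


@dataclass(frozen=True)
class LogEntry:
    seq: int          # monotonically increasing log position
    ts: datetime
    op: str           # "set" or "delete"
    key: str
    value: Any = None


class BinlogGapError(Exception):
    """Raised when a log position needed for the restore is missing."""


def restore_to(snapshot: Dict[str, Any], snapshot_seq: int,
               binlog: List[LogEntry], target: datetime) -> Dict[str, Any]:
    """Rebuild the state as of `target` by replaying the log onto the snapshot.

    Entries already contained in the snapshot (seq <= snapshot_seq) are skipped.
    Every later position up to the target must be present; otherwise writes would
    be silently dropped, so the restore is refused instead of guessed."""
    state = dict(snapshot)  # never mutate the snapshot itself
    expected = snapshot_seq + 1
    for entry in sorted(binlog, key=lambda e: e.seq):
        if entry.seq <= snapshot_seq:
            continue
        if entry.ts > target:
            break  # everything after the target is intentionally not replayed
        if entry.seq != expected:
            raise BinlogGapError(f"missing log position {expected} before {entry.seq}")
        expected += 1
        if entry.op == "set":
            state[entry.key] = entry.value
        elif entry.op == "delete":
            state.pop(entry.key, None)
        else:
            raise ValueError(f"unknown op {entry.op!r} at seq {entry.seq}")
    return state


def t(hour: int, minute: int) -> datetime:
    """Timestamp helper for the constructed scenario (one fixed day)."""
    return datetime(2024, 4, 1, hour, minute)


# Constructed scenario: the 02:00 snapshot, then a day of writes including an
# accidental delete at 11:45 that we want to roll back to just before.
SNAPSHOT_SEQ = 100
SNAPSHOT = {"project:1": "draft", "project:2": "active"}
BINLOG = [
    LogEntry(101, t(9, 15), "set", "project:3", "draft"),
    LogEntry(102, t(10, 30), "set", "project:1", "active"),
    LogEntry(103, t(11, 45), "delete", "project:2"),
    LogEntry(104, t(12, 0), "set", "project:3", "active"),
]

if __name__ == "__main__":
    print(restore_to(SNAPSHOT, SNAPSHOT_SEQ, BINLOG, t(11, 44)))
```

Replaying to 11:44 recovers project:2 while keeping the 10:30 change to project:1, which a plain restore of the 02:00 snapshot would lose; a restore target before the first log entry returns the snapshot unchanged, and a missing position between the snapshot and the target aborts the restore rather than producing a state that never existed. This is also why the scheduled restoration tests matter: they exercise the log continuity, not just the snapshot.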
Security incidents must be reported immediately to Information Security or DevOps personnel by e-mail, phone, or the internal chat system; Information Security or DevOps personnel are responsible for the response. Catalant’s Legal team is engaged to investigate the legal requirements for reporting compromises under applicable laws and regulations, and to ensure that we meet our contractual commitments to customers.
Incident Response Testing
Catalant’s incident response plan is tested on an annual basis. The plan must provide for the continued operation or rapid recovery of critical systems in the event of an interruption or degradation of service. Upon successful completion of incident testing, an after-actions meeting is held to discuss the results of the test, and the incident response plan is modified to incorporate lessons learned or current industry developments.
All Catalant employees must review the Internal Information Security policies during on-boarding and recertify during a yearly review and renewal of Information Security training.
Clear policies, procedures, and plans form the core of an effective security program. Catalant’s policies include, but are not limited to, the following:
- Identification, Authentication, and Access Control
- Security Awareness
- Acceptable Use
- Risk Assessment
- Audit and Accountability
- Vulnerability Management
- Change Management
- Incident Response
Catalant’s management team reviews and approves policies annually—or when there is a significant change that impacts how controls or policies operate. Our information security team documents policies extensively and provides them to all employees on our intranet site.
As part of the Catalant employee onboarding process, all new hires (as well as all contractors with access to customer information) must pass a background check, sign a confidentiality and non-disclosure agreement, complete security and privacy awareness training, and acknowledge receipt and understanding of our policies. We require all employees to complete security and privacy awareness training on an annual basis, and to re-certify that they agree to abide by our policies.
Catalant’s Information Security team performs a risk analysis prior to Catalant engaging a prospective third-party vendor. Based on the nature of the third-party vendor relationship and services, the risk analysis may include the following activities:
- Discussion of security and process-related questions with the third-party vendor
- Completion of information security questionnaire by third-party vendor
- Review of policy and procedure documentation
- Review of third-party audit and compliance reporting, such as SOC 2, PCI DSS, or ISO reports
- Review of data privacy assessments
- Onsite audit of the vendor’s systems, processes and/or facilities
The corresponding results are documented within an internal ticketing system that tracks any vendor systems that will store and/or have access to ‘Restricted’ and/or ‘Internal Use Only’ information. Evidence of approval will be documented within the internal ticketing system and is required prior to signing the agreement with the third-party vendor.
If the third-party vendor is accepting ‘Restricted’ or ‘Internal Use Only’ information as part of the agreement, the activities above must be performed. In addition, contractual requirements must be included to ensure that third party vendors implement and maintain appropriate security measures.
Vendor Monitoring & Renewal
Catalant monitors the adherence of its third-party vendors to contractual and applicable legal requirements. In addition, at least annually, Catalant’s information security team performs a security review of key third-party service providers. As part of that review, Catalant performs at least one of the following:
- have the vendor complete the Catalant security questionnaire;
- review the vendor’s third-party audit reporting;
- schedule a call with the vendor’s security team to discuss its security posture.
Any gaps identified must be addressed. Evidence of the third-party security review is documented within the Catalant ticketing system. Catalant may terminate agreements with vendors that do not meet Catalant’s expected security requirements.