Security at Catalant
The world’s leading companies trust Catalant with sensitive information on mission critical work that spans across thousands of employees, independent experts and firms, alumni and retirees, and previously approved firms and consultants.
Below are examples of Catalant’s commitment to information security—from our segregation and encryption practices to our posture on third-party suppliers—and the measures we take to keep our users’ data safe, earn our customers’ trust, and strengthen our relationships over time.
Clear policies, procedures, and plans form the core of an effective security program. Catalant’s policies define the guidelines for employees to operate the Catalant Solutions Platform and Services, and serve to protect information assets. These policies include, but are not limited to, the following:
- Identification, Authentication, and Access Control
- Security Awareness
- Acceptable Use
- Risk Assessment
- Audit and Accountability
- Vulnerability Management
- Change Management
- Incident Response
Catalant’s management team reviews and approves policies annually—or when there is a significant change that impacts how controls or policies operate. Our information security team documents policies extensively and provides them to all employees on our intranet site.
As part of the Catalant employee onboarding process, all new hires must pass a background check, sign a confidentiality and non-disclosure agreement, complete security and privacy awareness training, and acknowledge receipt and understanding of our policies. We require all employees to complete security and privacy awareness training on an annual basis, and to re-certify that they agree to abide by our policies.
Catalant tightly controls access to systems and data based on the principle of least privilege, strictly limiting access levels based on job responsibilities. We only permit a small number of experienced employees to administer our production system, and our documented approval process tracks employees who require production systems access.
Catalant provisions all employees with a unique identifier and password, and enforces two-factor authentication for all employees when they access any of our systems. Our information security team reviews permissions on a quarterly basis to help ensure that access remains appropriate to active and authorized personnel. When an employee departs from Catalant, our process dictates that we notify relevant system administrators, who immediately revoke access.
The Catalant Solutions Platform can integrate with customers’ various Single Sign-On (SSO) solutions via Security Assertion Markup Language (SAML), enabling streamlined management of customer personnel who access the platform. Alternatively, end users can enable two-step verification to access the Platform by navigating to the Account Settings page within their account.
The Catalant Solutions Platform stores two categories of data: structured and unstructured. Structured data—including our expert profiles, customer profiles, and project information entered into the application—are stored within a Google Cloud SQL database. Unstructured data—including files uploaded by our customers or experts—are stored in Cloud Storage. We tag all customer data, and backend logical access controls prevent one customer from seeing the data of another customer.
Catalant restricts employee, customer and expert interaction with data via role-based access permissions that prevent users from accessing data without the appropriate permissions. Customers can further restrict access to the data they make available on the Platform using its access permission features.
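The two preceding paragraphs describe tenant tagging with backend logical access controls, plus customer-defined restrictions on top. The following is an added illustration written for this page, not Catalant's code: a toy in-memory repository in which every record carries a tenant tag taken from the authenticated principal, every read filters on that tag, and a per-project allow-list stands in for the customer's own restriction. The principal fields, role names, project ids and the `get_unscoped` lookup (shown only to contrast the insecure id-only pattern with the tenant-scoped one) are all constructed for the example.

```python
"""Tenant-scoped access control (added example; not Catalant's code).

Every record is tagged with the tenant that created it, and reads go
through a repository layer that enforces the tenant filter and any
customer-defined allow-list. Schema, role names and ids are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str          # the customer the authenticated user belongs to
    roles: frozenset        # e.g. frozenset({"viewer"}) or frozenset({"editor"})


@dataclass
class Project:
    project_id: str
    tenant_id: str          # tag applied at creation, never client-supplied
    title: str
    restricted_to: Optional[frozenset] = None  # customer's optional allow-list of user ids


class PermissionDenied(Exception):
    pass


class ProjectRepository:
    def __init__(self) -> None:
        self._rows: Dict[str, Project] = {}

    def create(self, principal: Principal, project_id: str, title: str,
               restricted_to=None) -> Project:
        if "editor" not in principal.roles:
            raise PermissionDenied("only editors may create projects")
        # The tenant tag is copied from the authenticated principal, so a
        # caller cannot file data under another customer's tenant.
        row = Project(project_id, principal.tenant_id, title,
                      frozenset(restricted_to) if restricted_to else None)
        self._rows[project_id] = row
        return row

    def get_unscoped(self, project_id: str) -> Optional[Project]:
        """Insecure pattern, kept for contrast: a lookup by id alone lets any
        authenticated caller who knows an id read another tenant's record."""
        return self._rows.get(project_id)

    def get(self, principal: Principal, project_id: str) -> Project:
        """Hardened lookup: the tenant filter is part of the query, and the
        customer's own allow-list is honoured after the tenant check."""
        row = self._rows.get(project_id)
        # One error for both "missing" and "other tenant", so the response
        # does not reveal which ids exist elsewhere.
        if row is None or row.tenant_id != principal.tenant_id:
            raise PermissionDenied("project not found")
        if row.restricted_to is not None and principal.user_id not in row.restricted_to:
            raise PermissionDenied("project not found")
        return row


def demo() -> Dict[str, object]:
    """Exercise the repository with two constructed tenants and return the outcomes."""
    repo = ProjectRepository()
    acme_editor = Principal("u1", "acme", frozenset({"editor"}))
    acme_viewer = Principal("u2", "acme", frozenset({"viewer"}))
    globex_viewer = Principal("u3", "globex", frozenset({"viewer"}))

    repo.create(acme_editor, "p100", "Pricing study")
    repo.create(acme_editor, "p101", "Board deck", restricted_to={"u1"})

    results: Dict[str, object] = {}
    results["same_tenant"] = repo.get(acme_viewer, "p100").title
    results["unscoped_leak"] = repo.get_unscoped("p100") is not None  # insecure path returns the row
    try:
        repo.get(globex_viewer, "p100")
        results["cross_tenant"] = "allowed"
    except PermissionDenied:
        results["cross_tenant"] = "denied"
    try:
        repo.get(acme_viewer, "p101")
        results["customer_restriction"] = "allowed"
    except PermissionDenied:
        results["customer_restriction"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is where the filter lives: if the tenant check is a condition callers are expected to add, one forgotten call site leaks data across customers; if it is part of the repository's query, every read inherits it.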
Today’s security landscape makes data encryption increasingly important. That’s why Catalant configures the load balancers to support secure Transport Layer Security (TLS) connections between end-point devices and the Catalant Solutions Platform to help ensure the secure transmission of information over public networks. We also encrypt all data stored on the Platform at rest, using the Advanced Encryption Standard (AES) with 256-bit keys.
The Catalant product and engineering teams follow an agile Software Development Life Cycle (SDLC) across multiple scrum teams. The Catalant SDLC includes a number of controls to help ensure development efforts are well-designed and secure. Controls in place include, but are not limited to, testing, code reviews, and management approvals prior to implementing a change into the production environment. Catalant also restricts the ability to implement changes in the production environment to a small number of authorized administrators.
New security vulnerabilities that threaten the confidentiality, integrity, and availability of data arise constantly. We continuously monitor for security vulnerabilities in Catalant Solutions Platform components through methods including, but not limited to, subscriptions with our vendors and reputable researchers, as well as monthly vulnerability scanning of the Platform and underlying systems. We triage all vulnerabilities to determine impact and patch our systems according to criticality. The architecture of the Platform enables our engineering team to deploy security patches seamlessly without disrupting our customers’ experience.
Catalant engages an independent third party to annually perform penetration testing of our web applications and the underlying infrastructure to identify security vulnerabilities. Product and engineering management reviews all findings, prioritizes them, and tracks issues through to resolution. If required, we re-test vulnerabilities to ensure that remediation actions sufficiently addressed the finding, and to confirm that the vulnerability no longer exists.
Customers who wish to perform their own independent testing should contact their Catalant Account Executive. With advance notice, we can provision a test environment for customers to perform testing.
Catalant leverages Google Cloud’s distributed architecture, spreading its data footprint over multiple regions, and multiple zones within those regions. Catalant uses a container-based architecture, which allows us to easily spin up the Catalant Solutions Platform infrastructure within another cloud provider, or from within our own hosted environment, if needed.
Catalant performs nightly backups by taking snapshots of all customer transaction data. Additionally, we retain binary logs to account for all data created and modified between nightly backups, allowing for a true point-in-time restoration, if needed. We also test the auto-failover ability of our database on a quarterly basis, and perform regularly scheduled data restoration tests to ensure the recoverability of data.
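The paragraph above describes the combination that makes point-in-time restoration possible: a nightly snapshot gives a full baseline, and the binary log of every change committed since then is replayed up to the moment you want. The following is an added example written for this page, not Catalant's restore tooling: a toy key-value store stands in for the SQL database, and the snapshot times, log entries and keys are constructed so that an accidental deletion in the afternoon can be undone by restoring to the minute before it.

```python
"""Point-in-time restore from a nightly snapshot plus a binary log.

Added example, not Catalant's tooling. A dict stands in for the database;
snapshots, log entries, keys and values are constructed for illustration.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# A snapshot is (taken_at, full copy of the state at that instant).
Snapshot = Tuple[datetime, Dict[str, str]]
# A binlog entry is (committed_at, op, key, value); op is "set" or "delete".
BinlogEntry = Tuple[datetime, str, str, str]


def apply(state: Dict[str, str], entry: BinlogEntry) -> None:
    """Apply one logged change to the working copy of the state."""
    _, op, key, value = entry
    if op == "set":
        state[key] = value
    elif op == "delete":
        state.pop(key, None)
    else:
        raise ValueError(f"unknown binlog op {op!r}")


def restore_to(snapshots: List[Snapshot], binlog: List[BinlogEntry],
               target: datetime) -> Dict[str, str]:
    """Rebuild the state as it was at `target`.

    1. Start from the newest snapshot taken at or before the target.
    2. Replay, in commit order, every change committed after that snapshot
       and no later than the target. Changes after the target are ignored,
       which is what undoes a bad write: restore to just before it.
    """
    candidates = [s for s in snapshots if s[0] <= target]
    if not candidates:
        raise ValueError("no snapshot covers the requested time")
    taken_at, base = max(candidates, key=lambda s: s[0])
    state = dict(base)  # never mutate the stored snapshot itself
    replay = sorted((e for e in binlog if taken_at < e[0] <= target),
                    key=lambda e: e[0])
    for entry in replay:
        apply(state, entry)
    return state


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Constructed scenario: a record is deleted by mistake at 14:30."""
    t = datetime.fromisoformat
    snapshots: List[Snapshot] = [
        (t("2024-03-01T00:00:00"), {"project:1": "draft v1"}),
        (t("2024-03-02T00:00:00"), {"project:2": "scope v2"}),  # taken after the deletion
    ]
    binlog: List[BinlogEntry] = [
        (t("2024-03-01T09:00:00"), "set", "project:1", "draft v2"),
        (t("2024-03-01T11:00:00"), "set", "project:2", "scope v1"),
        (t("2024-03-01T14:30:00"), "delete", "project:1", ""),  # the accidental deletion
        (t("2024-03-01T16:00:00"), "set", "project:2", "scope v2"),
    ]
    before_delete = restore_to(snapshots, binlog, t("2024-03-01T14:29:00"))
    after_delete = restore_to(snapshots, binlog, t("2024-03-01T15:00:00"))
    next_nightly = restore_to(snapshots, binlog, t("2024-03-02T00:00:00"))
    return before_delete, after_delete, next_nightly


if __name__ == "__main__":
    for label, state in zip(("14:29", "15:00", "next nightly"), demo()):
        print(label, state)
```

Restoring only from the nightly snapshot would lose everything written that day; restoring only from the log would require replaying history from the beginning. Keeping both, and testing the restore regularly as the paragraph describes, is what turns "we have backups" into a recovery time you can actually state.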
To help ensure that our controls are designed appropriately and operating effectively, Catalant undergoes an annual SOC 2 examination from an independent third-party audit firm. Please contact your Catalant Account Executive to request a copy of our most recent SOC 2 audit report.
At Catalant, our customers’ privacy is extremely important to us. Catalant has designed its privacy program to meet General Data Protection Regulation (GDPR) requirements, as well as the rigorous demands of our customers and independent experts and firms in our Expert Marketplace. We are happy to sign data processing addendums and model clauses with our customers.
The Catalant Solutions Platform is built on the Google Cloud Platform. As part of Google’s service offering, Google takes responsibility for physical and environmental security, availability, routing, switching and networking controls. Google data centers are equipped with state-of-the-art physical security controls including, but not limited to, multi-factor authentication (badge access card and biometric), strict role-based access, security guard monitoring, video surveillance systems, and access logging and monitoring. Google deploys environmental controls within its data centers, including redundant generators, uninterruptible power supply (UPS) systems, cooling systems, and fire detection and suppression systems, to ensure systems remain fully operational.
Google provides Catalant with additional built-in protections that include, but are not limited to:
- Network layer intrusion detection: Google employs intelligent detection controls at data entry points with technologies in place to remedy certain dangerous situations.
- Vulnerability management: Any Google software consumed by Catalant automatically updates to the most current version.
- Key management: Catalant’s encryption keys are stored in Google’s secure key management system (KMS) and rotated by Google on a quarterly basis.
- Traffic load increase protection: Google’s Autoscaler adds the appropriate resources to handle traffic spikes when required.