Since the beginning, we’ve built Poka with data protection and security as our top priority. Security is an ongoing effort and we are continuously improving our information security program and incorporating best practices across our organisation and platform.
Poka follows Secure by Design principles and is built on a modern technology stack that provides the agility, performance, reliability, availability, and the level of information security and privacy needed to meet our customers' most stringent requirements.
How do you ensure that Poka employees play their role in preserving the security and privacy of our data?
Our employees play a crucial role in ensuring the security and privacy of the Poka application and your data. Here are some of the steps we take:
How do you integrate security in the development lifecycle of the application?
Software Development Life Cycle
At Poka, we leverage the DevOps and Continuous Delivery models. The highly automated nature of our software and infrastructure delivery, combined with frequent releases, makes it essential that security be embedded into the SDLC.
Here's an overview of some of our security, privacy and quality assurance practices: requirements identification, requirements review, design reviews, development controls (e.g. static analysis, code reviews), automated and manual testing, automated vulnerability scans, change management and deployment controls.
How is the Poka application available?
Poka is available as a Software as a Service (SaaS) delivery model, providing you with access to the most up-to-date and advanced application with no requirement for maintenance and upgrades.
How is our data protected?
To ensure data and process isolation, each customer gets dedicated instances of the Poka application with a segregated database and data stores.
What are the user identity models and authentication options supported?
You can choose from two identity models with Poka:
How do we assign permission to users?
Access to your Poka instance is governed by roles and access rights configured by your designated Poka Administrators.
How can I limit access to my Poka instance?
Logical firewall
You may choose to restrict access to a specific IP range so that your Poka instance is only accessible in designated physical locations and through your organization's VPN.
We also support a per-user access policy that allows designated users to connect from outside your designated physical locations. You can also restrict the countries from which they are allowed to access your Poka instance using our IP geo-location access control feature.
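The two controls described above (an IP-range allowlist for designated locations and VPN egress, plus a per-user exception that is itself bounded by a country allowlist) compose into a small policy decision. The following is an added example written for this page, not Poka's code: it assumes a constructed prefix-to-country table standing in for a real geo-location database, a hypothetical policy shape, and a fail-closed choice when an address's country cannot be determined.

```python
"""Evaluate an instance access policy: IP-range allowlist, per-user remote
access, and country restriction. Added example; not Poka's implementation."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for an IP geo-location database (prefix -> ISO country).
# A real deployment would query a maintained GeoIP dataset instead.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def lookup_country(ip: str):
    """Return the ISO country code for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


@dataclass(frozen=True)
class InstancePolicy:
    """Hypothetical per-instance policy configured by an administrator."""
    allowed_ranges: tuple      # CIDR prefixes of designated locations / VPN egress
    allowed_countries: frozenset  # countries permitted for remote users
    remote_users: frozenset    # users granted the per-user remote-access policy


def evaluate_access(policy: InstancePolicy, user: str, ip: str):
    """Return (decision, reason) for a login attempt from `ip` by `user`."""
    addr = ipaddress.ip_address(ip)

    # 1. Requests from a designated IP range are always permitted.
    if any(addr in ipaddress.ip_network(r) for r in policy.allowed_ranges):
        return "allow", "source address within a designated IP range"

    # 2. Outside those ranges, only users with a remote-access policy may proceed.
    if user not in policy.remote_users:
        return "deny", "source outside designated ranges and user lacks remote access"

    # 3. Remote users are further bounded by the country allowlist.
    country = lookup_country(ip)
    if country is None:
        # Fail closed: an unresolvable location is treated as not permitted.
        return "deny", "source country could not be determined"
    if country not in policy.allowed_countries:
        return "deny", f"source country {country} is not permitted"
    return "allow", f"remote user connecting from permitted country {country}"


# Constructed sample policy: one plant/VPN egress block, remote access for
# one user, and remote logins limited to Canada and the United States.
SAMPLE_POLICY = InstancePolicy(
    allowed_ranges=("203.0.113.0/28",),
    allowed_countries=frozenset({"CA", "US"}),
    remote_users=frozenset({"alice"}),
)

if __name__ == "__main__":
    attempts = [
        ("alice", "203.0.113.5"),   # inside the plant range
        ("bob", "198.51.100.7"),    # outside, no remote-access policy
        ("alice", "198.51.100.7"),  # outside, remote user, permitted country
        ("alice", "192.0.2.9"),     # outside, remote user, country not permitted
        ("alice", "8.8.8.8"),       # outside, country unknown in the constructed table
    ]
    for user, ip in attempts:
        decision, reason = evaluate_access(SAMPLE_POLICY, user, ip)
        print(f"{user:>6} from {ip:<14} -> {decision:5} ({reason})")
```

The ordering matters: the range check runs first so that on-site users are never blocked by a geo-location lookup, and the country check applies only to the remote-access exception, which keeps the exception narrower than the rule it relaxes.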
What information is stored on the mobile devices?
The only information stored is the structure of your organization to speed up the app. The content itself is downloaded or streamed on demand.
How do you manage vulnerabilities?
Poka's Security Team uses a combination of automated and manual vulnerability scanning and exploitation software to detect or confirm the presence of vulnerabilities in our SaaS infrastructure and application. Our security team is responsible for assessing, prioritizing and remediating confirmed vulnerabilities.
Do you perform Penetration Test on a regular basis?
Poka also mandates a third-party security firm to perform authenticated and non-authenticated penetration testing against the Poka SaaS infrastructure and application. The third-party penetration test is performed annually, and an attestation of completion is available upon request.
How do you backup our data?
Customer data is backed up every hour and replicated in near-real time at the designated secondary Amazon AWS Region. Backups are performed without impacting the availability of our customer instances of Poka. Customer data is always transmitted over a secure communication channel and encrypted at rest.
How do you ensure the availability of Poka?
Poka is architected, designed, and coded by our team following cloud-native principles, and takes full advantage of Amazon AWS infrastructure services to provide high availability transparently across multiple data centers (AWS Availability Zones).
How do you handle security incidents?
A potential security incident may include, among other things, loss of availability, or unauthorized access, disclosure or alteration of data. Poka has an incident management procedure which covers the entire lifecycle of a potential incident, including: Plan and Prepare, Detect and Report, Assess, Respond, and Post-mortem.
Poka will promptly notify the customer without undue delay in the event of any reasonably suspected or confirmed security incident affecting a customer.
Who owns the data we store in your service?
You maintain full ownership and control of your data uploaded or created in Poka.
Will Poka employees access our data?
Providing the service requires that some authorized Poka personnel have access to the systems which process or store your data. However, they are prohibited from accessing your data unless it is necessary to do so; for example, in order to reproduce or diagnose a problem you are having with Poka, we may need to access your data. Poka has developed a Customer Data Handling policy, communicated to all personnel, that governs when and how customer data may be accessed.
What happens to our data if we cancel our subscription to Poka?
Poka makes your data accessible for retrieval at any time during the term of your subscription and for a period of 60 days after the termination of your subscription. After 60 days, Poka will disable the account and will securely delete your data.
How do we retrieve our data?
You can retrieve the data created with Poka in JSON and the data uploaded to Poka in its native format using the Poka RESTful API.
How do you ensure that all our data was deleted?
We have a procedure for the secure deletion of customer data at the termination of the subscription. A Poka system administrator will be assigned the task and will delete all customer data: database, file storage, backups, encryption keys along with your instance of Poka. We will also provide you with a data destruction report signed by the VP of Information Security who will ensure that the procedure was followed and that the data was deleted in accordance with the procedure.
Where will our data be hosted?
We host Poka in Amazon Web Services (AWS) data centers (the leading Infrastructure as a Service (IaaS) cloud provider) in the United States, Canada or Germany according to your choice. AWS maintains multiple certifications and attestations for its hosting operations. For more information about their certification and compliance program, please visit the AWS Security website and the AWS Compliance website.
Poka is committed to protecting your data including the personal information of your employees. As a result we help your organization remain and demonstrate compliance with Privacy Laws and Regulations such as GDPR. Poka follows the seven data processing principles in GDPR:
Learn more about Poka's stance on GDPR by consulting the Compliance section.
Poka is compliant with the Service Organization Controls (SOC) 2 Type 2 from the AICPA, one of the most sought-after security attestations for SaaS providers.
The SOC 2 Type 2 report provides assurance that Poka's information security program and control environment are compliant with the Trust Services Criteria developed and maintained by the AICPA. The report covers the controls Poka has implemented both from an organisational and technical perspective, and includes access management, encryption, code changes and deployment, monitoring, vulnerability management, incident management, risk management, human resources management, vendor management, and more.
The report helps companies looking to use a cloud service like Poka to properly assess and address the associated risks.
Poka's SOC 2 Type 2 report is available under NDA to all our existing and potential customers.
Please contact Poka's Security team to request a copy: infosec@poka.io.
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when selecting a cloud vendor.
The Security, Trust, and Assurance Registry (CSA STAR) and the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v3.0.1 provide a comprehensive set of questions that customers can use to evaluate the depth and breadth of cloud vendors' security, privacy, and compliance processes.
Poka's security team has compiled responses to all 294 questions in the questionnaire. This document is a valuable resource for understanding how Poka meets and exceeds the requirements set forth by CSA.
The Controlled Goods Program (CGP) was initiated in April 2001 to further strengthen and coordinate defence trade controls with the U.S. The Controlled Goods Program is a registration and compliance program that regulates access to controlled goods and technologies, including ITAR-controlled articles, in Canada.
Since 2017, Poka has been registered (CGP #20710) and complies with the requirements of the Canadian Controlled Goods Regulations and the Defence Production Act, which require conducting security assessments of personnel, preparing for inspections, developing security plans and reporting security breaches.
Please contact Poka's Security team to learn more about our compliance with CGP at infosec@poka.io. If the content of your communication is sensitive, please encrypt your email using our PGP key.
The General Data Protection Regulation (GDPR) is an EU regulation which replaced Directive 95/46/EC and is meant to overhaul existing rules and guidelines on how organisations may process the personal data of EU citizens. It also aims to standardize data protection laws across all of Europe. One of the main features of GDPR is the added data subject rights, meant to give European citizens more power and control over their privacy.
What is Poka’s stance on GDPR?
At Poka, we are really excited about GDPR, as this regulation will further help protect the security and privacy of individuals. That's why Poka has committed itself to putting in place additional controls and processes to achieve compliance with GDPR.
What Personal Information do we collect and process?
When you use our services, Poka may collect and process two categories of data: Customer Data and Other Information.
Who is the Data Controller and Data Processor?
As mentioned earlier, Poka collects and processes two categories of data: Customer Data and Other Information.
For Customer Data, the Customer is the data controller, and Poka is the data processor. For Other Information, Poka is the data controller.
How long do we retain Personal Information?
Do you offer assistance with GDPR?
Poka will gladly collaborate and assist each customer seeking compliance with the obligations pursuant to Articles 32 to 36 of GDPR.
How do you handle data subject requests?
With the new provisions of GDPR, European citizens' rights over their personal information have been drastically enhanced, and European citizens may now request the following:
Poka manages data subject requests differently depending on the type of information:
Is it possible to sign a DPA with Poka to ensure compliance with GDPR?
Yes, Poka makes available a Data Processing Addendum (DPA) for our Customers.