Security & Compliance

Security

Since the beginning, we’ve built Poka with data protection and security as our top priority. Security is an ongoing effort and we are continuously improving our information security program and incorporating best practices across our organisation and platform.

Poka follows the Secure by Design principles and is built on a modern technology stack that provides the agility, performance, reliability, availability and the level of information security and privacy to meet our customer’s most stringent requirements.

People

How do you ensure that Poka employees play their role in preserving the security and privacy of our data?

Our employees play a crucial role in our ensuring the security and privacy of the Poka application and your data. Here are some of the steps we take:

• Background Checks
  All candidates are required to successfully complete a standard background check as part of the hiring process. They are also required to sign an NDA as part of their employment contract.
• Roles & Responsibilities
  DevOps, Support, Customer Success and Professional Services teams are made aware of their responsibilities in maintaining the security, confidentiality, integrity and availability of customer data.
• Training
  Poka provides information security and privacy training for new hires, and on an ongoing basis to all employees. In addition to this general information security and privacy training, more targeted training is also provided.

Application Security

How do you integrate security in the development lifecycle of the application?

Software Development Life Cycle

At Poka, we leverage the DevOps and Continuous Delivery models. The highly automated nature of our software and infrastructure delivery, combined with frequent releases, requires security be embedded into the SDLC is essential.

Here's an overview of some of our security, privacy and quality assurance practices: requirements identification, requirements review, design reviews, development controls (i.e. static analysis, code reviews), automated and manual testing, automated vulnerability scans, change management and deployment controls.

How is the Poka application available?

Poka is available as a Software as a Service (SaaS) delivery model, providing you with access to the most up-to-date and advanced application with no requirement for maintenance and upgrades.

How is our data protected?

• Your data is encrypted in transit using Transport Layer Security (TLS) 1.2
• Your data is encrypted at rest using 256-bit AES, one of the strongest block ciphers available
• We use versioning and never delete any of your data
• We protect your data from unauthorized access using multiple access management controls
• Your data is backed-up every hour and copied off-site

Is our data isolated from other customers?

To ensure data and process isolation, each customer gets dedicated instances of the Poka application, segregated database and data stores.

What are the user identity models and authentication options supported?

You can choose from two identity models with Poka:

1. SAML-based Single Sign-On (SSO)
   
   You can integrate Poka with your corporate credential directories using Security Assertion Markup Language (SAML v2.0) to retain full control of authentication process. You can also automatically provision and deprovision your users in Poka with System for Cross-domain Identity Management (SCIM) - an open standard used by identity providers and Single Sign-On (SSO) services to manage user accounts across of SaaS providers, including Poka.
   
2. Poka Cloud Accounts
   
   You can also manage user accounts directly in Poka.

• Configurable Password Policy
• Credentials are never stored in human readable format. We use a secure one-way hash algorithm with a salt

How do we assign permission to users?

Access to your Poka instance is governed by roles and access rights configured by your designated Poka Administrators.

How can I limit access to my Poka instance?

Logical firewall

You may choose to restrict access to a specific IP range so that your Poka instance is only accessible in designated physical locations and through your organization's VPN.

We also support a per user access policy that enables users to connect outside your designated physical locations. You can also restrict from which countries they are allowed to access your Poka instance using our IP Geo-location access control feature.

What information is stored on the mobile devices?

The only information stored is the structure of your organization to speed up the app. The content itself is downloaded or streamed on demand.

How do you manage vulnerabilities?

Poka's Security Team uses a combination of automated and manual vulnerability scanning and exploitation software in order to detect or confirm the presence of vulnerabilities in our SaaS infrastructure and application. Our security team is responsible for assessing, prioritizing and the remediation of confirmed vulnerabilities.

Do you perform Penetration Test on a regular basis?

Poka also mandates a third-party security firm to perform authenticated and non-authenticated penetration testing against Poka SaaS infrastructure and application. The third party penetration testing is performed annually and an attestation of completion is available upon request.

Operations Security

How do you backup our data?

Customer data is backed up every hour and replicated in near-real time at the designated secondary Amazon AWS Region. Backups are performed without impacting the availability of our customer instances of Poka. Customer data is always transmitted over a secure communication channel and encrypted at rest.

How do you ensure the availability of Poka?

Poka is architected, designed, and coded following the cloud-native principles by our team and takes full advantage of Amazon AWS infrastructure services to provide high availability transparently across multiple data centers (AWS Availability Zones).

How do you handle security incidents?

A potential security incident may include, among other things, loss of availability, unauthorized access, disclosure or alteration of data. Poka has an incident management procedure which covers the entire lifecycle of a potential incident including: Plan and Prepare, Detect and Report, Access, Respond and Post-mortem.

Poka will promptly notify the customer without undue delay in the event of any reasonably suspected or confirmed security incident affecting a customer.

Data Ownership And Control

Who owns the data we store in your service?

You maintain full ownership and control of your data uploaded or created in Poka.

Will Poka employees access our data?

In the context of providing the service, it requires that some authorized Poka personnel have access to the systems which process or store your data. However, they are prohibited from accessing your data unless it is necessary to do so. For example, in order to reproduce or diagnose a problem you are having with Poka, we may need to access your data. Poka has a Customer Data Handling policy has been developed and communicated to all personnel that governs how customers' data may be accessed and how.

What happens to our data if we cancel our subscription to Poka?

Poka makes your data accessible for retrieval at any time during the term of your subscription and for a period of 60 days after the termination of your subscription. After 60 days, Poka will disable the account and will securely delete your data.

How do we retrieve our data?

You can retrieve the data created with Poka in JSON and the data uploaded to Poka in its native format using the Poka RESTful API.

How do you ensure that all our data was deleted?

We have a procedure for the secure deletion of customer data at the termination of the subscription. A Poka system administrator will be assigned the task and will delete all customer data: database, file storage, backups, encryption keys along with your instance of Poka. We will also provide you with a data destruction report signed by the VP of Information Security who will ensure that the procedure was followed and that the data was deleted in accordance with the procedure.

Hosting Infrastructure

Where will our data be hosted?

We host Poka in Amazon Web Services (AWS) data centers (the leading Infrastructure as a Service (IaaS) cloud provider) in the United States, Canada or Germany according to your choice. AWS maintains multiple certifications and attestations for its hosting operations. For more information about their certification and compliance program, please visit the AWS Security website and the AWS Compliance website.

Privacy

Poka is committed to protecting your data including the personal information of your employees. As a result we help your organization remain and demonstrate compliance with Privacy Laws and Regulations such as GDPR. Poka follows the seven data processing principles in GDPR:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Learn More about Poka's stance on GDPR by consulting the Compliance section

SOC 2 Type II

Poka is compliant with the Service Organization Controls (SOC) 2 Type 2 from AICPA, one of the most sought after security attestations for SaaS providers.

The SOC 2 Type 2 report provides assurance that Poka's information security program and control environment are compliant with the Trust Services Criteria developed and maintained by the AICPA. The report covers the controls Poka has implemented both from an organisational and technical perspective, and includes access management, encryption, code changes and deployment, monitoring, vulnerability management, incident management, risk management, human resources management, vendor management, and more.

The report helps companies, looking to use a cloud service like Poka, to properly assess and address the associated risks.

Poka's SOC 2 Type 2 report is available under NDA to all our existing and potential customers.

Please contact Poka's Security team to request a copy: infosec@poka.io.

Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when selecting a cloud vendor.

The Security, Trust, and Assurance Registry (CSA STAR) and the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v3.0.1 provides a comprehensive set of questions that customers can use to evaluate the depth and breadth of cloud vendors' security, privacy, and compliance processes.

Poka's security team has compiled responses to all 294 questions in the questionnaire. This document is a valuable resource for understanding how Poka meets and exceeds the requirements set forth by CSA.

Download the document

Canadian Controlled Goods Program

The Controlled Goods Program (CGP) was initiated in April 2001 to further strengthen and coordinate defence trade controls with the U.S. The Controlled Goods Program is a registration and compliance program that regulates access to controlled goods and technologies, including ITAR-controlled articles, in Canada.

Since 2017, Poka is registered (CGP #20710) and complies with the requirements of the Canadian Controlled Goods Regulation and the Defence Production Act which requires conducting security assessments of personnel, preparing for inspections, developing security plans and reporting security breaches.

Please contact Poka's Security team to learn more about our compliance with CGP at infosec@poka.io. If the content of your communication is sensitive, please encrypt your email using our PGP key.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is an EU regulation which replaced the Directive 95/46/EC and is meant to overhaul existing rules and guidelines on how organisations can process personal data of EU citizens. Its goal also aims to standardize data protection laws over all of Europe. One of the main features of GDPR is the added data subject rights meant to give more power and control to European citizens over their privacy.

What is Poka’s stance on GDPR?

At Poka, we are really excited about GDPR as this regulation will further help protect the security and the privacy of individuals. That's why Poka committed itself to set in place additional controls and processes to achieve compliance with GDPR.

What Personal Information do we collect and process?

By using our services, Poka may collect and process two categories of data: Customer Data and Other Information.

• Customer Data: This category covers any Personal or non-Personal Information or data that the Customer may have submitted when interacting with our services (Poka). This category includes some types of information or data indirectly created by the Customer’s usage of our services (Poka) such as, but not limited to, application logs, support conversations, etc.
  
  It is the responsibility of the Customer to verify the legal basis for collecting and processing Personal Information through Poka’s services (Poka) and managing any data subject requests.
• Other Information: In its legitimate interests, Poka needs to collect and process some Personal Information to operate as a business. Poka may collect and process Personal Information about its users to achieve its billing, accounting and auditing activities, and may send surveys to users of the Customer and collect feedback to improve its services and offerings. This information is only used for internal activities.

Who is the Data Controller and Data Processor?

As mentioned earlier, Poka collects and processes two categories of data: Customer Data and Other Information.

For Customer Data, the Customer is the data controller, and Poka is the data processor. For Other Information, Poka is the data controller.

How long do we retain Personal Information?

• Customer Data : Poka will retain all Customer Data in accordance to the instructions of the Customer. Usually, Poka will retain all Customer Data until the termination of the data processing services between the Customer and Poka. Customer may be able to modify or delete any information directly inside the Poka service, and may ask Poka for assistance where necessary.
• Other Information: Poka will retain any Other Information as long as necessary to pursue its legitimate business interests as described above in the What Personal Information do we collect and process? section.

Do you offer assistance with GDPR?

Poka will gladly collaborate and assist each customer seeking compliance with the obligations pursuant to Articles 32 to 36 of GDPR.

How do you handle data subject requests?

With the new dispositions of GDPR, European citizens’ rights towards their personal information has been drastically enhanced and European citizens may now request the following:

• Right to be forgotten
• Right to object
• Right to rectification
• Right of portability
• Right of access

Poka manages data subject requests differently depending on the type of information:

• Customer Data: In the case where Poka receives data subject requests from an individual involving Customer Data, Poka will forward the request to the Customer, which acts as the data controller. Poka will never act without the orders of the Customer. It is the responsibility of the Customer to manage those requests. Where reasonably feasible, Poka may assist the Customer if it cannot fulfill the individual’s request independently.
• Other Information: Poka will manage data subject requests involving Other Information.

Is it possible to sign a DPA with Poka to ensure compliance with GDPR?

Yes, Poka makes available a Data Processing Addendum (DPA) for our Customers.