CHEQ Security Posture
Introduction
At CHEQ, we are committed to protecting the privacy and security of our users’ and customers’ data. This document outlines our security and privacy posture, as well as the measures we take to ensure the confidentiality, integrity, and availability of our users’ and customers’ data.
Information Security Program
At cheq.ai, we take information security seriously and strive to ensure the highest level of protection for your personal data. Our Information Security Program follows industry best practices, policies, and procedures to guard against unauthorized access and protect your information.
To maintain the integrity of our security program, we conduct regular reviews and enhancements to comply with the latest industry standards and regulations. Additionally, we utilize a range of security controls, including:
- Endpoint detection and response (XDR) for endpoint users
- Mobile Device Management (MDM)
- Cloud security posture management (CSPM) and cloud workload protection (CWP) for cloud security
- Vulnerability monitoring (OWASP Top 10, SAST, DAST, IaC)
- Vendor risk management platforms
- Data loss prevention (DLP) tools
- Web application firewall (WAF)
- Log management
- Cyber intelligence and threat detection tools for proactive security
- Security information and event management (SIEM) for log monitoring
Moreover, we operate 24/7 automated security monitoring and alerting across endpoints, cloud workloads, and applications, with response by our InfoSec and DevOps teams, supported by a managed security partner.
Our comprehensive security measures ensure that we can safeguard against potential security threats and keep your data safe.
We are committed to maintaining the highest level of information security and protecting your data. If you have any questions or concerns about our Information Security Program, please don’t hesitate to reach out to us at: infosec@cheq.ai.
Network Security
We use firewalls, intrusion detection and prevention systems, and other network security measures to protect our systems from unauthorized access and attacks. We regularly monitor our network for anomalies and suspicious activity and have a response plan in place to address any potential security incidents.
System Security
We follow industry-standard security best practices to secure our systems and infrastructure. This includes regular patching and updates, vulnerability scanning and remediation, and system hardening. We also use endpoint protection and other security tools to protect our systems from malware and other threats.
Security Operations
We have a dedicated security operations team that is responsible for monitoring and responding to security incidents. Our security operations team uses industry-standard tools and techniques to detect and respond to potential threats and works closely with other teams to ensure a coordinated response.
Access Controls
We use RBAC, MFA, SSO, and other access control measures to ensure that only authorized personnel have access to our systems and data. We regularly review and update our access control policies to ensure their effectiveness, and we conduct user access reviews across all company applications, systems, and tools. We also use VPNs, a Zero Trust approach, and other security measures to secure remote access. Access is granted on a least-privilege basis and recertified at least semi-annually. Privileged access requires multi-factor authentication and is logged and reviewed.
Security & Privacy Risk Management
We prioritize the security and privacy of our customers through comprehensive risk management practices. Our security and privacy risk management approach encompasses a multi-layered strategy to ensure a robust security posture. We conduct thorough risk assessments to identify potential vulnerabilities and threats, allowing us to implement appropriate safeguards and controls. By leveraging industry best practices and adhering to international standards such as ISO 27001 and ISO 27701, we maintain a secure and compliant environment. Our dedicated team continually monitors and analyzes emerging security risks and privacy concerns to proactively address them. We are committed to maintaining the confidentiality, integrity, and availability of customer data, providing peace of mind and trust in our services.
Penetration Testing
We regularly conduct penetration testing and vulnerability assessments to identify potential security vulnerabilities in our systems and infrastructure. We work with third-party security experts to conduct these tests and use the results to improve our security posture. Penetration tests are conducted at least annually by an independent third-party security vendor and cover both the application and infrastructure layers; findings are tracked to remediation under risk-based service-level objectives.
Logging
We maintain detailed logs of system activity to enable rapid detection of potential security incidents and to support investigation of any issues. Our logs are protected, stored securely, and regularly reviewed to ensure their effectiveness. Our logging system includes appropriate access controls and audit trails to ensure the integrity of our logs.
Application-Level Security
We implement a security-oriented design in multiple layers, one of which is the application layer. The CHEQ application is developed according to the OWASP Top 10 framework and all code is peer-reviewed prior to deployment to production.
Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, and unit testing (including tests that cover authorization logic), among other checks. CHEQ developers go through periodic security training to keep them up-to-date with secure development best practices.
We also use web application firewalls and other security measures such as Cloud Security Posture Management (CSPM) to protect our applications and APIs from attacks.
Cyber Intelligence and Threat Detection
We employ cutting-edge cyber intelligence and threat detection tools to bolster our proactive security measures. Our advanced technologies continuously monitor networks, systems, and applications, identifying and mitigating potential threats in real-time. By leveraging machine learning and artificial intelligence, we can swiftly detect and respond to emerging threats, ensuring a robust security posture. Our comprehensive approach to cyber intelligence and threat detection enables us to stay one step ahead, safeguarding our customers’ valuable data and ensuring a secure environment.
Data Protection, Continuity, and Retention
We follow industry-standard best practices to protect our users’ data. This includes data encryption at rest and in transit, regular backups, and disaster recovery and business continuity plans. We also have retention policies in place to ensure that data is retained for only as long as necessary. Retention periods are defined in our Data Processing Agreement and Privacy Policy. Upon contract termination or verified customer request, customer data is deleted or anonymized within the timeframe stated in the DPA: https://cheq.ai/data-processing-agreement/.
Internal IT Security
We follow industry-standard best practices to ensure the security of our internal systems and infrastructure. This includes regular patching and updates, endpoint protection, Mobile Device Management (MDM), and other security measures to protect against potential threats.
Change Management
We follow a rigorous change management process to ensure that changes to our systems and infrastructure are properly tested and validated before being implemented in production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Vulnerability Management
Our vulnerability management program promptly detects and resolves security vulnerabilities using industry best practices, including regular scanning and testing aligned with OWASP and NIST standards. Our testing covers both application and infrastructure with a combination of manual and automatic tools. We prioritize high-risk vulnerabilities and conduct retesting after fixing them. Our aim is to continuously improve and stay current with the latest practices to provide top-notch security for our customers.
Encryption
We use encryption to protect data at rest and in transit. Data in transit is encrypted using TLS 1.2 or higher with industry-standard cipher suites, and certificates issued through our PKI (signed using SHA-256 with RSA). Data at rest, including customer data, backups, and other stored data, is encrypted using industry-standard algorithms (AES-256) with keys managed by cloud-provider key management services.
High Availability
We use multiple AWS and Azure regions and redundant systems to ensure high availability and minimize downtime. Our systems are designed to be highly available so that our users can access our services and their data when they need them. This includes using redundant hardware and networks, and implementing appropriate failover and disaster recovery measures.
Security Incident Management
We have a security incident management process in place to ensure that potential security incidents are identified, contained, and remediated in a timely manner. Our security incident management process includes a defined response plan, communication protocols, and regular training for our security operations team. CHEQ aims to acknowledge confirmed cybersecurity incidents within 48 hours and to notify affected customers and authorities without undue delay, in line with contractual commitments and applicable regulatory obligations, including the timelines set out in GDPR Article 33.
Resilience and Service Continuity
We have a disaster recovery and business continuity plan in place to ensure that our service remains available in the event of a major disruption. This includes regular testing of our disaster recovery plan and backup systems, and a process for prioritizing and restoring critical systems during an outage.
Backups and Recovery
We maintain regular backups of our systems and data to ensure that we can quickly recover from a major disruption. Our backup systems are securely stored and regularly tested to ensure their effectiveness. Backups are encrypted at rest, retained across geographically separated locations, and monitored for failure, and restoration is tested periodically to validate recoverability.
Monitoring and Resilience
We have implemented appropriate 24/7 monitoring and resilience measures to ensure that our systems and services are functioning properly and that potential disruptions are promptly identified and remediated. This includes implementing appropriate monitoring and alerting tools and techniques, and regularly testing our resilience measures.
Password Controls
We follow industry-standard password policies to ensure the security of our users’ accounts. This includes requiring strong passwords, multi-factor authentication (MFA), single sign-on (SSO), monitoring for compromised credentials, account lockout after repeated failed attempts, and other password protection measures.
Security Organization and Program
We have a dedicated security team responsible for ensuring the ongoing security and compliance of our systems and services. Our security team works closely with other teams to ensure a coordinated response to potential threats, and regularly reviews and updates our security program to address new risks and vulnerabilities and strengthen our security posture.
Confidentiality
We maintain strict confidentiality controls to protect our users’ data and other sensitive information. This includes restricting access to sensitive information, using encryption and other security measures to protect data in transit and at rest, and following appropriate retention and deletion policies.
People Security
We conduct regular security awareness training for our employees to ensure that they understand and follow our security policies and procedures. All employees and contractors complete security and privacy awareness training annually, and developers undergo dedicated secure coding training annually. Pre-employment background checks are performed where legally permitted, and all personnel are bound by confidentiality obligations and CHEQ’s Code of Conduct.
Third-Party Vendor Management
We have a vendor management program in place to ensure that third-party vendors that have access to our systems and data follow appropriate security and privacy controls. We conduct regular security assessments and due diligence on our vendors to ensure their security posture. This includes implementing appropriate vendor security assessments, contracts, and controls, and regularly reviewing and updating our third-party vendor management policies and procedures. Critical vendors are evaluated against independent assurance evidence (such as ISO 27001 certificates and SOC 2 reports) at onboarding and at least annually thereafter. Data Processing Agreements and security addenda are executed where personal data is processed. CHEQ’s current Sub-Processors list is published on our website.
Security & Privacy by Design
We follow a security and privacy-by-design approach to ensure that security and privacy are built into our systems and infrastructure from the ground up. This includes using industry-standard security and privacy frameworks, conducting regular security and privacy reviews, following secure coding practices and secure development methodologies, implementing appropriate security controls and application security testing, applying policies at every stage of the development lifecycle, and regularly reviewing and updating our security and privacy-by-design practices and procedures.
Staged Releases
We follow a staged release process to ensure that new features and updates are properly tested and validated before being released to production. This minimizes the risk of introducing security vulnerabilities or other issues into our systems.
Architecture and Data Segregation
We use a multi-layered security architecture and data segregation techniques to ensure that our users’ data is appropriately segmented and isolated. This includes using appropriate network and data segmentation techniques and implementing appropriate access control measures.
Physical Security
We follow industry-standard physical security measures to ensure the security of our facilities. This includes using access controls, surveillance, and other measures to prevent unauthorized access and protect our systems and assets.
AI Security
CHEQ applies security-by-design principles to the development, deployment, and operation of AI and machine learning capabilities within its products. Our AI security controls are designed to protect customer data, prevent misuse, and maintain the integrity, reliability, and resilience of AI-driven detection capabilities.
CHEQ does not use customer data to train general-purpose AI models unless expressly agreed with the customer. Access to AI systems, datasets, model outputs, and supporting infrastructure is restricted based on least-privilege principles and monitored through CHEQ’s security controls.
AI-related risks, including data leakage, model manipulation, adversarial abuse, prompt injection, unauthorized access, and inappropriate model outputs, are assessed as part of CHEQ’s broader security and privacy risk management program. Where applicable, AI systems are subject to secure development practices, testing, monitoring, human oversight, and periodic review.
CHEQ’s AI governance and security practices are aligned with industry-recognized frameworks, including ISO/IEC 42001, and are continuously reviewed as AI security threats, regulatory expectations, and customer requirements evolve.
SOC 2 Type 2
CHEQ maintains a SOC 2 Type 2 attestation covering the Trust Services Criteria for Security, Availability, Confidentiality, and Privacy, examined by an independent third-party auditor.
ISO 27001 (ISMS)
We are certified to ISO 27001, a globally recognized standard for information security management systems (ISMS). Our ISO 27001 certification demonstrates our commitment to maintaining the highest levels of security and compliance.
ISO 27701 (PIMS)
We are certified to ISO 27701, an internationally recognized standard for privacy information management systems (PIMS). This certification ensures that we have implemented robust privacy controls, comply with relevant privacy laws, and prioritize the security of personal information. Our ISO 27701 certification reaffirms our dedication to maintaining the highest standards of privacy management for our valued customers.
ISO 42001 (AIMS)
CHEQ is ISO/IEC 42001 certified, an international standard for AI Management Systems (AIMS). This certification reflects our commitment to the responsible development, deployment, and oversight of artificial intelligence and machine learning within our products. Our AIMS governs AI risk management, data quality, bias and fairness considerations, human oversight, transparency, and continuous improvement of our AI-driven detection capabilities, helping us deliver trustworthy AI to our customers.
GDPR Ready
We comply with the EU’s General Data Protection Regulation (GDPR) to ensure that our users’ personal data is processed lawfully, fairly, and transparently. We have implemented appropriate technical and organizational measures to protect our users’ data and to facilitate data subject rights.
CCPA Ready
We also comply with the California Consumer Privacy Act (CCPA) to ensure that our users’ personal data is protected and that they have control over their data. We have implemented appropriate privacy controls and policies to comply with the CCPA.
CSA STAR Level 1 – Self-Assessment
CHEQ maintains a Cloud Security Alliance Security, Trust, Assurance and Risk (CSA STAR) Level 1 self-assessment. This reflects CHEQ’s completion and publication of the CSA CAIQ questionnaire, aligned with the Cloud Controls Matrix (CCM), to provide customers with transparency into CHEQ’s cloud security and privacy controls. STAR Level 1 is a self-assessment designation and does not constitute a third-party certification or attestation. CHEQ continues to evaluate opportunities to enhance its CSA STAR assurance level as part of its ongoing security and compliance roadmap.