Data Privacy & Security at Checkstep

Trust Matters: Checkstep’s commitment to you

At Checkstep, our top priorities are performance, security, and data privacy. These principles serve as our guiding light when it comes to designing our products and implementing our policies as an organization. We firmly believe that these values should be at the core of every decision we make and every action we take as a company. That is why we consistently invest significant resources in these areas, ensuring that our solutions never compromise the integrity of your data, your users, or your application.

Product Security

Security risk assessment is an integral part of our software development life cycle.

We use frameworks such as the OWASP Top 10 as part of the risk review.

Checkstep continuously scans its code using SAST, dependency checking and infrastructure analysis service providers that report potential vulnerabilities and their fixes.

Checkstep’s engineers address issues by priority level.

The whole product is independently analysed through thorough penetration testing, performed at least once a year.

Infrastructure Security

Checkstep runs on fully managed and secure AWS infrastructure as a multi-tenant architecture.

Customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Data is only used for servicing API calls and never for any other reason.

Our analytics will only track operational metrics to measure and report on the health and performance of the system.

Roles are managed using access control lists (ACLs) for moderators, engineers and policy managers.

Incident Management

Checkstep’s Incident Management Policy outlines how to identify, investigate, repair and prevent security incidents. It also defines a clear process of what to do if there is a suspected incident.

In line with laws and regulations governing the use and access of data, Checkstep’s security team will act and make decisions as is required to properly respond to a security incident or breach.

Data protection and privacy

Defined classification levels

Checkstep has clearly defined classification levels. Confidential assets include a subcategory of Checkstep’s Confidential Information, as set out in the Data Classification Policy, which governs data and information belonging to our customers or to other organisations.

Acceptable Use Policy

The use of assets (e.g. user accounts, passwords, media, email and other communication activities) is subject to our Acceptable Use Policy.

Access control policy

Our Access Control policy provides direction to Checkstep employees about the methods of access control management and user authorisation in the information systems of the organisation.

Policies and procedures

Our HR policies and procedures cover the ways to flag and address various security issues in HR management. All Checkstep employees undergo screening, background checks and referencing.

Following best practices

Checkstep follows the industry best practices for its Software Development Lifecycle (SDLC). Checkstep has policies and procedures in place to clearly define the process of change control in our systems and services. This covers our staging environment, development implementation, operations and IT issues.

Resilience and Uptime

Checkstep is designed for uninterrupted uptime and enterprise scale, processing millions of events with no degradation of performance. Please check the status page at status.checkstep.com.
  • Where is your datacentre?

    Checkstep uses AWS as its cloud provider; the region used for storage and processing is Ireland. This means the data is kept within the EU and GDPR applies.

  • What is the retention period of the logs and temporary data?

    The retention period for logs is generally 6 months, unless a different period is specifically requested. This period complies with the regulations and gives us a wide enough window to troubleshoot any problems arising from client requests. A retention period for the processed data is not really applicable, since Checkstep doesn’t keep a copy of the processed item; we only gather metadata (IP address, time, etc.), and the same 6-month period applies to it.

  • What security controls have you implemented?

    In general, our control fabric is aligned with our policies, risk management program and industry best practices and standards. We secure access to all our systems and ensure that all access is based on the principle of least privilege.

    All employees are required to use a password manager, with a unique strong password and multi-factor authentication by default for all accounts.

    Access to our cloud infrastructure is restricted using role-based access controls, with access alerts and auditing in place. Encryption, audit logging and a password policy are also in place.

    Our infrastructure is secured using internal networks protected by segmenting them and applying strict rules for the communication between them. Access to the network configuration is restricted and only allowed on the basis of least privilege.

  • How do you secure access to the data?

    The general rule of “least privilege” is applied. As a result, only a few people have access to the infrastructure at all, and even fewer have rights to the production data. Those selected employees still have several barriers (VPN, strong password, bastion server, strong database password) to pass.
