Security Statement
Trust and Security Statement
Companies from all over the world trust Checkstep with their data and content moderation integrations. Security, reliability and integrity are at the heart of everything we do.
Since its founding in 2020, Checkstep has been developed by engineers and scientists experienced in building secure and reliable systems at companies like J.P. Morgan, Facebook, Microsoft and Xerox. Checkstep is registered in the UK and operates throughout Europe, North America and Asia. We are a fully remote business.
Data Security
Checkstep runs on fully managed and secure AWS infrastructure as a multi-tenant architecture.
Customer data is encrypted at rest and stored in secure Linux containers only.
Data is only used for servicing API calls and never for any other reason.
Our analytics track only operational metrics, used to measure and report on the health and performance of the system.
Roles for moderators, engineers and policy managers are managed using access control lists (ACLs).
Deployments in Cloud Architectures
Enterprise-level customers have additional safeguards and security measures to ensure safe and reliable movement of data.
Enhanced security includes:
- An individual AWS account, completely isolated from other tenants, containing all the dedicated resources needed for operations.
- Network isolation.
- AWS CloudTrail for audit logging.
Contact us to find out more about enhanced enterprise features.
Security Standard – SOC 2 Type II
Checkstep is SOC 2 Type II certified. The certification is based on the COSO framework and has been audited by an external Big Four CPA firm (EY). The scope of the program includes Information Security, Availability, and Confidentiality.
Penetration & Vulnerability Testing
Checkstep routinely undertakes third-party security reviews. The findings are grouped by priority level and worked on by our in-house security team.
GDPR
Checkstep is committed to supporting customers in their GDPR compliance efforts, and has undertaken the necessary steps to be GDPR-ready. The Website Privacy Policy and Privacy Statement detail how Checkstep collects, uses, and protects information.
Data Protection
Checkstep has clearly defined data classification levels. Confidential assets include a subcategory of Checkstep’s Confidential Information that is covered by the Data Classification Policy; this policy governs data and information belonging to our customers or to other organisations.
The use of assets is subject to our Acceptable Use Policy (e.g. user accounts, passwords, media use, email and other communication activities).
Our Access Control policy provides direction to Checkstep employees about the methods of access control management and user authorisation in the information systems of the organisation.
Our HR policies and procedures cover how to flag and address security issues in HR management. All Checkstep employees undergo screening, background checks and reference checks.
Checkstep follows the industry best practices for its Software Development Lifecycle (SDLC). Checkstep has policies and procedures in place to clearly define the process of change control in our systems and services. This covers our staging environment, development implementation, operations and IT issues.
Employee Access Procedure
Checkstep conducts security checks prior to employment, during employment and at the termination of employment. Onboarding new employees includes data security training and a signed agreement to adhere to our Information Security Policy, Acceptable Use Policy and Code of Conduct. Checkstep IT grants employees only the access rights they require to perform their job.
Risk Assessment
Checkstep uses Drata, a security and compliance automation platform that continuously monitors and collects evidence of a company’s security controls, while streamlining workflows to ensure audit-readiness.
Checkstep conducts a thorough risk assessment annually. We use it to identify, assess and manage risks that may affect our business operations.
Our risk assessment procedure includes detecting, evaluating and reducing risks through continual observation, data analysis and other risk assessment (RA) procedures built into our day-to-day operations and our regular management, compliance and administrative activities.
Action points from the risk assessments are tracked by the CEO and conveyed to relevant departments and personnel.
Incident Management
Checkstep’s Incident Management Policy outlines how to identify, investigate, remediate and prevent security incidents. It also defines a clear process for handling a suspected incident. In line with the laws and regulations governing the use of and access to data, Checkstep’s security team will act and make decisions as required to properly respond to a security incident or breach.
Our security team includes our CEO, CTO and Head of Engineering. Whenever a security incident (electronic or physical) is suspected or confirmed, all parties are expected to follow the appropriate policies and procedures and adhere to the instructions provided to them by the security team.
Auditing
Checkstep collects production environment audit logs from various locations such as Kubernetes, cloud storage and networking. Some of these logs are analysed automatically (e.g. AWS GuardDuty), while others are reviewed manually.
Internal Vulnerability Scanning: Checkstep performs continuous scans of its code using a service provider that reports potential vulnerabilities and suggested fixes. Checkstep’s engineers address issues by priority level.
External Vulnerability Scanning: At least once every three months, Checkstep uses a service to scan our production environments for network vulnerabilities.
Threat Detection: Checkstep’s audit logs are examined and archived.
Questions
Feel free to reach out if you need more information about Checkstep’s security.