
Information on Trust and Security

Training and Awareness

We believe that well-trained personnel are a key part of maintaining security. We regularly conduct training and tests with our staff. The training and awareness program is the main tool for communicating responsibilities to our team, in accordance with our internal information security policies and procedures.

During the onboarding process, new team members undergo security awareness training and sign a strict confidentiality agreement.

Our association conducts thorough background checks before hiring. Software developers are trained on how to apply all aspects of the system development methodology securely and effectively.

Information Security Mission

We care about our customers and their convenience when using Sajda. We build our product so that users can focus as much as possible on implementing their workflows. Everything else will be taken care of by our team.

Our association takes data security very seriously and is committed to handling it responsibly and in compliance with applicable information security standards and global data privacy laws.

Application Security

We set high standards for the secure development of Sajda, implementing necessary security controls and conducting regular security risk assessments. The program development methodology is established and based on best practices in system development and project management.

Sajda includes proactive security controls that help avoid threats to desktop/mobile applications and web infrastructure.

We place great importance on testing Sajda components. Sajda tests include the use of static code analysis techniques during the development and testing phases. Development, testing, and staging environments are isolated from production environments and from each other.

For additional control and better user management processes, we provide user authentication via Single Sign-On (SSO). Currently, we support LDAP and OAuth (Google Workspace, formerly G Suite) and are working on implementing SAML.

Access Control

We implement access control mechanisms at every layer of the stack, dividing our infrastructure by zones, environments, and services. We have implemented strict access controls at the following levels:

  • Physical access
  • Network access
  • Data center infrastructure access
  • Operating system access
  • Application access

Authentication is provided only via enhanced password protection (in accordance with the password policy) and multi-factor authentication (if applicable). Access (corresponding to administrative responsibilities) to confidential business data, the application, and the association network is granted on a “need to know” basis. Our team continuously monitors access to all data processing and information systems and verifies compliance with access policies.

Physical access to our data centers and facilities is limited to authorized personnel only.

Network access to the association’s internal network is granted using a VPN. Access control to Sajda’s cloud infrastructure is ensured by virtual private cloud (VPC) routing and certificate-based encrypted connections.

Reliability Policy

We value and respect our customers’ time and care about the accessibility of our application. Sajda is hosted at Cloudflare, which offers a high level of scalability and fault tolerance. The application, data, and backup data are replicated and stored in multiple data centers within Cloudflare regions. Customers’ personal data is processed in accordance with our privacy policy and global data privacy regulations.

Risk Management

The association’s information security program is based on a risk-based approach. The risk management process is implemented in all information systems and business processes. Our association’s risk management objectives are as follows:

Our team performs threat modeling for Sajda to identify and prioritize potential security threats. This information is taken into account in the application design process as well as in subsequent development phases. All key members of the development team are involved in the objective threat modeling process.

Antivirus Policy

Our association has implemented the necessary protection against “malicious code” (computer viruses, malware) that is designed to exploit vulnerabilities, harm the performance of the IT environment, and/or obtain confidential business data stored on laptops, workstations, and data center servers.

Network Security Policy

When deploying and maintaining network security, we follow the requirements and recommendations of information security best practices and the standards of our providers. We regularly analyze our network infrastructure, both in our facilities and in Cloudflare, and reconfigure it in response to new threats and potential risks.

Our network security controls include various protective measures:

  • network segmentation
  • firewall with configuration rules
  • encrypted protocols

These network security controls allow us to deal effectively with “internal” and “external” threats to the application infrastructure.

Vulnerability / Patch Management

Our IT team takes steps to collect information about vulnerabilities across all systems and keep all systems up-to-date with software updates and patches provided by the vendor. Our vulnerability / patch management includes 5 steps:

  1. Governance – maintaining a vulnerability / patch management structure.
  2. Coverage – ensuring that appropriate system components comply with the vulnerability / patch management policy.
  3. Inspection – using automated and/or manual techniques designed to identify vulnerabilities / patches associated with specific system components of the association.
  4. Reporting – defining, collecting, and reporting vulnerability / patch implementation information to facilitate correction in accordance with the company’s strategy and organizational objectives.
  5. Handling – correcting or enhancing systems to prevent, minimize, or mitigate negative impacts on the system.

Would you like more information?

Contact us by phone, Instagram, or email.