Security

Your data protection is our priority

As a company committed to CCPA, GDPR, PIPEDA, and HIPAA compliance, we understand the critical importance of information security in today's digital landscape.

The increasing frequency and sophistication of cyber attacks highlight the necessity for businesses to prioritize security to safeguard their data and ensure the trust and confidence of their clients. By implementing industry-standard security measures and best practices, we demonstrate our unwavering commitment to the protection of sensitive information and the preservation of the integrity of our operations.

We take pride in the rigorous security protocols we have in place and are dedicated to maintaining the highest standards of security excellence.

Our Compliance Standards

ITRO adheres to international data protection and privacy regulations

PIPEDA Compliant, CCPA Compliant, GDPR Aligned, HIPAA Compliant

How has this been accomplished?

As an organization, we understand the importance of maintaining compliance with security practices and standards. That's why we utilize security and compliance best practices to ensure that we remain continuously compliant and adhere to the relevant security protocols.

We have centralized processes that assess and monitor various security controls and procedures. By integrating with our existing systems and tools, we maintain a comprehensive view of our security posture, identifying any potential issues and ensuring that we are always up to date with the latest security protocols and industry standards. This gives us the confidence that we are following industry best practices and that we are providing a secure environment for our customers and stakeholders.

What happens if something falls out of compliance?

If something were to fall out of compliance, our monitoring systems would detect the issue and alert us immediately, allowing us to address the problem and return to compliance quickly. Proactive monitoring lets us stay on top of our compliance obligations and confirm that we continue to meet the relevant security practices and standards. This gives us confidence that we are providing a secure environment for our clients and stakeholders and helps us maintain our reputation as a reliable and trustworthy organization.

Procedures & Controls

Secure Policies & Procedures

Written information security policies and procedures ensure that the company has documented and tested controls in place to protect customer data and respond to security incidents effectively.

Vulnerability & Penetration Testing

Regular vulnerability and penetration testing help to identify and address potential security weaknesses before they can be exploited by attackers. ITRO undergoes regular security assessments of our applications to identify any security vulnerabilities, allowing us to raise these issues internally and remediate them immediately. We also employ automated vulnerability scanning within our code and its dependencies.

Data Encryption

Encryption of sensitive data ensures that it cannot be accessed or read by unauthorized parties. We encrypt data in transit (TLS 1.3) and at rest (AES-256), including our databases, so customers can feel safe when using our products and services.

Multi-Factor Authentication

Multi-factor authentication helps to prevent unauthorized access to the company's systems, which can help to protect customer data from theft or tampering. We implement MFA across all critical systems and encourage our clients to enable MFA on their accounts.

Secure Development Lifecycle

All changes to our codebase are protected by a code review process: before a change can be pushed to production, it must be approved by another engineer and must pass a number of automated tests that check for security issues. This way, no bad actor, whether internal or external to ITRO, can push malicious code past our secure review process.

Monitoring

Ongoing monitoring of system access logs and network traffic helps to detect and respond to potential security incidents, reducing the likelihood of customer data being compromised. We maintain 24/7 monitoring of our infrastructure and applications.

Employee Training & Awareness

Regular training and awareness programs for employees help to ensure that they are equipped to handle customer data securely, reducing the likelihood of human error or intentional data breaches. We make it a priority that these are completed straight away for all new employees and completed annually for all existing employees.

Access Controls & Background Checks

Access controls and background checks for employees, third-party vendors and service providers help to ensure that they are trustworthy and can be relied upon to handle customer data securely. We regularly review application access and access levels for all employees to make sure they only have access to applications which are required to perform their job role.

Third-Party Audits and Assessments

Regular third-party audits and assessments provide an independent validation of the effectiveness of the company's information security controls and procedures, providing customers with confidence that their data is being handled securely.

Intrusion Detection

ITRO uses intrusion detection systems to continuously monitor our systems for threats, which may occur at any time. Recognizing early that a threat could be critical allows us to act quickly and efficiently to prevent it from causing short- or long-term issues.

Vulnerability Disclosure

At ITRO, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Out of scope vulnerabilities:

  • Clickjacking
  • Cross-Site Request Forgery (CSRF)
  • Attacks requiring MITM or physical access to a user's device
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • SPF Email spoofing
  • Missing DNSSEC, CAA, CSP headers
  • Missing Secure or HttpOnly flag on non-sensitive cookies
  • Dead links
  • Anything related to DNS or email security
  • Rate Limiting
  • XSS (Cross-Site Scripting) on non-production environments

Note: ITRO reserves the right to designate any reported vulnerability as out of scope.

What to do and what not to do

Do
  • Report vulnerabilities via email to [email protected]
  • Provide sufficient information to reproduce the problem
  • Include the IP address or URL of the affected system
  • Provide a clear description of the vulnerability
  • Allow reasonable time for us to address the issue
Don't
  • Run automated scanners on our infrastructure without permission
  • Take advantage of the vulnerability beyond what's necessary to demonstrate it
  • Download more data than necessary or delete/modify other people's data
  • Reveal the problem to others until it has been resolved
  • Use attacks on physical security, social engineering, DDoS, spam, or third-party applications

Our Promise

If you have followed the instructions above:

  • We will not take any legal action against you in regard to the report
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
  • We will keep you informed of the progress towards resolving the problem
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
  • We strive to resolve all problems as quickly as possible

Report a Security Vulnerability

If you've discovered a security vulnerability, please report it responsibly.

[email protected]

Regulatory Compliance Details

GDPR Compliance

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. ITRO complies with GDPR requirements including:

  • Lawful basis for data processing
  • Data subject rights (access, rectification, erasure)
  • Data protection by design and default
  • Breach notification procedures
  • Data processing agreements with vendors

CCPA Compliance

The California Consumer Privacy Act (CCPA) gives California residents control over their personal information. We comply with:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data selling
  • Right to non-discrimination
  • Transparent privacy notices

PIPEDA Compliance

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law. ITRO adheres to:

  • 10 fair information principles
  • Meaningful consent requirements
  • Purpose limitation and data minimization
  • Individual access and correction rights
  • Accountability and safeguards

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information. For healthcare clients, we provide:

  • Protected Health Information (PHI) safeguards
  • Business Associate Agreements (BAA)
  • Administrative, physical, and technical safeguards
  • Audit controls and integrity controls
  • Breach notification compliance

Security Questions?

If you have any questions about our security practices or compliance measures, please don't hesitate to contact us.