Security Policy
DataPress is committed to maintaining the security and privacy of our customers' data. This Security Policy outlines the measures we have in place to protect our systems and data from unauthorized access, use, or disclosure. We regularly review and update our security measures to ensure that they are aligned with industry standards and best practices.
1. Introduction
1.1 Purpose of the Policy
The purpose of this Security Policy is to establish guidelines and procedures for the protection of information assets and resources within Updatabot, with particular emphasis on protecting customer data repositories and automated data processing operations. This policy outlines the security standards that must be followed by all employees, contractors, and third-party vendors who access or handle information assets, and it serves as the foundation for all other security-related policies and procedures.
The policy's primary objective is to protect the confidentiality, integrity, and availability of information assets, including but not limited to, customer data repositories, processing scripts, automated workflows, and business intellectual property.
1.2 Scope of the Policy
This Security Policy applies to all employees, contractors, and third-party vendors who access or handle information assets owned, maintained, or operated by DataPress Ltd. It applies to all information, regardless of whether it is stored electronically or in paper format.
This policy covers all systems and networks owned or operated by DataPress Ltd., including but not limited to:
- Data processing infrastructure
- Repository storage systems
- Automation and workflow systems
- Version control systems
- Access control systems
- Development and testing environments
- Cloud services and infrastructure
1.3 Policy Owner
The policy owner is the Chief Information Officer (CIO) at DataPress Ltd. The CIO is responsible for the creation, maintenance, and enforcement of this Security Policy. All questions regarding this policy should be directed to the CIO or their designated representative.
2. Security Standards
2.1 Snyk for Code Scanning
DataPress will use Snyk to scan all deployed code commits for vulnerabilities, including:
- Core platform code
- Data processing scripts
- Reference Tools
- Customer-uploaded processing scripts (when executed in our environment)
We will prioritize and work to resolve issues ranked Critical, High or Medium by Snyk. Snyk scans will be performed on a regular basis as part of our Secure Software Development Lifecycle.
2.2 Burp Suite for API Scanning
DataPress will use Burp Suite to perform automated vulnerability scans of our API surface. These scans will be performed on a periodic basis to identify vulnerabilities in our API, with particular attention to:
- Data ingestion endpoints
- Processing script execution endpoints
- Repository management endpoints
- Authentication and authorization endpoints
2.3 Vulnerability Management
DataPress maintains a documented process for managing vulnerabilities that includes:
- Automated vulnerability scanning of code and dependencies
- Regular security testing of data processing environments
- Monitoring of processing script execution
- Analysis of repository access patterns
- Tracking and mitigation of identified vulnerabilities
Vulnerabilities will be assigned a severity level based on the Common Vulnerability Scoring System (CVSS) and prioritized accordingly.
2.4 Data Encryption and Access Control
DataPress implements comprehensive data security measures including:
- Industry-standard encryption for data in transit and at rest
- Secure storage of customer repositories
- Isolated execution environments for data processing
- Role-based access control (RBAC) for repositories
- Multi-factor authentication for sensitive operations
- Audit logging of all data access and processing activities
2.5 Secure Software Development Lifecycle
DataPress follows a Secure Software Development Lifecycle (SSDLC) that includes:
- Secure coding practices for data processing
- Regular code reviews of platform components
- Security testing of processing environments
- Vulnerability scanning of dependencies
- Automated security testing in CI/CD pipelines
2.6 Security Awareness and Training
DataPress provides comprehensive security training including:
- General security awareness
- Secure coding practices
- Data protection requirements
- Safe handling of customer repositories
- Incident response procedures
- Regular security assessments
3. Roles and Responsibilities
3.1 Management
The management team is responsible for ensuring that security policies and procedures are developed, implemented, and maintained effectively. They will also ensure that all employees and contractors are trained in security awareness and follow security policies and procedures.
3.2 Development and Operations Teams
The development and operations teams are responsible for implementing security measures within the systems they develop and maintain. This includes adhering to secure coding practices, performing security testing, and responding to security incidents. They will work closely with the management team to ensure that security policies and procedures are being followed and that any security risks are identified and addressed promptly.
3.3 Employees
All employees have a responsibility to follow security policies and procedures, report any security incidents, and participate in security awareness training. They should also report any security vulnerabilities or concerns to the appropriate personnel.
DataPress personnel who violate this Security Policy or related procedures may be subject to disciplinary action, up to and including termination of employment or contract.
4. Compliance
4.1 Legal and Regulatory Requirements
DataPress is committed to complying with all relevant legal and regulatory requirements related to information security and data protection. This includes, but is not limited to, GDPR, CCPA, and any other applicable data protection laws and regulations.
DataPress will regularly monitor changes to relevant laws and regulations to ensure that our security practices are always in compliance with the latest requirements.
4.2 Audit and Assessment
DataPress will regularly review and assess the effectiveness of our security policies and practices to ensure compliance with applicable laws and regulations, industry best practices, and any other relevant standards.
External audits and assessments may be conducted periodically to validate DataPress's compliance with applicable laws and regulations, and to ensure that our security practices are effective and up-to-date.
Any identified vulnerabilities or weaknesses in our security practices will be promptly addressed and remediated to ensure ongoing compliance with legal and regulatory requirements.
5. Policy Review and Modification
5.1 Policy Review
This Security Policy will be reviewed on an annual basis, or more frequently if necessary, to ensure that it remains up-to-date and relevant to the needs of the business. Any changes to the policy will be communicated to all employees and contractors.
5.2 Policy Modification
Any modifications to this Security Policy will be made by the Policy Owner in consultation with the relevant stakeholders. The modified policy will be reviewed and approved by management before being communicated to all employees and contractors.
6. Contact Information
6.1 Reporting Security Incidents
All security incidents or suspected incidents related to DataPress systems or data must be reported immediately. Incidents can be reported to the DataPress Security Team by sending an email to [email protected]. Employees must cooperate with the Security Team during the investigation of a security incident.
6.2 Contact Information
If you have any questions, comments, or concerns about this security policy, please contact us at [email protected] or write to us at:
DataPress Ltd.
Suite 111
94 London Road
Oxford, UK
OX3 9FN
Any inquiries regarding security or privacy should also be directed to this address.