
Matter Security & Compliance Procedures

GENERAL INFORMATION


The Matter product is built on a fully serverless architecture to give our clients high elasticity, performance, and security.

COMPLIANCE

Third Party Audits

An external third party conducts vulnerability scans and periodic penetration tests against our applications and networks.

Information System Regulatory Mapping

In the shared-tenancy SaaS model, customer data is segmented by tenant ID, so that each record can be accessed only by the tenant that owns it. A tenant cannot access another tenant's data, even inadvertently.

In the isolated-tenancy SaaS model, customer data is isolated entirely in a dedicated account.
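The following is an added illustration of what tenant-ID segmentation looks like in a shared-tenancy data layer; it is example code, not Matter's implementation. It assumes a Principal whose tenant ID comes from the verified session rather than from the request, a composite storage key that leads with the tenant (the same idea as using the tenant ID as a partition key), and constructed sample records for two tenants. The check a reviewer looks for is that no code path accepts a caller-supplied tenant ID.

```python
# Added example: tenant-ID segmentation in a shared-tenancy data layer.
# Illustrative code, not Matter's implementation. The Principal type, the
# composite key layout and the sample records are assumptions for the demo.
from dataclasses import dataclass


class TenantAccessError(PermissionError):
    """A request tried to read or write data outside the caller's tenant."""


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. tenant_id is taken from the verified
    session or token, never from the request body or query string."""
    user_id: str
    tenant_id: str


def record_key(tenant_id: str, record_id: str) -> str:
    """Composite storage key with the tenant as the leading component, so
    every lookup is scoped to one tenant by construction."""
    return f"TENANT#{tenant_id}#REC#{record_id}"


class TenantScopedStore:
    """Every operation takes the Principal, derives the tenant from it and
    builds the storage key itself; there is no API that reads by a
    caller-supplied tenant."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def put(self, who: Principal, record_id: str, fields: dict) -> dict:
        # A tenant_id in the payload is never trusted: reject it if it
        # disagrees with the authenticated tenant, and stamp the row with
        # the authenticated tenant regardless.
        if fields.get("tenant_id", who.tenant_id) != who.tenant_id:
            raise TenantAccessError("tenant_id in payload does not match caller")
        row = {**fields, "tenant_id": who.tenant_id, "record_id": record_id}
        self._rows[record_key(who.tenant_id, record_id)] = row
        return row

    def get(self, who: Principal, record_id: str) -> dict:
        # The key is built from the caller's tenant, so a record owned by
        # another tenant is simply absent. "Not found" is returned in both
        # cases so the error does not reveal whether the ID exists elsewhere.
        row = self._rows.get(record_key(who.tenant_id, record_id))
        if row is None:
            raise TenantAccessError(f"record {record_id!r} not found for tenant {who.tenant_id!r}")
        return row

    def list_for(self, who: Principal) -> list[dict]:
        # Listing is a prefix scan on the tenant component of the key.
        prefix = record_key(who.tenant_id, "")
        return [r for k, r in self._rows.items() if k.startswith(prefix)]


def build_sample_store() -> TenantScopedStore:
    """Constructed sample data for two tenants (not real customer data)."""
    store = TenantScopedStore()
    acme = Principal(user_id="u1", tenant_id="acme")
    globex = Principal(user_id="u9", tenant_id="globex")
    store.put(acme, "inv-1001", {"amount": 120})
    store.put(acme, "inv-1002", {"amount": 75})
    store.put(globex, "inv-2001", {"amount": 999})
    return store


def cross_tenant_read_refused(store: TenantScopedStore) -> bool:
    """True if an acme user cannot read globex's record even knowing its ID."""
    acme = Principal(user_id="u1", tenant_id="acme")
    try:
        store.get(acme, "inv-2001")
    except TenantAccessError:
        return True
    return False


if __name__ == "__main__":
    s = build_sample_store()
    print(len(s.list_for(Principal("u1", "acme"))))  # 2
    print(cross_tenant_read_refused(s))               # True
```

Keying rows by (tenant, record) rather than filtering a global table after the fact means a cross-tenant read cannot even be expressed, which is a stronger guarantee than a WHERE clause that a later code change might forget.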

DATA GOVERNANCE

Non-Production Data

Production data is never replicated to, or used in, lower environments such as development or testing.

Data Security Classification

( ) Not Classified ( X ) Confidential ( ) PII ( ) Sensitive PII ( ) Highly Restricted

Data Retention Policy

If a customer unsubscribes from the Matter shared-tenant SaaS offering, customer data is retained in case the customer wishes to re-subscribe at a later date. Customers can have their data deleted on request through Matter support.

Customer data associated with the single-tenant (isolated tenancy) SaaS offering is deleted 30 days after unsubscription.

INFORMATION SECURITY

Policy

We base our information security and privacy policies on industry standards such as CIS, ISO and CSA, and we map our controls, architecture and processes to the applicable regulations and standards.

We continuously monitor and report the compliance of our infrastructure against our information security baselines.

Policy Enforcement

We have a strict policy in place that requires employees to comply with security policies and procedures.

User Access Policy

We have controls in place to ensure the timely removal of system access that is no longer required for business purposes. Access to production environments is obtained by assuming a role; the resulting credentials expire after one hour.

User Access Restriction/Authorization

We have documented procedures on how we grant and approve access to tenant data.

User Access Revocation

We perform timely de-provisioning, revocation or modification of user access to the organization's systems, information assets and data upon any change in the status of employees, contractors, customers, business partners or third parties.

Industry Knowledge/Benchmarking

We participate in industry groups and professional associations related to information security and we benchmark our security controls against industry standards.

Roles and Responsibilities

We provide tenants with a role definition document clarifying our administrative responsibilities vs. those of the tenant.

User Responsibility

We inform our users of their responsibility to maintain awareness of, and compliance with, published security policies, procedures, standards and applicable regulatory requirements.

We inform our users of their responsibility to maintain a safe and secure working environment.

Encryption

Client data is encrypted at rest and in transit. In transit, HTTPS (TLS) protects both client access to the Matter site and all communication between internal services.

File uploads and downloads through the Matter client are further protected: access to each file is restricted, and that access expires after a period of time.

Vulnerability/Patch Management

We conduct network-layer and application-layer vulnerability scans at the frequency prescribed by industry best practice.

Incident Management

We have a documented security incident response plan with clear roles and responsibilities and SLAs. We can integrate customer tenant requirements into our security incident response plan.

Audit Tools Access

All access to systems is recorded, with logs centralized in a dedicated security account.

Source Code Access Restriction

All Matter source code is kept in private GitHub repositories. Access to these repositories is strictly controlled, and the list of authorized users is reviewed frequently.

RESILIENCY

Management Program

We have business continuity policies, processes and procedures in place to minimize the impact of a realized risk event and to communicate properly with tenants.

Business Continuity Testing

Our business continuity plan is subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Availability Required (In terms of hours of operation and % uptime)

99.9%

SECURITY ARCHITECTURE

User ID Credentials

We support use of or integration with existing customer-based Single Sign On (SSO) solutions for the shared tenancy SaaS solution.

Data Security/Integrity

Our data security architecture is designed according to several industry standards, such as CIS, the CSA Trusted Cloud Architectural Standard, FedRAMP and PCI.

Application Security

We apply industry standards to build security into our application.

Audit Logging

All access is logged, and the logs are forwarded to a central security account.