GENERAL INFORMATION
The Matter product is 100% serverless architecture to achieve high elasticity, performance, and security for our clients.
COMPLIANCE
Third Party Audits
We have an external third-party conduct vulnerability scans and periodic penetration tests on our applications and networks.
Information System Regulatory Mapping
In the shared tenancy SaaS model, customer data is segmented based on tenant ID, such that data can only be accessed by the tenant who owns it. Tenants are not able to inadvertently access another tenant’s data.
In the isolated tenancy SaaS model, customer data is isolated entirely in its own account.
DATA GOVERNANCE
Non-Production Data
Production data will never be replicated or used in lower environments such as development or testing environments.
Data Security Classification
( ) Not Classified ( X ) Confidential ( ) PII ( ) Sensitive PII ( ) Highly Restricted
Data Retention Policy
If a customer unsubscribes from the Matter shared-tenant SaaS offering, client data will be maintained in the case the customer wishes to re-subscribe at a later date. Customer data can be deleted by request through Matter support.
Customer data associated with the single-tenant SaaS offering will be deleted after 30 days.
INFORMATION SECURITY
Policy
We follow industry standards (such as CIS, ISO, CSA, etc.) for our information security and privacy policies. We diligently map our controls, architecture and processes to regulations and/or standards.
We have the capability to continuously monitor and report the compliance of our infrastructure against our information security baselines.
Policy Enforcement
We have a strict policy established for employees to avoid a violation of security policies and procedures.
User Access Policy
We have controls in place ensuring timely removal of systems access which is no longer required for business purposes. Access to production environments is done via assumed role with access expiring after one hour.
User Access Restriction/Authorization
We have documented procedures on how we grant and approve access to tenant data.
User Access Revocation
We perform timely de-provisioning, revocation or modification of user access to the organizations systems, information assets and data implemented upon any change in status of employees, contractors, customers, business partners or third parties.
Industry Knowledge/Benchmarking
We participate in industry groups and professional associations related to information security and we benchmark our security controls against industry standards.
Roles and Responsibilities
We provide tenants with a role definition document clarifying our administrative responsibilities vs. those of the tenant.
User Responsibility
We inform our users of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements.
We inform our users of their responsibilities for maintaining a safe and secure working environment.
Encryption
Client data is encrypted at rest. Client data is encrypted in transit through HTTPS, both when accessing the Matter site, and with all communications between internal services.
File uploads and downloads through the Matter client are further protected to restrict access and expire access after a period of time.
Vulnerability/Patch Management
We conduct network-layer and application-layer vulnerability scans as prescribed by industry best practices.
Incident Management
We have a documented security incident response plan with clear roles and responsibilities and SLAs. We can integrate customer tenant requirements into our security incident response plan.
Audit Tools Access
All access to systems is recorded with logs centralized in a security account.
Source Code Access Restriction
All source code for Matter is kept securely within private GitHub repos is strictly controlled, with allowed users frequently monitored.
RESILIENCY
Management Program
We have policies, process and procedures in place, defining business continuity to minimize the impact of a realized risk event and properly communicate to tenants.
Business Continuity Testing
Our business continuity plan is subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.
Availability Required (In terms of hours of operation and % uptime)
99.9%
SECURITY ARCHITECTURE
User ID Credentials
We support use of or integration with existing customer-based Single Sign On (SSO) solutions for the shared tenancy SaaS solution.
Data Security/Integrity
Our Data Security Architecture is designed using several industry standards such as CIS, CSA Trusted Cloud Architectural Standard, FedRAMP, PCI, etc.
Application Security
We utilize industry standards to build in security of our application.
Audit Logging
All access is logged with logs being sent to a central security account.