Organisational security

This section describes the security practices, procedures and standards of Prokuria as an organisation.


Information Security Policies


  • Does Prokuria have a set of comprehensive policies regarding Information Security?
    Yes.


  • Are Information Security Policies reviewed periodically and, if so, how often?
    Yes, Prokuria's Information Security Policies are reviewed yearly.


  • Are these policies aligned with any international standards (e.g., ISO 27001)?
    Yes, our policies are aligned with ISO 27001.


  • Does Prokuria have a Password Management Policy?
    Yes. Our password management standard requires the use of strong passwords, periodic password changes, never storing passwords in clear text, and restricts the sharing of access and/or passwords.


  • What happens when Prokuria discards or sells a device?
    We keep an inventory of all our devices, including the asset owner responsible for each device and the department associated with it.
    We have processes in place to permanently remove any sensitive data prior to the disposal of devices with data storage capabilities (e.g. wiping drives of sensitive information before disposal).




  • Are Prokuria's employees allowed to work remotely? What security measures are in place to enable remote access in a secure way?
    Access is permitted via VPN, on approved company devices only. 


  • Does Prokuria perform employee history and/or a background checks on employees and contractors?
    We conduct background checks directly for every employee and contractor.


  • Are employees trained on security awareness? How often?
    All our employees and long-term contractors undergo security training with yearly renewal.


  • What happens when Prokuria terminates a contract with an employee or a long-time contractor?
    We have a process in place to terminate information system and physical access and to ensure the return of all business-related property (laptops, keys, ID badges, etc.) when an employee leaves the company. User account access is revoked within 24 hours of a user's departure; the account may be suspended or deleted as necessary. Notification of the account administrator is initiated as part of the termination process. Physical access (the keycard) is disabled immediately, and company devices are collected immediately.


  • Does Prokuria have procedures for identifying system access needs by job function?    
    Yes.


  • How does Prokuria ensure that user access for the critical systems remains up to date?
    We perform user access reviews for the critical systems on a quarterly basis.


  • Are there on-device protection measures for employees?
    Yes, we use malware protection solutions on all systems, including employee devices.



Network Security


  • Does Prokuria perform periodic penetration tests on its network and, if so, how often?
    Yes, quarterly.


  • What happens when Prokuria detects a network vulnerability? How quickly is it addressed, and are clients notified?
    Network vulnerabilities are treated with the utmost urgency. We disclose the minimum amount of information a customer needs to assess the impact of a vulnerability, together with any steps required to mitigate the threat; we do not provide details that could enable a malicious actor to develop an exploit. Under no circumstances will we disclose a vulnerability until a patch has been developed or a set of mitigating controls has been verified to significantly reduce the threat.


  • What Wi-Fi security standard does Prokuria use internally?
    At a minimum, WPA2 protection.



Physical Environment Security


  • What kind of procedures exist when it comes to physical environment security?
    We have procedures that address the purpose, scope, roles, responsibilities, and compliance for physical and environmental security, such as security perimeter and entry controls, working in secure areas, equipment security, cabling security, fire detection and suppression, room temperature controls, etc.


  • In secured areas, such as data centres, are there security and environmental controls?
    The solution is 100% cloud based, so Prokuria staff have no physical access to data centres; the physical and environmental controls of the data centres are operated by the cloud provider.



Application security

This section describes the security practices, procedures and standards of the Prokuria Software-as-a-Service (SaaS) application.


Data in Prokuria


  • Where is Prokuria's clients' data stored geographically?
    EU - Ireland. 


  • Who has access to Prokuria's clients' data?
    Each client has access only to its own data; in addition, key technical staff of Prokuria have access for maintenance and support. Client data is segregated logically within the application, and there is no cross-processing of data between Prokuria's clients.



Authentication


  • Does Prokuria use multi-factor authentication?
    It's in our public roadmap for 2021, and already enabled for certain enterprise clients.


  • Does Prokuria support SSO integration?
    It's in our public roadmap for 2021, and already enabled for certain enterprise clients.


  • Does Prokuria provide an automated way (e.g. API) for managing access, such as, for example, adding users automatically via API calls? 
    Prokuria does not currently support this functionality.


  • How are APIs protected? 
    Both internal and external APIs require authentication.



Encryption


  • Is data protected from unauthorised disclosure during transmission?
    All data in Prokuria is protected from unauthorised disclosure during transmission (encryption in transit) to external sites using strong encryption. We use keys of at least 128 bits for symmetric encryption, at least 2048 bits for asymmetric encryption and certificates, and hash functions with an output of at least 256 bits.


  • How are the encryption keys and certificates protected?
    We employ a Key Management Policy that specifies the protections applied to each key and its metadata, as well as how long the key and its metadata are retained, based on the sensitivity of the data they protect. We use Azure-specific tools to enforce the key management policy automatically.


  • Does Prokuria use a blacklist to protect against malicious IP addresses?
    We rely on the built-in security measures of Microsoft Azure, which protect against bots and other malicious sources based on blacklists.



Backups and Logs


  • Do you perform regular backups of key systems? Briefly describe how the backup information is protected.
    We perform backups via Azure built-in tools; backups are stored in Azure and are subject to Microsoft's backup protection policies.


  • Do you log key security data?
    We record and regularly review system logs, key application logs, audit logs, security events, system use, and system alerts or failures. Logs are stored encrypted in an MS Azure database and are subject to the same security and backup measures as the main application.


  • Does Prokuria store logs that clients can access?
    Yes, the platform provides granular logs for clients' internal audit purposes. API access to these logs can be enabled upon request, as a development item, and only for enterprise-level accounts.



Incidents and Recovery


  • What kind of Incident Response Plans does Prokuria have in place?
    We implement a documented Incident Response Plan that includes identification of roles and responsibilities, investigation, containment and escalation procedures, documentation and preservation of evidence, communication protocols, and lessons learned. The plan requires employees and contractors to report incidents immediately upon discovery.
    We also maintain a documented Business Continuity Plan and a Disaster Recovery Plan (DRP) that support the current business continuity needs of the company.


  • Is Prokuria able to notify clients in case of a security breach?
    Yes.