Mycroft's Security Practices
Last revised: July 2024
Introduction
Mycroft believes in leading by example and in using our own product. As a result, we continuously monitor our security program through our product itself, which allows us to build a security program based on the following standards and regulations:
- AICPA Trust Services Criteria 2017 Rev. 2 (SOC 2)
- NIST Cybersecurity Framework
- GDPR / PIPEDA / CCPA / CPRA
Policies
In support of the highest standards of security and privacy, Mycroft has established the following policies, which are reviewed at least annually:
- Information Security and Governance
- Privacy
- Code of Conduct
- Asset Management
- Data Classification and Lifecycle Management
- Logical Access
- Vulnerability Management
- Incident Response
- Secure Software Development and Management
- Vendor Risk Management
- Business Continuity and Disaster Recovery
Continuous Security Monitoring
We have currently implemented the following to ensure ongoing maintenance and compliance:
- Cloud Security Posture Management
- Continuous Code Repository Testing and Monitoring
- Dynamic Automation and Response
- Endpoint Management and Monitoring
- Application Security Testing
- Ongoing Testing and Monitoring for Availability and Integrity
- Continuous Access and Configuration Reviews
Administrative and Governance Controls
In addition to the technical controls, we have implemented the following administrative and governance controls:
- A designated individual serving as Data Protection Officer / Information Security Leader
- Policy Management
- Vendor Risk Management and Governance
- HR and Contractual Obligation Processes
- Customer Communications and Support Management
- Continuous Risk Assessments (including AI, Security, Fraud, and Operations)