Security & SOC 2

March 2022

Introduction

Everflow Technologies Inc. ("Everflow," "we," or "our") has implemented processes in accordance with its security principles, to develop and deliver our products and services, and maintain the security of customer and user data.

Security

Personnel

Everflow employees and contractors who access sensitive information are screened prior to engagement. They also undergo regular security training, and sign confidentiality terms or non-disclosure agreements.

Access to data and systems is limited to authorized personnel, based on segregated responsibilities and legitimate business use, where appropriate. Everflow's termination process includes removal of access to related systems and data.

Policies

Everflow staff must review and acknowledge Everflow's regularly updated security policies, at least annually, including our Information Security Policy (covering confidentiality of client data and acceptable use of company resources) and Incident Response Plan (covering information security or data privacy incidents and events).

Development

Development of new products, tools and services, and major changes to existing ones, follow secure development lifecycle principles, including design review to ensure security requirements are satisfied. Everflow applies an agile development methodology that deploys products on a regular iterative release cycle.

Penetration Testing

Everflow undergoes regular third-party penetration testing. All new systems, products and services are scanned prior to being deployed to production.

Production Environment and Cloud Security

Everflow is built on the Google Cloud Platform (GCP). Everflow leverages the native physical and network security features of GCP and relies on GCP to maintain the infrastructure, services, and physical access policies and procedures. Security features include the following:

  • All customer cloud environments and data are isolated. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored.
  • We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
  • Clients' data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information are protected at all times.
  • We implement role-based access controls and the principle of least-privilege access, and review and revoke access as needed.

Scheduled and emergency changes are tested in separate environments, before Engineering's approval for deployment to the production environment. Testing is prohibited in the production environment (with the exception of deployment validation).

Risk Management

Everflow identifies, analyzes, controls and monitors strategic and operational risks. This risk assessment process may be applied to all business processes, information, information systems, networks, devices, and information processing facilities that are owned or used by Everflow.

Business Continuity and Disaster Recovery Plan

Everflow regularly updates its Business Continuity and Disaster Recovery Plan, covering business functions critical to the delivery of our products and services to clients.

Incident Response Plan

Everflow regularly updates its Incident Response Plan, which covers information security or data privacy incidents and events. It includes guidance for employees or incident responders who believe they have discovered, or are responding to, a security incident.

SOC 2

Type II

Everflow is SOC 2 certified. Everflow successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that Everflow’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.

Everflow was audited by Prescient Assurance, a leader in security and compliance certifications for B2B, SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada and provides risk management and assurance services.

Please email legal@everflow.io for a copy of the SOC 2 report, or with any security or compliance questions.