Spherity Software Security Statement

Introduction

At Spherity, we prioritize the security and privacy of our customers' data and the systems we develop. The management and protection of information assets is one of Spherity’s most important challenges. Information management has been identified as an essential value of Spherity’s business operations. This document outlines our commitment to maintaining the highest level of security in our software solutions, the measures we employ to protect sensitive information, and our ongoing efforts to stay up-to-date with industry best practices. We believe transparency is vital, and we are committed to publicly sharing our security practices to assure our customers of the trustworthiness of our software products.

Scope

This security document applies to Spherity’s Credentialing Service, CARO. It encompasses both our internally developed software and any third-party software integrated into our products.

Security Principles

Confidentiality
We safeguard the confidentiality of our customers' data by implementing strong access controls and encryption techniques to prevent unauthorized access.

Integrity
We maintain the integrity of our software by employing secure coding practices, performing regular vulnerability assessments, and promptly addressing any identified issues to prevent data tampering or unauthorized modifications.

Availability
We ensure high availability of our software by employing robust hosting infrastructure and conducting regular backups to mitigate the impact of potential disruptions.

Privacy
We respect and protect the privacy of our customers' data by adhering to applicable data protection regulations and industry best practices.

Security Measures

Secure Development Practices
Our software development team follows industry-standard secure coding policies. Appropriate policies, standards, and documentation are applied to ensure a secure development process and to give development teams clear guidelines to follow. To further increase our applications’ security, Spherity’s policies pay special attention to eliminating attack vectors in our applications and follow the guidelines and recommendations of the Open Web Application Security Project (OWASP).

User Authentication and Access Control
We implement secure user authentication mechanisms, such as strong password policies, multi-factor authentication (MFA), and role-based access controls (RBAC), to ensure that only authorized individuals can access sensitive information.

Encryption
According to our cryptography policy, we employ strong encryption algorithms to protect data at rest and in transit. This includes using industry-standard protocols (e.g., HTTPS) for secure communication and strong encryption for sensitive data stored in databases or file systems.

Regular Security Assessments
We conduct regular security assessments, including penetration testing and vulnerability scanning, to identify potential weaknesses in our software. Any identified vulnerabilities are promptly remediated to maintain a secure environment.

Incident Response and Monitoring
We have established incident response procedures to respond quickly and effectively to security incidents. We employ robust monitoring systems that enable us to detect and respond to suspicious activities or anomalies in real time.

Employee Training and Awareness
We provide regular security training and awareness programs to our employees, ensuring they understand their roles and responsibilities in maintaining the security of our software and the data it handles.

Continuous Improvement

We are committed to continually improving our security practices to address emerging threats and vulnerabilities. Continuous improvement is inherent in all our processes. This includes staying up-to-date with the latest industry standards. We conduct regular reviews of our security policies, procedures, and infrastructure to ensure they remain effective and aligned with best practices.

Third-Party Security

Along the supply chain, information security is of great importance for all partners involved. Suppliers and partners go through a supplier evaluation process and are categorized by criticality into service levels. When integrating third parties into our procedures, we review their security practices and conduct due diligence to ensure they meet our security standards. We only collaborate with trusted partners who share our commitment to security and privacy.