Web Application Vulnerability Scans:  At least once a month, Enveedo conducts automated web application vulnerability scans using a contracted tool for this purpose. 

Annual Penetration Testing: Enveedo contracts an external company to perform an annual penetration test and provide a report with the findings from the evaluation. 

SAST and SCA Source Code Scans: Vulnerability scans are conducted on source code to detect and address issues. 

Web Application Firewall (WAF): Enveedo uses a web application firewall (WAF) to protect its cloud infrastructure from unauthorized access and cyber threats, with its rules reviewed annually. 

Intrusion Detection System (IDS): Enveedo uses an Intrusion Detection System (IDS) to continuously monitor the company's network and enable early detection of potential security breaches. 

External Audits:  Enveedo undergoes an annual SOC 2 Type II audit conducted by a renowned international firm. 

Internal Privacy Audit:  Once per year, Enveedo conducts an internal privacy audit to assess compliance with all the objectives outlined in the organization's internal privacy policy. 

Security Risk Assessments:  Enveedo conducts an annual security risk assessment based on a recognized framework. 

Due Diligence for New Vendors:  Enveedo conducts due diligence on new vendors prior to engagement. 

Annual Vendor Assessment:  Enveedo conducts an annual vendor assessment to verify compliance with and maintenance of required security standards. 

Insurance Policy:  Enveedo maintains cybersecurity insurance to mitigate the financial impact of business disruptions. 

Anomaly Detection on Infrastructure:  Enveedo has implemented a detection tool on its infrastructure to identify anomalies or unusual activity, generating logs that undergo a threat analysis process and alert the Security team. 

Incident Response Plan:  A documented plan is in place to address potential security incidents promptly and effectively. 

Breach Notification Mechanisms:  Enveedo has a policy and mechanisms in place to notify affected data subjects, regulators, and other relevant parties of breaches and incidents. 

Annual Incident Response Test:  Enveedo conducts an annual test of its Incident Response Plan to evaluate its effectiveness and ensure timely and appropriate responses to security incidents. 

Email Security System:  Enveedo has preconfigured its email system with Security and Threat Policies, incorporating advanced anti-spam, anti-phishing, and anti-malware capabilities. 

Endpoint Protection Solution:  Enveedo has implemented a licensed Endpoint Protection solution with antimalware capabilities. 

Data Encryption:  Enveedo encrypts traffic between its web application and end-users using the TLS encryption protocol. 

Regular Backups:  Enveedo performs regular backups of the application database to ensure data integrity and availability in case of unexpected incidents. 

Customer Data Deletion:  When a customer leaves the service, Enveedo deletes their data within 60 days following the termination of the agreement. 

Regulatory Scope Analysis:  Enveedo conducts a Regulatory Scope Analysis at least once per year to assess key regulations impacting the organization due to its processing of personal data. 

Privacy Impact Analysis:  Enveedo conducts a Privacy Impact Assessment (PIA) at least once per year evaluating data subjects' expectations, the purposes, legal basis, necessity, and proportionality of the processing, as well as associated risks. 

Record of Processing Activities:  Enveedo has implemented a Record of Processing Activities (ROPA) for its processing of customer personal data. 

Role-Based Access:  All access granted is based on the staff member’s roles and responsibilities and must align with Enveedo's Access Matrix. 

Annual Access Review:  At least once a year, Enveedo conducs access reviews to ensure that all access permissions are appropriate based on job role functions. 

Comprehensive Security Policies:  Enveedo maintains a framework of security policies reviewed annually. 

Access Remotion:  Enveedo blocks access for employees and internal contractors no later than 1 day after termination. 

Training Campaing:  Employees and internal contractors are required to complete security training within thirty days of hire and at least annually for all staff. 

Phisihng Exercises:  On a monthly basis, Enveedo conducts automated simulated phishing exercises through a contracted platform specifically for this purpose. 

Code Change Management Process:  Changes are managed under a strict SDLC (Software Development Life Cycle) framework with proper approvals. 

Infrastructure Change Management Process:  Enveedo requires that changes to production infrastructure components be formally approved by an authorized user. 

SAST and SCA Source Code Scans:  Vulnerability scans are conducted on source code to detect and address issues. 

Software Bill of Materials:  Enveedo produces a Software Bill of Materials (SBOM) as part of the CI/CD process during every merge to the Development branch. 

Application Performance Monitoring:  Enveedo uses an application performance monitoring (APM) tool to monitor application performance and errors. 

Network Security Groups:  Enveedo has configured and manages Network Security Groups (NSGs) to control inbound traffic for instances in its Virtual Private Clouds (VPCs).