Skip to main content
All CollectionsGetting startedSecurity and Compliance
Judge.me SOC2 type 2 compliance: security commitment
Judge.me SOC2 type 2 compliance: security commitment
Updated over 8 months ago

At Judge.me, trust is the cornerstone of our operation. Security stands as one of our paramount concerns, with a dedicated focus on documenting and routinely reviewing our security policies and procedures. Our primary goal is to instill confidence in our customers when using our applications and customer support services, knowing that their personal information and online store records remain safeguarded.

Our dedication to security is exemplified by our attainment of SOC2 Type 2 certification. This certification not only affirms the appropriate design and implementation of controls but also the effective operation of these controls over a specific period.

Our compliance with SOC2 Type 2:

Secure personnel

  • We take the security of our data and that of our clients and customers seriously and ensures that only vetted personnel are given access to their resources.

  • All our contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.

  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.

  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure development

  • All our development projects, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.

  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.

  • All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with, as well as any other relevant training.

  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.

Secure testing

  • We deploy third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.

  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.

  • We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud security

  • Our cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

  • Our cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using our patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.

  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained experts.

  • We separate each customer's data and our own, using unique encryption keys to ensure data is protected and isolated.

  • Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.

  • We implement role-based access controls and the principles of the least privileged access, and review revoke access as needed.

How we get there

  • We integrated our tools and systems, including G Suite, Github, AWS, Heroku, MongoDB, etc., with Vanta, to automate the complex process of gathering evidence for security audits.

  • Vanta helps us handle employee security training, device monitoring, and automated alerts on any controls of concern. With a centralized place to manage our security and compliance, we ensure our policies, procedures, and controls are well-managed and maintained.

  • Prescient Assurance, a leader in security and compliance certifications for B2B and SAAS companies worldwide, carried out the audit. This audit goes a step further and evaluates the operational effectiveness of the controls over a specified period, typically at least three months. It examines not only the design but also the implementation and ongoing monitoring of controls. The Type 2 report provides assurance that the controls have been in place and operating effectively over a period of time.

  • To get a copy of our SOC2 Type 2 report, please get in touch with [email protected].

If you need help with Judge.me security commitment, contact our team at [email protected]. We're available to help 24/7!

Did this answer your question?