As a cyber security company, we have to be dedicated to the security of our product, our company, and our employees. We cannot provide security if we are not ourselves secure and compliant.
In keeping with our dedication to our own internal security, we have taken three major steps over the last year.
- Initiated a SOC 2 Audit - With our auditors at Armanino LLP, we’ve initiated a SOC 2 Audit of our systems and protocols. While we are still undergoing the control accreditation Type II phase of the SOC 2 audit, I'm pleased to announce that we are now SOC 2 Type I certified. This certification indicates that we have created the necessary processes in our software and work environments to bolster security, availability, and confidentiality. Put simply, it is difficult for malicious actors or personnel to affect your data and our products.
The SOC 2 Audit was conducted by Armanino LLP, a California CPA firm with extensive SOC audit experience. In accordance with AICPA standards, our SOC 2 report is available on request under NDA.
- Completed a penetration test (pentest) - A penetration test is an attempt by white hat hackers to see how accessible and vulnerable our products and systems are. We hired a seasoned cyber security company, Inferno Systems Inc., to perform the pentest and look for potential exploits in our system.
While they were unable to infiltrate our systems or exfiltrate data, they did point out areas that could be strengthened to further our defense in depth. We quickly followed the recommendations of these experts and implemented the changes on our systems.
Going forward, we will make a commitment to yearly pentests to make sure that we are always staying ahead of the curve when it comes to our security.
- Launched a bug bounty program - In keeping with the goals of our pentest, we have also started a “Bug Bounty” program offering independent security researchers payment in exchange for discovering bugs and security flaws within our products and systems. We’ve partnered with another Y Combinator company, Federacy, to launch this bug bounty program.
We launched the bug bounty program for several reasons. First, we wanted to stand by our product with real money, and second, we wanted to make sure that we had independent researchers actively testing our systems and products between our annual pentests.
You can check out the details of our bug bounty here: https://www.federacy.com/paladin-cyber-bug-bounty
Like other forward-thinking security companies, we do not view these steps as the ultimate goal of our own cyber security and compliance, but as stepping stones in crafting a truly secure product, company, and culture.