CISOfy and Security


We care about your data and trust. Security is our business, and we think it is serious business. Therefore we show here some of the extensive security measures we have taken.

HTTPS

Communications to our web services occur via HTTPS, to ensure privacy and confidentiality of your data. Secure from the beginning is our motto: that is why we only provide our website via HTTPS.

Technical details

We use an Extended Validation (EV) certificate. This means our company details and ownership were checked and validated. TLS is used, with TLSv1.2 as the preferred version. The ciphers used are based on best practices, protecting against well-known attacks. HTTP Strict Transport Security (HSTS) is used to ensure HTTP connections are redirected, and browsers are instructed to use HTTPS instead. We also defined a long expiration date (max-age), so browsers will try HTTPS first. The great folks behind SSL Labs gave us an A+ score.

Session cookies are set with the highest level of security (HttpOnly and Secure flags), protecting against CSRF/XSS attacks.


Continuous auditing

Regular audits, vulnerability scans and security scans are performed to test our security defenses. We have security monitoring in place and use our own tooling, Lynis Enterprise.


Secure downloads

All downloads are available via HTTPS, ensuring your download comes from our systems. Additionally, we provide a hash (fingerprint) of the download and a digital signature. The hash can be used to validate the integrity of the file. The digital signature validates that we are the ones who released it. We also apply these signatures to our software repository.
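As an added example (not CISOfy's own tooling) of the two checks this section describes, the script below verifies a download in two separate steps: the hash for integrity, the detached signature for origin. It assumes sha256sum and gpg are installed, that the publisher's public key has already been imported, and that the key fingerprint (placeholder below) was obtained out of band.

```shell
#!/bin/sh
# Added example, not CISOfy's own code. Verifies a downloaded file the way the
# page describes: the SHA-256 hash proves the bytes are the ones the publisher
# listed (integrity); only the signature proves who released them (origin).
# Assumptions: sha256sum and gpg are installed, the publisher's public key is
# already in the keyring, and EXPECTED_SIGNER_FPR is the fingerprint of the key
# that actually makes the signatures (a subkey's fingerprint if they sign with
# one), obtained out of band. The value below is a placeholder, not a real key.

EXPECTED_SIGNER_FPR="0000000000000000000000000000000000000000"

# check_hash FILE EXPECTED_SHA256 -> 0 if the file's SHA-256 matches, 1 otherwise.
check_hash() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || { echo "check_hash: no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "check_hash: SHA-256 mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# check_signature FILE SIGFILE -> 0 only if gpg reports a valid signature AND the
# signing key's fingerprint is the one we expect. An exit status of 0 from
# gpg --verify alone is not enough: a signature by any key in the keyring
# satisfies it, so we parse the machine-readable VALIDSIG status line, whose
# first field is the fingerprint of the key that made the signature.
check_signature() {
    file="$1"
    sig="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "check_signature: gpg could not verify $sig" >&2
        return 1
    }
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_SIGNER_FPR " || {
        echo "check_signature: valid signature, but not from the expected key" >&2
        return 1
    }
    return 0
}

# verify_download FILE EXPECTED_SHA256 SIGFILE -> 0 only when both checks pass.
verify_download() {
    check_hash "$1" "$2" && check_signature "$1" "$3"
}
```

Passing check_hash alone means only that the file matches the digest published beside it; a tampered site could publish both, which is why check_signature is the step that ties the release to the publisher's key.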


System hardening

We are experts in system auditing. So we test our environment on a regular basis and apply security controls. This includes system hardening, software patch management, and log reviews.


Personal information

Although we are interested in our customers, we avoid collecting personal information as much as possible. Only basic information is stored to process trial requests and orders. Payment details are processed by a PCI-compliant third party, Stripe.


Deletion of data

When data is no longer needed, we simply delete it. Hoarding is not our thing, especially not when it comes to sensitive data. We do, however, make backups. They are encrypted and stored in different undisclosed locations, both online and offline.


Responsible security disclosure

When you discover an issue with our site or products, we encourage you to use responsible disclosure. We respect your privacy, so you can report issues anonymously. Use security@cisofy.com for reporting any security issues.


Protect yourself: Don't break the law.

Security policies

See our public security policy for more details about how we do security management.

Thanks

We thank the following people for providing tips and suggestions to make our services more secure.

  • Nessim Jerbi
  • Sander Bos