Data privacy and cloud security with Whispir
Security and the protection of privacy are of the utmost importance to Whispir. We continue to invest a significant amount of time and resources to secure the Whispir platform, customer data entrusted to us, and our operations and network communications.
Whispir’s operational practices are embedded within an Information Security Management System that is both ISO/IEC-27001:2013 and ISO/IEC-27018:2019 certified. Whispir adopts a comprehensive approach towards managing its information security program. We ensure that appropriate measures are in place to protect customer data and privacy.
Whispir has completed a detailed security questionnaire and assessment via CyberGRX, a leader in Third-Party Risk Management. Whispir’s assessment was independently validated by CyberGRX partner, KPMG. Assessment results allow customers to gain assurance over Whispir’s information security program at the security control level. The assessment also provides advanced capabilities by integrating Whispir responses with analytics, threat intelligence, and sophisticated risk models, based on known breach kill chains, to provide a dynamic and in-depth view of Whispir’s security posture.
Our Security Industry Affiliates: ACSC Partner (Australian Cyber Security Centre), OWASP, AWS.
We align and collaborate with industry leaders for security, privacy, and compliance to ensure we are operating in parallel with evolving industry best practices.
Report a vulnerability
We actively encourage the security research community, our customers and the wider public to report vulnerabilities in our products to us. Whispir recognizes those who contribute to keeping Whispir safe.
Only a limited set of staff who demonstrate a strict need to access Whispir data and systems are provided access. The principle of least privilege is enforced.
TLS 1.2 is enforced for data in transit. AES-256 encryption is used for data at rest. AWS capabilities are used for managing and securing encryption keys. Your passwords are hashed and stored securely.
Security incident response
Whispir aligns its security incident response processes to NIST guidelines for incident handling. Our dedicated security team has access to a combination of best-of-breed security tooling, clear incident triaging criteria and incident playbooks to effectively handle and coordinate a response to a security incident. The team also has on-demand access to external expertise to augment security incident response, coordination, and forensics capabilities. Comprehensive logging and monitoring of our platform and its cloud infrastructure enable quick identification of and response to potential security incidents.
Whispir maintains a comprehensive vulnerability management program using technology and processes to effectively identify, triage and remediate vulnerabilities and misconfigurations according to the risk they present. This is a key aspect of our ISO27001 certification that is independently audited. We have best-of-breed tooling to identify software assets across our production and end-user computing environments and conduct regular vulnerability scanning that includes web application and host scanning as well as static application security testing. We also conduct penetration testing prior to significant IT changes and maintain a Responsible Vulnerability Management Policy on our public website that encourages researchers to disclose the vulnerabilities they identify in a responsible manner.
Privacy by design
Whispir adopts the model recommended by the Office of the Australian Information Commissioner (OAIC) for carrying out privacy impact assessments when we build new products, services, or implement a new process, or when we change an existing one where personal information is involved.
Customers have the option to choose the region or territory in which their Whispir account is based. Once the customer is homed to a specific Whispir environment, the customer's data does not leave that jurisdiction.
Human resources security
Whispir’s human resource security management processes ensure that background verification checks are performed for all employees. All staff and, where relevant, contractors and third-party personnel receive security awareness training on Whispir security policies, standards and guidelines, and prevailing security risks.