Security at Cymulate

Cymulate protects customer data with enterprise-grade security features and
comprehensive audits of applications, systems, and networks.

Certifications

Cymulate conducts a variety of audits to ensure continuous compliance with industry standard best practices.

Cymulate is SOC 2 Type II certified and provides its customers with a third-party attestation report covering security, availability, confidentiality, and privacy.

An independent body has audited and certified Cymulate’s compliance with ISO standards. Cymulate’s compliance with these internationally recognized standards and codes of practice is evidence that its security and privacy programs are in line with industry-leading best practices.

  • ISO 27001:2013 – Information Security Management
    A leading information security standard detailing how an organization should manage its Information Security Management System (ISMS).
  • ISO 27701 – Security Techniques
    Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.
  • ISO 27017 – Information Technology — Security Techniques
    Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

CSA STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). This certification allows Cymulate to show current and potential customers its security and compliance posture, including the regulations, standards, and frameworks it adheres to.

GDPR

The Cymulate platform is developed using strict secure development life cycle procedures. All code modifications are reviewed prior to committing them, including static and dynamic code analysis and vulnerability scanning.

Cymulate employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of policies, applications, systems, and networks. Cymulate follows strict international standards and regulations in order to keep information safe and is SOC 2 Type II and ISO 27001 certified.

The Cymulate privacy and security team includes a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). Both continuously ensure that Cymulate’s practices and products comply with GDPR and similar regulations. Cymulate’s Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA) are up-to-date and reflect its GDPR readiness.

Data Center

All Cymulate servers are located within Cymulate’s own virtual private cloud (VPC), protected by restrictive security groups that allow only the minimal required communication to and between the servers.

Cymulate conducts third-party network vulnerability scans and penetration tests at least once annually.

Cloud Security

Cymulate hosts Service Data primarily in AWS data centers that have been certified as ISO 27001:2022, PCI DSS Service Provider Level 1, and/or SOC 2/3 Type II compliant.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.

AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.

Cymulate leverages AWS data centers in the United States, Europe, and Asia Pacific.

Cymulate offers multiple data locality choices, including the United States (US), Europe (EU), India, and more.

All communications with the Cymulate UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between Cymulate and its customers is protected in transit. Email is likewise delivered over Transport Layer Security (TLS) where the peer mail server supports it, mitigating eavesdropping between mail servers.

Data at rest, both in AWS storage and in the database, is encrypted using AES-256.

Cymulate employs service clustering and network redundancies to eliminate single points of failure. The service and configuration allow Cymulate to deliver a high level of service availability, as Service Data is replicated across availability zones.

Cymulate’s Disaster Recovery Plan ensures that its services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and periodically testing procedures.

Application Security

Annual secure code training is required for all engineers.

Cymulate’s Quality Assurance (QA) department reviews and tests all products before they are released to production.

Testing and staging environments are logically separated from the Production environment. No real data is used in development or test environments.

Cymulate employs third-party security tooling to continuously scan its core applications against common web application security risks, including, but not limited to, the OWASP Top 10 security risks. Cymulate’s in-house product security team tests the applications and works with its engineering teams to remediate any discovered issues.

As part of Cymulate’s CI/CD, the organization continuously scans the libraries and dependencies used in its products to identify vulnerabilities and ensure the vulnerabilities are managed.

In addition to an extensive internal and external scanning and testing program, Cymulate employs third-party security experts to perform detailed penetration tests on different applications within its family of products at least annually.

HR Security

Cymulate has developed a comprehensive set of security policies covering a range of topics that comply with industry standards. These policies are shared with and made available to all employees.

All employees attend an ongoing security awareness training. The security team provides phishing campaign tests and security awareness updates.

All new hires are required to sign non-disclosure and confidentiality agreements.

Product Security

Cymulate enforces two-factor authentication (2FA) for all employees, internally and externally. Customers can choose between 2FA enforcement or SSO.

Access to data within Cymulate applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Cymulate supports various permission levels for users (Supervisors, Users, Read-Only).

Any Cymulate customer can restrict access to their Cymulate account to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to the Cymulate account.

Cymulate provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

FAQ

Cymulate is certified as SOC 2 Type II, has many ISO certifications, and is CSA STAR Level 1. For a more detailed list, check out the certifications section.

Yes, Cymulate has security controls such as single sign-on (SSO), two-factor authentication (2FA), hardening policies, segregation of duties, encryption, 24/7 monitoring, and more to ensure that only authorized people can access company data.

Cymulate performs rigorous security testing, including threat modeling, automated scanning, and third-party audits. If a gap is found, Cymulate resolves the issue quickly using its proven security incident response practices.

Cymulate conducts third-party network vulnerability scans and penetration tests at least annually.

Cymulate’s privacy & security team includes a Data Protection Officer (DPO), a Chief Information Security Officer (CISO), and an IT Manager.

The Cymulate support team is here for any questions or issues. They are available at [email protected]