Security at Cymulate

Cymulate protects customer data with enterprise-grade security features and
comprehensive audits of applications, systems, and networks. 

Certifications

Cymulate conducts a variety of audits to ensure continuous compliance with industry standard best practices.

SOC2 Type II

Cymulate is SOC2 Type II certified and provides its customers with a third-party attestation report covering security, availability, confidentiality, and privacy.

ISO

An independent body has audited and certified Cymulate’s compliance with ISO standards. Cymulate’s compliance with these internationally recognized standards and codes of practice is evidence that its security and privacy programs are in accordance with industry-leading best practices.

  • ISO 27001:2013 – Information Security Management
    A leading information security standard detailing how an organization should manage its Information Security Management System (ISMS).
  • ISO 27701 – Security Techniques
    Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.
  • ISO 27017 – Information Technology — Security Techniques
    Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

CSA STAR Level 1

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). This certification allows Cymulate to show current and potential customers its security and compliance posture, including the regulations, standards, and frameworks it adheres to.

GDPR

Holistic and personalized approach to compliance

Data and privacy protection

Cymulate employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of policies, applications, systems, and networks. Cymulate follows strict international standards and regulations in order to keep information safe and is SOC 2 Type II and ISO 27001 certified.

Cymulate’s data and security team

The Cymulate privacy and security team includes a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). Both continuously ensure that Cymulate’s practices and products comply with GDPR and similar regulations. Cymulate’s Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA) are up-to-date and reflect its GDPR readiness.

Data Center

All of Cymulate’s servers are located within Cymulate’s own virtual private cloud (VPC), protected by restricted security groups that allow only the minimal required communication to and between the servers.

Secure development life cycle procedures

The Cymulate platform is developed using strict secure development life cycle procedures. All code modifications are reviewed prior to committing them, including static and dynamic code analysis and vulnerability scanning.

Annual third-party scans and tests

Cymulate conducts third-party network vulnerability scans and penetration tests at least once annually.

Cloud Security

Data Center Physical Security

Facilities

Cymulate hosts Service Data primarily in AWS data centers that have been certified as ISO 27001:2022, PCI DSS Service Provider Level 1, and/or SOC 2/3 Type II compliant. Learn about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about Data Center Controls at AWS.

On-Site Physical Security

AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.

Data Hosting Location

Cymulate leverages AWS data centers in the United States, Europe, and Asia Pacific.

Cymulate offers multiple data locality choices, including the United States (US), Europe (EU), India, and more.

Encryption

Encryption in Transit

All communications with the Cymulate UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between Cymulate and its customers is protected in transit. Transport Layer Security (TLS) also encrypts email in transit, mitigating eavesdropping between mail servers where the peer mail service supports the protocol.

Encryption at Rest

Data is encrypted at rest, both in AWS storage and in the database, using AES-256 encryption.

Availability and Continuity

Redundancy

Cymulate employs service clustering and network redundancies to eliminate single points of failure. The service and configuration allow Cymulate to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Cymulate’s Disaster Recovery Plan ensures that its services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and periodically testing procedures.

Application Security

Secure Development Life Cycle (SDLC)

Secure Code Training

Annual secure code training is required for all engineers.

Quality Assurance

Cymulate’s Quality Assurance (QA) department reviews and tests all products before they are released to production.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No real data is used in development or test environments.

Vulnerability Management

Vulnerability Scanning

Cymulate employs third-party security tooling to continuously scan its core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. Cymulate’s in-house product security team tests and works with its engineering teams to remediate any discovered issues.

Software Composition Analysis

As part of Cymulate’s CI/CD, the organization continuously scans the libraries and dependencies used in its products to identify vulnerabilities and ensure the vulnerabilities are managed.

Third-Party Penetration Testing

In addition to an extensive internal and external scanning and testing program, Cymulate employs third-party security experts to perform detailed penetration tests on different applications within its family of products at least annually.

HR Security

Security Awareness

Policies

Cymulate has developed a comprehensive set of security policies covering a range of topics that comply with industry standards. These policies are shared with and made available to all employees.

Training

All employees attend an ongoing security awareness training. The security team provides phishing campaign tests and security awareness updates.

Employee Vetting

Confidentiality Agreements

All new hires are required to sign non-disclosure and confidentiality agreements.

Product Security

Authentication Options

2-Factor Authentication (2FA)

Cymulate enforces 2FA for all employees, internally and externally. Customers can choose between 2FA enforcement and SSO.

Role-Based Access Controls

Access to data within Cymulate applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Cymulate supports various permission levels for users (Supervisors, Users, Read-Only).

IP Restrictions

Any Cymulate customer can restrict access to their Cymulate account to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to the Cymulate account.

Hosted Encryption Certificates for Help Center (TLS)

Cymulate provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

FAQ

Does Cymulate have any security certifications?

Cymulate is certified as SOC2 Type II, has many ISO certifications, and is CSA STAR Level 1. For a more detailed list, check out the certifications section.

Does Cymulate have an identity and access management program?

Yes. Cymulate has security controls such as single sign-on (SSO), two-factor authentication (2FA), hardening policies, segregation of duties, encryption, 24/7 monitoring, and more to ensure that only certified people can access company data.

Does Cymulate do any third-party audits?

Cymulate performs rigorous security testing, including threat-modeling, automated scanning, and third-party audits. If there is a gap, Cymulate resolves the issue quickly using its proven security incident response practices.

Does Cymulate do vulnerability scanning or penetration testing?

Cymulate conducts third-party network vulnerability scans and penetration tests at least annually.

Does Cymulate have a dedicated security team?

Cymulate’s privacy & security team includes a Data Protection Officer (DPO), a Chief Information Security Officer (CISO), and an IT Manager.

How can I report a security issue?

The Cymulate support team is here for any questions or issues. They are available at [email protected]
