Certifications
Cymulate conducts a variety of audits to ensure continuous compliance with industry standard best practices.
SOC2 Type II
Cymulate is SOC2 Type II certified and provides its customers with a third-party attestation report covering security, availability, confidentiality, and privacy.
ISO
An independent body has audited and certified Cymulate’s compliance with ISO standards. Cymulate’s compliance with these internationally recognized standards and codes of practice is evidence that its security and privacy programs are in accordance with industry-leading best practices.
- ISO 27001:2013 – Information Security Management
A leading information security standard detailing how an organization should manage its Information Security Management System (ISMS).
- ISO 27701 – Security Techniques
Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.
- ISO 27017 – Information Technology — Security Techniques
Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
CSA STAR Level 1
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). This certification allows Cymulate to show current and potential customers its security and compliance posture, including the regulations, standards, and frameworks it adheres to.
GDPR
Holistic and personalized approach to compliance
The Cymulate platform is developed using strict secure development life cycle procedures. All code modifications are reviewed prior to committing them, including static and dynamic code analysis and vulnerability scanning.
Data and privacy protection
Cymulate employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of policies, applications, systems, and networks. Cymulate follows strict international standards and regulations in order to keep information safe and is SOC 2 Type II and ISO 27001 certified.
Cymulate’s data and security team
The Cymulate privacy and security team includes a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). Both continuously ensure that Cymulate’s practices and products comply with GDPR and similar regulations. Cymulate’s Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA) are up-to-date and reflect its GDPR readiness.
Data Center
Secure development life cycle procedures
The Cymulate platform is developed using strict secure development life cycle procedures. All code modifications are reviewed prior to committing them, including static and dynamic code analysis and vulnerability scanning.
Annual third-party scans and tests
All of Cymulate’s servers are located within Cymulate’s own virtual private cloud (VPC), protected by restricted security groups that allow only the minimal required communication to and between the servers.
Data encryption
Cymulate conducts third-party network vulnerability scans and penetration tests at least once annually.
Cloud Security
Data Center Physical Security
Cymulate hosts Service Data primarily in AWS data centers that have been certified as ISO 27001:2022, PCI DSS Service Provider Level 1, and/or SOC 2/3 Type II compliant. Learn about Compliance at AWS.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about Data Center Controls at AWS.
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.
Cymulate leverages AWS data centers in the United States, Europe, and Asia Pacific.
Cymulate offers multiple data locality choices, including the United States (US), Europe (EU), India, and more.
Encryption
All communications with Cymulate UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between Cymulate and its customers is secure during transit. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
Data is encrypted at rest in AWS and DB using AES-256 key encryption.
Availability and Continuity
Cymulate employs service clustering and network redundancies to eliminate single points of failure. The service and configuration allow Cymulate to deliver a high level of service availability, as Service Data is replicated across availability zones.
Cymulate’s Disaster Recovery Plan ensures that its services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and periodically testing procedures.
Application Security
Security Development (SDLD)
Annual secure code training is required for all engineers.
Cymulate’s Quality Assurance (QA) department reviews and tests all products before production.
Testing and staging environments are logically separated from the Production environment. No real data is used in development or test environments.
Vulnerability Management
Cymulate employs third-party security tooling to continuously scan its core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. Cymulate’s in-house product security team tests and works with its engineering teams to remediate any discovered issues.
As part of Cymulate’s CI/CD, the organization continuously scans the libraries and dependencies used in its products to identify vulnerabilities and ensure the vulnerabilities are managed.
In addition to an extensive internal and external scanning and testing program, Cymulate employs third-party security experts to perform detailed penetration tests on different applications within its family of products at least annually.
HR Security
Security Awareness
Cymulate has developed a comprehensive set of security policies covering a range of topics that comply with industry standards. These policies are shared with and made available to all employees.
All employees attend ongoing security awareness training. The security team provides phishing campaign tests and security awareness updates.
Employee Vetting
All new hires are required to sign non-disclosure and confidentiality agreements.
Product Security
Authentication Options
Cymulate has developed a comprehensive set of security policies covering a range of topics that comply with industry standards. These policies are shared with and made available to all employees.
2-Factor Authentication (2FA)
Cymulate enforces 2FA for all employees, internally and externally. Customers can choose between 2FA enforcement or SSO.
Role-Based Access Controls
Access to data within Cymulate applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Cymulate supports various permission levels for users (Supervisors, Users, Read-Only).
IP Restrictions
Any Cymulate customer can restrict access to their Cymulate account to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to the Cymulate account.
Hosted Encryption Certificates for Help Center (TLS)
Cymulate provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.
FAQ
Does Cymulate have any security certifications?
Cymulate is certified as SOC2 Type II, has many ISO certifications, and is CSA STAR Level 1. For a more detailed list, check out the certifications section.
Does Cymulate have an identity and access management program?
Yes, Cymulate has security controls like single sign-on (SSO), two-factor authentication (2FA), hardening policies, segregation of duties, encryption, 24/7 monitoring, and more to ensure that only certified people can access company data.
Does Cymulate do any 3rd party audits?
Cymulate performs rigorous security testing, including threat-modeling, automated scanning, and third-party audits. If there is a gap, Cymulate resolves the issue quickly using its proven security incident response practices.
Does Cymulate do vulnerability scanning or penetration testing?
Cymulate conducts third-party network vulnerability scans and penetration tests at least annually.
Does Cymulate have a dedicated security team?
Cymulate’s privacy & security team includes a Data Protection Officer (DPO), a Chief Information Security Officer (CISO), and an IT Manager.
How can I report a security issue?
The Cymulate support team is here for any questions or issues. They are available at [email protected]