Enterprise-Grade Security for Your Cloud
Copado is dedicated to providing a high level of security to all customers. At Copado, we combine a strong security framework, internal and external audits, penetration testing, and trained employees to ensure that your data is protected. Below you’ll find an overview of many of our security policies, procedures, and controls.
- Copado maintains ISO 27001 and SOC 2 Type 1 certification and attestation examinations, performed annually by an
independent audit firm
- Copado has attained FedRAMP In-Process status and is expecting ATO later this year
- We undergo annual third party penetration testing
- We have a dedicated Security Compliance team that implements and monitors our security framework and controls
- The Copado security framework consists of policies, procedures and controls that align to
ISO 27001, SOC 2, FedRAMP and GDPR requirements
- We utilize third-party, cloud-based data centers, which maintain network architecture and data layer controls that meet the requirements of the most security-sensitive organizations. The data centers have several security-related certifications, including ISO 27001, SOC 2, FedRAMP, HIPAA, NIST, and several others
- Our employees attend security awareness training upon hire and annually, and are required to adhere to our code of conduct
- Annual risk assessments are performed to ensure we are addressing current as well as emerging risks
- We follow change management procedures for all changes to the organization and the Copado platform
Our cloud data centers have the highest standards for data privacy and security. Controls are in place at the perimeter, infrastructure, and environmental layers to ensure strong physical protection, and are audited regularly to ensure they comply with various security certifications and standards. In addition, Copado reviews these security certifications annually to ensure standards are properly maintained.
Application and Network Security
- All software releases and new features are reviewed and tested before release, according to our change management procedures
- Our testing and staging environments are separate from production environments, and no actual customer data is ever used for testing
- We have automated vulnerability scans that run at regular intervals, and are addressed according to our vulnerability management process
- A third party auditor performs annual penetration testing
- Automated monitoring, logging, and system alerts are in place
- We control our role based, least privilege system access (including granting and revoking), and formally review all admins and users quarterly
Customer data is encrypted in transit and at rest, and within our databases.
- We perform regular backups of data, and backup testing is performed annually
- We maintain documented incident response and disaster recovery policies and procedures, and testing as well as team training is performed annually
SOC 2 Type 1 Report
Restricted use report that describes the systems and security and confidentiality controls that are in place to protect data.