Our Approach to Security
The goal of the Security & Compliance program at Sales Boomerang is to protect the confidentiality, integrity and availability of information for the organization, employees, customers and the affiliated information systems. Our Company’s Information Security Program was developed with guidelines from the NIST Cybersecurity Framework and ISO 27001. Our program aims to address risk, ensure a culture of security, proactively prevent security incidents, and continuously manage security threats and vulnerabilities.
Culture of Security
All Company employees are responsible for safeguarding company assets; security and privacy are a shared employee responsibility. All our employees are screened for expertise, experience and integrity. Criminal background checks are required upon hire and are verified iteratively throughout employment. All employees are required to adhere to and acknowledge the information security policies and standards.
The security education, training and awareness program is seen as a foundational component of our security program. Initial training is carried out for employees at the time of onboarding. Additionally, ongoing quarterly security, privacy and phishing awareness training is conducted to maintain competency across our distributed workforce.
The Leadership team of the Company is accountable for and formally approves decisions regarding the Information Security Program.
Attestations
Sales Boomerang completed the initial American Institute of CPAs (AICPA) SOC 2 Type 2 Attestation in 2022, which means the design and operating effectiveness of our controls meet rigorous standards. We have already scheduled our next SOC 2 audit with RKL for 2023 to include our new combined organization. In an effort to constantly improve our security posture, we have also shifted focus into preparing for the ISO 27001 Certification.
Platform Security
We develop and deploy solutions that balance thoughtful security controls and usability. Sales Boomerang provides you with the tools and support you need to ensure that all of your users engage in appropriate and compliant use of our platform. We maintain platform security as part of our shared security model so that you can focus on your customers.
Regulatory Compliance
While we are not bound to the same regulatory controls required by lenders, we do take extra steps to ensure that we are compliant where appropriate and educate all staff on the relevant regulatory requirements for the benefit of our customers. Common regulatory policies that we review for applicability include: CFPB (Consumer Financial Protection Bureau), CCPA (California Consumer Privacy Act), GLBA (Gramm-Leach-Bliley Act), ADA (content accessibility), WCAG (Web Content Accessibility Guidelines). Our Security & Compliance team, in conjunction with our Legal team, ensures that applicable regulations and standards are factored into our program.
Physical & Logical Access Control
We are partnered with AWS for the production data centers used to store and process data; these data centers meet or exceed industry standards. By leveraging AWS we can use their security infrastructure, logging, identity and intrusion protection systems and focus on delivering a scalable and secure product.
Our Company has designed internal data access processes and policies to prevent unauthorized persons and/or systems from gaining access to its systems. The Company has designed its environment to restrict access and ensure access is relevant, timely and aligned with the individual’s job responsibilities. Our U.S.-based data centers feature 24 x 7 physical security. These data centers are protected and carry SOC 2 and ISO certifications.
Availability
Production data centers are designed to be fully redundant and maintained without impact to operations, 24 hours a day, seven days a week. The Company has disaster recovery plans in place and performs testing each year to validate their effectiveness.
Application Security
All data is encrypted during transmission using up-to-date versions of TLS or other security protocols with strong encryption algorithms and keys. Data at rest and offline backups are encrypted to ensure adequate protection of customer data.
The Company conducts regular scans of its applications, networks and infrastructure to detect vulnerabilities using commercially available, regularly updated scanning software.
Additionally, we leverage external consultants to perform security assessments and validate our defensive posture.
Software we develop follows a Secure Software Development Life Cycle defined in our internal policy and procedure documents.
Audit Requests
The Company, in its role as a Data Processor, will take commercially reasonable measures to assist Clients (Data Controllers) with audits to verify compliance with the controls.
Vulnerability Disclosure
While Sales Boomerang appreciates external security researchers reaching out and disclosing vulnerabilities or misconfigurations within our Company's infrastructure or services, we do not engage with individuals in the event they are testing company owned infrastructure without appropriate permission.
If you have a question or would like to report something to our Security & Compliance team, please contact us here: security@salesboomerang.com