Effective from: May 21, 2021
Wingify Software Pvt Ltd. (herein referred to as Wingify in this document) is committed to ensuring the Confidentiality, Integrity, and Availability (CIA) and provide comprehensive protection to its information assets against the consequences of confidentiality breaches, failures of integrity and/ or interruptions to their availability. To provide adequate protection for information assets, Wingify has built the Information Security Management System (ISMS) which includes the respective policies to be followed in a diligent, consistent, and impartial manner. Wingify will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized persons as and when required.
This document details Wingify policies to ensure the protection of its information assets, and to allow the use, access, and disclosure of such information in accordance with appropriate standards, laws, and regulations.
All workforce members, customers, and third parties who use Wingify’s information processing facilities are required to comply with the Information Security policy of Wingify. All the existing Wingify policies, relating to personnel, administration, protection of confidential information, and other areas would apply equally to the information systems environment.
Wingify is committed to complying with all applicable regulations and law of the land in all locations and countries related to its operations and information processing.
The key regulation that is complied with includes laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.
The scope of this policy covers all information assets owned or provided by Wingify, whether they reside on the corporate network or elsewhere.
Information Security policies apply to all business functions of Wingify which include:
||Finance & Accounts
||Business Operations and Analytics
|Customer Success Management
||Security & Compliance
The Information Security policies apply to any person (employees, consultants, customers, and third parties), who accesses and uses Wingify information systems.
Wingify has established, implemented, maintained, and continually improved the Information Security Management System within the context of its overall business activities and risks it may face in accordance with the requirements of the ISO 27001:2013 standard. The ISMS processes used are based on the Plan, Do, Check, and Act (PDCA) model.
Plan (Establish the ISMS)
Wingify has established policies, related processes, objectives, and procedures relevant for managing risks and improving information security to deliver results in accordance with its overall policies and objectives. The Plan phase includes:
- Establishing the ISMS
- Defining the scope of ISMS
- Defining an ISMS manual
- Defining a systematic approach to risk assessment
- Identifying risks
- Assessing the risks
- Identifying and evaluating options for the treatment or risks
- Selecting control objectives
- Preparing a statement of applicability
Do (Implement and operate the ISMS)
Wingify has adopted and implemented procedures and processes to ensure compliance and adherence to the ISMS framework. Wingify management made all the necessary resources available to ensure implementation and operation according to the ISMS. The Do phase includes:
- Formulating a risk treatment plan
- Implementing the risk treatment plan
- Implementing controls
- Implementing training and awareness programs
- Managing operations
- Managing resources
- Implementing procedures and other controls for incident handling
Check (Monitor and review the ISMS)
The compliance team ensures regular and continuous monitoring by conducting periodic assessments, reviews, and audits of the Information Security policy of Wingify. The Check phase includes:
- Executing monitoring procedures and other controls
- Undertaking regular reviews of the effectiveness of ISMS
- Reviewing the risk of residual risk and acceptable risk
- Conducting internal ISMS audits
- Undertaking management review of ISMS
- Recording actions and events that could have an impact on the effectiveness or performance of ISMS
ACT (Maintain and improve the ISMS)
Continual improvement in the effectiveness of ISMS at Wingify is demonstrated through the use of Security Policy, Security Objective, Audit Results, Analysis of Data, Corrective and Preventive Actions, and Management Review. The Act phase includes:
- Maintaining and improving the ISMS
- Implementing identified improvements
- Taking appropriate corrective actions and preventive actions
- Communicating the results & actions, and agreeing with all interested parties
- Ensuring that the improvements help achieve their intended objective
4. Leadership and Commitment
Wingify is committed to security. The top management has constituted Wingify Corporate Security and Compliance Team, which is responsible for defining and improving the ISMS.
The top management has demonstrated leadership and commitment with respect to the information security management system by:
- Ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of Wingify
- Ensuring integration of ISMS requirements into Wingify’s processes
- Ensuring that the resources needed for ISMS are available
- Communicating the importance of effective information security management and of conforming to the information security management system requirements
- Ensuring that ISMS achieves its intended outcome(s)
- Directing and supporting persons to contribute to the effectiveness of ISMS
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility
The following is the information security management policy statement adopted by Wingify:
“Wingify is committed to ensuring integrity, confidentiality, availability, and security of its physical and information assets at all times for serving the needs and expectations of its interested parties both within organization and from external parties including clients, suppliers, regulatory, and governmental departments in line with its vision, mission, and values while meeting all legal, statutory, regulatory, and contractual requirements. Wingify’s information systems and the information and data they contain are fundamental for its daily operations and future success. Wingify will develop, implement, maintain, and continually improve policies, procedures, and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available to authorized persons as and when required.”
The Information Security measures include:
5.1. Governance and Organization Structure
Wingify has established a Corporate Security and Compliance Team (CSC) made up of key personnel whose responsibility is to identify areas of security and compliance concern across Wingify and act as the first line of defense in enhancing the appropriate security and compliance posture. This team reports to the CEO.
The team comprises the workforce who are knowledgeable in legal cross-regulation, policy, products, and IT, and are interested in ensuring five of the trust principles—confidentiality, integrity, availability, privacy, and security—with regard to data protection by law, compliance, and standards across Wingify. The CEO has assigned the responsibilities and authority to Data Protection Officer for overseeing and maintaining information security and compliance as per the standard and industry best practices.
The governance of these programs is performed by the Corporate Security and Compliance Committee, consisting of executives and other department heads from across Wingify.
5.2. Personnel Security
Wingify has established a formal sanctions policy and process for personnel failing to comply with established information security and compliance policies and procedures.
Wingify has established personnel security requirements, including security roles and responsibilities for third-party providers, and monitors provider compliance.
Wingify screens individuals requiring access to critical and production environment information and information systems before authorizing access. The only workforce with the highest clearance has access to our data center data. Workforce access is logged, and passwords are strictly regulated. We follow as needed basis access principles to production data to only a select few of these workforces who need such access to provide support and troubleshooting.
As per the established process, on termination of individual employment, Wingify terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated workforce that are stored on organizational information systems.
Wingify has developed a world-class practice for managing security and data protection risk.
Awareness and Training
All workforce members complete an annual information security and privacy awareness and training program.
As part of this program, additional role-based training is provided to the workforce, before they start handling sensitive and confidential information.
Information Security and Compliance Training Guide is provided as a quick reference guide to workforce members.
Training logs identifying the training class, attendee, and date are kept by the HR department.
5.3. Information Asset Management
5.4. Access Control
The access controls required to meet the security objectives of the Information Security policy. Access control management is paramount to protecting Wingify information resources and requires implementation of controls and continuous oversight to restrict access.
Confidentiality, Integrity, and Availability (CIA) are fundamental aspects of protection of systems and information, and are achieved through logical, physical, and procedural controls. It is vital for the protection of systems and information authorized users who have access to Wingify systems and information are aware of and understand how their actions may affect security and privacy.
The policy is organized into the following key sections which map directly to the ISO 27001 Access Control Domain security objectives:
- Business Requirements for Access Control
- User Access Management
- User Responsibilities
- Application and Application Access Control
- Mobile Computing and Teleworking
Access control is established by imposing standards for protection at the operating system level, at the Application level, and at the Database level. Access to Wingify computer systems will be based on the principles of “least privilege” and "need to know” and must be administered to ensure that appropriate level of access control is applied to users as well as system support personnel to protect Wingify information systems.
Administrative (also known as "root") access to systems is limited to Workforce Members who have a legitimate business need for this type of access. Administrative access to network devices is logged.
All access to Wingify systems and services are reviewed by CSC and updated on a quarterly basis to assure proper authorizations are in place commensurate with job
Access to electronically stored records containing personal information will be electronically limited to those workforces having an authorized and unique login ID assigned.
Where practical, all visitors who are expected to access areas other than common space or are granted access to office space containing personal information should be required to sign in at a designated reception area where they will be assigned a visitor’s ID or guest badge unless escorted at all times. Visitors are required to wear said visitor ID in a plainly visible location on their body unless escorted at all times.
Where practical, all visitors are restricted from areas where files containing personal information are stored. Alternatively, visitors must be escorted or accompanied by an approved person in any area where files containing personal information are stored.
Cleaning personnel (or others after normal business hours and not also authorized to have access to personal information) are not to have access to areas where files containing personal information are stored.
All computers with an Internet connection or any computer that stores or processes personal information must have a recently updated version of software providing virus, anti-spyware, and anti-malware protection, installed and active at all times.
Password Management: We have processes designed to enforce minimum password requirements for Wingify Service. We currently enforce the following requirements and security standards for end user passwords on Wingify Service:
Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
Multiple sign-ins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force sign-in, but not long enough to prevent legitimate users from being unable to use the application.
Email-based password reset links are sent only to a user's pre-registered email address with a temporary link.
Wingify prevents reuse of recently-used passwords.
5.5. Physical and Environmental Security
Our data centers are hosted in some of the most secure facilities available today in locations and use industry best practices that are protected from physical and logical attacks as well as from natural disasters, such as earthquakes, fires, and floods. Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security. Within our office premises, we employ a number of best industry-standard physical security controls.
5.6. Operational Security
5.7. Communication Security
Wingify has deployed an information technology network to facilitate its business and
make it more efficient for various risks. And establish management direction, principles, and standard requirement to ensure that the appropriate protection of information on its networks maintained and sustained. Few controls which in place to achieve the protection of exchanged information from interception, copying, modification, misrouting, and destruction as follow:
Network Controls: Wingify monitors and updates its communication technologies periodically with the goal of providing network security as per industry best practices cryptographic techniques are used to protect the confidentiality, integrity, and authenticity of sensitive and confidential information. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Infrastructure Controls: Wingify uses an Intrusion Detection System (IDS), a Security Incident Event Management (SIEM) system and other security monitoring tools on the production servers hosting the Wingify product service. Notifications from these tools are sent to the Wingify Security Team so that they can take appropriate action.
Secure Communication: All data transmissions to Wingify services are encrypted using TLS protocols, and we use certificates issued by SHA 256 based CA ensuring that our users have a secure connection from their browsers to our service. We use the latest and updated cipher suites Wingify Products are always communicated via HTTPS using Transport Layer Security (TLS), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
Wingify Product is always connected to the web-app via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
Retention and disposal guidelines for all business correspondence including messages, in accordance with the defined standard.
Segregation of the network shall be done by establishing V-LAN/ DMZ architecture. In either case, Testing, Production and Development environment shall be segregated as well.
Agreements have been established for the secure transfer of business information to external parties (such as customers, suppliers, and other interested parties).
The roles and responsibilities for management of network security shall be clearly defined, communicated and reviewed on a regular basis to ensure optimum operative effectiveness and necessary segregation of duties shall be done to attain the said objective.
5.8. System Acquisition, Development, and Maintenance
Wingify has established Software Development Lifecycle adopted for planning, requirement analysis, design, development, testing and maintenance of the product VWO Experience Optimization Platform. There are controls which in place to achieve the information security and data protection requirements as follow:
Wingify product security practices are measured using industry standard and methodologies security models. Wingify follows Agile methodologies for feature delivery and Scrum is used for new feature delivery. The SDLC for the Wingify Product services includes many activities to enhance security and privacy posture:
- Defining security and privacy requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments and Pen Test)
Wingify Product designs, reviews, and tests the software using applicable OWASP and CIS standards.
We use Definition of Done (DoD) to maintain the quality of deliverables, A clear and consistent Definition of Done is an effort to create an objective framework for quality. DoD provides a clear guideline to the team and to the stakeholders around exactly what needs to be done for each Story, Sprint, Release, and Task to ensure a consistent and sustainable quality of deliverables. It ensures transparency and quality fit for the purpose of the product and organization
Wingify Product code is stored in a Stash / Atlassian system hosted by most secure data centers facilities. Wingify adopts a strict, least access privileges principle for providing access to the code. Commits to production code are strictly reviewed, and approval is restricted to just two people (Chief Technical Officer and Lead Engineer), after passing Unit Testing and QA in Test and Staging.
Manual source code analysis on security-sensitive areas of code
The Wingify development team is trained on Open Web Security Application Project (OWASP) Secure Coding Practices and uses industry best practices for building secure apps.
Wingify takes the security of its systems seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps Wingify in ensuring the security and privacy of its users. Bugs can be reported through email at [email protected]
5.9. Third-Party Supplier
Wingify provides essential services and business functions which rely on IT solutions and applications contracted by third-party suppliers, which may be primary or subcontractors.
Wingify maintains the integrity and accuracy of its information to meet its goals and obligations, both to the business and to people. To ensure this, it is essential that information is secured in line with professional best practices as well as statutory, regulatory, and contractual requirements that maintain confidentiality, integrity, and availability of all information assets.
Wingify has established a formal Third-Party Supplier policy and put in place a procurement process so that contracts and dealings between Wingify and third-party suppliers have acceptable levels of data protection and information security in place to protect information (such as personal & company data) and maintain the confidentiality, availability, and integrity of information and are fit for purpose. Information security requirement will vary according to the type of contractual relationship with each supplier. There are a few controls in place to achieve protection of data, information, and information system as follows:
Information security and controls should be formally documented in a contractual agreement which may be part of or an addendum to the main commercial service contract.
Separate Non-Disclosure Agreement should be used where a more specific level of control over confidentiality is required.
Appropriate due diligence must be exercised in the selection and approval of new supplier before the contract is agreed.
The information security provisions in place at existing suppliers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary.
Access to Wingify, information should be limited wherever possible according to clear business needs.
Basic information security principles such as least privilege, separation of duties, and defense in depth should be applied.
Wingify will have the Rights to Audit the information security and privacy practices of the supplier and/or the subcontractor.
Supplier access to Wingify information resources is granted solely for the work contracted and for no other purpose.
The supplier must comply with all applicable data protection regulation, best practice standards, and agreements.
On termination of a supplier or supplier employee from the contract for any reason, the supplier will ensure that all sensitive and confidential information is collected and returned to Wingify or destroyed within 24 hours.
The security of information is fundamental to Wingify’s compliance with data protection legislation and a key focus in its ISO 27001 risk assessment, procurement, and management strategy.
Before contracting with a third-party supplier, it is incumbent upon Wingify to exercise due diligence in reaching as much understanding as possible of the information security approach and controls the company has in place. It is important that the documented “supplier due to diligence assessment" procedure is followed so that all the required information is collected and an informed assessment can be made.
All Wingify contracts will clearly define each party’s data protection and information security responsibilities toward the other by detailing the parties to the contract, effective date, functions or services being provided (such as defined service levels), liabilities, limitations on use of subcontractors and other commercial/legal matters normal to any contract.
The processing must be governed by a contract in writing between the controller and the processor, setting out the following:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects involved
- Obligations and rights of the controller and processor
5.10. Reporting Security and Privacy Breaches
Wingify has a Security Incident Response Plan designed to promptly and systematically respond to security, privacy, and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. Security Incident Response Policy & Procedure has become an important component of Wingify Information Security programs.
The primary focus of the plan is detecting, analyzing, prioritizing, and handling security incidents.
Wingify follows policies and procedures to detect, respond to, and otherwise address security incidents including procedures to:
- Identify and respond to suspected or known security incidents followed by mitigating their harmful effects and documenting these incidents along with their outcomes.
- Restore the availability or access to Customer Personnel.
- Retrieve data in a timely manner.
Notice: Wingify agrees to provide a prompt written notice within the time frame required under Applicable Data Protection Law(s) to a customer’s Designated POC if it knows or suspects that a security incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for the customer to comply with its own notification obligations to regulatory authorities or individuals affected by the security incident.
Under no circumstances should a user attempt to resolve any security and privacy breach on their own without first consulting the Wingify DPO. Users may attempt to resolve security and privacy breaches only under the instruction of, and with the express permission of the DPO.
5.11. Business Contingency and Disaster Recovery
Wingify has established a formal business contingency management (BCM) plan and a Disaster Recovery Plan (DRP) to minimize downtime of the critical business process, and recovery within required and agreed business timescales in the event of a disaster. Wingify has also created a clearly defined framework for the ongoing management of the BCM activities and provide guidelines for the development, testing, maintenance, and implementation of business continuity plans.
Wingify defined two categories of systems from the disaster recovery perspective:
Critical Systems: These systems host application servers and database servers or are required for the functioning of systems that host application servers and database servers. These systems, if unavailable, affect the availability of data and must be restored, or have a backup process to restore these, immediately on becoming unavailable.
Non-Critical Systems: These systems include the ones that are not considered most critical. These systems, while they may affect the performance and overall security of critical systems, do not prevent critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.
Backup: To prevent data loss due to human error, our application databases are backed up every hour in an automated fashion.
Data Replication: Our customer and application databases are timely replicated on backup servers along with our CDN servers which are geo-redundant.
Location: We store customer data in a secure data center at an offsite location in the US.
Internet Redundancy: Wingify is connected through multiple Tier-1 ISPs. So, if anyone fails or experiences a delay, you can still reliably get to your applications and information.
DRP is tested on a half-yearly basis; and the results are documented, and revisions are made, as necessary.
Wingify has established a formal Compliance Policy and Procedure which addresses aspects of compliance required to be adhered to and fulfilled with respect to Wingify’s Information Security Policies. This policy also addresses the legal and compliance requirements pertaining to relevant statutory legislation, and contractual and regulatory obligations which Wingify is supposed to adhere to in order to protect its documents, records, and assets, thereby preventing the misuse of information processing facilities. Such efforts would help Wingify establish, maintain, and sustain the desired information security and privacy posture aligned with the Wingify strategic business plan, based on the best practices, standards, and principles.
Wingify is committed to and conducts its business activities lawfully and in a manner that is consistent with its compliance obligations. The Legal and Regulatory Compliance (Compliance Policy) establishes the overarching principles and commitment to action for Wingify with respect to achieving compliance by:
- Identifying a clear compliance framework within which Wingify operates.
- Promoting a consistent, rigorous, and comprehensive approach to compliance throughout Wingify.
- Developing and maintaining practices that facilitate and monitor compliance within Wingify.
- Seeking to ensure standards of good corporate governance, ethics, and community expectations.
- Engendering a culture of compliance where every person within Wingify accepts personal responsibility for compliance, and acts ethically and with integrity.
Wingify has been identifying all relevant regulatory and legislative requirements as per its contractual requirements and organization’s operational requirements and defining, documenting, and updating it on a regular basis.
All records, as mandated by statutory/legal/regulatory authorities in India or of foreign origin, for which Wingify is responsible for compliance, will be protected from intentional or unintentional damage through natural causes.
The retention limit of statutory records will be as mandated by the applicable legislation. However, for business records/documents, the business group heads and or HODs shall determine the retention limit with justification.
Wingify will always seek to protect the privacy of the personal information of its customers, employees, and third parties with whom Wingify has signed the third-party agreement. Divulging of facts will be done only in keeping with statutory/contractual/regulatory/legal requirements. Such information will always be protected from getting misused, leaked, or falsified or traded with any interested party knowingly or unknowingly.
Where logs are required to be maintained as per contractual/regulatory/statutory/legal requirement, these will be maintained for a specified duration.
Data or records that are no longer required for business, legal, and/or regulatory purpose will be disposed of securely.
Legal restrictions on the use of assets in respect of which there are IPRs (such as copyright, software license, trademarks, design rights, and others) will be complied with.
Intellectual Property Rights of software programs, documentation and other information generated by or provided by Wingify users, consultants, and contractors for the benefit of Wingify, will be the property of Wingify.
Intellectual Property Rights will be included in all contracts.
Relevant statutory, regulatory, and contractual requirements for Wingify ’s information assets will be defined explicitly. Such requirements will include, but are not limited to:
- Information Technology Laws (IT Act 2008/2011 Amended)
- Software Licensing Requirements
- Intellectual Property Rights (IPR) Laws
- Labor and General Employment Laws
- Health and Safety Laws
- Environmental Laws
As part of the information security audits by independent consultants or body, the appropriate confidentiality and non-disclosure agreements will be signed with them. And any access granted to the external shall be restricted immediately after completion of the audit.
Compliance requirements are used to enforce a minimum level of security and privacy within Wingify. These are by no means a “finish line” for security and privacy. The primary compliance standards will be:
- EU GDPR
- ISO 27701:2019
- ISO 27001:2013
Information Security Program: Wingify agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data, Employee and third-parties data, as required by the Applicable Data Protection Law(s). Further, Wingify agrees to regularly test, assess, and evaluate the effectiveness of its Information Security Program to ensure the security of the Processing. Wingify has comprehensive privacy and security assessments and certifications performed by regulatory or third parties. Such certifications include ISO 27001: 2013, ISO 27701: 2019 certifications.
Any workforce member found to have violated this policy may be subject to disciplinary and/or legal action according to the Sanction policy.
Please feel free to ask questions and share concerns with us at [email protected]