Security Policies
We are working with external vendors to both assess the current state, and put documentation, data transfer contracts, training and procedures in place as required. At Small Improvements, our policy is that our Security Lead leads the effort, but everyone at the company is responsible for Information Security.
We have security policies in place to address:
Devices
Passwords
Encryption
Limiting access to data and admin accounts
Guarding against attacks
A protocol for responding to incidents (including a “drop everything” priority)
These security policies are reviewed yearly. We are currently working on developing a formal Information Security Program as part of our GDPR preparation.
Every new employee needs to sign our data privacy policy, is informed about our security policy and best practices, and is instructed to remain alert to social engineering attacks. We frequently share news and updates about security best practices internally, and every employee who works on the actual code base or has administrative access frequently works on security improvements themselves.
Recurring training is being developed as part of our GDPR prep.
To ensure our information security policies are complied with, the development team has several safeguards in place to ensure high code quality, to minimize the risk of security vulnerabilities, and to spread security awareness among all developers.
All non-trivial code is reviewed by at least one other developer through the use of “pull requests”. In addition to this, we have weekly developer exchange meetings, where code is shown to and discussed with the whole development team from both a code quality and a security perspective. We also have bi-weekly security meetings, which are entirely focused on resolving any known security issues and discussing any improvements we can implement to keep our application secure.
We also have a HackerOne program that runs continuously, in which external security researchers identify and report issues. Employees who violate these policies and procedures are subject to standard disciplinary action, including the option to terminate the employment contract. In addition, we are developing a Code of Conduct as part of our GDPR preparation.
Security Measures
Access to our physical premises is restricted to employees. All machines and storage devices are encrypted. Our software and customer data are hosted on Google Cloud, so Google’s security measures apply. When employees work remotely, VPN connections are used and firewall usage is mandatory.
To guard against IT vulnerabilities, staff are responsible for keeping their own devices up to date. We cover this during onboarding. In addition to this, we inform everyone about high-profile vulnerabilities using Slack. Our application and data are hosted on Google App Engine and Google Cloud. Google ensures that the infrastructure is kept secure, and that systems and media used for data storage are destroyed securely. See https://cloud.google.com/security/ for more information.
Locally, we perform network security testing and require encryption of all storage devices and computers.
To protect access to data we use 2FA where available and give each account a unique ID. Our policy is to grant as few people as possible access to admin accounts that can reach sensitive data, strictly on a need-to-know basis. We revisit access levels regularly and choose the minimum levels possible. All storage devices and computers need to be encrypted. No personal data is stored on local computers unless specifically required for troubleshooting a customer issue, and it is removed immediately afterwards.
On our servers we encrypt all sensitive textual content using AES-256, and hash passwords using bcrypt. In terms of external audits and review, we underwent a successful audit by Security Compass in 2017, we use Google’s security analysis tools, and we are continuously under review as part of our HackerOne program.
Incident Management
While we do not have a formal Cyber Security Program, we do continuously assess risks across all areas of cyber security, as they are essential to our business success. Both a security breach (hacking our systems and stealing information) and a data protection breach (providing access to personal information that should be confidential) are our key security risks and are addressed with this priority.
Training our staff happens in our internal developer exchange forum and by attending conferences. In addition, we have developed onboarding material for staff as part of our GDPR preparation.
We have a cyber security incident response plan (IRP) in place that clearly defines the actions to be taken, how the incident is reported internally, and which events trigger its use, including their priority. Any report of a potential breach of security or exposure of private data is treated with a “drop everything” critical priority, and as a small company, everyone including our CEO is involved immediately.
We aim to inform any company affected, or at risk of being affected, within 8h. We run postmortems on any incident, whether infrastructure- or security-related.
We have so far experienced no successful cyber attacks.
Business Continuity and Disaster Recovery
We host in Google’s infrastructure, so Google’s measures to protect continuity and recovery apply. Our data backups are stored in independent services and data centers, allowing for higher resilience.
Data Protection
Our take is that every single team is responsible for data protection, not just our Data Protection Officer. In the process of preparing for GDPR we’re extending our current policies and training protocols to create a formal Data Protection Program.
Privacy Policies
We currently employ a Privacy Policy/Obligation to Data Secrecy according to German law that all employees need to sign, which binds them to maintain the confidentiality of all personal and private data. Violations can result in fines and imprisonment. From a technical perspective, code reviews, quality assurance, and external auditing verify that the product holds up to our standards. In addition, we are developing a Code of Conduct as part of our GDPR preparation.
Data Access
To ensure data is only accessible on a need-to-know basis, we have internal role-based permissions that restrict access to only those who need to be able to access a given set of information. We review the role and group membership of staff on an ongoing basis, and also each time we hire or off-board a person.
Access to functionality like large-scale exports within our tool is only available to existing users with the role of HR Admin, and must be made available manually by our Customer Success team.
Data Transfer and Hosting
We work with a number of subprocessors to provide our services, listed here.
We only work with highly respected vendors that have been in the business for years and have a good track record regarding server uptime and reliability, breaches, and overall good business behaviour. For each use case we make sure to share only the least possible amount of data needed to achieve our business goals, and we have GDPR-compliant data processing agreements in place.
We usually host data and our application in US-based Google data centers, but can also host them in an EU Google data center if requested by the customer.
Internally, Small Improvements consists of two entities: the parent company “Small Improvements Software GmbH”, which is based in Berlin, Germany, and its 100% subsidiary “Small Improvements, Inc.”, based in Delaware, USA. The servers and the database are managed by the Berlin staff, and our US-based support staff also get access to customer data in order to troubleshoot customer problems. GDPR-compliant data processing agreements are in place for this.