
Information Security Checklist

Purpose

This checklist is designed to ensure that the product meets the necessary security and compliance requirements for our clients, particularly in regulated industries. It serves as a guide for both internal teams and clients to understand the security posture of the product.


1. Architecture & Deployment

  • Deployment model defined (Public Cloud / Private Cloud / On-Prem / Hybrid)
  • Environment isolation for multi-brand/multi-client scenarios
  • Data residency locations identified and compliant with client/regulatory requirements
  • Scalability plan for multi-market, multi-brand usage

2. Data Security

  • Data encryption at rest (e.g. AES-256)
  • Data encryption in transit (e.g. TLS 1.2+)

3. Identity & Access Management

  • Role-Based Access Control (RBAC) implemented
  • Fine-grained access controls (e.g. brand/category-specific rules)
  • Immutable audit logs enabled for all user and asset activity
  • SSO integration supported (e.g. Azure AD, Okta, SAML 2.0)
  • Multi-Factor Authentication (MFA) enforced
  • Secure user provisioning and deprovisioning process
  • Admin activity and access logging in place
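As an added illustration of the fine-grained access control and immutable audit log items above (example code written for this page, not code from any product the checklist describes; the roles, brands, users, grant scopes and the SHA-256 hash-chaining scheme are all constructed assumptions), the following shows a brand-scoped RBAC decision point whose every allow and deny decision is appended to a tamper-evident log:

```python
"""Brand-scoped RBAC plus a hash-chained audit log (constructed example)."""
import hashlib
import json
from dataclasses import dataclass

# Role -> set of (action, scope) grants. Scope "*" means any brand; scope
# "brand" means only brands the user is assigned to. Constructed sample policy;
# a real deployment would load this from its IdP or policy store.
ROLE_GRANTS = {
    "viewer":       {("asset.read", "*")},
    "brand_editor": {("asset.read", "*"), ("asset.write", "brand")},
    "mlr_reviewer": {("asset.read", "*"), ("asset.approve", "brand")},
    "admin":        {("asset.read", "*"), ("asset.write", "*"),
                     ("asset.approve", "*"), ("user.manage", "*")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    brands: frozenset  # brands this user is assigned to


def is_allowed(user, action, brand):
    """Fine-grained check: a role must grant the action, and a "brand"-scoped
    grant applies only to brands the user is assigned to."""
    for role in user.roles:
        for granted_action, scope in ROLE_GRANTS.get(role, ()):
            if granted_action != action:
                continue
            if scope == "*" or brand in user.brands:
                return True
    return False


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous
    entry, so editing or deleting any entry breaks every later hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, brand, allowed):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "brand": brand, "allowed": allowed, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first tampered entry, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return i
            prev = entry["hash"]
        return -1


def authorize(log, user, action, brand):
    """Decision point that records allow *and* deny decisions in the log."""
    decision = is_allowed(user, action, brand)
    log.append(user.name, action, brand, decision)
    return decision


def demo():
    """Run a few decisions, then simulate someone rewriting a denied decision."""
    log = AuditLog()
    alice = User("alice", frozenset({"brand_editor"}), frozenset({"brandA"}))
    bob = User("bob", frozenset({"mlr_reviewer"}), frozenset({"brandB"}))
    results = [
        authorize(log, alice, "asset.write", "brandA"),    # True: own brand
        authorize(log, alice, "asset.write", "brandB"),    # False: other brand
        authorize(log, bob, "asset.approve", "brandB"),    # True: own brand
        authorize(log, bob, "asset.approve", "brandA"),    # False: other brand
        authorize(log, alice, "asset.read", "brandB"),     # True: read is global
    ]
    intact = log.verify()               # -1: chain verifies
    log.entries[1]["allowed"] = True    # after-the-fact edit of a deny
    tampered = log.verify()             # 1: first broken entry
    return results, intact, tampered


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the checklist items: denials are logged as well as grants, because a reviewer investigating misuse needs the failed attempts, and the chain head hash should be stored somewhere the application cannot rewrite (for example shipped to a separate log sink) so that an attacker who can rewrite the whole log cannot simply recompute it.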

4. Compliance & Regulatory Alignment

  • Aligned with ISO 27001 / SOC 2 Type II (or roadmap in place)
  • GDPR, CCPA, HIPAA compliance (as applicable)
  • 21 CFR Part 11 compliance for regulated industries (if relevant)
  • MLR (medical, legal, regulatory) review workflow controls in place (e.g. mandatory approvals, time stamps, reviewer logs)
  • Document retention policy defined and configurable

5. Application Security

  • Regular vulnerability scans (static + dynamic analysis)
  • Third-party penetration testing performed
  • Secure coding practices in place (OWASP Top 10 mitigated)
  • DevSecOps integrated into development pipeline

6. Third-party & Subprocessor Management

  • Inventory of all third-party tools and services
  • Risk assessment completed for each subprocessor
  • Data Processing Agreements (DPAs) in place
  • Subprocessor locations and access reviewed

7. Business Continuity & Disaster Recovery

  • Disaster Recovery Plan (DRP) documented
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined
  • Backups regularly taken and encrypted
  • Incident Response Plan documented and tested

8. Client-specific Governance & MLR Controls

  • Brand/region-level data segmentation supported
  • Custom approval workflows configurable per client/brand
  • PoC tracking and reporting dashboards available
  • Asset-level compliance history tracked (versioning, approvals, amendments)

9. Audit & Reporting

  • Detailed logs exportable for client audits
  • Reports available on user actions, compliance status, and SLA adherence
  • System access reports (logins, roles, permission changes)

10. Security Awareness & Enablement

  • Internal teams trained in secure data handling and development practices
  • Client-facing teams briefed on ISR posture and processes