Winware offers survey capabilities so that its customers can capture feedback from the customer’s users on an opt-in basis. Users who opt-in to a survey share their Name, Email, survey responses and potentially their social media information so that Winware can match survey responses to specific users and sales activities in its customers CRM tool or on Winware's backend. Winware stores all event data on Google Cloud. Data is encrypted both at rest and in transit. Winware also offers access to 3rd party panel providers for the purposes of getting responses to surveys.
Your data is secure with Winware. We use industry-standard best practices to provide a highly safe and secure product.
Winware is certified by a 3rd party auditor as compliant with SOC2 Type II and GDPR requirements. Please contact privacy@winware.ai for documentation.
Winware’s customers have the option to integrate Winware with it’s CRM or other marketing tools to pass all user survey data directly to the those other platforms. Winware is NOT recieving data from the customer's CRM, only passing information into the CRM.
Winware had defined and communicated to its employees the requirements for acceptable use of Winware's resources in order to mitigate the risk of unauthorized access to Winware equipment, as well as use and modification of information assets. These include a clear desk and clear screen rules, data handling requirements, password maintenance, equipment security, and breach reporting/incident notification.
a. Winware information must be handled in compliance with the information security policy.
b. Actual or suspected information security incidents must be reported without delay in compliance with Winware information security incident section of this policy.
a. Winware assets (e.g., laptops, desktops, internet connection, data, and software) must only be used for approved purposes.
b. Reasonable use of Winware systems is permitted, providing it does not interfere with the employee’s work for Winware.
c. Personal use of Winware information of any type or classification except for Public information is prohibited.
a. Winware provides email to facilitate the company’s business needs and interests. Email must be used in compliance with Winware's Information Security policy. All-Access to email messages must be limited to authorized personnel.
b. Winware users must exercise caution when opening unsolicited attachments, phishing emails, and web links from both known and unknown sources.
a. Winware internet must not be used to visit sites that contain pornographic, obscene, indecent, hateful, or other offensive material, visit hacker sites or breach copyright legislation.
Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes.
a) Each user of Winware information resources must have a uniquely assigned user account to allow them to access information resources. This user account is not shared and directly ties to an individual to support accountability;
b) User’s access to information resources must be requested, approved, and granted through a standard documented request and approval process.
c) User’s account information must not be divulged to any other person without a documented reason that has been approved by management per the requirements listed in the information classification and handling section of this document.
d) Accounts that are inactive for a maximum period of 90 consecutive days must be disabled. Any exceptions must be authorized and documented appropriately.
e) Notifying the IT&SD Department of the transfer, resignation, or termination of any staff member under the supervisor’s supervision. A staff member’s access to Winware’s information system will be disabled on the date of the staff member’s termination or resignation, or if necessary for other reasons in the judgment of Winware’s Vice President of IT&SD.
Winware employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Employees have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.
Winware recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration, or destruction of such data. For this purpose, Winware implements industry-standard security controls and maintains a comprehensive security program
Winware has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted periodically and identified risks are mitigated according to risk severity and business priorities.
Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to Winware's employees, premises, system, and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies, and procedures implemented are commensurate with the risks and particular legal, regulatory, or contractual requirements associated with each facility.
Winware maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process, or host Winware data or have access to Winware network and systems.
a. All third-party must adhere to the following information security requirements who have access to confidential or restricted information.
i. A non-disclosure agreement (NDA) must be in place before Winware Internal, Confidential or Restricted information is disclosed to the third party.
ii. Reasonable steps must be taken to obtain assurance that appropriate security controls are in place at the third party. These steps must be taken regularly in line with the risk associated with sharing data with the third-party.
iii. An inventory of all third parties with access to Winware information must be maintained.
iv. Contracts with the third party must be signed before any third party is provided access to Winware information.
v. A reassessment of the third party’s security controls must be considered in the case of a change to the data classification or frequency of data shared with the third party.
vi. At the termination of a contract:
1. Winware information assets must be returned, retained, transferred or securely destroyed.
2. Physical and logical access to Winware's information assets and facilities must be revoked.
Winware has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.
a. Winware management is committed to building and maintaining an incident management program in order to support the organization’s business mission, protect its customer data and services, and protect Winware proprietary information, systems, services, facilities, and people.
i. Changing the configuration of, removing, de-activation or otherwise tampering with any malware software that has been installed on systems is only allowed for authorized users.
ii. All incidences of malware or virus must be reported immediately to Winware management. The infected system must be isolated as soon as possible from the network infrastructure and handled.
iii. Any actual or suspected information security incidents must be reported to Winware management as soon as they are suspected.
iv. Information security incidents must be managed in accordance with defined Incident Management standards, comply with applicable local legal and regulatory requirements, designate specific people to be available to respond to alerts, and be supported by tools and procedures.
v. Information security incidents must be reviewed to determine common factors, patterns, and trends, understand the costs and impact and assess the effectiveness of controls
Winware utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.
a. A business continuity plan (BCP) must be documented and reviewed once a year. Components of the documented plan must include:
i. Acceptable recovery time frames (e,g., Recovery point objective (RPO), and Recovery time objective (RTO))
ii. Roles and responsibilities of key team members
iii. The BCP must be based on a Business Impact Analysis (BIA).
b. Both fallback and resumption-related emergency procedures must be defined to allow for both temporary measures and full resumption as required.
c. The documented plan must be tested regularly.
i. Testing may involve, but may not be limited to, discussion, simulation, technical recovery testing, or complete rehearsals.
d. Updates to the business continuity plan must be disseminated on a timely basis.
i. Winware will conduct a business impact analysis (BIA) in order to identify the criticality of its assets, facilities, and processes. The BIA will be reviewed regularly for currency and accuracy.
i. Winware will identify areas in which it requires redundancy in order to maintain its business objective for availability and provide adequate resources to support that level of redundancy and future capacity needs.
Here at Winware, we review all reports of security vulnerabilities seriously. To report a vulnerability in one of our products or solutions, please contact our Computer Security Incidents Response Team (CSIRT) at support@winware.ai.