Security Governance
- Governance / Audits
- Do you have a security policy, is this policy enforced?
- Do you perform yearly compliance audits?
- Do you perform routine pentests?
- Did you already suffer security breaches / data loss?
- What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?
- Would a third party be allowed to perform a functional or technical security audit of your service?
- Reversibility
Do you have a security policy, is this policy enforced?
We follow secure development practices, including:
- Using HTTPS for all domain entries
- Using only current encryption and hashing algorithms
- Disabling directory listing
- Not storing sensitive data in cookies
- Enforcing a strong password policy
- Not storing sensitive information in a form's hidden fields
- Validating file upload functionality
- Setting secure response headers
- Keeping third-party libraries patched and up to date
- Hiding web server information
- Any further hardening that is practicable
Please see our full Staffwise Data Security Policy
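To make the "secure response headers", cookie and "hide web server information" items above checkable rather than aspirational, here is an added example (not Staffwise's or Detectify's own code) that runs the corresponding checks over a set of HTTP response headers. The two header samples are constructed for the demonstration; the one-year HSTS threshold and the list of sensitive cookie-name fragments are assumptions you can adjust.

```python
"""Check HTTP response headers against the hardening items listed above:
HSTS, secure response headers, cookie flags and sensitive cookie contents,
and leaked web-server version information.

Added example, not Staffwise or Detectify code. Runs offline on constructed
header samples; replace HARDENED/WEAK with the output of `curl -sI https://host/`.
"""
import re

# Assumption: cookie names containing these fragments are treated as carrying sensitive data.
SENSITIVE_COOKIE_KEYS = ("password", "passwd", "pwd", "token", "ssn", "card")
# Assumption: one year is the minimum acceptable HSTS max-age.
HSTS_MIN_SECONDS = 31536000


def parse_headers(raw: str):
    """Parse 'Name: value' lines into (lower-cased name, value) pairs.
    A list is kept instead of a dict because Set-Cookie may repeat."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or junk
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def get(pairs, name):
    """All values for a header name (possibly several)."""
    return [v for n, v in pairs if n == name]


def check_headers(raw: str):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse_headers(raw)
    findings = []

    # HTTPS is only enforced for returning browsers if HSTS is set with a long max-age.
    hsts = get(pairs, "strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < HSTS_MIN_SECONDS:
            findings.append("HSTS max-age below one year")

    csp = " ".join(get(pairs, "content-security-policy")).lower()
    if not csp:
        findings.append("missing Content-Security-Policy")
    if [v.lower() for v in get(pairs, "x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not get(pairs, "x-frame-options") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # "Hide web server information": a bare product name is tolerated, a version string is not.
    for banner in get(pairs, "server") + get(pairs, "x-powered-by"):
        if re.search(r"\d+\.\d+", banner):
            findings.append(f"server information leaks a version: {banner!r}")

    # Cookies: no sensitive data in the name, and Secure/HttpOnly/SameSite present.
    for cookie in get(pairs, "set-cookie"):
        name, _, rest = cookie.partition("=")
        attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
        if any(k in name.lower() for k in SENSITIVE_COOKIE_KEYS):
            findings.append(f"cookie {name!r} looks like it carries sensitive data")
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name!r} lacks {flag}")
    return findings


# Constructed samples, not captured from any real host.
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Set-Cookie: session=opaque-id; Path=/; Secure; HttpOnly; SameSite=Strict
Server: nginx
"""

WEAK = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: password=hunter2; Path=/
"""

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_headers(sample) or "all checks passed")
```

The hardened sample produces no findings; the weak sample produces ten (missing HSTS, CSP, nosniff and clickjacking protection, two leaked version banners, and a cookie that both looks sensitive and lacks all three flags).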
Do you perform yearly compliance audits?
We are currently undertaking ISO 27001 certification. Proof of engagement can be supplied on request.
We review all our policies at least once a year: https://staffwi.se/policies
Do you perform routine pentests?
Traditional penetration tests carried out by humans once a year provide a snapshot of security posture at a single point in time, but they have fundamental limitations for a platform that changes continuously:
- Scalability
- As our platform grows, the volume of features and integrations increases. Scaling manual tests to that level would be cost-prohibitive.
- Detectify scales seamlessly, running the same depth of checks regardless of system complexity.
- Human Fatigue vs. Automation
- Humans can miss issues due to oversight, time pressure, or out-of-date knowledge.
- Detectify combines automated scanning with input from a global ethical hacking community. When a new exploit is discovered in the wild, Detectify integrates it into its test suite far faster than an individual consultant can adapt.
- Frequency
- With regular feature releases, an annual test becomes outdated almost immediately after the next update.
- Detectify provides ongoing weekly automated penetration testing, so every new release is covered, not just those aligned to the calendar.
- Coverage & Consistency
- A manual tester is constrained by time, scope, and individual expertise. Even the best human cannot test every vector exhaustively in a short engagement.
- Detectify runs hundreds of automated checks every week, covering OWASP Top 10 vulnerabilities and beyond, ensuring consistency that human testers can’t match.
Because we roll out new features rapidly, we run automated penetration tests every week, so any new code or configuration is tested against current threat vectors within a week of release.
See our latest Detectify report, which delivers real-time scoring and detailed findings. The one Medium finding you will notice is expected and relates to client flexibility: our platform allows multiple subdomains with controlled data flow between them, which Detectify flags by design.
Detectify strives to be at the bleeding edge of web application security. It performs automated penetration tests against web applications based on the OWASP Top 10, fingerprinting of content management systems, and the latest trends in vulnerability research. More information can be found on their website: https://detectify.com
Staffwise has the lowest possible threat score of 0, and a perfect 10/10 for the OWASP Top 10:
This score reflects Staffwise passing each item of the OWASP Top 10 (2017 edition) below:
- A1. Injection
- Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- A2. Broken Authentication
- Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
- A3. Sensitive Data Exposure
- Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
- A4. XML External Entities (XXE)
- Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
- A5. Broken Access Control
- Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, or changing access rights.
- A6. Security Misconfiguration
- Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
- A7. Cross-Site Scripting (XSS)
- XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- A8. Insecure Deserialization
- Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
- A9. Using Components with Known Vulnerabilities
- Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
- A10. Insufficient Logging and Monitoring
- Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
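A1 Injection is the category where the difference between a pass and a fail is most visible in code, so here is an added example, not code from Staffwise or Detectify, showing the same login query written the vulnerable way and the parameterised way against an in-memory SQLite database. The table, the users and the two attacker payloads are constructed for the demonstration.

```python
"""A1 Injection on a login query: string formatting next to the parameterised fix.

Added example, not Staffwise or Detectify code. The schema, the users and the
attacker payloads are constructed for this demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed users (plaintext passwords only
    to keep the injection visible; a real system stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is spliced into the query text, so attacker data becomes SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Placeholders send the values separately; the interpreter never parses them as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# Constructed payloads: a tautology in the password, and a comment that drops the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo():
    """Run both implementations with a valid login and with the two payloads."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "bob", "battery staple"),
        "valid_safe": login_safe(conn, "bob", "battery staple"),
        # AND binds tighter than OR, so the WHERE clause becomes true for every row
        # and the first row (alice, admin) is returned without a valid password.
        "tautology_vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY),
        "tautology_safe": login_safe(conn, "alice", TAUTOLOGY),
        # '--' starts an SQL comment, so the password condition is never evaluated.
        "comment_vulnerable": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "comment_safe": login_safe(conn, COMMENT_OUT, "anything"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

With the vulnerable query both payloads return the admin role; with placeholders they return nothing, while the legitimate login behaves identically in both versions. The fix is the query shape, not input filtering: a reject-list for quotes would still miss payloads that use other syntax.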
If you are not familiar with the OWASP Top 10, see the OWASP Top 10 project page: https://owasp.org/www-project-top-ten/
A full recent report is available upon request.
Did you already suffer security breaches / data loss?
No
What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?
Would a third party be allowed to perform a functional or technical security audit of your service?
Yes
Does the contract describe a reversibility plan / handover plan / step-in rights?
You would have constant 24-hour access to the web portal to view and retrieve your data in real time as it is submitted from the tablet or mobile devices. You can download it as CSV or XLSX at any time.