Security & Compliance FAQs

Our company maintains a formal process to scan all code for vulnerabilities both (a) prior to production release and (b) periodically thereafter. This process includes automated static and dynamic analysis tools, dependency and third-party library scanning, and manual code reviews where appropriate. Identified vulnerabilities are tracked, prioritized, and remediated according to our secure software development lifecycle (SDLC) policies to ensure code security throughout the software lifecycle.

Specific code scanning practices for vulnerabilities include:

1. Software Composition Analysis (SCA): We scan third-party and open-source libraries to identify known vulnerabilities and ensure the security of all dependencies.
2. Static Application Security Testing (SAST): We analyze source code for security flaws prior to compilation or execution, enabling early detection and remediation of issues.
3. Dynamic Application Security Testing (DAST): We test running applications to identify vulnerabilities that may only appear during execution or in the production-like environment.
4. Manual Code Review: Our developers perform targeted, manual reviews of code to identify security issues that automated tools may not detect.

Our company currently has no vulnerabilities published in the National Vulnerability Database (https://nvd.nist.gov/vuln/search). We continuously monitor and regularly review the NVD and other security sources to proactively identify and address any potential vulnerabilities, ensuring the ongoing security and integrity of our products and services.

Full independent Web Application Penetration Test (WAPT) reports are maintained for internal security and risk management purposes only. This report contains sensitive security findings and is not available for customer inspection or distribution.

Customer-conducted web application penetration testing of the services in scope may be permitted only with at least thirty (30) days prior written notice of the proposed testing schedule or event. Such testing is subject to Impressionwise’s sole discretion to approve the timing, scope, and methodology of the testing. Approval may be withheld or conditioned as deemed necessary by Impressionwise to protect its systems, data, and operations. All testing must be conducted in non-production environments and in accordance with any additional terms communicated by Impressionwise.

Our organization maintains formal policies, standards, and procedures to identify, assess, and manage cyber supply chain risks. These measures ensure that all software, hardware, and third-party components used in our products and services are evaluated for potential security risks and mitigated according to established procedures, thereby protecting the integrity and security of our offerings.

Our company maintains a comprehensive Software Bill of Materials (SBOM) in accordance with https://www.cisa.gov/sbom for all software products, including all third-party and open-source components. The SBOM is regularly updated to track component integrity and address potential vulnerabilities, ensuring supply chain security and compliance with industry standards.

Our company does not participate in public or private bug bounty programs for the products or services in scope for this relationship. Security testing is conducted internally and through authorized independent assessments only.

Our company follows industry-recognized frameworks, specifically the CIS (Center for Internet Security) Benchmarks, to configure and harden IT systems, end-point devices, networks, and software. These benchmarks found at https://www.cisecurity.org/cis-benchmarksguide our secure configuration practices and help ensure that all systems are consistently hardened according to recognized best practices.

Our company employs an automated Security Information and Event Management (SIEM) system to collect, review, and correlate logs and behavioral events across IT systems, applications, and network devices. Security events related to scoped systems and data, including hosted environments, are **monitored continuously 24x7x365**, enabling real-time detection of anomalies or potential security incidents and supporting timely investigation and response in accordance with our security policies and procedures.