Security

Contact: [email protected]
Last updated on February 9, 2022


Our Promise

  • Compete values its customers’ data and is therefore committed to ensuring that its services remain secure and trustworthy.
  • The security controls that Compete uses to protect your data vary based on the sensitivity of the information that it collects, processes and stores, as well as the current state of technology advancements.
  • We understand that trust and security are extremely important to you and your business, and we take measures to protect them seriously.
  • In order to safeguard Compete’s information in accordance with these principles, effective security controls, practices and procedures are implemented at all levels across our infrastructure and products.
  • Compete has appointed a CISO to be a key part of the company’s executive team at a very early stage. This unusual step was taken to ensure a security-first approach and to assure the security and trust of its customers’ data.

Secure Development

  • Compete is an agile company. It has defined a software development process that is adaptive to an ever-changing and competitive market environment.
  • New staff across the company are trained in Secure Software Development LifeCycle (SSDLC) practices.
  • New product initiatives are reviewed by the security team according to SPbD (Security and Privacy by Design) concepts at the design phase.
  • System code is tested against known vulnerability classes (e.g., the OWASP Top 10).
  • Existing core systems and infrastructure are tested for security vulnerabilities periodically. In some instances testing is conducted by automatic scanners as well as manually by external independent parties.
  • Compete runs a Security ‘Bug Bounty’ Program. Researchers who have found a vulnerability may submit a bug according to the policy of the program through: [email protected]

Encryption and Anonymization

  • Compete uses aggregated, anonymized data for all benchmarking.
  • This anonymization and aggregation process prevents us from knowing or exposing the sources of the data. The generalization and aggregation algorithms prevent any data point from being linked to any of our customers. Furthermore, benchmark results are presented as percentiles and do not disclose any other details about the underlying data points.
  • All data is encrypted in transit and at rest by dedicated encryption keys.
  • The customer’s company name is removed from the raw data to increase privacy by adding another layer of anonymity.
  • All customer data resides in its own schema, encrypted by a unique key.
  • Customer data is only accessible by each individual customer.
  • Compete uses encryption to protect sensitive information which aids in compliance with statutory, regulatory and contractual requirements.
  • Compete uses cryptographic algorithms, key lengths and strengths that are approved in advance by the security team in accordance with industry best practices.

Access Control

  • Authentication to the Compete app is done via OIDC (OpenID Connect), an identity layer on top of the OAuth 2 protocol. Compete supports common OIDC integrations at the customer’s discretion (e.g. Google, Microsoft or any other custom provider).
  • Username+password is not supported to reduce the risk of ATO (account takeover).
  • Authorization is fully controlled by the customer’s administrator. Admins can easily revoke all access to the Compete app at any given time.
  • Access to the production environment is restricted to authorized personnel only.
  • Authorized personnel are authenticated via a unique user account, password and two-factor authentication system before establishing a secured VPN session.
  • Compete employees use a Single-Sign-On (SSO) service to enhance security across multiple information systems.

API Integration

  • Compete provides an API integration to allow for a “hands-free” and secure upload of customer data.
  • Authentication to the customer HRS is limited to JWT (or other best practice authentication methods).
  • Strict minimization principles are applied for any type of data that is consumed by the API.
  • Customers can revoke access to the Compete app via API at any time.

Availability and Continuity

  • We’re committed to making Compete a highly available and reliable service.
  • We build systems that tolerate the failure of either individual components or a whole system.
  • Compete’s platform leverages AWS services and cross-region architecture in both Frankfurt (for Israeli and European data) and Ohio (for US data).
  • Compete applies extensive monitoring of services and components. Our monitoring methodology aims to predict issues that may cause server problems and to resolve them as soon as possible.

Privacy

  • Compete complies with data protection and privacy laws and regulations.
  • The company is represented by leading law firms and tracks all updates in privacy laws.
  • For more information, please read Compete’s privacy policy at https://www.competewith.com/privacy-policy/

ISO/IEC 27001/27701 Certifications

  • The ISO 27000 family of standards helps organizations keep information assets secure.
  • ISO/IEC 27001:2013 is the best-known standard in the ISO 27000 family and specifies the requirements for an Information Security Management System (ISMS). ISO/IEC 27001:
    • Enables Compete to better manage the security of its assets (such as financial information, intellectual property, employee details or information entrusted to Compete by third parties);
    • Provides customers and stakeholders with higher confidence in the way Compete approaches risk management and controls sensitive information;
    • Helps Compete comply with other standards and regulations; and
    • Allows Compete to ensure that we meet our legal obligations towards our customers, such as protecting customer privacy.
  • ISO/IEC 27701:2019 is a privacy extension of ISO/IEC 27001 and can be used by any organization regardless of its location and size, and regardless of whether it acts as a PII (Personally Identifiable Information) controller, a PII processor or both. ISO/IEC 27701 extends Compete’s information security management system with a Privacy Information Management System that meets its additional requirements.
  • The ISO/IEC 27001 and 27701 certifications demonstrate higher security, higher privacy and higher quality of Compete’s products, and ultimately higher trust.