GAT Labs (GAT+) Third Party Risk Assessment
Policy And Standards
1. Is your company UK or EU based (i.e. all servers/staff sit within the EU and are therefore under EU GDPR legislation)?
2. Do you have ISO 27001 certification or another form of information security accreditation (e.g. a GDPR-compliant certificate, PCI DSS, ISO22301/BS2599, COBIT)?
Yes, the service is run on GCP (Google Cloud Platform) in North America. This facility completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls (SOC 1, 2 and 3) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, GCP has achieved ISO 27001 certification and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), HIPAA and more.
3. Do you have written information security, data protection and confidentiality policies that outline your overall policy framework?
Yes, see our security policy statement.
Data Protection and Privacy
4. Do you have a DPO in place?
5. Do you maintain a record of your data processing activities in line with the requirements of the General Data Protection Regulation, including DPO details; processing purpose; data types; sharing details; international transfers; retention periods?
6. Will you need to, or be required to, access personal data or confidential information belonging to our organization (e.g. staff data, customer data, confidential business information)?
Yes. GAT only requires metadata. We build our exposure profile based purely on the metadata. GAT never retrieves file contents for auditing. We believe the risk in extracting file contents from the secure ‘shredded’ environment of Google’s servers to any third party software is too great for companies serious about security, so we don’t do it. Some of the most security-sensitive government customers in the US and the UK use GAT precisely because we don’t extract file contents.
Information Security and Risk Management
7. Do you have a policy and process for secure disposal of both IT equipment and media?
No customer data is ever stored on local equipment or media. Google is responsible for this.
8. Will our organisation be able to manage who has access to the service (our organisation's staff)?
GAT is the very first G Suite security tool provider to offer ‘lock and key’ access to G Suite files and emails. Ever aware that end-user security is paramount, this feature set goes much further than any of our competitors: not only does it allow for full file management, but it is the only tool to give silent views of all files and emails (Admins and Security Officers won’t appear as ‘Viewers’ of the files or emails), while at the same time executing in a secure way that deeply protects end users’ rights. We carefully designed the solution to require both a lock and a key for access. Managers, C-level executives and security officers can also relax knowing that you cannot simply download GAT and have unrestricted access to sensitive financial files or snoop on HR emails. G Suite Admin staff using GAT can report that they have the most functional security tool in the marketplace, yet with the highest security standards available.
9. Do you have an encryption policy which covers data encryption in transit and at rest?
“The Tool itself runs using a 2048-bit modulus RSA key, SHA256 used for hashing, AES (256-bit) used for encryption. It is verified by Comodo. This ensures the site you connect to is who it says it is (generalaudittool.com), thus eliminating man-in-the-middle attacks. It also ensures that any data transferred is moved inside an HTTPS tunnel, from Google to the audit tool and from the audit tool to your browser.
When using file storage GAT encrypts all the metadata it extracts and generates a single unique key. With GAT your data is never in plain-text form while at rest. Furthermore, we place the only key in a file in your G Suite account. Where we store G Suite data on databases in the G Suite environment we rely on Google’s own drive encryption. We do not encrypt the data ourselves and we do not have a unique key for this data.”
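A customer-side way to check the stated TLS parameters (2048-bit RSA modulus, SHA-256 signature) against the certificate a server actually presents. This is an added example, not GAT Labs' code; it builds a constructed self-signed certificate for the hostname named above rather than contacting the server, and the hypothetical helper names (`CertFindings`, `SelfSignedTestCert`) are ours.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFindings returns one finding per stated parameter the certificate
// fails: an RSA modulus of at least 2048 bits and a SHA-256 RSA signature.
// An empty result means the certificate matches the questionnaire's claims.
func CertFindings(cert *x509.Certificate) []string {
	var findings []string
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		findings = append(findings, "public key is not RSA")
	} else if pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA modulus is %d bits, below 2048", pub.N.BitLen()))
	}
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		findings = append(findings, "signature algorithm is "+cert.SignatureAlgorithm.String()+", not SHA256-RSA")
	}
	return findings
}

// SelfSignedTestCert builds a constructed self-signed certificate standing in
// for the one a live server would present; it uses no network at all.
func SelfSignedTestCert(host string, bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := SelfSignedTestCert("generalaudittool.com", 2048, x509.SHA256WithRSA)
	weak, _ := SelfSignedTestCert("generalaudittool.com", 1024, x509.SHA384WithRSA)
	fmt.Println("claimed parameters:", CertFindings(good)) // empty: both claims hold
	fmt.Println("weaker parameters: ", CertFindings(weak)) // two findings
}
```

Against the live service, pass `conn.ConnectionState().PeerCertificates[0]` from a `crypto/tls` connection to `CertFindings` instead of the constructed certificate.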
10. Do you undertake security testing and audits such as penetration testing and internal and external vulnerability scanning?
We depend on Google for security and pen testing.
11. Do you have a Security/Breach Incident Management Policy and Procedure in place?
In the event of a customer data breach, we have a declared policy of customer notification. The response to any specific incident will depend on the nature of the incident and is not defined in specific terms.
12. Do you have a Business Continuity Policy in place?
For business continuity of our cloud services, we are dependent on GCP business continuity.
14. You are based in Ireland, and run services on the North American GCP. Could you please confirm your view as to whether this means that data is transferred outside of the EU?
Yes, we are based in Ireland. We state so clearly on our website. Yes, our services are run 100% from GCP in North America. It is our view that data is transferred out of the EU and its protection is covered by Google under the EU/US data protection umbrella agreement. We as a data processor are covered directly by EU law.