|
Trust Center
Request Access
Subscribe
Overview
Resources
FAQ
Overview
Resources
FAQ
Live Sync Enabled
Frequently Asked Questions
Common questions about our security and compliance program.
Request Access
Subscribe
Frequently Asked Questions
Expand all
Collapse all
How long are approved versions of the policy retained?
What may happen when an employee violates the policy?
How does the Security Team verify compliance?
What are the policy owner's main responsibilities?
Who owns the Information Security Policy?
Do security policies have named owners and formal approval?
How often are information-security policies reviewed?
Must new vendors be reviewed before production use?
How are high-risk vendors handled?
What does Concord evaluate for SaaS vendors handling Customer Data or Sensitive information?
How are vendor risks tracked?
What is evaluated during critical-vendor security reviews?
How often are critical infrastructure providers reviewed?
When does Concord notify customers or authorities about a breach?
What happens after a high-impact incident?
Who determines whether a security event qualifies as an incident?
What are common examples of potential security incidents?
What phases are included in Concord's incident-response process?
What code-review requirements apply to software changes?
May live Customer Data be used in non-production environments?
What data may be used in development and testing?
What role does the Security Committee have in product development?
Is security considered throughout software development?
Where should conversations involving Sensitive information occur?
May Sensitive hardcopy documents be left on printers?
How must hardcopy documents containing Sensitive information be disposed of?
What physical-security responsibilities do personnel have for company equipment?
Can customers request hosting-provider assurance reports?
What physical-security certifications do Concord's primary hosting providers maintain?
Who hosts Concord's production services and networks?
How must endpoint communications with Concord systems be protected?
Are there geographic restrictions on using Concord-provisioned laptops?
May personal devices access Concord-managed AWS VPC environments?
What security requirements apply to endpoints?
What tools notify Concord about dependency patches?
How does Concord manage patches?
How are vulnerabilities with published exploits handled?
What happens when vulnerability scans identify issues meeting Concord's risk criteria?
How are container images scanned for vulnerabilities?
How are Concord codebases scanned for vulnerabilities?
How is stored production data encrypted?
Are encryption keys rotated?
Who manages encryption keys for customers?
What standards govern encryption algorithms and methods?
Who reviews significant security events?
Are logs automatically scanned?
Where are logs collected?
How does Concord monitor its systems?
What are examples of required personnel conduct?
What are examples of prohibited personnel conduct?
What security incidents must personnel report?
Must personnel complete information-security training?
Are personnel trained on the Information Security Policy?
How often are AWS Security Group policies reviewed?
How does Concord connect securely to MongoDB Atlas?
What inbound network traffic is allowed?
How are firewall policies enforced?
Are direct connections to the Concord VPC permitted?
How must personnel connect to networks and systems used to operate the Concord Service?
What is Public data?
What is Internal-only data?
What is Sensitive data?
What is Restricted data?
How is Service Data protected?
Where is Customer Data stored?
Do Concord personnel have access to unencrypted Customer Data?
Where may Concord information be stored and processed?
How is Customer Data protected in transit and at rest?
How is Customer Data classified?
What are Concord's data-classification levels?
What must happen when a password is compromised?
What must personnel do if an authentication device is lost?
Are default vendor passwords allowed?