Security at Sitoo
Security is at the heart of what we do, since the Sitoo Unified Commerce Platform anchored by POS is central to our customers' operations.
The Sitoo Security team establishes security policies and controls and monitors compliance with them. The team continuously verifies security and compliance through third-party auditors.
Sitoo currently maintains an ISO 27001:2022 compliance certification. Our ISO 27001 certificate is available on our Trust Report: trust.sitoo.com.
By default, Sitoo encrypts data at rest and data in transit for all of our customers. Sitoo leverages AWS for data encryption in transit (TLS 1.2+) and at rest (AES-256). Sitoo uses the AWS Key Management Service (KMS) to enable encryption of data at rest across our products, including data within databases (RDS, NoSQL) and data stored in S3.
Sitoo requires vulnerability scanning in our Secure Development Lifecycle (SDLC):
- Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain
- Static analysis security testing (SAST) of code during pull requests and on an ongoing basis
- Dynamic analysis security testing (DAST) of running applications
Sitoo engages external independent penetration testing firms at least annually. All areas of the Sitoo products (APIs, backoffice web app, POS apps for iOS and Android, and cloud infrastructure) are in scope for these assessments.
Sitoo utilizes a structured employee onboarding process involving background checks, reference checks, and interviews with relevant Sitoo employees. All Sitoo employees have reviewed and accepted all relevant policies and procedures.
Sitoo provides comprehensive security training to all employees upon onboarding and annually. In addition, all new employees attend a live onboarding session with the Sitoo Security Team centered around security principles guiding the company’s work. All new engineers also attend mandatory training focused on secure coding principles and practices.
Looking to report a security concern? Please visit our Responsible Disclosure page.