By default, Sitoo encrypts data at rest and data in transit for all of our customers. Sitoo leverages AWS for data encryption in transit (TLS 1.2+) and at rest (AES-256). Sitoo uses the AWS Key Management Service (KMS) to enable data-at-rest encryption across our products. We use this for encrypting data within databases (RDS, NoSQL), data stored within S3, etc.
Sitoo requires vulnerability scanning in our Secure Development Lifecycle (SDLC):
Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
Static analysis security testing (SAST) of code during pull requests and on an ongoing basis.
Dynamic analysis security testing (DAST) of running applications.
Sitoo engages with external independent penetration testing firms at least annually. All areas of the Sitoo products (APIs, backoffice web app, POS apps (iOS and Android), and cloud infrastructure) are in scope for these assessments.
Sitoo utilizes a structured employee onboarding process involving background checks, reference checks, and interviews with relevant Sitoo employees. All Sitoo employees have reviewed and accepted all relevant policies and procedures.
Sitoo provides comprehensive security training to all employees upon onboarding and annually. In addition, all new employees attend a live onboarding session with the Sitoo Security Team centered on the security principles guiding the company’s work. All new engineers also attend mandatory training focused on secure coding principles and practices.