Question | Answer
---|---
Company Name | MediaCore
Company Address | 4 MediaCore Lane
Year Founded | 2010
Do you have a help center or customer-facing documentation? | Yes, docs.mediacore.com
Security Contact Name | Bob Core
Security Contact Title | Head of Security
Security Contact Email | bob@mediacore.com
Security Contact Phone Number | 777-777-7777
What is the company stock ticker? | N/A
Application URL | app.mediacore.com
Will you be providing a call center? | No.
Are you in compliance with PCI DSS? | N/A
Do you enter into Business Associate Agreements (BAAs) in cases where the system might process PHI? | N/A
Is the system used for automated decision making? | No.
Have you completed the CAIQ? | No.
Will your application be integrating with other services? | MediaCore typically integrates with your content management tools and video hosting solutions.
Does the application we are evaluating support multi-factor authentication (MFA)? If yes, what forms of MFA are supported (i.e. Google Authenticator, hardware token, SMS)? | We support MFA with TOTP or hardware token.
Does the application we are evaluating support multi-factor authentication (MFA)? | Yes.
How and where is the data/application hosted (e.g., on-prem or with a cloud provider)? | The application and supporting databases are hosted with AWS in the USA.
Did your latest SOC 2 have any exceptions? | Yes, please see the report in our Conveyor trust portal.
Do you have an ESG program? | Not today.
Do you have a public-facing security page? | Yes, see Conveyor.
What does the product do? | Media management.
What is the approximate headcount of your organization? | 300
Do you maintain Cyber Insurance? | Yes, with a $5,000,000 policy limit.
What countries is your data stored in? | USA
Is your company privately held or public? | Private
Does your product have a status page? | Yes, please see status.mediacore.com
Is your company financially viable? | Yes, we are cash flow positive and well funded.
How can we contact customer support? | Email or Slack.
Are you currently a party in any active lawsuits? | No.
How many customers do you have? | 500+
Who are some example customers you work with? | GloboCorp.
Do you have a Terms of Service page? | Yes, see website.
Do we have an account manager? | Yes.
Is your company compliant with HIPAA? | N/A: We do not store, access, or process PHI.
Please describe the PII data you will collect. | Basic PII and the contents of the media you store on MediaCore.
How is authentication into the production environment handled? (ssh, rdp, vnc, etc.) | SSH
Does your application have management and/or customer service functionality? If so, do your team members have special logins to the application to gain access to it? | We rely on impersonation for approved customer support reps. Access is logged and reviewed.
Can developers access production servers from the public Internet? How do they do that? | We use Teleport to manage remote access in a secure manner.
How do you limit the use of shared accounts and logins? | A unique user ID is granted to each employee. Any service accounts are managed in 1Password and closely monitored.
Do any software developers in your organization have "full admin" or equivalent access in your cloud account? How about the root/billing account? | No, we limit the use of the AWS root account to emergency situations.
What is the process for provisioning access for employees? | HR onboarding checklist.
What is the process for revoking user access after termination or role change of an employee? | HR notifies IT and kicks off a standard process.
What forms of multi-factor authentication (MFA) are your employees required to use? How is consistent use of MFA enforced? | Yes. We track it and include it in training.
What is the process for revoking user access at the vendor after termination or role change? | HR kicks off an automated workflow that removes access from core systems instantly.
What is the process for provisioning internal user access at your company? | HR manages an onboarding checklist. System owners approve access for new employees.
Is internal user access at your company based on a defined set of roles? | Yes, RBAC.
Do you require multi-factor authentication (MFA) for internal access to sensitive systems and data? | We require MFA anywhere it is technically supported.
After how many failed login attempts will an account be locked? | 10 attempts.
Do you use a centralized identity management solution such as Single Sign-On? | Internally we use Okta wherever possible.
How do you review internal user access and authorizations on a periodic basis? | System owners conduct reviews of all accounts (admin and regular) on a quarterly basis.
If you have any on-prem infrastructure, how is physical access to that infrastructure restricted? | N/A
What types of roles and access controls exist for users of your application? | We have two roles: Admin and Standard.
What authentication methods are available for client access to the application? (e.g. username/password, SAML 2.0, SSO) | Username/password, SAML 2.0, and login via Google.
Are your engineers trained on secure coding? | Yes, annual OWASP training.
How are your encryption keys managed? | AWS KMS.
Do you perform any kind of routine automated scans of your exposed network services? If so, with what tools? | Monthly API scanning via Detectify. Container scanning via Snyk.
How does the application protect against HTTP Response Splitting attacks? | We sanitize user input and do not write unsanitized user-provided values into our HTTP response headers.
How does the application protect against Cross-Site Request Forgery (CSRF) attacks? | We generate secure, per-session CSRF tokens which are validated by our API server. The token is not automatically sent on every request; it is stored in local storage and attached to the header of every request that requires authorization. In a CSRF attack, the attacker would not be able to retrieve this token.
How is data encrypted at rest? | AES-256
How is data encrypted in transit? | TLS 1.2
How is the API authenticated? | Basic authentication.
Do you have an API? | Yes.
What is on the security roadmap? | Supporting SCIM. We are also looking into more robust DLP rules via Google Workspace.
Can clients bring their own encryption key? | BYOK is not supported.
How are passwords stored? | Hashed using bcrypt.
How does the system know that a session identifier is no longer valid? | Sessions are managed through token-based authentication. The session termination information is stored within the token. By default, sessions time out after 7 days.
How are client secrets stored for accessing the application? | Hashed using bcrypt.
What software development "stack" do you use? (Rails, Django, Java Spring, etc., but also major frontend frameworks like React) | Oracle Cloud Database, Java, JavaScript
How is the application source code managed? | GitHub.
How long does a session last? | A session token lasts for 2 weeks.
How does the application make sure that errors are handled securely? | Raw error messages are not surfaced directly to end users. They are securely sent to Sentry for further analysis by the Conveyor team.
Is customer data logically separated from other customers? | Customer data is logically segmented using unique identifiers to scope data to a given organization.
Is customer data used for testing? | No, only fabricated test data.
Has DKIM/SPF been configured? | Yes, and DMARC reports are regularly reviewed.
What security and audit logs are captured? | We have verbose logging enabled for all in-scope systems, including details about who took an action, what action they took, and when the action occurred.
How long are security and audit logs stored? | 365 days.
Describe the nature of any integration(s), the data that will be exchanged, and the level of access needed in other systems. | The permissions for each integration vary. Please see docs.mediacore.com/integrations. Most integrations rely on a read-only OAuth flow.
Is the API rate limited? | Yes, to 200 requests per minute.
Does the API support encryption? | Yes, via HTTPS.
What is the session timeout for the application? | 7 days
How do you protect against SQL injection? | By using input validation.
How does the application protect against session replay or man-in-the-middle attacks? | All customer data in transit is encrypted using TLS 1.2.
How does the application ensure authentication and authorization controls are enforced at all points within the application? | Private data can only be accessed by authenticated users. Users belong to organizations and roles which are used to determine what resources they are authorized to access.
Are application logs able to be ingested by the customer? | Not today, but please reach out to us if that is of interest to you.
How do you protect against XSS? | By using frameworks that are less susceptible to XSS and continuous testing.
How does the application protect against URL manipulation or parameter tampering attacks? | Private data can only be accessed by authenticated users. Users belong to organizations and roles which are used to determine what resources they are authorized to access. Users cannot access unauthorized resources, even if URL or parameters are manually provided. Parameters are individually validated on the server side.
Do separate environments exist for development, testing, and production? | Yes.
Do you complete regression testing, continuous integration, or unit testing? | We use GitHub Actions for CI testing as well as manual QA and smoke testing.
Do firewalls deny by default? | Yes.
How do you handle wireless security? | All connections are encrypted in transit, and all networks are treated as untrusted.
How often are firewall rules reviewed? | Quarterly by the security engineer.
What countries is data accessed from? | USA and Canada
Is the API publicly available? | Yes.
How do you manage cloud credentials/authentication? Do you require 2FA for some/all operations? | 2FA is required wherever possible.
Do you use firewalls? | Yes, via AWS ACLs.
How is physical security managed? | This is handled by our cloud provider.
How do you protect against DDoS? | AWS Shield