PassportCard-Davidshield Group Trust Center
We, as a part of PassportCard-Davidshield Group, are committed to keeping our customers safe and protecting their data with the highest standards. We are also committed to providing them with a highly secure and reliable environment.
PassportCard Labs Ltd., a part of PassportCard-Davidshield Group, provides IT, infrastructure management, user administration, and system and website development services for the companies within the Group.
ISO 27001, ISO 27799
PassportCard Labs Ltd. (hereinafter: “PassportCard”) is certified according to international standards and industry best practices ISO 27001, ISO 27799
How do we secure your data?
PassportCard implements a security-oriented design across multiple layers, including the application layer. The PassportCard application is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.
Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, and unit testing that addresses authorization aspects and other aspects. PassportCard developers receive periodic security training to stay updated on secure development best practices.
Another critical layer of security is our infrastructure. We employ multiple defense mechanisms, including:
- Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
- A web application firewall (WAF) for content-based dynamic attack blocking
- DDoS mitigation and rate limiting
- IDS/IPS sensors for early attack detection
- Advanced routing configuration
- Comprehensive logging of network traffic, both internal and edge
PassportCard ensures the encryption of all data, both in transit and at rest:
- Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum.
- User data is encrypted at rest across our infrastructure using AES-256 or better.
- Credentials are hashed and salted using a modern hash function.
External Security Audits and Penetration Tests
Independent third-party assessments are essential for gaining an accurate, unbiased understanding of your security posture. PassportCard conducts annual penetration tests on both the application level and the infrastructure level, performed by reputable independent auditors.
Additionally, PassportCard undergoes external auditing as part of SOX audits, ISO certifications, and other external audits.
We are aware of the security risks posed by your suppliers. Each supplier undergoes a risk survey, signs confidentiality agreements, and enters into contracts that include information security requirements. We also conduct periodic supplier surveys for all critical suppliers.
Our physical security measures in our offices include personal identification-based access control, CCTV, and alarm systems. Our data center is also equipped with security measures, CCTV cameras, access control, and an alarm system.
Disaster Recovery and Backups
PassportCard is committed to providing continuous and uninterrupted service to all its customers. We consistently and continuously backup data. All backups are encrypted and stored in multiple locations.
Our Disaster Recovery Plan undergoes annual testing to assess its effectiveness and to ensure our readiness in case of a service interruption.
Security in Human Resources
PassportCard acknowledges that its security relies on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding, with additional security training provided on a quarterly basis. Additionally, all employees are required to sign our Acceptable Use Policy.
We understand the importance of data privacy and confidentiality. Regular user access reviews are conducted to ensure appropriate permissions are in place, following the need-to-know principle. Employee access rights are promptly updated in case of employment changes.
Customer access to the personal area for self-service or administrator access requires two-factor-authentication (2FA).
For more information, you can contact our CISO (Chief Information Security Officer)