Cyber security policy

Incident reporting and security contact information

Effective Date: 16-09-2024
Version: 1.0


Introduction

At Certiff.com, we prioritize the security and integrity of our systems, data, and services. In alignment with our commitment to ISO/IEC 27001 standards, we have established clear channels and procedures for reporting security incidents, vulnerabilities, or any concerns related to information security.


Reporting a security incident or vulnerability

We encourage all users, clients, partners, and external parties to report any suspected security incidents or vulnerabilities. Prompt reporting allows us to address issues swiftly and maintain the highest levels of security.


How to report

Email: Please send detailed information about the incident or vulnerability to service@certiff.com.

Required Information:

– Your contact information (name, email, and phone number).

– A clear and detailed description of the incident or vulnerability.

– The date and time when the issue was discovered.

– Any relevant screenshots, logs, or evidence supporting your report.

– Steps to reproduce the issue (if applicable).

Our commitment to respond

Upon receiving your report, we commit to:

– Acknowledgement: We will acknowledge receipt of your report within 2 business days.

– Assessment: Our security team will assess the reported issue to determine its validity and impact.

– Communication: We may contact you for additional information to aid in our investigation.

– Resolution: Appropriate measures will be taken to address confirmed incidents or vulnerabilities.

– Notification: If you provided contact information, we will inform you when the issue has been resolved.


Responsible disclosure policy

We appreciate the efforts of the security community and individuals who help us maintain the safety of our systems. To promote responsible disclosure, we request that you:

– Act in good faith: Do not exploit the vulnerability or incident beyond what is necessary to demonstrate its existence.

– Confidentiality: Do not publicly disclose the vulnerability until we have had a reasonable time to address it.

– Legal compliance: Do not engage in any activities that are illegal or violate any agreements.

In return, Certiff.com agrees not to initiate legal action against parties who discover and report security vulnerabilities in accordance with this policy.


Privacy and protection

Any personal information you provide during the reporting process will be handled in accordance with our Privacy Policy and used solely for the purpose of investigating and resolving the reported issue.


Emergency situations

For incidents that require immediate attention (e.g., active data breaches, widespread service outages), please:

– Mark your email as urgent: When emailing, include “URGENT” in the subject line to expedite our response.


Feedback and questions

If you have any questions about this policy or need guidance on reporting, please contact us at service@certiff.com.


Continuous improvement

In line with ISO/IEC 27001 requirements, we continually review and improve our incident response procedures to enhance our security posture.
