Selector Security and Compliance Posture
Selector invests heavily in safeguarding client data and in maintaining a security posture that meets modern regulatory standards. We follow a "shift-left" approach: security requirements are built into product planning and design rather than bolted on after release.
Selector Security and Governance (Assurance)
Our security organization is led by tenured cybersecurity professionals, including a dedicated Chief Information Security Officer (CISO), who ensures policies remain current with regulatory and compliance needs.
Certifications and Audits
Selector demonstrates commitment to stringent industry standards through external, independent verification:
- SOC 2 Type 2 Attestation and ISO 27001 Certification: We engage an independent, third-party auditor (for SOC 2, a CPA firm operating under AICPA attestation standards) to conduct comprehensive annual assessments of our SaaS infrastructure, development processes, and overall Information Security Management System (ISMS). A SOC 2 Type 2 report covers the operating effectiveness of controls over a review period, not just their design at a point in time.
- Continuous Monitoring & Audit Coverage: We implement continuous monitoring across our enterprise and SaaS platform, conducting internal audits and periodic verification of our security controls.
- Vulnerability Management: We operate a continuous vulnerability management program, using tools such as Trivy, OWASP Dependency-Track, and Snyk to generate a Software Bill of Materials (SBOM) for each release and scan its components against known-vulnerability databases, so that vulnerable dependencies are caught early in the development lifecycle rather than in production.
- Annual Penetration Tests: Independent third-party testers conduct annual penetration tests against our code and infrastructure; findings are tracked to remediation and re-tested.
Access and Authentication Policies
We enforce strict controls over who can access our systems and how they authenticate.
- Role-Based Access Control (RBAC): The Selector platform supports RBAC to manage user privileges and groups, enforcing the Principle of Least Privilege to limit access to only necessary parts of the platform.
- Strong Authentication and SSO: Selector works with customers to configure Single Sign-On (SSO) with their existing identity provider, including Okta, Azure AD (now Microsoft Entra ID), Active Directory, Google, Ping ID, any standards-compliant OIDC provider, and SAML 2.0. Delegating authentication to the customer's IdP lets the customer's own MFA and session policies apply to Selector logins.
- No Backdoor/Local Dev Accounts in Production: Selector does not use backdoor accounts or hardcoded developer usernames and passwords in production systems. We do not maintain local user accounts on the platform’s underlying Operating System (OS).
Product and Customer-Facing Controls (Protection)
These security measures are implemented directly within the S2AP platform and its deployment model to protect customer environments and data.
Network and Instance Security
- Dedicated SaaS Tenancy: We provide a dedicated SaaS tenancy for each customer, ensuring effective isolation of data and infrastructure.
- Zero-Trust Network Model: We apply Zero-Trust principles internally to limit access, and enforce network security with application-layer firewalls, traditional network firewalls, and VPN-only access to our SaaS instances.
- Strict Access Control: Only allow-listed IP addresses and authenticated users can reach the hosted infrastructure. Cloud-based security tools continuously monitor user behavior and access patterns to detect anomalies.
- Local Firewalling: Host-level firewalling on the Kubernetes nodes and services restricts internal (east-west) traffic to the flows each service actually needs.
- On-Premise Guidance: For on-premises deployments, we work with customers to ensure correct external firewalling is configured and tested.
Data Protection and Privacy
Data handling in the S2AP platform:
- Non-Retention of Sensitive Data: The S2AP platform does not retain sensitive customer or user data such as MAC addresses, individual IP addresses, personally identifiable information (PII), payment card data (PCI DSS scope), or protected health information (PHI). Not storing this data in the first place is what keeps the platform out of scope for the related compliance regimes.
- Read-Only Client/Infrastructure Data: Client and infrastructure data is held only in read-only form, to support network performance monitoring for customers.
- Secure Code Practices: We run continuous automated scans of our code base and use security tooling to review third-party libraries for known vulnerabilities and to catch accidental leaks of sensitive information, such as credentials committed to source.
Endpoint and Malware Protection
- Advanced Threat Detection: We use advanced threat detection and prevention features for our S2AP SaaS platform leveraging Cloud Service Provider capabilities.
- Endpoint Detection and Response (EDR): EDR tooling protects our on-premises and mobile devices, monitoring files and process activity in real time to block and quarantine threats.
- Device Compliance: Every laptop connecting to our network is checked to confirm that its platform protections are active: XProtect (malware detection) and Gatekeeper (code-signing and notarization enforcement) on macOS, and Microsoft Defender on Windows.
- Email Security: Email filtering and quarantine use content-based, heuristic, and Bayesian filtering to scan messages in real time and isolate suspected spam and malicious content.
Patching, Resilience, and Incident Management (Operations)
Patch Management
Selector implements a comprehensive, automated patch management strategy across all assets:
- SaaS Infrastructure: We use the automated OS patch management service provided by our Cloud Service Provider (GCP) for centralized patching of Linux and Windows systems.
- Enterprise and Endpoints: For internal enterprise assets (macOS and Windows laptops), patching is automated with vendor-provided tools, and our EDR tooling continuously verifies that patches have actually been applied.
- Client-Premise Solutions: For Selector-managed deployments on client premises, patching and management are scoped to the risk and impact of each deployment, with security and compliance requirements applied in proportion to that impact.
- Vulnerability Remediation: Vulnerabilities identified by our scanning tools are prioritized by severity, exploitability, and impact on the platform, and fixes are rolled out through an automated process.
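The SBOM scanning described under Certifications and Audits and the severity-based prioritization described in the Vulnerability Remediation bullet above are normally joined by a gate in the CI pipeline: the scanner's report is parsed, findings are ranked, and the build fails if anything at or above a chosen severity remains. The script below is an added example of such a gate; it is not Selector's code. It assumes the scanner emits a Trivy-style JSON report (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, optional `FixedVersion`, and `Severity`). The embedded report is constructed for the example, and its identifiers, packages, and versions are placeholders, not real vulnerabilities.

```python
"""Severity gate over a Trivy-style scan report (added example, not Selector's code)."""
import json
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report. The IDs, package
# names and versions are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "app:1.0 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-2024-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.2.3-1", "FixedVersion": "1.2.3-2", "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-2024-0002", "PkgName": "libother",
                 "InstalledVersion": "0.9", "Severity": "MEDIUM"},  # no fix published
            ],
        },
        {
            "Target": "requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-2024-0003", "PkgName": "samplelib",
                 "InstalledVersion": "2.0.0", "Severity": "CRITICAL"},  # no fix published
                {"VulnerabilityID": "EXAMPLE-2024-0004", "PkgName": "samplelib",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "LOW"},
            ],
        },
        {"Target": "clean-layer", "Vulnerabilities": None},  # a result with no findings
    ]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str
    package: str
    installed: str
    fixed: Optional[str]  # None when the scanner reports no fixed version
    severity: str

    @property
    def rank(self) -> int:
        return SEVERITY_RANK.get(self.severity.upper(), 0)

    @property
    def fixable(self) -> bool:
        return bool(self.fixed)


def parse_report(text: str) -> list:
    """Flatten a Trivy-style JSON report into Finding records; tolerate empty results."""
    report = json.loads(text)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                target=result.get("Target", ""),
                package=v.get("PkgName", ""),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or None,
                severity=v.get("Severity", "UNKNOWN"),
            ))
    return findings


def prioritize(findings: list) -> list:
    """Work order: highest severity first, fixable before unfixable, then by ID
    so the order is stable from run to run."""
    return sorted(findings, key=lambda f: (-f.rank, not f.fixable, f.vuln_id))


def gate(findings: list, fail_at: str = "HIGH", ignore_unfixed: bool = False):
    """Return (passed, blocking). A finding blocks when its severity is at or
    above fail_at; with ignore_unfixed=True, findings with no fix available are
    reported but do not fail the build (they need a risk acceptance, not a patch)."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking = [f for f in prioritize(findings)
                if f.rank >= threshold and (f.fixable or not ignore_unfixed)]
    return (not blocking, blocking)


def remediation_plan(findings: list) -> dict:
    """Distinct upgrades implied by fixable findings: {package: [fixed versions]}."""
    plan = {}
    for f in findings:
        if f.fixable:
            plan.setdefault(f.package, set()).add(f.fixed)
    return {pkg: sorted(versions) for pkg, versions in plan.items()}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    passed, blocking = gate(found, fail_at="HIGH", ignore_unfixed=True)
    for f in blocking:
        print(f"{f.severity:8} {f.vuln_id} {f.package} {f.installed} -> {f.fixed} ({f.target})")
    print("gate:", "PASS" if passed else "FAIL", "| upgrades:", remediation_plan(found))
    raise SystemExit(0 if passed else 1)
```

The `ignore_unfixed` switch is the practical caveat: a CRITICAL finding with no published fix cannot be patched, so failing every build on it only trains people to bypass the gate. Report it, record a risk acceptance with an owner and expiry, and re-evaluate when the scanner's database changes.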
Backup and Business Continuity
We utilize cloud provider capabilities to ensure service resiliency and swift recovery:
- SaaS Backup and Redundancy: Our SaaS solution relies on Google Cloud infrastructure for real-time data replication, automated backups, and redundancy across zones to protect customer data.
- Disaster Recovery (DR) Drills: We run annual drills to test our disaster recovery plans and ensure our team can effectively manage a disruption.
- On-Premise Guidance: For on-premises solutions, we guide customers on best practices for backups, system redundancy, and disaster recovery tailored to their specific setups.
Incident Response and Recovery
Selector maintains a well-defined Incident Response and Recovery (IRR) plan to minimize downtime and ensure transparency:
- Proactive Team: The Incident Response Team has clearly defined roles and conducts regular exercises (for example, simulated phishing and ransomware).
- Response Process: As soon as an issue is detected, the Site Reliability Engineering (SRE) team assesses the situation, contains the impact, and coordinates remediation.
- Communication: Our Business Continuity Plan (BCP) emphasizes clear and timely communication, providing regular, transparent updates to all involved stakeholders throughout the incident lifecycle.
- Post-Incident Review: After service is restored, a review is conducted to learn lessons and improve future processes.