Human Resource Security

Q: Does your organization conduct credit and criminal background checks on all employees and contractors?

A: We do not engage contractors for sensitive tasks—only for non-core activities such as marketing materials and sales content. For major suppliers like Microsoft, background checks are not applicable.

For our employees, given that they are based in 12 different countries, conducting formal background checks across all jurisdictions would be complex. However, we primarily hire from reputable platforms where candidates have established work histories and reviews. Most of our team members have worked for 5-6 years on platforms like Upwork or Freelancer, where they have consistently received positive feedback. We initially engage them as freelancers, and after approximately one year of full-time work with us, we bring them on board as internal employees—by which time we have a strong understanding of their work ethic and reliability.

Additionally, we take a proactive approach to security by enforcing strict access controls based on the principle of least privilege. Sensitive access is limited and retained only by company partners, who have worked together for over 30 years and have established a high level of trust. Partners have also signed a shareholders’ agreement that includes provisions addressing any illegal activities.

Q: Does your organization have a standard process for disabling or removing access to our data upon employee/contractor termination or changes in status, role, or department?

A: Yes, we have a strict process in place for access removal. In the case of termination, access is revoked a few minutes before the employee is officially notified. This is coordinated with the management team to ensure a seamless and secure transition.

For changes in status, role, or department, access adjustments are made after notifying the employee. These changes are typically planned and requested by the employee, minimizing any associated risk.

Q: Does your organization provide regular cybersecurity and privacy awareness training for all employees and contractors, covering their responsibilities regarding data protection and the protection of Personally Identifiable Information (PII)?

A: Yes, we conduct cybersecurity and privacy awareness training through group meetings on a bi-annual basis. These sessions ensure that all employees and contractors understand their responsibilities related to data protection and PII security.

Q: Are employees informed of their roles and responsibilities to ensure awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory requirements?

A: Yes, employees are regularly informed of their roles and responsibilities. In addition to making policies accessible on GitLab, we hold weekly department meetings where department heads address any updates, changes, or concerns, ensuring ongoing awareness and compliance.

Q: Are contractors required to sign confidentiality agreements before accessing sensitive data?

A: Yes. However, we use very few contractors. All employees sign confidentiality agreements. The only third parties we work with are certification consultants (SOC2, ISO27001) and server providers (Microsoft, OVH).

Q: Do you perform ongoing monitoring of employee/contractor access to ensure compliance with role-based access control (RBAC) policies?

A: Yes, this is standard. We also remove access before termination, ensuring security is maintained.
