Safeguarding your data is our priority. With SOC 2 compliance deeply ingrained into our products, team, infrastructure, and processes, we leave no room for compromise when it comes to protecting your valuable information.
To mitigate cyber security and information security risks, Headset has established the following security posture, composed of security controls specific to Headset's environment. The posture is organized by common risk categories for ease of use.
Firewall rulesets are configured and in place to help prevent unauthorized access from outside the application and infrastructure environment.
Rules are configured to apply network controls within the cloud service that restrict access to sensitive data to the appropriate locations and parties.
Production systems are configured to authenticate users through multi-factor authentication methods, where available.
A Logical Access Policy and Procedures are in place that define authorization, modification and removal of access, role-based access, and the principle of least privilege. The policy is reviewed annually.
Internal users' screensavers are configured to lock after a specified period of time of inactivity and to require a password to unlock.
Access to APIs is authenticated and encrypted using the Transport Layer Security (TLS) protocol over HTTPS.
Production system access is encrypted to ensure communications with servers are secured.
All data at rest is encrypted using industry standard algorithms.
Access to the source code repository is restricted to authorized employees.
Access to cloud administration or other critical systems is restricted to authorized users through multi-factor authentication.
Administrator access to the application, database, network, VPN, and operating system is restricted to authorized users.
Access to system logs is restricted to appropriate IT personnel.
The following controls mitigate risks related to fraud, specifically the legal concept of deceptive or inappropriate action undertaken for financial or personal gain.
The following controls mitigate risks related to the application (or lack of application) of laws, regulations, and contractual requirements applicable to Headset. Mitigated and monitored by 2 control(s)
Procedures are in place to ensure that no PII (or confidential data) is used in non-production environments.
The new hire screening process includes a consideration of skills and competencies of the candidate. Each job candidate is interviewed by personnel within the employing department to determine if education, experience, and technical competency are appropriate for the job function. Background/reference checks are also performed prior to hire.
The following controls mitigate risks related to Headset’s employees and other staff. Examples include dissatisfaction, attrition, and HR related events. Mitigated and monitored by 13 control(s)
Users are allowed to install authorized software on issued devices. Devices are scanned for malicious and suspicious applications.
An employee handbook, including sanction procedures, is in place for employees to follow; it is acknowledged by all employees upon hire, enforced, and reviewed at least annually. The employee handbook is available to employees via the human resources site.
A code of conduct exists and is required to be signed by all employees upon hire. The code of conduct is updated by management as needed, and available to employees via the human resources site.
A staffing roadmap of the expertise needed to build the product, and the related costs, is closely managed through a forecast model that includes headcount; the forecast model is prepared by management and shared at every board meeting.
Management presents status on corporate goals and objectives to all hands quarterly; this includes sales updates, department updates, and key operational metrics.
Management is made aware of departmental staffing needs and approves staffing requests.
The CEO presents corporate goals and objectives to all hands annually, or as business needs change; the CFO presents periodic financial updates to all hands quarterly.
The Board of Directors and executive management come from diverse backgrounds and operate independently from process owners and management.
The new hire screening process includes a consideration of skills and competencies of the candidate. Each job candidate is interviewed by personnel within the employing department to determine if education, experience, and technical competency are appropriate for the job function. Background/reference checks are also performed prior to hire.
Relevant professional development opportunities are approved as they are requested. Training requests are approved by management.
A formal performance evaluation procedure is in place and employees are evaluated at least annually.
Internal control responsibilities are assigned to control owners who are responsible for monitoring controls for deficiencies, documenting deficiencies in a corrective action plan, and communicating them to management for review.
A documented incident response plan is in place to guide employees in identifying, reporting, and acting on breaches and incidents.
The following controls mitigate risks related to how information security is governed at Headset. This includes policy, procedures, work instructions, and how they are communicated throughout the organization. Mitigated and monitored by 6 control(s)
A documented incident response plan is in place to guide employees in identifying, reporting, and acting on breaches and incidents.
Security incidents that require a change to in-scope systems follow change management procedures.
IT security related policies are reviewed and approved annually or as business needs change.
Procedure documents related to access control, change management, and incident management are updated as processes change.
Internal control responsibilities are assigned to control owners who are responsible for monitoring controls for deficiencies, documenting deficiencies in a corrective action plan, and communicating them to management for review.
A Business Continuity Plan has been developed and reviewed for use in the event of a catastrophic event. The plan identifies a process, roles, and milestones for maintaining business continuity and restoring system functionality.
An inventory of information assets, including hardware, software, processing facilities and data, is maintained and updated at least annually. All assets have an assigned asset owner. All assets are classified based on the data classification convention.
The following controls mitigate risks related to any of Headset's operations that can be tied to or attributed to the personal or protected data of an individual. Mitigated and monitored by 3 control(s)
The privacy notice is written in understandable language, includes the date it was last updated, and is prominently displayed on the website. The privacy notice includes:
The purpose for collecting personal information
Types of personal information collected
Methods of collection
Use, retention, and disposal of personal information
Access to personal information
Disclosure of personal information to third parties
Security for privacy
Quality of personal information
Collection from other sources
Cybersecurity insurance is in place.
A documented incident response plan is in place to guide employees in identifying, reporting, and acting on breaches and incidents.
The following controls mitigate risks related to the use or protection of any applications or code, whether proprietary or provided by others. Mitigated and monitored by 1 control(s)
Critical data is entered, processed, and output completely and accurately.
The following controls mitigate risks related to how the network operates. This includes firewalls, data loss prevention, and network operations. Mitigated and monitored by 14 control(s)
Vulnerability scans are performed on a (frequency) basis to help identify security risks, and results are triaged and actioned per the service level agreement.
Processing activities are logged within the cloud environment so that processing quality can be monitored.
Antivirus is installed on workstations and servers to help protect against viruses and malicious software on those systems.
Internal users' screensavers are configured to lock after a specified period of inactivity and to require a password to unlock.
A Change Management Policy and Procedures are in place to request, document, test, and approve changes.
Automation is maintained to enforce required approval on all changes to production environments.
IT infrastructure monitoring tools are configured to monitor IT infrastructure availability and performance, generate alerts when specific predefined thresholds are met, and forecast capacity requirements to ensure system performance.
Security incidents that require a change to in-scope systems follow change management procedures.
Disk encryption is enforced on all employee devices by centrally managed data loss prevention rules.
An industry-standard tool is used to monitor the provisioning of security updates for workstations, servers, and network devices.
Users are allowed to install authorized software on issued devices. Devices are scanned for malicious and suspicious applications.
A system is in place to monitor uptime and alert team members in the event of an outage.
Email is scanned for malware before delivery and for phishing attempts after delivery.
A centralized ticketing and workflow tool tracks software change activity, including development, approvals, and testing.
The following controls mitigate risks related to any supplier or service provider, including contractors, consultants, and cloud providers. Mitigated and monitored by 1 control(s)
The organization monitors the activity of outsourced system development, and a completed contract is in place with the provider.