We, at Ometria, are proud of the value our platform delivers to our clients, but we are also highly aware of the sensitivity of our clients’ customers’ information and the importance of protecting not only their privacy but also all personally identifiable or commercially sensitive data we handle, whether it belongs to us or not.
This is why one of our five values is:
Respect for the trust we’ve been given
Core to this value is our capability to provide appropriate assurances to all Ometria’s stakeholders* of the stability of our business, the security of our products and services and the confidentiality of their information whilst in our care.
To achieve this, Ometria has identified and will adhere to the following information security objectives:
- To ensure the appropriate level of security control is applied to information through a process of risk assessment which defines the necessary security requirements and identifies the probability and impact of security breaches in respect of that information.
- To ensure the confidentiality of information belonging to all stakeholders by restricting access to information on a need-to-know basis.
- To ensure the security of the Ometria platform and professional services in accordance with secure coding standards and best practices in software development and systems engineering.
- To ensure the careful selection and management of suppliers in accordance with the needs and expectations of our stakeholders and relevant regulations and to mitigate the risks they may present to information security.
- To ensure all employees, contractors and suppliers receive awareness training and guidance appropriate to their role, and their impact on information security, throughout the lifetime of their relationship with Ometria.
- To meet all contractual, legislative and regulatory requirements of our stakeholders.
- To ensure that any suspected or actual breach of information security policies and procedures is reported to the Data Protection Officer and handled in accordance with Ometria’s formal information security incident management procedures.
- To ensure that any actual breach of information security is reported to the stakeholder(s) affected and to the relevant National Data Protection Authorities (e.g. the Information Commissioner’s Office), as appropriate.
- To ensure the achievement and ongoing certification of Ometria’s information security management system (ISMS)** to the ISO 27001 international standard for information security management systems by a UKAS-accredited certification body through continual improvement of the ISMS.
* stakeholders include clients and their customers, employees, suppliers, investors, directors and partners.
** The scope of certification is defined as, “Providers of a cross-channel dynamic marketing platform for creative marketing experiences in the retail sector across the world”.
These objectives and Ometria’s performance in achieving these are regularly reviewed, to ensure their ongoing relevance, to ensure the necessary resources are made available to achieve these, and to promote continual improvement.
Ivan Mazour – CEO
Ometria shall take the following technical and organisational security measures to protect Personal Data:
- Organisational management and dedicated employees responsible for the development, implementation, and maintenance of Ometria’s information security management system.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Ometria, monitoring and maintaining compliance with Ometria’s policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Maintain information security policies and ensure that the policies and measures described therein are regularly reviewed and, where necessary, improved.
- Communication with Ometria applications utilises cryptographic protocols such as TLS to protect information in transit over public networks.
- Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilisation of commercially available and industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or job functions change).
- Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Ometria possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor changes to Ometria’s technology and information assets.
- Incident management procedures designed to allow Ometria to investigate, respond to, mitigate and notify events related to Ometria technology and information assets.
- Correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Formal vendor management program, including vendor security reviews for critical vendors to ensure compliance with Ometria’s information security policies.
- A Data Protection Officer who is independent and who regularly reviews Ometria’s data protection risks and controls.
Vulnerability Disclosure Programme
Ometria is dedicated to the protection of our clients’ data and their users, our employees and shareholders. We value the members of the independent security research community who find security vulnerabilities and work with us to establish security fixes.
This vulnerability disclosure programme is operated by Ometria Ltd and applies to any vulnerabilities you are considering reporting to us.
Ometria’s vulnerability disclosure programme initially covers the following products:
Whilst we develop other products, we ask that all security researchers submit vulnerability reports only for the stated product list. We may increase our scope in the future as other products are developed or updated.
Please note that WordPress and WordPress plugin vulnerabilities less than 60 days old are out of scope.
We will not take legal action if you follow the terms of this vulnerability disclosure programme.
- Ometria Ltd will not engage in legal action against individuals who submit vulnerability reports through our vulnerability disclosure programme. We agree not to pursue legal action against individuals who:
  - Engage in testing of systems/research without harming Ometria or its customers.
  - Engage in vulnerability testing within the scope of our vulnerability disclosure programme.
  - Test on products without:
    - affecting our ability to provide our services to our clients;
    - affecting our clients’ ability to use the Ometria platform;
    - receiving permission/consent from clients before engaging in vulnerability testing against their devices/software, etc.
  - Adhere to the laws of our clients’ location and the location of Ometria Ltd (United Kingdom) or its affiliates (United States of America).
  - Refrain from disclosing vulnerability details to the public before the expiry of the mutually agreed-upon timeframe.
Reporting, Preference, Prioritisation, and Acceptance Criteria
If you believe you have found a security vulnerability, please complete the vulnerability disclosure form on the page. We encourage you to contact our security team using our encryption key. Your report should include details of:
- The website, IP or page where the vulnerability can be observed.
- A brief description of the type of vulnerability, for example, “Weak Encoding for Password”.
- Steps to reproduce. This should be a benign, non-destructive proof of concept. It helps to ensure that the report can be triaged quickly and accurately, and it reduces the likelihood of duplicate reports or of malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
- Please include how you found the vulnerability, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
It would be helpful if you could use MITRE’s Common Weakness Enumeration (CWE) type when describing the vulnerability.
By submitting information about a security vulnerability and/or solution proposals (together referred to as “Feedback”) to Ometria:
- You commit yourself to the principle expressed in this vulnerability disclosure programme to avoid any harm to Ometria, its employees and shareholders, its clients and their users, and you therefore agree not to publicise information about vulnerabilities in Ometria’s software or platform before a fix and/or patch has been made available by Ometria.
- You agree that we may use such Feedback to update and/or improve our software, and you grant to Ometria Ltd a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to our licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner we choose and to display, perform, copy, make, have made, use, sell, and otherwise dispose of our products or services embodying Feedback in any manner and via any media we choose, without reference to the source. We shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to you and/or your representatives.
We will use the following criteria to prioritise and triage submissions. What we would like to see from you:
- Well-written reports in English will have a higher chance of resolution.
- Reports that include proof-of-concept code equip us to triage better.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
You can see Ometria’s security.txt file at: Ometria security file
What you can expect from us:
- A timely response to your email (within 2 business days).
- After triage, we will send an expected timeline and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as the NCSC) to assist in determining how best to handle the vulnerability.
You must NOT:
- Break any applicable law or regulations.
- Access unnecessary, excessive or significant amounts of data.
- Modify data in our systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Disrupt our services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
- Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.
- Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
- Social engineer, ‘phish’ or physically attack Ometria’s employees or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
You must:
- Always comply with data protection rules and not violate the privacy of our or our clients’ users, employees, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Ometria or its affiliates to be in breach of any legal obligations.
Ometria encourages the responsible disclosure of security vulnerabilities through the Vulnerability Disclosure Programme.
Ometria would like to thank the following individuals and organisations for responsibly disclosing a security vulnerability in an Ometria online service or website, and for working with Ometria to help protect our customers.
To be eligible for this list, you must be the first person to disclose the issue in accordance with our vulnerability programme.
Independent security researchers