Risk assessment questionnaire

Yes, Tapper maintains governance measures to support the implementation of cybersecurity and data protection controls across its environment. This includes defined security practices, controlled access to systems and data, monitoring of infrastructure, and documented handling of security and data protection responsibilities appropriate to the nature and scale of the service.

Yes, Tapper reviews and updates its cybersecurity and data protection practices periodically and when significant operational, technical, or regulatory changes occur. This is done to ensure that relevant controls, procedures, and safeguards remain appropriate, effective, and aligned with the organization's environment and risk profile.

Yes, Tapper assigns responsibility for cybersecurity and data protection oversight to designated qualified personnel, who are responsible for coordinating, implementing, and maintaining relevant security and data protection measures across the organization. These responsibilities are managed centrally and supported according to the company's size, operating model, and risk profile.

Yes, Tapper aligns its cybersecurity and data protection practices with industry-recognized standards, including SOC 2 Type II principles. The organization follows controls and processes consistent with SOC 2 requirements across security, availability, and confidentiality.

No, Tapper does not currently maintain formal participation in external cybersecurity or data protection information-sharing groups or associations. Relevant threat, vulnerability, and security information is monitored through internal security practices, infrastructure monitoring, and trusted technology providers.

No, Tapper does not collect or maintain personal data records for the purpose of identifying individuals, and therefore does not receive or process requests relating to updating or correcting personal data. The platform processes limited technical traffic signals solely for fraud detection purposes.

Yes, Tapper clearly defines and communicates its role in the data processing ecosystem through its customer-facing documentation and contractual materials. The service is positioned as a technical fraud prevention layer that processes limited technical traffic signals for a defined purpose, with responsibilities and scope described transparently to customers and partners.

Yes, Tapper restricts data use to the specific and authorized purpose for which it is processed, namely the detection and prevention of invalid or fraudulent traffic. The service applies data minimisation and purpose-limitation principles, and data is not used for unrelated purposes.

Yes, Tapper delivers web application and related service traffic over encrypted channels using industry-standard transport security protocols (e.g., HTTPS/TLS). This helps protect data in transit against interception and tampering.

Yes, Tapper implements personnel security measures appropriate to its size and operating model. This includes controlled access to systems and data, role-based responsibilities, and internal practices designed to support secure onboarding, access management, and the handling of company and customer information.

Yes, Tapper manages personnel security risk through appropriate pre-access checks and internal approval processes before granting access to company systems or data. Access is provided based on role requirements and is limited to authorized personnel only, in line with the sensitivity of the environment and applicable legal requirements.

Yes, Tapper ensures personnel are made aware of applicable cybersecurity and data protection requirements on an ongoing basis, including through internal communication, onboarding, and recurring policy familiarization as appropriate to their role. Personnel are expected to understand and adhere to these requirements as part of their responsibilities.

Yes, Tapper uses managed cloud infrastructure and standard operational processes to keep security-relevant software and supporting components up to date, including the timely application of stable security updates where applicable. Update practices are designed to reduce exposure to known vulnerabilities while maintaining service stability.

Yes, Tapper maintains applicable systems and security-relevant software on supported and stable versions as part of its operational security practices. Security updates are applied in a timely manner, taking into account risk, compatibility, and service continuity requirements.

Yes, Tapper performs security testing of its technology assets, applications, and services as part of its broader security assurance practices. This includes assessment activities designed to identify and remediate material security weaknesses in internet-facing systems and core service components.

Yes, Tapper applies patch management practices across deployed systems and applications to address security and stability requirements. Security-related patches are implemented in a timely manner based on risk, system applicability, and operational impact, with updates managed as part of standard maintenance processes.

Yes, Tapper protects logs and monitoring-related records through access controls and restricted administrative access. Logging and audit-related data are maintained within controlled environments to help prevent unauthorized access, alteration, or deletion.

Yes, Tapper uses logging and monitoring controls appropriate to its database environment to record relevant access and activity events, including successful and unsuccessful access attempts where supported by the underlying platform and service configuration. These records are used to support security monitoring, investigation, and access oversight.

Yes, Tapper monitors its environment for unauthorized or anomalous activity through infrastructure monitoring, access controls, and operational security practices. This includes oversight of accounts, system access, connections, and other relevant activity to help identify and respond to suspicious or unauthorized behavior.

Yes, Tapper maintains logging and monitoring capabilities that support the review and reporting of relevant system and security events. These capabilities assist in identifying, investigating, and assessing anomalous or potentially unauthorized activity within the environment.

Yes, Tapper addresses security incidents, including any incident involving unauthorized access to or disclosure of data, in accordance with applicable legal, regulatory, and contractual requirements. Incident handling includes investigation, containment, remediation, and notification where required based on the nature of the incident and the obligations in place.

Yes, Tapper maintains incident response processes and supporting documentation to enable a coordinated response to cybersecurity and data protection-related incidents. These processes are designed to support timely identification, escalation, containment, remediation, and internal coordination across the organization.

Yes, Tapper's incident handling process covers the core stages of incident management, including preparation, detection and intake, analysis, containment, remediation, and recovery. Monitoring and operational controls support the identification and escalation of potential incidents, with response activities coordinated according to the nature and severity of the event.

Yes, Tapper applies appropriate technical and organizational safeguards to protect data processed in support of its contractual services. This includes access controls, encrypted transmission, controlled infrastructure, and security monitoring measures designed to protect data against unauthorized access, disclosure, alteration, or misuse, in line with the nature of the service and contractual obligations.

Yes, Tapper controls remote access through approved methods and restricted administrative access to production systems and supporting infrastructure. Remote access is granted based on role and business need, and is managed through secure access controls and periodic review appropriate to the sensitivity of the environment.

Yes, Tapper protects wireless access through standard security controls, including authenticated access and strong encryption appropriate to the environment. Wireless connectivity used for business operations is restricted and secured to help prevent unauthorized access.

Yes, Tapper's infrastructure is configured following a least-privilege and default-deny approach, where network access is restricted by default and only explicitly permitted traffic is allowed based on defined rules and service requirements. This helps minimize exposure and limit unauthorized access.

Yes, Tapper uses industry-standard cryptographic protocols (e.g., HTTPS/TLS) to protect data in transit over public networks. These controls are designed to safeguard data against unauthorized access, interception, and tampering during transmission.

Yes, Tapper maintains and updates operational security practices to support the implementation and maintenance of network security controls across its environment. These controls are governed in line with the organization's infrastructure, risk profile, and service requirements, and are reviewed as needed to remain effective.

Yes, Tapper implements network access restrictions and rule-based controls to ensure that traffic flows are limited to authorized services, systems, and communication paths only. Access control measures are governed according to least-privilege principles and are maintained as part of the organization's broader network security practices.

Yes, Tapper supports secure interoperability between system components and integrations through controlled API design and standard security measures. APIs and related interfaces are protected using appropriate authentication, encrypted transport, and access controls to help ensure that only authorized systems and services can interact with them.

No, Tapper's cloud environment is currently hosted on Google Cloud Platform (GCP) in Belgium and is not currently deployed in the Saudi Arabia region. The service is hosted within a secure cloud environment with appropriate technical and organizational safeguards. Tapper's processing is limited to technical traffic signals for fraud detection and does not involve the collection or storage of sensitive personal or financial data. If required, Tapper can explore deploying a workload in a dedicated instance to support data residency or internal governance requirements.

Data stored within Tapper's cloud environment is protected using encryption at rest provided within Google Cloud Platform (GCP), together with encrypted transmission over HTTPS/TLS for data in transit. Tapper relies on managed cloud security controls and access restrictions to protect data processed within its environment.

Yes, Tapper applies internal review and control processes before production use of hosted technology assets, applications, or services. Access to and use of such systems is permitted only once appropriate security and data protection measures have been implemented and verified in line with the intended use and risk profile.

Yes, Tapper applies secure-by-default configuration practices to reduce the risk of systems, applications, and services being deployed with unnecessary exposure or weak security settings. Configuration choices are aligned with least-privilege, restricted access, and the operational requirements of the environment.

Yes, Tapper incorporates ongoing monitoring of cybersecurity and data protection control effectiveness into its development and operational practices. Relevant systems and services are subject to continuous oversight through monitoring, logging, and review processes appropriate to their role, exposure, and risk profile.

Yes, Tapper uses code review and security-focused development practices, including static analysis where appropriate, to help identify and remediate common code-level flaws before deployment. Findings are addressed through the development workflow and supporting review processes.

Yes, Tapper ensures that security controls and their intended functionality are defined and understood as part of the development and deployment process. Relevant documentation and internal practices support analysis, validation, and testing of these controls in line with the system's role and risk profile.

Yes, Tapper protects data stored within its environment using encryption at rest and managed cloud security controls designed to prevent unauthorized access to stored data. These measures help ensure that protected data is not readable in storage without authorized access through the applicable systems and controls.

Yes, Tapper implements data protection controls appropriate to the nature of its service and the data it processes. These include access restrictions, encrypted transmission, protected cloud storage, controlled infrastructure, and operational safeguards designed to protect data against unauthorized access, disclosure, alteration, or misuse.

Yes, Tapper applies secure information disposal practices appropriate to the type of data and system involved. Data is deleted, erased, or otherwise disposed of through controlled processes designed to prevent unauthorized recovery or continued access, in line with operational, legal, and contractual requirements.

Yes, Tapper uses managed identity and access controls that enforce password strength requirements through automated authentication mechanisms, including minimum length, complexity, and related access security controls as supported by the applicable identity provider or platform.

Yes, Tapper restricts access to security-sensitive functions and administrative capabilities to authorized privileged personnel only. Such access is granted based on role and business need, and is controlled through access management practices designed to enforce least-privilege and reduce unauthorized use.

Yes, Tapper uses managed authentication controls that support protections against repeated failed login attempts, including account lockout, throttling, or equivalent automated safeguards provided by the applicable identity provider or platform. These controls help reduce the risk of unauthorized access through credential-based attacks.

Yes, Tapper supports Single Sign-On (SSO) through its authentication framework, enabling users to access services using centralized identity providers. This is implemented alongside secure authentication controls and role-based access restrictions.

Yes, Tapper includes appropriate cybersecurity and data protection requirements in its agreements with relevant third-party service providers and suppliers, aligned with the nature of the services they provide. These requirements are intended to ensure that third parties maintain security and data protection standards consistent with Tapper's operational and contractual obligations.

Yes, Tapper implements third-party management controls appropriate to the services provided by external vendors and suppliers. This includes review of relevant providers, contractual protections, and oversight measures designed to support cybersecurity and data protection requirements in line with Tapper's risk profile and operational needs.

Tapper delivers its service through cloud infrastructure and does not operate customer-facing data center facilities that require visitor access record management for production environments. Physical access controls for underlying hosting facilities are managed by the relevant cloud infrastructure provider.

Tapper operates its production environment on managed cloud infrastructure and does not maintain its own data center facilities. Fire detection, suppression, and related physical environmental controls for the hosting environment are managed by the relevant cloud infrastructure provider.

Tapper's production systems and data are hosted on managed cloud infrastructure, and Tapper does not maintain physical access to underlying critical hosting systems or storage media. Physical access controls for those environments are managed by the cloud infrastructure provider, while Tapper enforces logical access controls to systems and data through authenticated and role-based access restrictions.

Yes, Tapper controls access to its office environment through visitor identification and authorization procedures appropriate to the facility. Visitors are permitted access only through controlled entry and are monitored in accordance with normal office and building management practices.

Tapper's production systems and data are hosted on managed cloud infrastructure, and Tapper does not operate physical data center environments. Physical and environmental protection controls (e.g., facility security, power, cooling, fire protection) for hosting environments are managed by the cloud infrastructure provider. Tapper applies logical and access-based controls within its systems and services.

Yes, Tapper identifies and addresses security and operational risks through appropriate remediation actions based on severity, likelihood, and potential impact. Risks are managed to acceptable levels in line with the organization's environment, service model, and risk tolerance.

Yes, Tapper performs recurring assessments of security and operational risk across its technology assets, applications, services, and data. These assessments consider the likelihood and potential impact of threats such as unauthorized access, disclosure, disruption, modification, or destruction, and are used to inform appropriate safeguards and remediation actions.

Yes, Tapper takes into account applicable statutory, regulatory, and contractual requirements as part of its security, data protection, and customer delivery practices. Relevant obligations are identified and reflected through internal controls, contractual commitments, and operational processes appropriate to the nature of the service and the jurisdictions in which it operates.

Yes, Tapper reviews and addresses instances of non-compliance with applicable statutory, regulatory, or contractual obligations through internal processes. Where relevant, findings are assessed and appropriate remediation or mitigation actions are implemented in line with the organization's risk management practices.

Yes, Tapper defines and maintains the scope of its cybersecurity and data protection controls in alignment with applicable statutory, regulatory, and contractual requirements. These controls are documented and applied in a manner consistent with the organization's service model, risk profile, and compliance obligations.

Yes, Tapper implements cryptographic protections using industry-standard and widely trusted technologies for securing data in transit and at rest. These controls are based on established public standards and are applied as part of the organization's broader security architecture and cloud infrastructure practices.

Yes, Tapper uses cryptographic protections and managed cloud security controls to protect data stored on underlying storage media. Encryption at rest is applied within the cloud environment to help preserve the confidentiality and integrity of stored data and reduce the risk of unauthorized access.

Yes, Tapper restricts the execution and use of applications and services within its environment through controlled deployment, access management, and infrastructure governance practices. Only authorized applications, tools, and services are permitted within production and administrative environments, with unauthorized software use restricted through internal controls and access limitations.

Yes, Tapper uses endpoint security controls appropriate to its operating environment, including continuously enabled anti-malware or equivalent endpoint protection measures on applicable systems. These protections are managed to prevent unauthorized disabling or modification by non-privileged users, except where specifically approved and controlled.

Yes, Tapper uses endpoint security controls appropriate to its environment, including host-based firewall protections or equivalent operating system and device-level network security controls on applicable endpoint devices, where technically feasible. These controls help restrict unauthorized inbound and outbound connections.

Yes, Tapper restricts software installation rights to authorized personnel with the appropriate privileged access. Endpoint and access management controls are used to prevent unauthorized users from installing software without explicit approval or elevated permissions.

Yes, Tapper provides cybersecurity and data protection awareness appropriate to employee and contractor responsibilities, including onboarding, internal guidance, and role-relevant security expectations. This is designed to ensure personnel understand and follow the security and data protection requirements relevant to their job function.

Yes, Tapper maintains contingency and operational resilience measures to support the continuity of its technology assets, applications, and services. This includes cloud-based infrastructure resilience, monitoring, backup and recovery considerations, and internal response practices designed to support service continuity and recovery from disruption.

Yes, Tapper evaluates the effectiveness of its operational resilience and contingency measures through testing, validation, and practical operational experience. These activities help ensure readiness to respond to disruptions and support the continuous improvement of recovery and continuity capabilities.

Yes, Tapper's cloud-based architecture and operational practices are designed to support timely recovery and restoration of services following a disruption. Recovery objectives are aligned with the nature of the service and infrastructure, enabling the resumption of core business functions within defined and reasonable timeframes.

Yes, Tapper maintains change management practices to support the controlled implementation of changes across its systems, applications, and infrastructure. Changes are reviewed, tested, and deployed through internal processes designed to reduce operational and security risk while maintaining service stability.