Security Awareness

All employees must complete a security onboarding checklist when they join the company.

This includes mandatory completion of a security awareness training module.

These best practices are reinforced at regular company-wide meetings.

We also conduct periodic workstation security audits (see dates at the beginning of this section).

Finally, we apply best practices in day-to-day tools. For example, when developers need to reproduce a production issue requiring a specific customer environment, they work with an anonymized copy of the database. The original, non-anonymized copy is never stored on a workstation.

Security Policies and Procedures

Security Incident Management

Dedicated Internal Resources (TPoC + DevOps)

A rotating developer assumes the role of Technical Point of Contact (TPoC) alongside a member of the DevOps team. These two contacts are always available and known to the entire Elevo team. They are responsible for escalating incidents when necessary.

Detection

Incident Handling

In the event of an incident, the TPoC immediately suspends ongoing tasks to assess the situation and organize the response.

The incident is logged in JIRA and assigned a severity level according to its impact and exploitability (Low, Moderate, Urgent, Severe). The TPoC triages the issue, escalates if necessary, defines a resolution timeline, and communicates with Support, who in turn informs affected clients.

All incidents are reported to the Customer Success (CS) team, which coordinates communication with impacted customers.

For Urgent or Severe incidents, the TPoC creates a “War Room” in Slack and Google Meet that includes the CS team to coordinate response efforts, and escalates the issue to a member of [email protected] (VP Engineering, CTO, or CEO), who will contact the relevant legal authorities if required.