24th May 2023
Security at Benchmark
Governance
Benchmark’s Technology teams establish policies and controls, monitor compliance with those controls, and demonstrate our security and compliance posture to third-party auditors.
Our policies are based on the following foundational principles.
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
Security controls should be implemented and layered according to the principle of defence-in-depth.
Security controls should be applied consistently across all areas of the enterprise.
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Security and compliance at Benchmark
Benchmark is working towards a SOC 2 Type II attestation. Our SOC 2 Type II report will be available by Q3 2023.
Data protection
Data at rest
All datastores holding customer data, including S3 buckets, are encrypted at rest. Sensitive collections and tables additionally store selected fields as MD5 hashes rather than plaintext; hashing is a one-way transform and is not a form of encryption, so those values cannot be recovered from the stored hash.
Data in transit
Benchmark uses AWS CloudFront with TLSv1.2 as the minimum protocol version, enforced via the TLSv1.2_2021 security policy.
Benchmark uses AWS AppStream 2.0, which provides both encryption in transit and encryption at rest.
We also use features such as HSTS (HTTP Strict Transport Security) so that browsers only reach our services over TLS. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
Secret management
Encryption keys are managed via AWS Key Management Service (KMS). KMS holds key material in Hardware Security Modules (HSMs), so no individual, including employees of Amazon or Benchmark, can access the keys directly. Key material never leaves the HSMs; encryption and decryption are performed through the KMS APIs.
Application secrets are encrypted and stored in AWS Secrets Manager and AWS Systems Manager Parameter Store, and access to these values is strictly limited.
Product security
Penetration testing
Benchmark engages an external penetration testing firm at least annually. Our current penetration testing partner is Zirilio.
All areas of the Benchmark product and cloud infrastructure are in scope for these assessments.
We can supply summary penetration test reports to clients on request.
Enterprise security
Endpoint protection
All corporate devices are centrally managed and are equipped with mobile device management (MDM) software and anti-malware protection. We use the MDM software to enforce secure endpoint configuration, including disk encryption, screen lock settings, and software updates.
Secure remote access
Benchmark secures remote access to internal resources using VPNs (FortiClient and Pritunl).
Azure AD is used as the federated identity provider for single sign-on to SaaS platforms.
We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.
Security education
Benchmark provides comprehensive security training to all employees upon onboarding and annually through educational modules.
Identity and access management
Benchmark uses Microsoft Azure AD for identity and access management. We enforce the use of phishing-resistant authentication factors.
Benchmark employees are granted access to applications based on their role, and are automatically deprovisioned when their employment ends. Additional access must be approved according to the policy defined for each application.
Vendor security
Benchmark uses a risk-based approach to vendor security. Factors that influence the inherent risk rating of a vendor include:
- Access to customer and corporate data
- Integration with production environments
- Potential damage to the Benchmark brand
Access to systems is granted on the principle of least privilege, and vendors do not have access to production systems and data.