P13. Security oversight

The company should clearly disclose information about its institutional processes to ensure the security of its products and services.

Elements
  1. Does the company clearly disclose that it has systems in place to limit and monitor employee access to user information?
  2. Does the company clearly disclose that it has a security team that conducts security audits on the company’s products and services?
  3. Does the company clearly disclose that it commissions third-party security audits on its products and services?

Research guidance

Companies have access to immense amounts of information about users and should take the strongest possible measures to keep this information secure. Just as companies should clearly disclose their oversight processes related to freedom of expression and privacy, they should also provide information about their oversight processes for keeping user information secure. We therefore expect companies to clearly disclose that they have systems in place to limit and monitor employee access to user information. We also expect the company to clearly disclose that it deploys both internal and external security teams to conduct security audits on its products and services.

Potential sources:

  • Company privacy policies
  • Company security guide