Security of client data
Before making any request to Vound for security information, the following points should be understood. Requests that do not take them into account may be ignored:
- At no time does Vound process, store, or access your data.
- We do not process your data or client records as part of your purchase.
- At no time does Vound have access to your network.
- The software you purchase from Vound is 100% managed by your staff.
- Vound sells your organization the requested software; after purchase, Vound has no visibility of how your staff uses our software or what data they are processing.
- Vound does not offer services to our clients.
- Vound is a software design company.
Understanding our products when requesting documentation
Vound offers two variants of our Intella program.
- Desktop software: Intella Viewer/10/100/250/Pro, W4
- Server-based software: Intella Investigator or Intella Connect
Intella Desktop products are stand-alone products. They have no network settings, connections, or requirements. They do not require or manage user access controls, passwords, or permissions. Desktop products do not need an internet connection to run. They can be run on an offline computer. External network security testing is not relevant to these products.
Vound's server-based products require network access (but not Internet access). These products are regularly tested by third-party security.
Security Audit requests
Vound strongly recommends and encourages all clients to review their security and controls constantly.
We supply the following to help you manage and budget any security assistance you may need from Vound.
The following outlines Vound's policy on supplying information, documentation, or meeting requests to discuss the security of our products.
The main areas of requests are:
- Secure code reviews
- Vulnerability management
- Security questionnaires
- Security implementation on your site
- Data security of client data or records
- Requests for NDAs
Secure code reviews
Vound has several policies and procedures that ensure we continually develop secure code. As the code Vound develops is considered our intellectual property, we will not agree to third-party review under any circumstances.
Vulnerability management
Vound consistently monitors for any vulnerabilities in the libraries we incorporate into our products. If Vound is notified of a vulnerability in a library, we check whether we are using the library in such a way that the vulnerability is relevant. If so, we update that library as soon as possible. However, it should be noted that using a library flagged as vulnerable may not mean we are using that library in a way that makes our product exploitable. An example of this is the Log4j vulnerability. While we did use a section of the Log4j library, we did not use the vulnerable sections. Hence, the vulnerability was not relevant to our products.
Note: Vound undertakes security testing of our products using third-party consultants. Vound will not supply these results as they are considered intellectual property.
Note on results from automated scanners (Nessus, Qualys, etc.)
Due to the high number of false positives produced by automated scanners, Vound will not act or comment on a customer's automated scanner results.
Vound will, however, take action if the organization can supply manual verification of the automated scanner results.
This should comprise a set of detailed screenshots of the vulnerability being successfully executed by the user to achieve the result mentioned in the CVE.
Security questionnaires
Vound is an ISO-certified company. Based on the ISO certification audit, we have created the following document covering most areas of security we are asked about in questionnaires: the Generic Security Questions document. This document is the entirety of what Vound will supply your organization regarding our security policies, procedures or independent testing.
Requests for Vound to take part in answering or filling out your organization's specific security questionnaire, compliance portal or documentation are not covered under the original purchase or yearly MA.
Reviewing or supplying details on areas such as those listed below, or on anything other than what is supplied in our security questionnaire above, will be charged based on “time and materials.” Please contact your Vound rep to discuss pricing before asking Vound to review your security questionnaire, compliance portal or documentation.
- Physical Security
- Personal Security
- Information Security
- Operational Security
- Network Security
- Application Security
- Data Security
- Endpoint Protection
- Incident Response and Recovery
- Pen testing
Note on requesting security information
A detailed description must accompany any requests for security information:
- Who will have access to our information?
- How will that information be used?
- How will the requestor store the information?
- How will the information be deleted?
- What breach notification will we be supplied if the information is shared outside of the agreed personnel?
- How would Vound be compensated if our information is mismanaged?
Security implementation on your site
Requests for Vound to participate in system architecture design or validation are not covered under the original purchase or yearly MA.
System design requests or assistance will be charged based on “time and materials.” Please contact your Vound rep to discuss pricing.
