WizRocket Inc.

Independent Service Auditors’ Report on Management's Description of a
Service Organization’s System Relevant to Security, Confidentiality,
Availability and the Suitability of the Design and Operating Effectiveness
of Controls

For the period, December 01, 2020 to March 31, 2022

(SSAE 18 - SOC 2 Type 2 Report)

Prepared by: Manoj Jain, CPA in association with
www.riskpro.in
Table of Contents

1. Independent Service Auditor's Report .................................................. 4

2. Management of CleverTap’s Assertion .................................................. 8

3. Description of CleverTap’s SaaS Based Customer Lifecycle Management and Mobile Marketing Platform throughout the period December 01, 2020 to March 31, 2022 ................................. 10

   Background and Overview of Services .................................................................. 10
   Subservice Organizations .......................................................................................... 10
   Boundaries of the System .......................................................................................... 12
   Description of Control Environment, Control Activities, Risk Assessment, Monitoring and Information and Communication ............................................ 12
   Components of the System ........................................................................................ 15
   User-Entity Control Considerations ....................................................................... 26

4. Independent Service Auditor's Description of Tests of Controls and Results ................................................................................................... 29

5. Other Information Provided by CleverTap ........................................ 52

SECTION 1

INDEPENDENT SERVICE AUDITOR'S REPORT

1. Independent Service Auditor's Report

To: Management of WizRocket Inc. (CleverTap)

Scope
We have examined the attached WizRocket Inc.’s (CleverTap) description of the system titled “CleverTap SaaS based customer lifecycle management and mobile marketing solution” (description) throughout the period December 01, 2020 to March 31, 2022 included in Section 3, based on the criteria set forth in the Description Criteria DC Section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria), and the suitability of the design and operating effectiveness of controls included in the description throughout the period December 01, 2020 to March 31, 2022 to provide reasonable assurance that CleverTap’s service commitments and system requirements would be achieved based on the trust services criteria for security, availability and confidentiality set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

050T
The information included in Section 5, “Other Information Provided by CleverTap”, is presented by management of CleverTap to provide additional information and is not a part of CleverTap’s description of its system made available to user entities during the period December 01, 2020 to March 31, 2022. Information about CleverTap’s business continuity planning etc. has not been subjected to the procedures applied in the examination of the description of the system and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description of the system.

The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of CleverTap’s controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user-entity controls, and we have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

As indicated in the description, CleverTap uses subservice organizations for data center, workflow ticketing and documenting systems. The description in Section 3 includes only the controls of CleverTap and excludes controls of the various subservice organizations. The description also indicates that certain trust services criteria can be met only if the subservice organizations’ controls, contemplated in the design of CleverTap’s controls, are suitably designed and operating effectively along with related controls at the service organization. Our examination did not extend to controls of the various subservice organizations for data center services.

Service Organization's Responsibilities

CleverTap is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that the service commitments and system requirements were achieved.

CleverTap has provided the accompanying assertion titled, Management of CleverTap’s Assertion (Assertion), about the presentation of the Description based on the Description Criteria and the suitability of the design and operating effectiveness of the controls described therein to provide reasonable assurance that the service commitments and system requirements would be achieved based on the applicable trust services criteria if operating effectively. CleverTap is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) identifying the risks that would threaten the achievement of the service organization’s service commitments and system requirements; and (5) designing, implementing, and documenting controls that are suitably designed and operating effectively to meet the applicable trust services criteria stated in the Description.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the presentation of the description based on the description criteria set forth in CleverTap’s assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is presented in accordance with the description criteria and (2) the controls are suitably designed and operating effectively to meet the applicable trust services criteria stated in the description throughout the period December 01, 2020 to March 31, 2022.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs. Because of their nature, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, conclusions about the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria are subject to the risks that the system may change or that controls at a service organization may become ineffective.

Opinion

In our opinion, in all material respects, based on the description criteria described in CleverTap’s assertion and the applicable trust services criteria:

a. the description fairly presents the system that was designed and implemented throughout the period December 01, 2020 to March 31, 2022.

b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period December 01, 2020 to March 31, 2022, and the subservice organization and user entities applied the controls contemplated in the design of CleverTap’s controls throughout the period December 01, 2020 to March 31, 2022.

c. the controls operated effectively to provide reasonable assurance that the applicable trust services criteria were met throughout the period December 01, 2020 to March 31, 2022, and user entities and the subservice organization applied the controls contemplated in the design of CleverTap’s controls, and those controls operated effectively throughout the period December 01, 2020 to March 31, 2022.

Description of Test of Controls
The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of our report titled "Independent Service Auditors' Description of Test of Controls and Results".

Restricted Use
This report, including the description of controls and results thereof in Section 4 of this report, is intended solely for the information and use of CleverTap; user entities of CleverTap’s systems during some or all of the period December 01, 2020 to March 31, 2022; and those prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

● The nature of the service provided by the service organization
● How the service organization’s system interacts with user entities, subservice organizations or other parties
● Internal control and its limitations
● User entity responsibilities, complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
● The applicable trust services criteria
● The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

Manoj Jain, CPA
(Colorado Membership Number - 0023943)

July 28, 2022
Mumbai, India
SECTION 2

MANAGEMENT OF CLEVERTAP’S ASSERTION

2. Management of CleverTap’s Assertion

SECTION 3

DESCRIPTION OF CLEVERTAP’S “CLEVERTAP SAAS BASED CUSTOMER LIFECYCLE MANAGEMENT AND MOBILE MARKETING SOLUTION” THROUGHOUT THE PERIOD DECEMBER 01, 2020 TO MARCH 31, 2022

3. Description of CleverTap’s SaaS Based Customer Lifecycle Management and Mobile Marketing Platform throughout the period December 01, 2020 to March 31, 2022
Background and Overview of Services
CleverTap™, headquartered in Mountain View, San Francisco, is the hub powering omnichannel
content, digital experiences, and personalized customer journeys. It is the industry leader in the
customer lifecycle management business. CleverTap sits at the heart of an award-winning Digital
Experience Platform (DXP) and is an exclusive SaaS.

CleverTap is a Customer Lifecycle Management and Engagement platform that helps consumer brands to retain their users for life. Growth teams across industries use CleverTap’s automation, AI/ML and personalization capabilities to manage and improve the customer lifecycle by delivering the most consistent experience across all touchpoints. With a unique combination of a unified data platform, automated segmentation and insights, and omnichannel engagement, CleverTap enables brands to optimize and scale customer experiences in real time.

Significant Changes during the Review Period

There were no significant changes during the audit period.

Impact of Covid and Changes to our Controls

Since March 2020, CleverTap offices have been closed and all work is being carried out while working from home (WFH). Employees connect to various IT systems directly from home.

Access to the AWS console panel is protected with a login + password combination (provided by RedHat SSO) + Multifactor Authentication (MFA) provided by Amazon AWS IAM. Remote access to CleverTap’s production network is granted to authorized personnel through the AWS Systems Manager Session Manager, which utilizes two-factor authentication.
Subservice Organizations

CleverTap utilizes the following subservice providers that are not included within the scope of this examination. CleverTap’s responsibilities for the applications and services running at these cloud services are audited and are within scope. Our responsibility matrix is defined as part of the SLA and agreements with these subservice organizations.

● Amazon Web Services (AWS) for hosting of CleverTap SaaS application and data

AWS is used for hosting of the CleverTap application and datastores. Additionally, AWS Partner GPX Mumbai provides AWS Direct Connect services that allow CleverTap to securely and directly connect to the AWS environment.

AWS has provided an Independent Service Auditor's Report (SOC2) covering security, availability and confidentiality principles. GPX is an SSAE-attested data center.

● Atlassian Suite (Jira + Confluence) SaaS based ticketing, tracking, collaboration and documentation service

Atlassian Suite (Jira and Confluence Cloud) has provided an Independent Service Auditor's Report (SOC2) covering security, availability and confidentiality principles.

● JAMF hosted IT Management tool

JAMF is used as comprehensive enterprise management software for the Apple platform. JAMF has provided an Independent Service Auditor’s Report (SOC2) covering security, availability and confidentiality principles.

The criteria that relate to controls at the subservice organizations include all criteria related to the Trust Service Principles of Security, Confidentiality, and Availability. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at CleverTap, include the following:
● The system is protected against unauthorized access (both physical and logical).
● The system is available for operation and use as committed or agreed.
● CleverTap’s information is protected by the system as committed or agreed.
● Policies and procedures exist related to security and availability and are implemented and followed.
● Subservice personnel are hired after appropriate background vetting and new hires undergo proper onboarding and training.
● The subservice organization performs its responsibilities as committed in its agreement or terms of service.
::016
Principal Service Commitments and System Requirements

CleverTap designs its processes and procedures related to the System to meet its objectives. Those objectives are based on the service commitments of CleverTap to user entities, the laws and regulations that govern the provision of products and services to its clients, and the financial, operational, and compliance requirements that CleverTap has established for the services. Security commitments to user entities are documented and communicated in customer agreements, as well as in the description of the service offering provided online.

CleverTap establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in CleverTap's system policies and procedures, system design documentation, and contracts with customers.

Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of the System.


lh.o

Components of the System

The System comprises the following components:

● Infrastructure including the physical structures, information technology (IT) and other hardware
● Software including application programs (CleverTap Platform: SDK, Online) and IT system software that support application programs
● People including executives, sales and marketing, client services, product support, information processing, software development, and IT
● Procedures (automated and manual)
● Data including transaction streams, files, databases, tables, and output used or processed by the system.

The System boundaries include the applications, databases and infrastructure required to directly support the services provided to CleverTap's clients. Any infrastructure, software, people, procedures, and data that indirectly support the services provided to CleverTap's customers are not included within the boundaries of its system.

Boundaries of the System
Following are the specific products, services and locations within the scope of the report. Other products, services and locations are not included.

Products and Services in Scope

The scope of this report is limited to the following product:
● CleverTap SaaS platform (Development, Maintenance and Hosting)

Geographic Location in Scope

Office Location: Mumbai, India
Address: 19th floor, DLH Park, S.V. Road, Goregaon (W), Mumbai 400064

The report excludes all processes and activities that are executed outside the above location. The Singapore office is primarily the sales team; no development or DevOps work is performed from Singapore. Unless otherwise mentioned, the description and related controls apply to the above location covered by the report.

Description of Control Environment, Control Activities, Risk Assessment, Monitoring and Information and Communication

Control Environment
CleverTap’s internal control environment reflects the overall attitude, awareness and actions of management regarding the importance of controls and the emphasis given to them in company policies, procedures, methods, and organizational structure. The effectiveness of specific controls is established and enhanced by various factors, such as:

● Integrity and Ethical Values
● Management’s philosophy and operating style
● Organizational structure
● Commitment to competence
● Assignment of authority and responsibility
● Human Resources policies and procedures

Integrity and Ethical Values

CleverTap requires officers and employees to observe high standards of business and personal ethics in conducting their duties and responsibilities. Honesty and integrity are core principles of the company and all employees are expected to fulfill their responsibilities based on these principles and comply with all applicable laws and regulations. CleverTap promotes an environment of open communication and has created an environment where employees are protected from any kind of retaliation should a good faith report of an ethics violation occur. Executive management has the exclusive responsibility to investigate all reported violations and to take corrective action when warranted.
Executive Leadership
Business activities at CleverTap are under the direction of the Executive Leadership Team (ELT). ELT
consists of the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer
(CTO) and Chief Strategy Officer (CSO). The Articles of Incorporation and corporate bylaws govern the
actions and decisions made by the ELT. The ELT meets quarterly. Financial Statements are reviewed
quarterly by the ELT and the company's accounting firm.
CleverTap's Executive Management Team (EMT) meets monthly and consists of the CEO, CFO, CSO, CTO, VP of Sales and the Leadership team of India Operations. The Leadership team of India Operations, led by the Information Security Officer (ISO), provides the role of Information Security Forum for overseeing all aspects of information security. There are regular project status meetings for status and issues related to ongoing projects.
Management’s Philosophy and Operating Style
The Executive Management team at CleverTap assesses risks prior to entering into business ventures and relationships. The size of CleverTap enables the executive management team to interact with operating management on a daily, weekly, or as-needed basis.

Risk Assessment

CleverTap has placed into operation a risk assessment process to identify and manage risks that could adversely affect its ability to provide reliable processing for User Organizations. This process consists of management identifying any significant risks in their areas of responsibility and implementing the appropriate measures to address these risks.

A risk assessment is performed annually or whenever there are changes in security posture. As part of this process, threats to security are identified and the risk from these threats is formally assessed. The identified risks are mitigated so that risk levels are reduced. The risk assessment is reviewed and approved by the Leadership team of CleverTap.

The output of a risk assessment will include a completed risk assessment sheet. Any action plans will be tracked to completion and discussed in the Information Security Forum meetings.

Regular management review meetings are held to discuss the status of projects, major changes, technology trends, training, occurrence of incidents, and security initiatives.

Information Security Policies

CleverTap has developed Information Security Policies comprising IT, Facilities, HR, Development Processes, and Governance. These policies are made available to all employees via the company documentation portal (hosted on Confluence).

Domains within the IT and Security Policies include:

● Human Resource Security Policy
● Access Control Policy
● Asset Management Policy
● Risk Assessment Policy
● Incident Management Policy
● Business Continuity Planning and Disaster Recovery
● Change Control
● Document Retention Policy
● Physical and Environmental Security Policy
● Communication Security Policy
● Supplier Relationships Policy

Changes to the Information Security Policies are reviewed by the Leadership Team prior to implementation.

Monitoring
CleverTap monitors the information security of its IT Infrastructure based on the ISO 27001:2013 framework. Logical and physical security, business continuity, and legal and contractual compliance are also monitored on a periodic basis by CleverTap Management.

Security Forum

CleverTap has formed a Security Forum comprising senior management personnel that are in charge of monitoring the security of information, assets, and supporting facilities. The key objectives of the Security Forum are:
● Set a clear direction and visible management support for security initiatives; and
● Promote security within the organization through appropriate commitment and adequate resourcing.

As part of monitoring information security at CleverTap, the Security Forum meets quarterly and performs the following activities:
o Reviewing and approving the information security policy quarterly;
o Approving major initiatives to enhance information security, and mechanisms to monitor compliance;
o Reviewing and monitoring information security incidents;
o Supporting specific methodologies and processes for information security, risk assessment and the security classification system;
o Supporting organization-wide information security initiatives, for example the security awareness program;
o Promoting the visibility of business support for information security throughout the organization;
o Ascertaining that security is part of the information planning process;
o Assessing the adequacy of, and co-ordinating the implementation of, specific information security controls for new systems or services;
o Monitoring significant changes in the exposure of information assets to major threats;
o Agreeing specific roles and responsibilities for information security across the organization.

Monitoring at Project Level

Application development activities are reviewed at project level by their respective leads on a daily basis based on their work tool application dashboard (maintained on Atlassian Jira + Confluence). The status of the projects is communicated to Senior Management through the dashboard.

System Monitoring

The company uses log monitoring tools such as Splunk for log management services for access and error logs generated in AWS related to CleverTap’s products. Application logs and CloudTrail logs are monitored on AWS.

Production systems and infrastructure are monitored through Amazon AWS CloudWatch, Sensu and Pingdom, which monitor compliance with infrastructure and network performance commitments. The Pingdom system is used to send alerts/notifications based on certain security events. A self-assessment scan of vulnerabilities is performed using Tenable on a periodic basis (preferably monthly).

Vulnerabilities are evaluated and remediation actions are monitored and completed. Results and recommendations for improvement are reported to management. The real-time uptime of the landing pages for the APIs and the console is monitored through CleverTap’s internal statuspage application.

Audit and Reviews

The reconciliation of user access accounts is carried out on a half-yearly basis across various departments. A list of all privileged access given to users (system administrators) is maintained by corporate IT operations and reviewed half-yearly by the IS officer. All privileged access rights are re-evaluated if there is any change in roles and responsibilities. Physical access permissions allocated to demarcated secure areas and work areas will be reviewed on a half-yearly basis by the IS officer.

The company performs an annual ISO 27001 related internal audit program at CleverTap with the following objectives:
● To use objective evidence to verify compliance to documented procedures
● To establish a consistent and effective audit process
● To check conformance to the Quality and ISMS requirements of CleverTap that must be adhered to by the various support groups and functions
● To ascertain timely, effective, corrective and preventive action.

Information and Communication

CleverTap has documented procedures covering significant functions and operations for each major work group. Policies and procedures are reviewed and updated based on changes and business requirements. Departmental managers monitor adherence to CleverTap’s policies and procedures as part of their daily activities. All policies and procedures are maintained on Confluence where they can be accessed by employees.

CleverTap’s management holds daily/weekly team status meetings, along with quarterly business review and strategic planning meetings to identify and address service issues, customer problems, and project management concerns. There are personnel who have been designated to interface with the customer if processing or systems development issues affect customer organizations.

Electronic messaging has been incorporated into many of CleverTap's processes to provide timely information to employees regarding daily operating activities, general announcements, project/team discussions and to expedite management’s ability to communicate with employees.

External Communication

CleverTap has established various communication channels to communicate with external stakeholders such as customers, media and government. Any external communication such as press releases is vetted by a team that is responsible for this particular task. Communication with the customers happens on a regular basis by the concerned teams through emails, telephone calls, and personal meetings. Also, CleverTap publishes all the important media communication on its corporate website. The CleverTap team also goes through a QBR (Quarterly Business Review) process with key customers and publishes regular reports on the SLA + CSAT level maintained.


Components of the System

CleverTap Platform Architecture

CleverTap architecture consists of a Data Collection layer, fronted by AWS Elastic Load Balancers (ELBs), that accept data via HTTPS from client-side SDKs (as well as our public REST API). To remain responsive, our Data Collection layer does only minimal validation before dropping data into a separate Data Processing layer for preparation and delivery to our Data Store layer, where it is immediately available for querying. A separate Message Delivery Service (MDS) is responsible for querying the Data Store to generate and deliver messages via email, push notifications, and other channels.

15
Z
Z70
Infrastructure

The infrastructure comprises the physical and hardware components of the System, including facilities, equipment, software, and networks.

Data Center

The production server(s) and platform for CleverTap SaaS are hosted on AWS.

The production/staging servers are connected using AWS Systems Manager Session Manager and the connections are authenticated using AWS IAM + MFA. These connections are HTTPS only and are logged and monitored for audit purposes. The Mumbai office provides uninterrupted power supply using battery backup (UPS), a DG set, and an internet connection in addition to physical space for CleverTap's network hardware. Utilities including redundant power supply are provided by the property manager for the Mountain View and Singapore locations.

Network Overview

The production infrastructure at AWS is monitored and managed 24/7 by company staff in India in the form of remote support, as and when monitoring alerts are triggered. Offices are equipped with the latest hardware, software, and networking infrastructure. Offices are connected to the internet using high-speed communication links backed by redundant networks.

The production environment can only be accessed through AWS Session Manager, which is a capability of AWS Systems Manager. This connection is authenticated using AWS IAM services. Single Sign-on (SSO) integrated with IAM is used for password protection and multifactor authentication. The office IP address is whitelisted and two-factor authentication is enabled for added security. Local accounts have been selectively configured for authorized users who need access to the production environment.

Remote users can only access the system remotely through the use of OpenVPN. Only authorized users can use the VPN clients from remote locations to connect to the AD server and then to other regions.

JAMF service is used for configuration management at the user device level.

NETWORK DIAGRAM

Office network diagram: [diagram not reproduced in text]

AWS Data Collector Architecture diagram: [diagram not reproduced in text]

Traffic flow

1. As users interact with an application that integrates the CleverTap SDK, their actions are recorded. These actions are batched and sent using HTTP wrapped in a TLS connection to the primary stack collection endpoint (wzrkt.com in the case of eu1 and in.wzrkt.com in the case of in1).
2. The ELB maps to our front-end application called log collector or lc. It is an app that runs on a Jetty web server. TLS is offloaded on the ELB; ELB to lc is HTTP.
   a. For an incoming request, lc reads the request and in most cases pipelines it to Redis.
   b. If a request needs to evaluate past behavior, an HTTP request is made to the account's eventstore.
3. lc loads account information from MongoDB for all accounts and caches it. This cache is refreshed every five seconds. This enables lc to silently drop data for accounts that are inactive or have been disabled without having to make a database call for every incoming request, and to pipe data to the account-specific Redis.
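The account-cache behaviour in step 3, as an added example that is not CleverTap's code: a small Python model with in-memory stand-ins for MongoDB and Redis (class, field and account names are assumptions) showing how the five-second refresh lets lc drop events for disabled accounts without a per-request database call, and the up-to-five-second window in which a newly disabled account's events are still accepted.

```python
import time
from collections import defaultdict

REFRESH_INTERVAL_S = 5.0  # the report: account cache refreshed every five seconds

# Constructed stand-in for the accounts collection that lc loads from MongoDB.
ACCOUNTS_DB = {
    "acct-001": {"status": "active", "redis": "redis-shard-a"},
    "acct-002": {"status": "disabled", "redis": "redis-shard-b"},
    "acct-003": {"status": "inactive", "redis": "redis-shard-a"},
}


class LogCollector:
    """Hypothetical model of lc's account-cache path (names are assumptions)."""

    def __init__(self, db, now=time.monotonic):
        self._db = db                    # stand-in for MongoDB
        self._now = now                  # injectable clock, so the window is testable
        self._cache = {}
        self._loaded_at = float("-inf")
        self.db_calls = 0                # number of bulk (re)loads of the account set
        self.redis = defaultdict(list)   # account-specific Redis stand-ins: shard -> events
        self.dropped = 0

    def _refresh_if_stale(self):
        # One bulk load per interval instead of one lookup per incoming request.
        if self._now() - self._loaded_at >= REFRESH_INTERVAL_S:
            self._cache = {k: dict(v) for k, v in self._db.items()}
            self._loaded_at = self._now()
            self.db_calls += 1

    def handle(self, account_id, event):
        """Pipeline the event to the account's Redis, or silently drop it.

        Returns True if pipelined, False if dropped (unknown, inactive or disabled)."""
        self._refresh_if_stale()
        acct = self._cache.get(account_id)
        if acct is None or acct["status"] != "active":
            self.dropped += 1
            return False
        self.redis[acct["redis"]].append((account_id, event))
        return True


def staleness_demo():
    """Drive a fake clock to expose the failure mode of a time-based cache:
    after an account is disabled in the DB, lc keeps accepting its events until
    the next refresh (up to REFRESH_INTERVAL_S later).

    Returns (accepted_before_refresh, accepted_after_refresh, db_calls)."""
    clock = {"t": 0.0}
    db = {k: dict(v) for k, v in ACCOUNTS_DB.items()}
    lc = LogCollector(db, now=lambda: clock["t"])
    lc.handle("acct-001", {"evt": "App Launched"})      # t=0: first load, accepted
    db["acct-001"]["status"] = "disabled"               # account disabled in the DB
    clock["t"] = 2.0
    before = lc.handle("acct-001", {"evt": "Charged"})  # cache still says active: accepted
    clock["t"] = 5.0
    after = lc.handle("acct-001", {"evt": "Charged"})   # refresh happens first: dropped
    return before, after, lc.db_calls


if __name__ == "__main__":
    lc = LogCollector(ACCOUNTS_DB)
    for acct_id in ("acct-001", "acct-002", "acct-003", "acct-999"):
        print(acct_id, "pipelined" if lc.handle(acct_id, {"evt": "test"}) else "dropped")
    print("staleness demo (before, after, db_calls):", staleness_demo())
```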

Physical Security Overview

CleverTap's power management system at the offices (Mumbai and Mountain View) is designed to provide uninterrupted power. UPS units and backup generators supply power to the center in the event of a power failure. All components are covered by maintenance contracts and tested regularly for the Mumbai office. The CleverTap office in Singapore operates from WeWork and all facilities are handled by WeWork. Physical access to the Mumbai office is guided by card-based security locks as per policy. Video surveillance cameras and equipment and fire detection units are provided by the building manager in the Mumbai and Mountain View offices. WeWork maintains these for CleverTap in the Singapore office.

Fire safety equipment is checked regularly in accordance with the manufacturer's instructions for the Mumbai and Mountain View offices. Fire extinguishers are available in case of any fire incidents at both locations. Singapore office facilities are managed by WeWork and the policies are in accordance with CleverTap policies. WeWork in Singapore has its own security and visitor procedures which are followed by all tenant organizations. These procedures are in accordance with CleverTap standards and logs are obtained whenever required.

Physical and environmental controls, including power supply at the AWS data center, are provided and managed by AWS as part of their responsibilities.

Connectivity

Internet connectivity to internal users from the Mumbai office is provided by routing the traffic through a VPC which hosts the EC2 instance with the pfSense firewall and AD services, using AWS Direct Connect through an AWS partner in Mumbai. Redundant fiber links provide connectivity from the Mumbai office to the AWS endpoint for AWS Direct Connect. There is an encrypted GRE (Generic Routing Encapsulation) tunnel between the Mumbai office and AWS through AWS Direct Connect and dedicated lines. A BGP (Border Gateway Protocol) security gateway is used for routing information between office and AWS endpoints. Users are provided Wi-Fi access with WPA2 AES 256 encryption.

The CleverTap Mountain View office is connected to the internet using leased lines. This connection is routed via a pfSense firewall and backup is provided by an AT&T connection.

Physical Access

There is a security desk manned 24x7 at the main entrances to CleverTap offices. Entry to all CleverTap work areas is restricted to authorized personnel through proximity card-based access control devices. Card scanners and card-operated locks are placed on all door openings. Attendance is recorded through a card system. A visitor register is maintained at the security desk for all visitors who are not employees of the company. All visitors have to sign the visitor register and have to be escorted when in the office.

Employees are required to show their picture ID cards at the security entrance and use a card-based access management system to enter work areas. Employees are granted access only to those areas to which they require access. Access to areas marked as sensitive is tightly controlled on an as-needed basis and is approved by the Leadership team. The management team has access to all areas except sensitive areas (server and accounts rooms).

ID cards are issued to new employees based on a card requisition initiated by the Human Resource (HR) team. The HR team sends an email requesting the Administration team to issue an ID card to the new employee and set up their access. The Administration team ensures that their access in the card system is configured with the appropriate level of access. Upon issuing the card, the Administration team obtains an acknowledgement from the employee stating access was given to them.

Upon an employee's separation from the organization, the HR team initiates the exit process and coordinates with the parties involved in terminating access. Based on this, the employee's privileges in the access control system are revoked and access control records are deleted. The employee ID card is stored with the Admin personnel with proper identification and tracking.

Surveillance cameras have been installed at various critical points within and around the facility. Backups of recordings are stored for future review in the event of any malicious activity.

Access to the Server Room/Garage Room

The server room access is controlled with a card-based access control unit. Access to the server room is granted only to selected IT personnel. Third parties are allowed access to the server room only under the supervision of IT team members.

The processes and controls managed by AWS are excluded from the scope of this report. CleverTap manages the access to the database, configuration of the monitoring services, and backups of customer data. As such, these are in scope for this report.

Servers

AWS provides Infrastructure as a Service ("IaaS") and the initial creation of the virtual servers which run the CleverTap Platform. The software and operating system configurations are managed by CleverTap's DevOps team. CleverTap manages its own datastores (EventStore, Redis and MongoDB) via AWS.

Database

CleverTap's primary datastore is an EventStore within the private network, which is hosted in AWS and managed by the CleverTap DevOps Team. The CleverTap data architecture includes a leader and multiple followers, and its nodes are spread out across multiple Availability Zones for fault tolerance and redundancy.

Cache and message queue data are stored within a Redis cluster, which is also managed by the CleverTap team and also hosted within the private network on AWS.

Static files are stored within AWS S3 to increase durability, and to segregate attachments using a unique identifier that is stored in the CleverTap data architecture.

The data in all of the above cases is encrypted at rest through key management services.

Software

Firewalls

Production hosts and Security Groups in the AWS VPC (which are the equivalent of firewalls) are hardened according to industry best practices (CIS Amazon Linux Benchmark). Only the required ports are opened for inbound access at the load balancer level. Access to user data is restricted to authorized applications through VPC whitelisting.

A firewall has been implemented in the office network to control external access to CleverTap's network. Firewall events are logged. Connections are established using VPN to safeguard the network. Firewalls are hardened according to industry best practices. Unusual activities/traffic are monitored via pfSense and alerted to the IT team, which takes corrective action on priority. CleverTap has configured pfSense to automatically block traffic from originating IP addresses if it is not as per the defined acceptable policies. The CleverTap Mountain View office follows the same setup and WeWork in Singapore provides these services as per CleverTap policy.

CleverTap's network is designed around the principle of least access. The Data Center firewall at AWS has been configured to allow access to production servers only via AWS Systems Manager Session Manager. Additionally, only limited IT staff have access to production servers.

Production hosts and Security Groups are hardened according to industry best practices. CleverTap is hosted in a Virtual Private Cloud (VPC) with public subnets for the application servers and private subnets for the database servers. Only the required ports are opened for inbound access at the load balancer level. The hosts inside the VPC are accessible only from the associated load balancers. Database access is internal only and is limited to the machines within the same VPC.
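An evidence check for the VPC posture just described, as an added example that is not CleverTap's code: it audits security groups in the dict shape returned by EC2 DescribeSecurityGroups, flagging internet-facing ingress anywhere except the required ports at the load balancer layer, and any host group that accepts traffic from a CIDR range or from a security group outside its own VPC. Group IDs, VPC IDs and ports in the sample are constructed; the boto3 collector is optional and only used against a live account.

```python
from typing import Iterable, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _ports(perm: dict) -> str:
    """Render a permission's port range for a finding."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_groups(groups: Iterable[dict], lb_group_ids: Iterable[str],
                          required_lb_ports: Iterable[int]) -> List[str]:
    """Return findings for inbound rules that break the described posture.

    - Load balancer groups: internet-facing ingress only on the required ports.
    - Every other group: no CIDR-based ingress at all, and any source security
      group must belong to the same VPC (hosts reachable only from their LB tier)."""
    lb_ids, required = set(lb_group_ids), set(required_lb_ports)
    groups = list(groups)
    vpc_of = {g["GroupId"]: g.get("VpcId") for g in groups}
    findings = []
    for g in groups:
        gid, vpc = g["GroupId"], g.get("VpcId")
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = any(c in (ANY_V4, ANY_V6) for c in cidrs)
            if gid in lb_ids:
                single = (perm.get("IpProtocol") != "-1"
                          and perm.get("FromPort") == perm.get("ToPort"))
                if public and not (single and perm.get("FromPort") in required):
                    findings.append(f"{gid}: public ingress on {_ports(perm)}, "
                                    f"required ports are {sorted(required)}")
                continue
            if cidrs:
                findings.append(f"{gid}: CIDR ingress {cidrs} on {_ports(perm)}; hosts behind "
                                f"the LB must only accept traffic from security groups")
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if vpc_of.get(src) != vpc:
                    findings.append(f"{gid}: ingress on {_ports(perm)} from {src}, "
                                    f"which is not a group in VPC {vpc}")
    return findings


# Constructed sample in DescribeSecurityGroups shape (all identifiers made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-lb", "VpcId": "vpc-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,          # not a required port
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "VpcId": "vpc-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH open to the world
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "VpcId": "vpc-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}, {"GroupId": "sg-other"}]},  # cross-VPC
    ]},
    {"GroupId": "sg-other", "VpcId": "vpc-staging", "IpPermissions": []},
]


def collect_security_groups(region: str, vpc_id: str) -> List[dict]:
    """Fetch one VPC's groups with boto3 (only for a live run; not used offline)."""
    import boto3  # imported lazily so the offline audit needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    out = []
    for page in ec2.get_paginator("describe_security_groups").paginate(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]):
        out.extend(page["SecurityGroups"])
    return out


if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS, {"sg-lb"}, {443}):
        print(line)
```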
Network and Endpoint Protection / Monitoring

The IT/DevOps team ensures that all production endpoints are scanned for any vulnerabilities; this includes public IPs and services hosted on AWS. CleverTap gets a third-party penetration test report every year. Additionally, IT/DevOps ensures that any malware is dealt with efficiently and in a timely manner. CleverTap also uses Tenable for vulnerability scanning, performed regularly during low-traffic periods, and all alerts/vulnerabilities are handled as per the security policy and prioritization. JFrog Xray is used to identify vulnerabilities in Docker images.

CleverTap has devised and implemented adequate monitoring controls to detect unauthorized information processing activities. Sensu allows the System and Network Engineering team to monitor the 'eventstore_health' and 'eventstore_capacity' metrics for all EventStore hosts and the 'memory' metric for all Redis hosts. Alerts are sent from Sensu to the IT/DevOps team. Critical servers and systems are configured to log user activities, exceptions, and information security events. System administrator and system operator activities are logged and reviewed on a periodic basis.

Capacity management controls are put in place to make certain that CleverTap's resources are monitored and tuned, and that projections are made to ensure system performance meets the expected service levels and to minimize the risk of system failures and capacity-related issues. Addition of new information systems and facilities, upgrades, new versions and changes are subject to formal system analysis, testing, and approval prior to acceptance.

All CleverTap laptops are centrally managed using Chef, with the following controls applied in Chef: login window banner, password complexity configuration, screensaver, lockout and idle timeout, firewall configuration, and full disk encryption. The password policy on laptops is a minimum of 8 characters, complex, with a history of 10 and expiry at 90 days. USB ports are not restricted. The ability to install software on laptops is restricted to Corp IT support personnel through the MDM solution.

Patch Management

The IT/DevOps team ensures all systems in AWS are up to date with the latest security patches, and fixes are tested prior to going into production. For AWS servers and other production systems, operating system patches are applied based on vulnerability assessments as well as the nature of the patches. User laptops are upgraded through a device management (MDM) solution (JAMF).

Virus Detection

Anti-virus software has been installed on all local desktops/laptops, as well as production servers on AWS wherever applicable. Updates to the virus definition files are managed and downloaded by the software on a daily basis.

All inbound and outbound emails are scanned for viruses and any infected data is automatically cleaned.

People

Organizational Structure

The organizational structure of CleverTap provides the overall framework for planning, directing and controlling operations. It has segregated personnel and business functions into groups according to job responsibilities. This approach enables the organization to define responsibilities and lines of reporting and communication. It helps the employees to focus on the specific business issues impacting CleverTap's clients.

CleverTap is organized in a Functional Organization Structure and evaluates reporting lines, authorities and responsibilities as part of its planning and management process. Revisions are made, when necessary, to help meet changing commitments and business requirements. A formal organization structure is prepared and approved by management.

The management team meets periodically to review business unit plans and performance. Weekly and monthly meetings and calls with senior management and department heads are held to review operational, security and business issues, and plans for the future.

CleverTap's Information Security policies define and assign responsibilities/accountabilities for information security. Regular management meetings are held to discuss the security level, changes, technology trends, occurrence of incidents, and security initiatives.

Information Security Officer (ISO)

The role of the ISO is as follows:

● Responsible for fulfilling management's intention of goals and principles related to information security
● Coordinating with different teams for development of security policies and procedures
● Driving implementation of the Information Security Management System (ISMS)
● Taking the necessary approvals of the policies and procedures from the Security Forum
● Taking budget approvals for implementing necessary controls
● Periodically reporting on the effectiveness of the Information Security Program
● Managing and providing information security training and awareness

Engineering Services

● Development and delivery of the CleverTap Platform and Product
● Drive and improve product quality and innovation, team productivity, management of simultaneous projects in an agile fashion, customer satisfaction and product supportability
● Coordinate multiple streams of software development, involving multiple teams, geographic distribution and indirect reports
● Collaborate with Product Management by contributing to roadmaps, setting priorities, and providing estimates
● Collaborate with Customer Support to help ensure customer success and drive quality improvements
● Promote, define, refine, and enforce best practices and process improvements that fit CleverTap's agile methodology
● Provide visibility across the organization through metrics and project status reporting (Jira + Confluence)

DevOps Team
● Application and infrastructure planning, testing and provisioning + development
● Maintaining CI/CD pipelines
● Automation implementation
● On-call, incident response and incident management
● Monitoring + uptime
● Create visibility and deepen collaboration

Human Resource (HR) team

The role of the HR team is as follows:

● Implement HR policies and processes
● Effectively implement programs of recruitment, background checks, performance management and career planning
● Grievance handling and query resolution

Facilities and Logistics team

The role of the Facilities and Logistics team is as follows:

● Implement secure, hygienic, well-maintained facilities and work environment
● Responsible for physical security within the premises
● Responsible for physical access management of employees, contractors and visitors
● Provide effective utilization of space and workstation management of the facilities
● Check for compliance with all government and statutory rules and regulations related to premises

Commitment to Competence

CleverTap's formal job descriptions outline the responsibilities and qualifications required for each position in the company. Training needs are identified on an ongoing basis and are determined by current and anticipated business needs. Employee performance reviews are conducted on an annual basis, where growth opportunities and new training requirements are identified.

Assignment of Authority and Responsibility

Management is responsible for the assignment of responsibility and delegation of authority within CleverTap.

Human Resources Policies and Procedures

CleverTap maintains written Human Resources Policies and Procedures. The policies and procedures describe CleverTap's practices relating to hiring, training, performance appraisal and employee termination. The Human Resources department periodically reviews these policies and procedures to ensure they reflect changes within the organization and its operating environment. Employees are informed of these policies and procedures during the new hire induction. These policies are available on Confluence. Violation of these policies and procedures may result in disciplinary action, including employee termination.

New Hire Procedures

New employees are required to review CleverTap's corporate policies and procedures. Hiring procedures require that the proper knowledge levels have been attained along with required job-related certifications, if applicable, and industry experience. If a candidate is qualified, interviews are conducted with various levels of management and staff.

After hiring, candidates undergo background investigations consisting of prior employer references, criminal record analysis and educational references. Discrepancies noted in background investigations are documented and investigated by the Human Resources team in conjunction with a third-party verification agency. Any discrepancies found in background investigations result in disciplinary actions, up to and including employee termination. All employees must sign an employee non-disclosure agreement with CleverTap for ethical conduct and commitments regarding security and confidentiality. New employees are required to attend an induction and training program where they are made aware of CleverTap's practices, direction, and where to find relevant information. All new employees have to go through security awareness training, which is conducted annually thereafter. New joiners sign/submit an induction training form (which also collects feedback about the training), hosted on Google Forms, as an acknowledgement that they have attended the training and understood the Company's policies.

Training and Development

On an ongoing basis, CleverTap examines its training and development needs from a business standpoint. CleverTap compares these needs to the current skills held by its employees and may offer training to meet the current and anticipated needs of the organization. Periodically, CleverTap conducts in-house training on relevant topics for its employees. Additionally, security awareness training is provided annually to employees.

Performance Evaluation

CleverTap has a performance review and evaluation program to recognize employees for performance and contributions. CleverTap's performance evaluation process is also used to help employees improve their performance and skill levels. Employee performance reviews, promotions and compensation adjustments are performed every 12 months. The performance evaluation is reviewed with the employee and signed by both the employee and their manager.

New Joiner Trainings

HR coordinates to provide information security awareness programs to all employees as part of the induction process. Once a new employee joins their team, additional process training is conducted either on a one-to-one basis or in a classroom setting. HR maintains records of information security awareness training attendees and feedback forms from employees.

Employee Terminations

When an employee leaves the organization, HR initiates the exit process by notifying key stakeholders; this typically consists of IT/DevOps, Administration and Finance. IT/DevOps deactivates service/application accounts (AWS, GitHub, Atlassian Suite, email and Slack) and restricts email access, and Finance suspends any financial accounts such as company credit cards and expense accounts. Laptops/desktops are collected and wiped prior to reassignment. On the last day, the employee ID card is collected. HR closely tracks the exit process to ensure it is properly executed. A clearance form is used to get confirmation from all teams about completion of exit tasks.

Procedures

Change Management

The Change Management process describes a methodical approach to handling changes to the system. Each change is subject to a formal Change Management process, which covers products, systems, IT infrastructure, and network components.

All major changes must be initiated by the appropriate personnel, analyzed for impact, tested and approved before deployment. Post-implementation performance is checked as part of this process. Jira + Confluence is used to record and track the changes. All changes to the IT infrastructure are managed through a request for change in Jira and an approval process. All changes to production infrastructure are requested, maintained, approved and logged in a Jira workflow.

CleverTap services follow a software-as-a-service model for delivery of its own platform, services, SDK, API etc. Terms of service are provided on the website or in master service agreements signed with customers. Changes to the platform, services, systems and networks are communicated to clients if they impact their operations. There is a formal release process for releasing builds for the platform, APIs and SDKs. Release notes list everything included in a release. Changes in the CleverTap product are initiated through a Change Request Form (CRF)/product feature request. If approved, a CRF is sent to the team members and management to initiate QA testing. The testing team does the complete testing of the release. Once the testing is complete, QA signs off and initiates the appropriate team through official channels to implement the change. On receipt of sign-off from the testing team/relevant stakeholders, the release is deployed on production servers. After the change has been implemented, the QA team conducts a sanity check of the change on the production environment and notifies all parties that the change was successful. The change is further announced to customers via emails and blog posts if required. Documentation of the change, along with all the steps involved, is maintained for future reference.

Incident Reporting and Resolution

Procedures for incident response, including identification and escalation of security breaches and other incidents, are included in the Incident Response policy. Incidents/complaints are reported over the Jira Service Desk ticketing system; however, some may be walk-ups, phone calls, or emails depending on circumstances. Every single incident is reported and tracked using Jira Service Desk tickets.

When an incident is detected or reported, a defined incident response process is initiated by the authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures. CleverTap's production systems are monitored by the IT team. Any security-related incident that is noticed or reported triggers the Incident Response process.

Hosting and Maintenance

CleverTap stores client content on MongoDB + EventStore, which is hosted in AWS. Users can access application data based on the roles and permissions assigned to them. Security is maintained on production servers with quarterly vulnerability scans, as well as annual penetration testing performed by a third party. Scripts are run on a regular basis to identify database queries with irregular latency to optimize performance. Downtime due to this or other maintenance is seldom; when needed, prior notice containing the scope and impact of the maintenance is communicated to clients.

Logical Access

Security Authorization and Administration

HR emails or uses the Jira ticketing system to notify IT of all new employees that require a new workstation configured with minimum default access to company resources and applications. Additional access is recommended by management and approved by authorized personnel.

CleverTap's Information Security Policy covers access to computing resources. Default access has been defined for all non-public resources. Any additional access requires approval from designated officers. Only the IT/DevOps team has the access to change a user profile or grant higher access.

Access to CleverTap's network and systems is managed through AWS IAM + MFA and Red Hat SSO. Access is granted to an authenticated user based on the user's identity through a unique login ID that is authenticated by an associated password by the SSO solution provided by Red Hat, and roles + MFA are enforced by AWS IAM. Assets are assigned to owners who are responsible for evaluating the access based on job roles. Roles are periodically reviewed and updated by asset owners. Privileged access to sensitive resources is restricted to defined user roles and access to these roles is approved by management. This access is reviewed by authorized personnel on a quarterly basis.

By default, employees cannot access data output. Operational employees do not have access to printers. Access to confidential reports is provided to authorized individuals based on approval. Access to storage, backup data, systems and media is limited to the IT/DevOps team through the use of physical and logical access controls.

Security Configuration

Employees establish their identity on the local network and remote systems through the use of a valid unique user ID that is authenticated by an associated password. The password policy has been documented and requires minimum length, expiry and complexity.

Unattended desktops are locked within five minutes of inactivity. Users are required to provide their password to unlock the desktop.

Access to the AWS console panel is protected with a login + password combination (provided by Red Hat SSO) + Multifactor Authentication (MFA) provided by Amazon AWS IAM.

Remote access to CleverTap's production network is granted to authorized personnel through AWS Systems Manager Session Manager, which utilizes two-factor authentication.

Passwords are controlled through AWS's password policy, which includes forced password changes as well as expiry and complexity requirements; currently passwords are set to expire every 90 days.

Guest and anonymous logins are not allowed on production systems. Administrator privilege is restricted to the DevOps Team and is not available to other users. Administrator access for non-DevOps personnel must be approved by management with a valid business justification.

The Company has established hardening standards for production infrastructure, including EC2 instances, the AWS account and other services. Laptops are enrolled in the device management solution to configure hardening. Production hosts and Security Groups (which are the equivalent of firewalls) are hardened according to industry best practices (CIS Amazon Linux Benchmark). Only the required ports are opened for inbound access at the load balancer level. All user-level passwords to AWS must comply with the password norms in the password policy of the Red Hat SSO solution. The password policy on the Chef server and Mac devices is system enforced, and manually enforced on firewalls, switches and routers.

Administrative Level Access

Administrative rights and access to administrative accounts are granted only to individuals that require them to perform their jobs. CleverTap is primarily concerned with administrative access to its production infrastructure on AWS as there are no critical systems or data on premises. All administrative-level access must be justified to and approved by the management.

Security and Administration Within CleverTap (End User Product)

Since CleverTap is an enterprise content management system, it may have many users with varying permissions working together. All the member accounts of a stack are called "users" in CleverTap. Depending on the permissions, users are classified into various roles, each with a different level of access. RBAC (Role Based Access Control) is defined in the application for controlling access to the data. Users access the CleverTap application through login, API calls and server-side SDK using encrypted HTTPS channels.

To ensure that the end user data within CleverTap is secure and guarded against potential threats, the following features have been built into the product: Single Sign-on (SSO), Two-Factor Authentication, and an Account Lockout Policy. The CleverTap platform maintains a strict password policy where the complexity is customizable by the administrator under the umbrella of the CleverTap Password Policy.

Confidentiality

Access to data is restricted to authorized applications through access control software. No confidential customer-related data is stored on CleverTap's office network. All agreements with related parties and vendors include confidentiality commitments consistent with the company's confidentiality policy.

Data
EBS volumes are encrypted with AWS KMS. No customer related data is stored on CleverTap’s offices.
The HR data, Finance data and server/firewall configuration files are stored in an encrypted container
on cloud-based solutions. Access to this data is restricted to authorized users and senior management.
CleverTap has developed formal policies and procedures relating to backup and recovery and the same
are available on an internal portal. The Backup policy is defined in the Information Security Policy
Manual. Suitable backups are taken and maintained (including storing of backups offsite).
Our production environment utilizes three AWS Availability Zones; if one goes down, the other two take over without any disruption of service. Databases are backed up on the following platforms: Amazon S3 and AWS Backup. Each backup is stored in a separate AWS Region as a contingency. End-user data is stored in a proprietary database which stores persisted data on encrypted EBS volumes. Backups of user data are taken using EBS snapshots every 4 hours and retained for 14 days. Snapshots are stored in Amazon S3 and are replicated across multiple Availability Zones within a Region for redundancy.

Platform operational data (data required for the operation of the CleverTap platform) is stored in a MongoDB replica set database which stores persisted data on encrypted EBS volumes. Backups are taken using EBS snapshots every 2 hours and retained for 14 days. Snapshots are stored in Amazon S3 and are replicated across multiple Availability Zones within a Region for redundancy.

Backups for end-user and platform operational data are triggered automatically by Amazon Data Lifecycle Manager. The lifecycle policies are checked by a monitoring system that loops over every AWS Region and every lifecycle policy to ensure that all policies are in the "Enabled" state.

Local office backups, such as finance data, are carried out to S3 buckets.
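The monitoring loop described above (every Region, every lifecycle policy, all of them Enabled) can be implemented as follows. This is an added example and is not CleverTap's monitoring code; it assumes the backups are Amazon Data Lifecycle Manager EBS snapshot policies queried through boto3, and the function names, the `--live` flag and the sample policy records (constructed to mirror the shape of the DLM API responses, with made-up policy IDs) are this example's own. It goes one step beyond the stated check: besides the Enabled state, it verifies that a policy's schedule still matches the cadence and 14-day retention the report states and that a cross-region copy rule exists, because a policy can be Enabled and yet have been edited to a weaker schedule. DLM also reports an ERROR state, which the check treats as non-compliant, and a Region that cannot be queried is recorded as an error rather than skipped.

```python
"""Checks for Amazon Data Lifecycle Manager (DLM) EBS snapshot policies.

Added example, not CleverTap's monitoring code. Assumes the backups are DLM
policies queried via boto3; the sample records below are constructed to
mirror the shape of the DLM API responses.
"""
import sys

try:
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError
except ImportError:  # pure checks stay importable without boto3 installed
    boto3 = None
    BotoCoreError = ClientError = Exception

# DLM RetainRule interval units, normalised to days.
_UNIT_DAYS = {"DAYS": 1, "WEEKS": 7, "MONTHS": 30, "YEARS": 365}


def disabled_policies(policies_by_region):
    """Return [(region, policy_id, state)] for every policy not in ENABLED state.

    Input maps region -> the 'Policies' list from dlm.get_lifecycle_policies().
    DLM states are ENABLED, DISABLED or ERROR; only ENABLED passes.
    """
    findings = []
    for region, policies in sorted(policies_by_region.items()):
        for policy in policies:
            state = policy.get("State", "UNKNOWN")
            if state != "ENABLED":
                findings.append((region, policy["PolicyId"], state))
    return findings


def schedule_findings(policy, expected_interval_hours, expected_retention_days,
                      require_cross_region=True):
    """Check one policy (dlm.get_lifecycle_policy()['Policy']) against the backup
    standard: cadence, retention window and, optionally, a cross-region copy.
    Returns a list of findings; an empty list means the policy is compliant.
    """
    findings = []
    pid = policy["PolicyId"]
    schedules = policy.get("PolicyDetails", {}).get("Schedules", [])
    if not schedules:
        return [f"{pid}: no schedules defined"]
    for sched in schedules:
        name = sched.get("Name", "<unnamed>")
        create, retain = sched.get("CreateRule", {}), sched.get("RetainRule", {})
        interval_ok = (create.get("IntervalUnit") == "HOURS"
                       and create.get("Interval") == expected_interval_hours)
        if not interval_ok:
            findings.append(f"{pid}/{name}: not every {expected_interval_hours}h: {create}")
        # Retention is age-based (Interval + IntervalUnit) or count-based (Count).
        if "Interval" in retain:
            kept_days = retain["Interval"] * _UNIT_DAYS.get(retain.get("IntervalUnit"), 0)
        elif "Count" in retain and interval_ok:
            kept_days = retain["Count"] * expected_interval_hours / 24
        else:
            kept_days = 0
        if kept_days < expected_retention_days:
            findings.append(f"{pid}/{name}: retention {kept_days:g} days < "
                            f"{expected_retention_days}: {retain}")
        if require_cross_region and not sched.get("CrossRegionCopyRules"):
            findings.append(f"{pid}/{name}: no cross-region copy rule")
    return findings


def collect_policies(session):
    """Loop over every region offering DLM and fetch its policies. A region that
    cannot be queried is recorded as an ERROR policy so the check fails closed."""
    result = {}
    for region in session.get_available_regions("dlm"):
        try:
            client = session.client("dlm", region_name=region)
            result[region] = client.get_lifecycle_policies()["Policies"]
        except (ClientError, BotoCoreError) as exc:
            result[region] = [{"PolicyId": "<unreachable>", "State": f"ERROR ({exc})"}]
    return result


# Constructed sample data (policy IDs are made up).
SAMPLE_POLICIES = {
    "us-east-1": [
        {"PolicyId": "policy-0a1b2c3d4e5f60001", "State": "ENABLED"},
        {"PolicyId": "policy-0a1b2c3d4e5f60002", "State": "DISABLED"},
    ],
    "eu-west-1": [{"PolicyId": "policy-0a1b2c3d4e5f60003", "State": "ENABLED"}],
}
SAMPLE_POLICY = {  # end-user data: every 4 hours, kept 14 days, copied cross-region
    "PolicyId": "policy-0a1b2c3d4e5f60001", "State": "ENABLED",
    "PolicyDetails": {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT", "ResourceTypes": ["VOLUME"],
        "TargetTags": [{"Key": "Backup", "Value": "true"}],
        "Schedules": [{
            "Name": "every-4h",
            "CreateRule": {"Interval": 4, "IntervalUnit": "HOURS", "Times": ["00:00"]},
            "RetainRule": {"Interval": 14, "IntervalUnit": "DAYS"},
            "CrossRegionCopyRules": [{"TargetRegion": "eu-west-1", "Encrypted": True,
                                      "RetainRule": {"Interval": 14, "IntervalUnit": "DAYS"}}],
        }],
    },
}

if __name__ == "__main__":
    live = boto3 is not None and "--live" in sys.argv[1:]
    data = collect_policies(boto3.session.Session()) if live else SAMPLE_POLICIES
    for region, pid, state in disabled_policies(data):
        print(f"NOT ENABLED: {region} {pid} state={state}")
    for finding in schedule_findings(SAMPLE_POLICY, 4, 14):
        print("FINDING:", finding)
```

Run as-is to exercise the constructed sample; run with `--live` (requires boto3 and credentials allowed `dlm:GetLifecyclePolicies`) to loop over every Region as the text describes. The schedule check is exercised against the constructed policy because the expected cadence for each policy (4 hours for end-user data, 2 hours for platform data) has to be supplied by the caller; with `get_lifecycle_policy(PolicyId=...)` the same function applies to live policies.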


Data Restoration Procedure

Restoration is done in two cases:

1) When a project team makes a request to recover lost data, and

2) During the Disaster Recovery process/testing.

The relevant DevOps personnel ensure that the data is restored appropriately.
Applicable Trust Services Criteria and related Controls

The security, availability and confidentiality trust services categories and the related CleverTap controls are included in section 4 of this report, “Independent Service Auditor's Description of Tests of Controls and Results”.

CleverTap has determined that the Processing Integrity and Privacy trust services categories are not relevant to the system.
User-Entity Control Considerations

Services provided by CleverTap to user entities and the controls of CleverTap cover only a portion of the overall controls of each user entity. CleverTap’s controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary for the services outlined in this report to be achieved, as they cannot be achieved solely by CleverTap. This section highlights those internal control responsibilities that CleverTap believes should be present at each user entity and has considered in developing the controls described in this report. This list does not purport to be, and should not be considered, a complete listing of the controls relevant at user entities. Other controls may be required.

● User Organizations are responsible for ensuring that their use of CleverTap’s service complies with applicable laws and regulations.

● User Organizations are responsible for ensuring end users’ privacy and complying with applicable privacy laws.

● User Organizations are responsible for ensuring that complete, accurate and timely data is provided to CleverTap for processing.

● User Organizations are responsible for their security policy and access management for their networks, applications and data.

● User Organizations are responsible for defining criteria for processing and rejecting items input into their systems.

● User Organizations are responsible for working with CleverTap to jointly establish service levels and revise them based on changes in business conditions.

SECTION 4

INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS

4. Independent Service Auditor's Description of Tests of Controls and Results
Each control below is presented as the control implemented by CleverTap, the test procedure performed by the service auditor, and the test result.

1. Control Environment

CC1.1 Integrity and Ethics: COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

Control: The Company has documented its Mission and Vision statement in the induction training deck, and it is communicated to all new joiners during induction.
Test procedure: Inspected the mission/vision statement of the company in the induction training deck to determine that the vision statement is documented.
Test result: No exceptions noted.

Control: The entity has a code of conduct that establishes standards and guidelines for personnel ethical behaviour.
Test procedure: Inspected the code of conduct policies to determine that the entity has established standards and guidelines for personnel ethical behaviour, including a code of conduct.
Test result: No exceptions noted.

Control: All new employees have to read and sign the Confidentiality Agreement/NDA upon joining.
Test procedure: Selected a sample of new joiners and inspected their personnel files to determine that confidentiality agreements/NDAs are signed.
Test result: No exceptions noted.

Control: The Acceptable Use Policy (AUP) provides guidelines on the acceptable usage of company assets.
Test procedure: Inspected the acceptable usage policy to determine that it is documented.
Test result: No exceptions noted.

Control: Customers can provide their issues, complaints or feedback through email to Business Heads. Employees can raise their complaints and grievances to HR or HRBP as per the Redressal policy.
Test procedure: Inspected the customer resolution clauses in a customer Statement of Work (SOW) template and determined that customers have a mechanism to communicate with the company.
Test result: No exceptions noted.

Control: The company holds a valid ISO 27001:2013 certificate.
Test procedure: Inspected the following certifications to determine that they are in place and valid: 1. ISO 27001.
Test result: No exceptions noted.

CC1.2 Board Oversight: COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Control: Meetings are conducted periodically to discuss the security level, changes, technology trends, occurrence of incidents, and security initiatives. Meeting minutes are confidential in nature and are therefore shared only with a limited number of people.
Test procedure: Selected a sample of Jira board tickets and recurring meeting invites to determine that security-related meetings are held on a periodic basis.
Test result: No exceptions noted.

Control: Business meetings are conducted, and the scope of discussions is recorded in minutes of meeting. Meeting minutes are confidential in nature and are therefore shared only with a limited number of people.
Test procedure: Selected a sample of management meetings held and inspected the minutes to determine that management meetings are held on a periodic basis.
Test result: No exceptions noted.

CC1.3 Management Structures: COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Control: Organization charts are established that depict authority, reporting lines and responsibilities for management of its information systems. These charts are communicated to employees during induction and are updated as needed.
Test procedure: Inspected the organization chart in the induction training deck for an understanding of the hierarchy and to determine that it is communicated to everyone during induction. Enquired with Management to determine that organisation charts are updated periodically.
Test result: No exceptions noted.

Control: Information Security Policy & Procedures are reviewed and approved by the ISWG at least annually.
Test procedure: Inspected the ISMS Manual and related IT Policies to determine that these are documented and approved.
Test result: No exceptions noted.

Control: Information Security Policy & Procedures related to HR policies are reviewed and approved by Management at least annually.
Test procedure: Inspected the ISMS Manual and related IT Policies to determine that changes during the audit period are approved by the ISWG.
Test result: No exceptions noted.

Control: The responsibility for managing Information Security is assigned to the information security officer. Allocation of information security responsibility is documented in the information security policy.
Test procedure: Inspected the Information Security policies to determine that Information Security activities are the responsibility of the information security officer.
Test result: No exceptions noted. The responsibility for managing Information Security was not assigned to the information security officer.

CC1.4 Attract and Retain Talent: COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Control: The company has documented HR Policies and procedures, including recruitment, training and exit procedures.
Test procedure: Inspected the HR Policies and procedures to determine that these are documented.
Test result: No exceptions noted.

Control: Job requirements are documented in the job descriptions, and candidates’ abilities to meet these requirements are evaluated as part of the hiring and transfer process.
Test procedure: Inspected the HR Policies and a sample of related job descriptions to determine that requirements for each role are documented and are evaluated as part of the hiring process. Selected a sample of new joiners and inspected the personnel files for competency checks such as interview notes.
Test result: No exceptions noted.

Control: New employees sign an offer letter as their agreement to and acceptance of the broad terms of employment, including a brief description of the position and other terms.
Test procedure: Selected a sample of new joiners and inspected the offer letter / appointment letter to determine that new joiners accept the terms of employment.
Test result: No exceptions noted.

Control: Management evaluates the need for additional resources in order to achieve business objectives; these needs are communicated via email to the HR department.
Test procedure: Inspected a sample email to determine that resource planning is reviewed periodically.
Test result: No exceptions noted.

Control: External third-party background verification (BGV) checks are carried out for experienced new hires. This includes education qualification verification, employment verification, address check and, where necessary, criminal checks. BGV for interns is usually not done unless required by client process. Negative BGV reports require further management action.
Test procedure: Selected a sample of new joiners and inspected the BGV reports to determine that background verifications are carried out by external agencies.
Test result: Exceptions noted. For 1 out of the 18 new joiners sampled, it was observed that initiation of the BGV process was delayed by 4 days.
Control: Newly hired personnel are provided sufficient training before they assume the responsibilities of their new position. Each team has a training plan that includes both on-the-job and technical training.
Test procedure: Enquired with the HR Head that all new employees undergo induction training.
Test result: No exceptions noted.

Control: There is an induction training given by HR which includes information security training. In this training the HR, physical access and security policies are explained.
Test procedure: Inspected the New Hire Induction Training Presentation to ensure that it includes policies on security and also covers the identification and reporting of security breaches. Selected a sample of new joiners and inspected the induction attendance/training records to determine that new joiners undergo information security training.
Test result: No exceptions noted.

Control: Awareness refresher training is provided to all employees on at least an annual basis.
Test procedure: Inspected training records for a sample of existing employees and determined that annual training is completed.
Test result: No exceptions noted.

Control: For WFH or remote personnel, or for employees during an extended business disruption, ISMS training and induction training are carried out through web meetings or by sending the induction/joining material over email. For personnel who could not be provided regular induction training / ISMS training, batch trainings are provided subsequently.
Test procedure: Enquired with the Head of HR that web-based and email delivery of ISMS training / induction training is carried out for new joiners during business disruptions.
Test result: No exceptions noted.

CC1.5 Accountability: COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control: Roles and responsibilities are defined in written job descriptions and communicated to employees and their managers.
Test procedure: Inspected the IT policies / Roles and responsibilities document to determine that roles and responsibilities are defined.
Test result: No exceptions noted.

Control: Job descriptions are reviewed by entity management on an annual basis as part of performance appraisals.
Test procedure: Inspected updated job descriptions to determine that job descriptions and roles and responsibilities are revised as and when required.
Test result: No exceptions noted.

Control: Performance appraisals are performed at least annually. These appraisals are used to provide feedback about performance, identify training needs and decide bonuses and increments. Appraisal discussions are used to set goals for the next appraisal period.
Test procedure: Inspected a sample of performance appraisals for existing employees to determine that performance appraisals are performed at least annually.
Test result: No exceptions noted.

2. Communication and Information
CC2.1 Internal Communication and Information: COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Control: Business meetings are conducted at quarterly intervals. The MIS is generated and recorded in minutes of meeting as a QBR. Business QBRs are confidential in nature and are therefore shared only with a limited number of people.
Test procedure: Inspected a sample of QBRs to determine that major departments carry out internal departmental reporting.
Test result: No exceptions noted.

Control: At the start of each quarter, every Function Leader outlines his/her Objectives and Key Results (OKRs). Individual OKRs are aligned with company-level OKRs, and weekly business meetings are held for status updates. Meeting minutes are confidential in nature and are therefore shared only with a limited number of people.
Test procedure: Inspected a sample of weekly departmental meeting minutes to determine that these meetings are held.
Test result: No exceptions noted.

Control: Remote meetings are held to discuss issues relating to business operations, disruptions and information security. Email-based agendas and minutes are maintained.
Test procedure: Selected a sample of emails evidencing remote meetings to determine that ad hoc meetings are held during remote working / WFH.
Test result: No exceptions noted.

CC2.2 Internal Communication: COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Control: System boundaries, in terms of logical and physical boundaries, are documented. Network diagrams are in place. System boundaries are shared with customers when required.
Test procedure: Inspected the Information Security policies (and scope document, if available) and the network diagram to determine that the Company has defined system boundaries.
Test result: No exceptions noted.

Control: Security policies are published on the Confluence portal. These are available to all internal users.
Test procedure: Inspected the corporate intranet site / SharePoint to determine that IT security policies are available to internal users.
Test result: No exceptions noted.

Control: An organization-wide incident management process is in place.
Test procedure: Inspected the ISMS / Information Security Policies to determine that the incident management process is documented.
Test result: No exceptions noted.

Control: All system changes that affect internal and external users are communicated in a timely manner.
Test procedure: Inspected the ISMS and related change management policies to determine how changes to the system are communicated to users.
Test result: No exceptions noted.

Control: External client communication is carried out in a timely manner by the Project Manager / IT Head using a standard client-specific escalation matrix.
Test procedure: Enquired with management that communication with clients is done as per the standard client-specific escalation matrix.
Test result: No exceptions noted.

Control: Emails and banners on client-facing applications are used for communicating changes or downtime such as maintenance windows.
Test procedure: Enquired with management to determine that only major changes are communicated to clients through banners announcing changes or maintenance windows.
Test result: No exceptions noted.
Control: The CISO team is responsible for decisions regarding changes in confidentiality practices and commitments.
Test procedure: Enquired with the CISO about the procedures to authorize changes in confidentiality commitments and their subsequent communication to customers.
Test result: No exceptions noted.

Control: New employees hired at senior levels are communicated to stakeholders by HR through email.
Test procedure: Inspected a sample of HR emails / periodic management meetings to determine that senior management hires are communicated internally and, if necessary, externally. Enquired and noted that there was no senior-level management hiring during the period.
Test result: No exceptions noted.

CC2.3 External Communication: COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Control: The Company's security, availability and confidentiality commitments regarding the system are included in the client contracts / SOW.
Test procedure: Inspected a sample of client contracts / SOW / SLA and determined that terms related to delivery of services, such as availability and confidentiality, are covered.
Test result: No exceptions noted.

Control: Customer-specific SLAs are monitored on a regular basis. These are shared with customers based on contractual obligations and customer requirements. The CleverTap team also goes through a QBR (Quarterly Business Review) process with key customers and publishes regular reports on the SLA and CSAT levels maintained.
Test procedure: Inspected a sample of client-specific SLA monitoring reports and dashboards to determine that business operations are monitored and communicated to clients. Selected a sample of periodic SLA and CSAT reporting to determine that SLAs are monitored.
Test result: No exceptions noted.

Control: ISMS training is carried out through web meetings or by sending the induction/joining material over email during the pandemic period. In case an employee could not be provided regular training / ISMS training, batch trainings are provided subsequently.
Test procedure: Inspected the New Hire Induction Training Presentation to ensure that it includes policies on security and also covers the identification and reporting of security breaches. Selected a sample of new joiners and inspected the induction attendance/training records to determine that new joiners undergo information security training.
Test result: No exceptions noted.

Control: Customers can provide their issues, complaints or feedback through email to Business Heads. Employees can raise their complaints and grievances to HR.
Test procedure: Inspected the customer resolution clauses in a customer Statement of Work (SOW) template and determined that customers have a mechanism to communicate with the company.
Test result: No exceptions noted.

Control: Customer responsibilities are described in the customer contracts and in system documentation.
Test procedure: Inspected a sample of customer SOWs for the roles and responsibilities and determined that roles and responsibilities are clearly defined.
Test result: No exceptions noted.
Control: CleverTap services follow a software-as-a-service model for delivery of its platform, services, SDK, API etc. Terms of service are provided on the website or in master service agreements signed with customers. Changes to the platform, services, systems or networks are communicated to clients if they impact their operations.
Test procedure: Enquired with the CISO that changes to system boundaries are communicated internally and externally.
Test result: No exceptions noted.

Control: Incidents impacting external users are communicated to them through emails, along with a root cause analysis if required.
Test procedure: Selected a sample of incident reporting emails to clients / external users to determine that major incidents are reported to clients along with the root cause.
Test result: No exceptions noted.

3. Risk Assessment

CC3.1 Business Objectives: COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Control: Risk Assessment Scales (Risk Rating scales) are defined to evaluate and assess the significance of risk. This is part of the Risk Management Framework.
Test procedure: Inspected the Risk Management Procedure document to determine that the Company has a defined and documented risk assessment process that includes risk assessment scales.
Test result: No exceptions noted.

CC3.2 Risk Assessments: COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Control: Policies and procedures related to risk management are developed, implemented, and communicated to personnel.
Test procedure: Inspected the Risk Assessment policy and process to determine that the Company has a defined and documented risk assessment process.
Test result: No exceptions noted.

Control: A risk assessment is performed annually or whenever there are changes in security posture. As part of this process, threats to security are identified and the risk from these threats is formally assessed.
Test procedure: Inspected the Risk Assessment performed during the audit period to determine that the asset inventory, threats and risks were updated, and that the risk assessment is carried out at least on an annual basis.
Test result: Exceptions noted. The risk assessment was not reviewed during the audit period.

Control: Identified risks are rated and prioritized based on their likelihood, impact, detection and the existing control measures.
Test procedure: Inspected the Risk Management process performed during the year to determine that identified risks are rated.
Test result: No exceptions noted.

CC3.3 Fraud Risk: COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

Control: User laptops are kept updated through a device management (MDM) solution (JAMF). For AWS servers and other production systems, operating system patches are applied based on vulnerability assessments as well as the nature of the patches.
Test procedure: Enquired about patch application to laptops through the MDM solution (JAMF) and validated the report generated by Cisco AMP for Endpoints. For AWS servers and other production systems, inspected that vulnerability scanning using Tenable is done.
Test result: No exceptions noted.

Control: The Company has defined a formal risk management process for evaluating risks based on identified vulnerabilities, threats, asset value and mitigating controls.
Test procedure: Inspected the Risk Assessment policy and process to determine that the Company has a defined and documented risk assessment process.
Test result: No exceptions noted.
CC3.4 Changes to Systems and Risks: COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

Control: Emerging technology and system changes are considered when performing the risk assessment.
Test procedure: Inspected a sample of Risk Assessments performed during the audit period to determine that the risk assessment is carried out for emerging technology and system changes.
Test result: Exceptions noted. The risk assessment was not reviewed during the audit period.

4. Monitoring Activities

CC4.1 Evaluation of Internal Controls: COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Control: An external third-party agency conducts periodic security audits. Results and recommendations for improvement are reported to management.
Test procedure: Inspected a sample of internal audit reports and the corrective action taken to determine that internal audits and system reviews are performed periodically.
Test result: No exceptions noted.

Control: An audit calendar is established to cover all in-scope locations and business units, and the frequency is adjusted to address high risks.
Test procedure: Inspected the Annual Audit Calendar / Audit Plan to determine that all locations and major departments are covered.
Test result: No exceptions noted.

Control: The reconciliation of user access accounts is carried out on a half-yearly basis across various departments. Results and recommendations for improvement are reported to management.
Test procedure: Inspected the information security policies containing access controls to determine that these are documented. Inspected a sample of system access review reports to determine that access rights are reviewed regularly and that user access lists are reconciled against active HR records.
Test result: Exceptions noted. System access reviews were not conducted during the audit period.

CC4.2 Internal Control Deficiencies: COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Control: Internal audits are carried out as per the audit schedule by an external consultant. Results and recommendations for improvement are reported to management.
Test procedure: Inspected a sample of internal audit reports and the corrective action taken to determine that internal audits and system reviews are performed periodically.
Test result: No exceptions noted.

Control: The AWS firewall is configured to log events, which are reviewed on a periodic basis.
Test procedure: Inspected the firewall configuration settings to determine that the firewall is configured to log events.
Test result: No exceptions noted.

Control: Vulnerability assessments and penetration tests are performed at quarterly intervals by a third party. The vulnerabilities are tracked and were closed.
Test procedure: Inspected the latest vulnerability assessment / penetration test report performed by a third party and determined that VA/PT are carried out periodically and that vulnerabilities were tracked and closed.
Test result: No exceptions noted.

Control: Vulnerability assessments and penetration tests are performed quarterly by a third party. Penetration testing is performed on a periodic basis. Vulnerability scanning using Tenable is done regularly. JFrog Xray is used to identify vulnerabilities in Docker images.
Test procedure: Inspected the vulnerability assessment / penetration test report performed by a third party and determined that VA/PT are carried out periodically and that vulnerabilities were closed.
Test result: No exceptions noted. VA/PT for Q1 was not performed due to the pandemic.
5. Control Activities

CC5.1 Risk Mitigation: COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control: Segregation of duties is in place for critical functions and departments. There are 5 roles: Developer Role, Developer Lead (Engineering), SNE Developer, SNE Developer Lead.
Test procedure: Inspected the Information Security Policy and Procedures to determine that these define segregation of roles for major controls.
Test result: No exceptions noted.

CC5.2 General Controls over Technology: COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

Control: The AWS Config tool is used for AWS configuration settings. AWS Config records the configurations of RDS, IAM, S3, EC2, VPC and load balancer resources.
Test procedure: Inspected the AWS Config settings to determine that the configuration history and configuration snapshots of RDS, IAM, S3, EC2, VPC and load balancer resources are recorded by AWS Config.
Test result: No exceptions noted.

Control: Comprehensive information security measures are applied for endpoint protection and data leakage prevention for personnel working remotely / WFH, using Cloudflare.
Test procedure: Enquired with the IT Head about measures taken for WFH staff to determine that comprehensive endpoint protection and data leakage prevention and detection measures are implemented.
Test result: No exceptions noted.

CC5.3 Policies and Procedures: COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Control: The Company has implemented major policies and SOPs across business functions. Procedures are documented using various formats, such as narratives, flowcharts, and control matrices.
Test procedure: Inspected the list of policies and procedures implemented in the company to determine that major policies and procedures are implemented.
Test result: No exceptions noted.

6. Logical and Physical Access Controls

CC6.1 Logical Access: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Control: The Company has a documented procedure for logical access controls.
Test procedure: Inspected the access control policy and procedure and determined that these are documented.
Test result: No exceptions noted.

Control: Access is granted on a least-privilege basis by default, and any additional access needs to be approved.
Test procedure: Inspected the access control procedure document and determined that access is granted on a least-privilege basis by default and that any additional access needs to be approved.
Test result: No exceptions noted.

Control: The Company has established CIS hardening standards for IAM account hardening, logging, monitoring, networking and EC2 instances that include requirements for the implementation of security groups, access control, configuration settings, and standardized policies.
Test procedure: Inspected IT policies and procedures to determine that hardening standards have been established.
Test result: No exceptions noted.
Control: The Company does not allow customers or external users to access its systems.
Test procedure: Enquired with the IT team and confirmed that external users cannot access the Company's network systems.
Test result: No exceptions noted.
Control: Infrastructure components and software are configured to use Red Hat Single Sign-On (SSO) authentication with MFA.
Test procedure: Inspected the Active Directory and Group Policy screens to determine that authentication is through Active Directory. Observed a user sign-on to determine that an ID and password were required to verify identity.
Test result: No exceptions noted.
Control: Client users' access to the Entity's applications hosted on AWS is granted through a self-service process. User credentials for client employees are set up by the clients themselves.
Test procedure: Inspected a sample of client requests for user setup within the application to determine that users are created by the Entity only against an authorised client request.
Test result: No exceptions noted.
Control: Access to cloud application instances hosted for clients is restricted (RBAC) to the IT support team and select client project team members who need access. The IT support team has admin rights and can add additional Entity users to client instances as per business requirements and approvals.
Test procedure: Selected a sample of clients and inspected the user list of the application instance for those clients to determine that only the IT team and select client project teams have access to clients' production instances.
Test result: No exceptions noted.
Control: Systems that do not use the shared sign-on functionality are required to be implemented with a separate user ID and password.
Test procedure: Enquired with the IT Head and confirmed that systems not using Active Directory have a separate user ID and password requirement.
Test result: No exceptions noted.
Control: Relevant groups have been added in IAM for different teams as follows: Developer Role, Developer Lead, SNE-Developer, SNE-Lead and Default Role. Only the production group has access to production resources.
Test procedure: Inspected the IAM settings and security groups to determine that several groups have been formed for different teams and that only the production group has access to production resources.
Test result: No exceptions noted.
Control: Direct access to the cloud infrastructure is possible only over TLS (SSL) and via AWS Systems Manager Session Manager. Connections to the AWS-hosted servers are through authenticated Red Hat SSO sessions; the authenticated browser session uses HTTPS.
Test procedure: Inspected the encrypted access to the cloud infrastructure (VPC group) via Cloudflare Zero Trust and determined that inbound connections to instances in the VPC are configured to use an encrypted connection. Inspected the SSH client settings to determine that an encrypted SSH key is required for connecting to the AWS / cloud infrastructure.
Test result: No exceptions noted.
Control: MFA is implemented at Red Hat SSO, which is used for connecting to the AWS environment.
Test procedure: Inspected the Red Hat SSO screens to determine that only restricted users have access to AWS, using multi-factor authentication.
Test result: No exceptions noted.
Control: The Company has a remote working policy that requires that access to AWS resources is over SSO. Remote users can only access the system remotely through SSO authentication. Only authorized users can use the SSO clients from remote locations to connect to the AD server and then to other regions.
Test procedure: Enquired with IT staff about external access by employees and determined that external access is not allowed. Inspected the Information Security Policy and determined that the Company has documented remote working policies that cover WFH procedures and guidelines.
Test result: No exceptions noted.
Control: The IT department maintains an up-to-date list of all software.
Test procedure: Inspected the software list maintained by IT to determine that it is up to date.
Test result: No exceptions noted.
Control: A list of all hardware is maintained as part of the asset register, with ownership of each asset.
Test procedure: Inspected the asset register and determined that assets and their owners are clearly documented.
Test result: No exceptions noted.
Control: Account sharing is prohibited unless approved by management.
Test procedure: Inspected the Access Control procedure on account sharing and determined that it is prohibited unless authorized in writing.
Test result: No exceptions noted.
Control: External connections are over HTTPS using Transport Layer Security (TLS). As users interact with an application that integrates the CleverTap SDK, their actions are batched and sent over HTTP wrapped in a TLS connection to the data collection endpoint.
Test procedure: Enquired with the CISO about authentication via the user organization's VPN. Inspected firewall configuration screens showing the list of whitelisted IP addresses.
Test result: No exceptions noted.
Control: The following password parameters are in place for Red Hat SSO services:
1. Minimum length of 7 characters
2. Complexity is enabled
3. Password expires in 90 days
4. Password history is set at 3
Test procedure: Inspected the default password security settings in the Red Hat SSO services to determine that the password settings are as listed above.
Test result: No exceptions noted.
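As an added check, not part of the report or of CleverTap's configuration: RH-SSO (Keycloak) stores parameters like those above as a single realm `passwordPolicy` string, and a 7-character minimum sits below the 8-character floor of NIST SP 800-63B, which also advises against forcing periodic rotation. The script below parses such a policy string and compares it with a baseline. The policy string is constructed from the settings listed in the report (the `upperCase(1)` term stands in for "complexity is enabled" and is an assumption about the realm), and the baseline thresholds and the blocklist file name are this example's own assumptions.

```python
"""Parse an RH-SSO / Keycloak realm ``passwordPolicy`` string and check it
against a baseline. Added example; not CleverTap's tooling."""
import re

# Constructed from the settings listed in the report. "complexity is enabled"
# is rendered as upperCase(1), which is an assumption about the realm config.
REPORTED_POLICY = (
    "length(7) and upperCase(1) and forceExpiredPasswordChange(90) "
    "and passwordHistory(3)"
)

# Baseline used by this example (assumption): NIST SP 800-63B minimum length,
# no forced periodic rotation, a blocklist, and a history deeper than 3.
BASELINE = {"min_length": 8, "allow_expiry": False, "min_history": 5,
            "require_blocklist": True}

_TERM = re.compile(r"^([A-Za-z]+)(?:\(([^)]*)\))?$")


def parse_policy(policy: str) -> dict:
    """Split "a(1) and b and c(x)" into {"a": "1", "b": None, "c": "x"}."""
    parsed = {}
    for term in policy.split(" and "):
        term = term.strip()
        if not term:
            continue
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unparseable policy term: {term!r}")
        parsed[m.group(1)] = m.group(2)
    return parsed


def evaluate_policy(policy: str, baseline: dict = BASELINE) -> list:
    """Return a list of findings; an empty list means the policy meets the baseline."""
    p = parse_policy(policy)
    findings = []
    # No length() term means Keycloak enforces no minimum length at all.
    min_len = int(p["length"]) if p.get("length") else 0
    if min_len < baseline["min_length"]:
        findings.append(f"minimum length {min_len} is below {baseline['min_length']}")
    if "forceExpiredPasswordChange" in p and not baseline["allow_expiry"]:
        findings.append(
            f"passwords are force-expired every {p['forceExpiredPasswordChange']} days; "
            "SP 800-63B advises against routine rotation")
    history = int(p["passwordHistory"]) if p.get("passwordHistory") else 0
    if history < baseline["min_history"]:
        findings.append(f"password history {history} is below {baseline['min_history']}")
    if baseline["require_blocklist"] and "passwordBlacklist" not in p:
        findings.append("no passwordBlacklist term: breached/common passwords are not screened")
    return findings


def strengthened_policy(blocklist_file: str = "blocklist.txt") -> str:
    """A policy string that satisfies BASELINE (the blocklist file name is a placeholder)."""
    return (f"length(12) and notUsername and notEmail and passwordHistory(5) "
            f"and passwordBlacklist({blocklist_file})")


if __name__ == "__main__":
    for f in evaluate_policy(REPORTED_POLICY):
        print("FINDING:", f)
    print("baseline-compliant example:", strengthened_policy())
```

Run it against the `passwordPolicy` field of a realm export to get the same comparison for a live realm; the `passwordBlacklist` file must exist in the server's data directory before the strengthened policy can be applied.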

Control: CleverTap users are configured to use Red Hat Single Sign-On integrated with AWS IAM (for authentication and privilege management). The password policy and two-factor authentication are enforced at the SSO level for all logins to AWS. Further, role-based security groups are enabled in the IAM setup.
Test procedure: Inspected the domain group policy and determined that access requires a combination of user ID and unique password.
Test result: No exceptions noted.
Control: All incoming traffic is authenticated and whitelisted before it reaches the production system. AWS provides protection against external DDoS/DoS attacks.
Test procedure: Inspected the firewall console and determined that incoming connections are accepted from whitelisted IPs only.
Test result: No exceptions noted.
Control: Employees do not have access to printers or any other output device.
Test procedure: Enquired with the IT team that no printer access is given to employees and determined, based on enquiry, that output access is controlled.
Test result: No exceptions noted.
Control: All confidential data is classified as per the data classification policy.
Test procedure: Inspected the information security policies to determine that data classification policies are documented.
Test result: No exceptions noted.
CC6.2 Granting Logical Access: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Control: On the day of joining, HR sends an email to the IT Helpdesk with the details of the new joiners. IT then provides the necessary access as per the request. Employee user accounts are removed from the various applications and network systems as of the last date of employment, manually, based on the access revocation request sent by the HR department.
Test procedure: Inspected the Access Control procedure and determined that granting, modifying or deactivating access is done only against written authorization. Inspected access request forms / emails for a sample of employees to determine that written authorisation is in place. Inspected the access revocation request / exit checklist for a sample of employees to determine that written authorisation for deactivation is in place.
Test result: No exceptions noted.
Control: When an employee leaves the organization, the employee's manager initiates the 'Exit Process'. HR informs the respective teams / IT team within 24 hours to deactivate/delete the user ID from the email system and all applications. An exit checklist is used to ensure compliance with termination procedures.
Test procedure: Selected a sample of exited users and inspected the email from HR to IT and the Exit Checklist to determine that the exit process and related account deactivation follow the defined procedures.
Test result: No exceptions noted.
Control: The HR team sends the user deactivation list to the IT team within 24 hours of the time an employee is terminated or of the last working day.
Test procedure: Inspected the access revocation email from HR to IT for a sample of off-boarded employees and verified their disabled status in the AD server.
Test result: No exceptions noted.
Control: The allocation and use of privileged access rights is restricted and controlled. Privileged access to sensitive systems is restricted to defined user roles, and access to these roles must be approved.
Test procedure: Inspected sample cases of user access management for privileged access to determine that administrator privileges for the domain were limited to the IT team. Selected a sample of requests for privileged access and inspected the authorization email to determine that the privileged access was authorized.
Test result: No exceptions noted.
Control: The Company does not allow non-employees to access its systems.
Test procedure: Enquired with IT staff about access by non-employees.
Test result: No exceptions noted.
Control: The Company does not employ contract staff in its offices.
Test procedure: Enquired with IT staff about access by non-employees to determine that there are no contractors.
Test result: No exceptions noted.
CC6.3 Revoking or modifying Logical Access: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
Control: A role-based security process is set up in Active Directory, with groups and roles based on job requirements.
Test procedure: Inspected the security groups in the domain and determined that security groups based on departments and roles have been defined.
Test result: No exceptions noted.
Control: A role-based security process has been defined within the AWS IAM infrastructure based on job requirements.
Test procedure: Inspected the AWS console screens to determine that security groups based on departments and roles have been defined.
Test result: No exceptions noted.
Control: Reactivation of IDs is prohibited for an exited employee unless the employee re-joins the Company.
Test procedure: Inspected the IT policy on reactivation of IDs and determined that it is prohibited.
Test result: No exceptions noted.
Control: Employees whose last working day falls during an extended business disruption or lockdown are required to follow the normal exit procedures to the extent possible. Logical access is revoked within 24 hours. Exit formalities such as physical access deactivation and return of assets are carried out as soon as feasible. Relieving letters are not issued until all exit formalities are complete.
Test procedure: Selected a sample of exited employees whose last date fell during an extended lockdown and inspected the exit checklist, logical access revocation and physical access revocation to determine that all exit formalities were completed as per HR procedures and that any deviations were documented and approved.
Test result: Exceptions noted. Evidence of physical access deactivation is not maintained.
CC6.4 Physical Access: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.
Control: All entry points to all premises, including delivery and loading areas, are restricted to authorized personnel. A physical access control system has been implemented to secure the facilities.
Test procedure: Enquired with the Facilities team and confirmed that all offices are restricted.
Test result: No exceptions noted.
Control: Physical access to the office premises is monitored through CCTV installed at key points within the premises.
Test procedure: Observed via video call that the CCTV cameras are located across the premises and are working.
Test result: No exceptions noted.
Control: There is a security desk at the office entry manned by a security guard.
Test procedure: Physically observed the security staff at the reception, who ensure that all visitors and employees are screened before entering the office.
Test result: No exceptions noted.
Control: All visitors have to enter their details in the visitor register.
Test procedure: Inspected the visitor register for a sample of dates to determine that the visitor register is maintained.
Test result: No exceptions noted.
Control: Visitor badges are for identification purposes only and do not permit access to the facility.
Test procedure: Enquired with Facilities and confirmed that visitor badges are for identification purposes only and do not permit access to any secured areas of the facility.
Test result: No exceptions noted.
Control: All visitors must be escorted by a Company employee when visiting office facilities.
Test procedure: Physically observed that all visitors are escorted by a Company employee when visiting the Company office.
Test result: No exceptions noted.
Control: ID cards that include the employee's picture must be worn at all times when accessing or leaving the facility.
Test procedure: Inspected a photo of a sample ID card to determine that employees are provided with picture ID.
Test result: No exceptions noted.
Control: Physical access is set up by the HR department for new joiners after all HR formalities are completed. By default, ID cards do not have access to any of the sensitive areas.
Test procedure: Selected a sample of new employees and inspected that access rights were granted in the physical access system only to authorised new joiners.
Test result: No exceptions noted.
Control: Physical access to sensitive areas / server rooms is granted only to privileged users / the IT team. Access to such restricted zones is given against a written request by the MD.
Test procedure: Enquired with the IT team and confirmed that access to the server room and other sensitive areas is granted only to the IT team.
Test result: No exceptions noted.
Control: On the last day of employment, the HR team initiates the exit procedure in the Confluence tool, which triggers a set of exit procedures, including a request to deactivate the physical access of terminated employees. Physical access is deactivated by the Admin team.
Test procedure: Inspected the exit ticket for a sample of exited users to determine that physical access deactivation by the Admin team was carried out on a timely basis.
Test result: Exceptions noted. Evidence of physical access revocation is not maintained.
Control: Employees are required to return their ID cards on the last day, and all ID badges are disabled.
Test procedure: Enquired with the Admin team and confirmed that ID cards are returned by exited employees as part of the exit process.
Test result: No exceptions noted.
Control: On a half-yearly basis, HR performs a reconciliation to confirm that physical access for terminated employees has in fact been deactivated in the physical access system.
Test procedure: Inspected a sample of physical access reviews to determine that physical access reviews / reconciliations are performed periodically.
Test result: Exceptions noted. Evidence of physical access reviews is not maintained.
Control: No contractor is given an access card.
Test procedure: Enquired with Facilities about contractor access and determined that no contractor has been given an ID card for entering the office.
Test result: No exceptions noted.
Control: The sharing of access badges and tailgating are prohibited by policy.
Test procedure: Enquired with the Facilities team and confirmed that access badges are not shared; no tailgating was observed.
Test result: No exceptions noted.
CC6.5 Media Handling: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.
Control: Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by the organization. The media handling policy is part of the Asset Management policy and covers procedures for the secure disposal of information assets/equipment.
Test procedure: Inspected the Asset Management policy, which covers the media handling policy, to determine that it is documented.
Test result: No exceptions noted.
Control: When media is worn, damaged or otherwise no longer required, it is disposed of in a secure manner. To prevent the compromise of sensitive information through careless or inadequate disposal of computer media, formal procedures are established for secure media disposal.
Test procedure: Inspected the exit employee tickets to determine that, for all media that is disposed of, data is erased prior to allocation to another employee, disposal or reuse.
Test result: No exceptions noted.
CC6.6 Network Security: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Control: Production hosts and Security Groups (the equivalent of firewalls) are hardened according to industry best practices (CIS Amazon Linux Benchmark). Only the required ports are opened for inbound access, at the load balancer level. Connections for CleverTap users to AWS EC2 instances are managed via AWS Systems Manager Session Manager over HTTPS. Access to Session Manager is controlled via AWS IAM, is encrypted end-to-end and is audit-logged in the Session Manager logging service on the AWS infrastructure. There are no firewalls installed at the office locations.
Test procedure: Inspected AWS screens containing rules on ports, incoming connection types, whitelisted IPs and traffic type, and determined that the configuration complies with the policy and that incoming connections are allowed only from whitelisted IPs.
Test result: No exceptions noted.
Control: Production hosts and Security Groups (the equivalent of firewalls) are hardened according to industry best practices (CIS Amazon Linux Benchmark). Only the required ports are opened for inbound access, at the load balancer level. Connections for CleverTap users to AWS EC2 instances are managed via AWS Systems Manager Session Manager (i.e., HTTPS). Access to Session Manager is controlled via AWS IAM. Traffic is encrypted and events are logged. There are no firewalls installed at CT office locations.
Test procedure: Inspected AWS settings to determine that a VPC has been set up and that direct access to production instances is only through 2048-bit SSH keys.
Test result: No exceptions noted.
Control: Splunk is used to collect application logs and send alerts based on threat assessments. All application logs are aggregated in the Splunk centralized logging server. Application logs and CloudTrail logs are monitored on AWS.
Test procedure: Inspected the settings to determine that Splunk collects application logs, analyzes them and sends alerts for threats and abnormal activities.
Test result: No exceptions noted.
Control: Incoming connections are accepted only from authenticated SDK devices, and this is validated at the service level before access into the production VPC is allowed. AWS provides protection against external DDoS/DoS attacks.
Test procedure: Inspected the incoming connection configuration in the firewall and determined that whitelisted IPs are used to manage connections.
Test result: No exceptions noted.
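The whitelisted-IP and "only the required ports, at the load balancer" controls above are the kind of configuration worth re-checking mechanically between audits. The following is an added example, not CleverTap's or the auditor's code: it reads the JSON shape returned by `aws ec2 describe-security-groups`, treats an inbound rule as acceptable only if its source is another security group, an allowlisted CIDR, or (for load-balancer groups) the Internet on the expected listener ports, and reports everything else. The group names, CIDRs, the `lb-` naming convention and the allowlist are constructed for the example.

```python
"""Audit inbound security-group rules against an allowlist.
Added example; input mimics `aws ec2 describe-security-groups` JSON."""
import ipaddress
import json

# Assumptions for the example: approved inbound sources, the ports the public
# load balancer is expected to expose, and a naming convention for LB groups.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.10/32")]
LB_PORTS = {443}
LB_GROUP_PREFIX = "lb-"

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_DUMP = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "lb-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "192.0.2.5/32"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]})


def _on_allowlist(net, allowed):
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_security_groups(dump_json, allowed=ALLOWED_SOURCES, lb_ports=LB_PORTS):
    """Return (group_id, rule, reason) tuples for inbound rules that violate the policy.

    Source-group references (UserIdGroupPairs) are intra-VPC and are not flagged.
    """
    findings = []
    for sg in json.loads(dump_json)["SecurityGroups"]:
        is_lb = sg["GroupName"].startswith(LB_GROUP_PREFIX)
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                      # "all traffic": no port fields
                ports, label = None, "all"
            else:
                ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
                label = f"{perm['FromPort']}-{perm['ToPort']}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                rule = f"{proto}/{label} from {cidr}"
                if ports is None:
                    findings.append((sg["GroupId"], rule, "all protocols and ports open inbound"))
                elif net.prefixlen == 0:           # 0.0.0.0/0 or ::/0
                    if not (is_lb and ports <= lb_ports):
                        findings.append((sg["GroupId"], rule,
                                         "open to the Internet outside the load-balancer listener ports"))
                elif not _on_allowlist(net, allowed):
                    findings.append((sg["GroupId"], rule, "source not on the approved allowlist"))
    return findings


if __name__ == "__main__":
    for group, rule, reason in audit_security_groups(SAMPLE_DUMP):
        print(f"{group}: {rule}: {reason}")
```

Against the sample, the public load balancer's 443 rule passes, the application group's rule from the non-allowlisted host is reported, and the legacy group's "all traffic from anywhere" rules are reported twice (IPv4 and IPv6). Feeding it the real `describe-security-groups` output turns the auditor's screen inspection into a repeatable check.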
Control: The Company has implemented filtering rules at the firewall (Cloudflare) that block access to certain sites, such as personal email and storage.
Test procedure: Inspected the firewall content filtering settings to determine that content filtering is applied.
Test result: No exceptions noted.
Control: Administrative access to instances and services hosted in AWS is restricted to the Infra team members who need it for administration.
Test procedure: Inspected the user list in the firewall application to determine that access to modify firewall rules is restricted to administrators / the IT team.
Test result: No exceptions noted.
Control: No data is stored outside the production systems for any purpose such as DR testing.
Test procedure: Enquired with management about data stored outside its environment to determine that no data is stored outside the production systems for any DR test.
Test result: No exceptions noted.
Control: Customer confidential data does not reside on the office premises.
Test procedure: Enquired with IT staff about customer confidential information and determined that no customer information resides on the office network.
Test result: No exceptions noted.
Control: Logical access to Company systems is restricted through Red Hat SSO authentication, which is equivalent to domain policies.
Test procedure: Inspected the access control policy for access control procedures and configuration requirements.
Test result: No exceptions noted.
Control: End-user data is stored in a proprietary database that persists data on encrypted EBS volumes. EBS volumes are encrypted with AES-256 using keys managed by AWS KMS.
Test procedure: Inspected evidence of encryption of data storage at the EBS volume level with AWS KMS-managed keys.
Test result: No exceptions noted.
Control: Use of removable media is allowed as a business policy.
Test procedure: Enquired with the IT team and confirmed that USB ports and removable media are permitted.
Test result: No exceptions noted.
Control: Connections for CleverTap users to AWS EC2 instances are managed via AWS Systems Manager Session Manager over HTTPS. Access to Session Manager is controlled via AWS IAM. Traffic is encrypted. Logging is enabled in the Session Manager logging service on the AWS infrastructure.
Test procedure: Inspected AWS settings to determine that direct access to production instances is only through SHA-256 RSA keys.
Test result: No exceptions noted.
CC6.7 Encryption Controls: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
Control: CleverTap policies prohibit the transmission of sensitive information over the Internet in clear text; it must be encrypted.
Test procedure: Inspected the information security policies to determine that sensitive information is transmitted over the Internet only when encrypted.
Test result: No exceptions noted.
Control: All connections to AWS are encrypted (HTTPS), and only permitted users can access AWS instances, after RH SSO authentication.
Test procedure: Inspected evidence of the HTTPS implementation to determine that secure HTTPS connections are used and that RH SSO authentication provides two-factor authentication.
Test result: No exceptions noted.
Control: Storage for workstations and laptops is not encrypted, as a business policy.
Test procedure: Enquired with the Head of IT whether all storage for workstations and laptops is encrypted, or is left unencrypted under some approval.
Test result: No exceptions noted. Storage for laptops is not encrypted as a business policy.
Control: Backups of office data are taken to AWS S3, which is encrypted. Periodic backups are taken using EBS snapshots at the end of each day and retained for 14 days. Snapshots are stored in Amazon S3 and replicated across multiple Availability Zones within a Region for redundancy. Amazon S3 is encrypted.
Test procedure: Enquired with the Head of IT and confirmed that all backup media are encrypted at creation.
Test result: No exceptions noted.
CC6.8 Malicious software and Vulnerabilities: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
Control: CrowdStrike antivirus software is installed on laptops. Signature files are updated daily. Systems are scanned before data is copied to USB media.
Test procedure: Inspected a sample of desktops and servers and determined that antivirus is installed and signature files are updated. Inspected the antivirus/firewall console for configuration details on updates and alerts.
Test result: No exceptions noted.
Control: CrowdStrike Falcon is implemented as the AV on systems, and definitions are updated in near real time. Orka scans all instances / endpoints and generates the MIS report for monitoring.
Test procedure: Inspected the CrowdStrike Falcon implementation as the AV on systems and observed that the definitions are updated in near real time and that Orka scans all instances / endpoints and generates the MIS report for monitoring.
Test result: No exceptions noted.
Control: The ability to install software on laptops is restricted to Corp IT support personnel through the MDM solution. All laptops are centrally managed using Chef, with control over software updates and application installation. Local admin access is granted on need-based approval.
Test procedure: Inspected the Information Security Policies to determine that users are not allowed to install any software. Inspected screenshots of the MDM solution (Chef) to determine that administrative access is not permitted to users unless approved.
Test result: No exceptions noted.
Control: Any viruses discovered are reported to the Corp IT team, either by the antivirus system or by the affected employees.
Test procedure: Inspected the antivirus/firewall console for configuration details on updates and alerts. Inspected the security training pack for the instructions to employees on reporting virus incidents.
Test result: No exceptions noted.
7 System Operations:
CC7.1 System Operations: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Control: Management has defined configuration standards and hardening standards for IAM account hardening, logging, monitoring, networking and EC2 instances.
Test procedure: Inspected IT policies and procedures to determine that hardening standards have been established in the AWS cloud.
Test result: No exceptions noted.
CC7.2 Monitor events and attacks: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
Control: CleverTap hosts an EC2 instance with a pfSense firewall. Splunk is used to collect logs and send alerts based on threat assessments. Logging is enabled in the firewall setup.
Test procedure: Inspected evidence of the alert settings for the firewalls in place to determine that the IT team is notified.
Test result: No exceptions noted.
Control: The IT team receives requests for support through the ticketing system, phone and email, which may include requests to reset user passwords.
Test procedure: Inspected a sample of IT support ticket emails reported by users to determine that support tickets are logged as emails.
Test result: No exceptions noted.
CC7.3 Security Incidents: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
Control: CleverTap has a documented incident management process. Any incident or other event that breaches the security policy of CleverTap must be reported immediately to security@clevertap.com.
Test procedure: Inspected the ISMS / Information Security Policies to determine that the incident management process is documented.
Test result: No exceptions noted.
Control: Incidents are reported to the Corp IT team (for office-related incidents) and the Infra team (for AWS and related infrastructure) through the ticketing system. All actions are recorded and tracked.
Test procedure: Inspected a screenshot of the incident management tool to determine that incidents are tracked.
Test result: No exceptions noted.
Control: Root cause analysis is performed for major incidents. Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. For each incident, the priority, severity, date, time and action details are recorded.
Test procedure: Inspected a sample of incident reports to determine that they covered severity, date, time, details, status and root cause (if major), and that incidents are handled as per the defined process.
Test result: No exceptions noted.
CC7.4 Response to security incidents: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
Control: All security incidents are also reviewed and monitored by management. Corrective and preventive actions are completed for incidents.
Test procedure: Inspected the minutes of management meetings for discussion of incidents.
Test result: No exceptions noted.
Control: Change management requests are opened for events that require permanent fixes.
Test procedure: Inspected the Incident Management Procedure and determined that, for some incidents, change requests are opened as part of the resolution.
Test result: No exceptions noted.
CC7.5 Recover from Security incidents: The entity identifies, develops, and implements activities to recover from identified security incidents.
Control: Root cause analysis is performed for major incidents. Lessons learned are analyzed, and the incident response plan and recovery procedures are improved.
Test procedure: Inspected a sample of incident reports to determine that root cause analysis is performed for critical / major incidents.
Test result: No exceptions noted.
8 Change Management:
CC8.1 Change Management: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Control: CleverTap has defined its change management, release management and approval processes in its information security policies.
Test procedure: Inspected the change management policy and determined that the change management policy and procedures are defined.
Test result: No exceptions noted.
Control: Software design and development change procedures for the CleverTap APIs and SDK are defined in its information security policy.
Test procedure: Inspected the SDLC procedures to determine that software design and development change procedures are documented.
Test result: No exceptions noted.
Control: All coding changes, development tasks and change requests are initiated in Jira, and their workflow is managed in Jira.
Test procedure: Selected a sample of change requests to determine that these are logged and that major changes are approved by the Product Head / management.
Test result: No exceptions noted.
Control: All code changes must be peer reviewed by another programmer for adherence to coding standards and consistency.
Test procedure: Enquired with management to determine that informal code review is performed by a peer programmer.
Test result: No exceptions noted.
Control: Security vulnerability scans are performed on developed source code. Quarterly penetration testing of the application environment is performed by a third party.
Test procedure: Inspected the static code analysis tool and reports to determine that continuous code analysis is part of the development process and covers the code's reliability, security, maintainability and duplications.
Test result: No exceptions noted.
Control: QA testing is done before production release. System and regression testing is prepared by the testing team using approved test plans, automated testing and dummy test data.
Test procedure: Inspected test plans for a sample of releases to determine that the test plans included steps for regression testing and security testing.
Test result: No exceptions noted.
Software code is maintained in GitHub. Inspected screenshot of GitHub to No exceptions noted

--031
Approved coding changes are determine that software code is
incorporated in production environment maintained. -2038
by merging into production branch.
230

QA testing is done before production Inspected a sample of change requests No exceptions noted
release System and regression testing for software development to determine
20,
xo, m

is prepared by the testing team using that QA/UAT testing is carried out.
approved test plans, automated testing
pm.c

and dummy test data


t-ka.

There is a formal release process for Selected a sample of releases during No exceptions noted
pesr

releasing builds for platform, APIs and the audit period and inspected the
leov

SDKs. Release notes contain what all release notes and the related approval
ac@

is released in the release. The testing to determine that all releases are tested
svs@

team does the complete testing of the and approved before deployment
release.
lh.o

On receipt of sign off from the testing


team/relevant stakeholders the release
ndiez

is deployed on production servers.


dl.ain

Separate environments are used for Enquired with the management to No exceptions noted
ga,e

development, testing, and production. determine that separate environments


asns

Production master branch for code is are maintained for development, testing
accessible to authorized personnel. and production and also to understand
lpO,

Developers do not have the ability to about process to carry out major
Tiea

make commit changes to production changes.


aern

master branch in Git.
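The branch restriction in the control above is the kind of setting GitHub enforces as a branch protection rule, and a rule can be read back through the REST API rather than confirmed only by enquiry. The following is an added example, not CleverTap's tooling and not part of the audit evidence: it evaluates such a rule against the control. The two input dicts are constructed here to mirror the JSON shape returned by GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint, and the allowlist of who may push (the team slug release-managers) is an assumed organisational setting, not something the report states.

```python
"""Evaluate a GitHub branch-protection rule against the control that developers
cannot commit directly to the production branch.

Added example, not CleverTap's code. The dicts below are constructed to mirror
the shape of GitHub's "Get branch protection" REST response
(GET /repos/{owner}/{repo}/branches/{branch}/protection); fetch the real one
with an authenticated request and pass it to evaluate_branch_protection().
"""
from __future__ import annotations

# Assumption: only this team may push to / merge into the production branch.
# Entries are "team:<slug>" or "user:<login>".
PUSH_ALLOWLIST = {"team:release-managers"}


def evaluate_branch_protection(protection: dict,
                               push_allowlist: set[str] = PUSH_ALLOWLIST) -> list[str]:
    """Return findings for the rule; an empty list means the control holds."""
    findings: list[str] = []

    # 1. Changes must arrive through a reviewed pull request (peer review).
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        findings.append("merges need zero approving reviews")

    # 2. Repository admins must not be able to bypass the rule.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass branch protection")

    # 3. Direct pushes must be restricted to named principals. GitHub omits the
    #    "restrictions" key entirely when no restriction is configured.
    restrictions = protection.get("restrictions")
    if restrictions is None:
        findings.append("push access is not restricted to named users/teams")
    else:
        actual = {f"team:{t['slug']}" for t in restrictions.get("teams", [])}
        actual |= {f"user:{u['login']}" for u in restrictions.get("users", [])}
        extra = sorted(actual - push_allowlist)
        if extra:
            findings.append(f"principals outside the allowlist can push: {extra}")

    # 4. History must not be rewritable and the branch must not be deletable.
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


# Constructed sample: a rule that only requires a status check. Everything else
# is absent or disabled, which is what a freshly created rule looks like.
WEAK_PROTECTION = {
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: a rule that matches the control as described.
HARDENED_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/sast"]},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": True},
    "restrictions": {"users": [], "teams": [{"slug": "release-managers"}], "apps": []},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for label, rule in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        problems = evaluate_branch_protection(rule)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Reading the rule back this way gives platform-enforced evidence that review and restricted merge are in place, which is stronger than enquiry alone; the same function can be run across every repository in an organisation by paging through the repositories endpoint with the same token.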



Control: Major change requests are submitted along with their implementation, and there is a process for automatic rollback.
Test procedure: Inspected a sample of change requests to determine that they had rollback plans included.
Test result: No exceptions noted

Control: Details about releases of APIs and SDK are communicated to the appropriate client and user community if the change has any potential impact on the user base.
Test procedure: Enquired with management that changes are communicated to clients and end users if they have an impact on those users.
Test result: No exceptions noted

Control: The change management process has defined roles and assignments, thereby providing segregation of roles in the change management process.
Test procedure: Inspected the Change Management Policy and Procedures to determine that these define segregation of roles for change management.
Test result: No exceptions noted
Control: Policies and procedures related to risk management are developed, implemented, hosted on Confluence and communicated to personnel.
Test procedure: Inspected the risk management procedures to determine whether change requests are created based on identified needs.
Test result: No exceptions noted

Control: An organization-wide incident management policy is in place covering responsibilities, reporting, response and analysis of security events and incidents.
Test procedure: Inspected the Incident Management Procedure and determined that for some incidents, change requests are opened as part of resolution.
Test result: No exceptions noted

Control: A process exists to manage emergency changes. In case of an emergency, when a change has to be made immediately without going through the standard change management workflow, a member of the team with a Rescue account may log in and make changes in the console directly. Emergency changes, due to their urgent nature, may be performed without prior review.
Test procedure: Inspected the Change Management policy to determine that the policy considers the process to manage emergency changes.
Test result: No exceptions noted

Control: Dummy data is used in testing. There are test plans and automated testing suites used in testing.
Test procedure: Enquired with management that SQL scripts are used to obfuscate test data and no actual data is used in testing.
Test result: No exceptions noted

Control: There is no data stored outside production systems for any purpose such as DR tests.
Test procedure: Enquired with management that any storage of data outside of the production environment is approved.
Test result: No exceptions noted

9 Risk Mitigation:

CC9.1 Risk mitigation: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Control: The entity has a documented BCP and DR guideline to be used in the event of an incident necessitating systems infrastructure recovery.
Test procedure: Inspected the policies and procedures relating to disaster recovery & business continuity plans to determine that a plan and procedure have been documented with clear responsibilities for those required to respond.
Test result: No exceptions noted

Control: Business continuity and disaster recovery plans, including restoration of backups, are tested annually.
Test procedure: Inspected the Business Continuity Planning Policy and determined that BCP plans are tested at least annually. Inspected the evidence relating to the BCP/DR testing to determine that periodic testing is carried out.
Test result: No exceptions noted

CC9.2 Risk mitigation: The entity assesses and manages risks associated with vendors and business partners.

Control: New third-party service providers are selected based on a Vendor Selection Process. Security risk assessment is a key part of the vendor selection process.
Test procedure: Enquired with management that vendors and third-party service providers are selected based on vendor due diligence.
Test result: No exceptions noted

Control: The Company obtains and reviews compliance reports and certificates such as PCI DSS, ISO 27001, SOC 1 or SOC 2 for its key vendors. The opinion section and relevant controls are reviewed for any exceptions. This is part of vendor monitoring.
Test procedure: Inspected sample certification and attestation reports of the Company's vendors to determine that the Company receives such reports and that they are used in monitoring controls.
Test result: No exceptions noted
Control: A formal contract is executed between the Company and third-party service providers before the work is initiated. The agreement includes terms on confidentiality and the responsibilities of both parties.
Test procedure: Inspected a sample of vendor contracts to determine that vendor contracts are in place.
Test result: No exceptions noted

Control: There is no information sharing with vendors or any third party.
Test procedure: Enquired with management that no confidential information is shared with vendors or third parties.
Test result: No exceptions noted

A ADDITIONAL CRITERIA FOR AVAILABILITY:

A1.1 Processing Capacity Monitoring: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

Control: CleverTap monitors system processing capacity and usage and takes corrective actions to address changing requirements. Amazon tools and custom scripts are used, with Splunk as the repository and alerts assigned using OpsGenie. There is a workflow for monitoring capacity management for the AWS resources required for running the CleverTap SaaS platform. Autoscaling is enabled for capacity expansion.
Test procedure: Inspected a sample of capacity monitoring reports to verify that the capacity demand is documented and reviewed by management.
Test result: No exceptions noted

Control: There is a workflow for monitoring capacity management for the AWS resources required for running the CleverTap SaaS platform. Autoscaling is enabled for capacity expansion.
Test procedure: Inspected CloudWatch settings to determine that alerts & thresholds have been set up for abnormal conditions such as low CPU utilization, network out, free storage etc.
Test result: No exceptions noted

Control: Critical infrastructure components have been reviewed for criticality classification and assignment of a minimum level of redundancy.
Test procedure: Inspected redundancy measures for the firewall and determined that there is a backup firewall in a high availability configuration.
Test result: No exceptions noted

A1.2 Environmental Controls and Backup: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Control: Environmental controls (fire extinguishers, fire sprinklers and smoke detectors) have been installed in the Mumbai office to protect the perimeter area. CCTV cameras are installed at key points for surveillance. Environmental controls at other offices are managed by property managers. Devices are checked on a periodic basis and checklists are prepared. Cloud service providers providing data center services are responsible for providing suitable environmental controls. Annually, CleverTap obtains and reviews their SOC 2 or SOC 1 reports.
Test procedure: Observed that fire extinguishers across all office premises are in working condition. Observed other environmental controls.
Test result: No exceptions noted

Control: A fire drill is conducted annually.
Test procedure: Observed the fire drill report and verified that there were no exceptions noted.
Test result: No exceptions noted. The fire drill was not conducted due to COVID-19.

Control: Uninterruptible power supply (UPS) devices are in place to secure critical IT equipment against power failures and fluctuations. A DG set of sufficient capacity is provided to supply power during an outage.
Test procedure: Enquired with the Facilities team that UPS and DG set are installed at the premises.
Test result: No exceptions noted

Control: Redundant fibre links provide connectivity from the Mumbai office to the AWS endpoint for AWS Direct Connect in case one of the links fails. Direct Connect is configured to peer with a VPC in AWS's ap-south-1 region. This enables the AWS VPC and the DLH Park network to reach each other.
Test procedure: Inspected the network diagram to determine that the company has multiple ISPs in place.
Test result: No exceptions noted

Control: Environmental controls (fire extinguishers, fire sprinklers and smoke detectors) have been installed in the Mumbai office to protect the perimeter area. CCTV cameras are installed at key points for surveillance. Environmental controls at other offices are managed by property managers. Devices are checked on a periodic basis and checklists are prepared.
Test procedure: Inspected MSAs, the building lease and the vendor contract for maintenance of various environmental controls.
Test result: No exceptions noted

Control: Uninterruptible power supply (UPS) devices are in place to secure critical IT equipment in the office against power failures and fluctuations. A DG set of sufficient capacity is provided by property managers to supply power during an outage. Cloud service providers providing data center services are responsible for providing a suitable redundant power supply. Annually, CleverTap obtains and reviews their SOC 2 or SOC 1 reports.
Test procedure: Inspected the environmental control check report and determined that maintenance reviews are carried out. Inspected the UPS and DG preventive maintenance reports and vendor maintenance contracts to determine that preventive maintenance is performed periodically.
Test result: No exceptions noted

Control: Backups for end-user and platform operational data are automatically triggered using Amazon Data Lifecycle Manager. The procedures are defined and documented.
Test procedure: Inspected information security policies to determine that backup schedules and frequency of backups are documented.
Test result: No exceptions noted

Control: Backups are taken using EBS snapshots multiple times a day and retained for 14 days. Platform operational data (data required for the operations of the CleverTap platform) is stored in MongoDB. Backups are taken using EBS snapshots every 8 hours and retained for 14 days. Snapshots are stored in Amazon S3 and are replicated across multiple Availability Zones within a Region for redundancy.
Test procedure: Inspected screenshots of the backup systems to determine that backups are scheduled to be taken on a regular basis.
Test result: No exceptions noted

Control: Backups are taken using EBS snapshots every 2 hours and retained for 14 days, and alerts regarding backup completion status are sent through CloudTrail services.
Test procedure: Inspected a sample of automated alerts for backups to determine that these are configured in the backup systems.
Test result: No exceptions noted
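The cadence and retention stated in the two controls above (snapshots every 8 hours, or every 2 hours for the second data set, kept for 14 days) map directly onto the CreateRule and RetainRule of an Amazon Data Lifecycle Manager schedule, so the control can be checked against the live policy rather than a screenshot. The following is an added example, not CleverTap's tooling and not part of the audit evidence. The policy dicts are constructed here to mirror the Policy object that boto3's dlm.get_lifecycle_policy() returns; the tag key backup, the policy IDs and the schedule names are assumptions. It encodes one caveat worth checking by hand as well: a RetainRule given as a Count keeps that many snapshots, so the retention period in days is count multiplied by the cadence, not the count itself.

```python
"""Check an Amazon Data Lifecycle Manager (DLM) policy against a stated backup
control: EBS snapshots at least every N hours, retained for at least M days.

Added example, not CleverTap's code. The policy dicts mirror the "Policy"
object returned by boto3's dlm.get_lifecycle_policy(PolicyId=...); the tag
key, policy IDs and schedule names are assumed for illustration.
"""
from __future__ import annotations

_DAYS_PER_UNIT = {"DAYS": 1, "WEEKS": 7, "MONTHS": 30, "YEARS": 365}


def _interval_hours(create_rule: dict) -> int | None:
    """Snapshot cadence in hours, or None if the rule uses a cron expression."""
    if create_rule.get("IntervalUnit") == "HOURS" and "Interval" in create_rule:
        return int(create_rule["Interval"])
    return None


def _retention_days(retain_rule: dict, interval_hours: int) -> float | None:
    """Retention expressed in days.

    A count-based rule keeps the newest `Count` snapshots, so its effective
    retention is Count * cadence, not Count days.
    """
    if "Count" in retain_rule:
        return retain_rule["Count"] * interval_hours / 24
    if "Interval" in retain_rule and retain_rule.get("IntervalUnit") in _DAYS_PER_UNIT:
        return retain_rule["Interval"] * _DAYS_PER_UNIT[retain_rule["IntervalUnit"]]
    return None


def evaluate_dlm_policy(policy: dict, max_interval_hours: int = 8,
                        min_retention_days: int = 14) -> list[str]:
    """Return findings; an empty list means the policy meets the stated control."""
    findings: list[str] = []
    if policy.get("State") != "ENABLED":
        findings.append(f"policy state is {policy.get('State')!r}, not ENABLED")

    details = policy.get("PolicyDetails", {})
    if not details.get("TargetTags"):
        findings.append("no TargetTags: the policy selects no volumes or instances")

    schedules = details.get("Schedules", [])
    if not schedules:
        findings.append("policy defines no schedules")
    for sched in schedules:
        name = sched.get("Name", "<unnamed>")
        hours = _interval_hours(sched.get("CreateRule", {}))
        if hours is None:
            findings.append(f"{name}: cron-based CreateRule, verify cadence manually")
            continue
        if hours > max_interval_hours:
            findings.append(f"{name}: snapshots every {hours} h, target is {max_interval_hours} h")
        days = _retention_days(sched.get("RetainRule", {}), hours)
        if days is None:
            findings.append(f"{name}: RetainRule missing or not understood")
        elif days < min_retention_days:
            findings.append(f"{name}: retention is {days:g} days, target is {min_retention_days}")
    return findings


def missing_cross_region_copy(policy: dict) -> list[str]:
    """Advisory, beyond the stated control: schedules with no CrossRegionCopyRules.

    Snapshots are durable across Availability Zones within a Region, so only a
    cross-region copy protects against loss of the whole Region.
    """
    schedules = policy.get("PolicyDetails", {}).get("Schedules", [])
    return [s.get("Name", "<unnamed>") for s in schedules if not s.get("CrossRegionCopyRules")]


# Constructed sample matching the 8-hour / 14-day control: 42 * 8 h = 14 days.
COMPLIANT_POLICY = {
    "PolicyId": "policy-0123456789abcdef0",  # assumed ID
    "State": "ENABLED",
    "PolicyDetails": {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
        "ResourceTypes": ["VOLUME"],
        "TargetTags": [{"Key": "backup", "Value": "mongodb"}],
        "Schedules": [{
            "Name": "mongo-8h",
            "CopyTags": True,
            "CreateRule": {"Interval": 8, "IntervalUnit": "HOURS", "Times": ["00:00"]},
            "RetainRule": {"Count": 42},
        }],
    },
}

# Constructed sample that looks similar but misses the control: one snapshot a
# day, and a Count of 7 that keeps only 7 days.
WEAK_POLICY = {
    "PolicyId": "policy-0fedcba9876543210",  # assumed ID
    "State": "ENABLED",
    "PolicyDetails": {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
        "ResourceTypes": ["VOLUME"],
        "TargetTags": [{"Key": "backup", "Value": "mongodb"}],
        "Schedules": [{
            "Name": "daily",
            "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["01:00"]},
            "RetainRule": {"Count": 7},
        }],
    },
}

if __name__ == "__main__":
    for label, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        print(label, evaluate_dlm_policy(pol) or "OK", "| no cross-region copy:",
              missing_cross_region_copy(pol))
```

Against a live account, list policies with boto3.client("dlm").get_lifecycle_policies() and pass each get_lifecycle_policy(PolicyId=...)["Policy"] to evaluate_dlm_policy(); use max_interval_hours=2 for the data set the second control describes. Pair this with a restore test, since a snapshot that exists on schedule but has never been restored is only half the evidence the A1.3 criterion asks for.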

A1.3 Business Continuity: The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Control: CleverTap has a documented BCP plan to be used in the event of an incident necessitating systems infrastructure recovery. The CleverTap production environment utilizes three AWS Availability Zones; if one goes down the other two take over without any disruption of service.
Test procedure: Inspected the disaster recovery & business continuity plans to determine that these are documented.
Test result: No exceptions noted

Control: Business continuity plans, including restoration of backups, are tested at least annually.
Test procedure: Inspected the BCP/DR test report to determine that BCP plans have been tested.
Test result: No exceptions noted

C ADDITIONAL CRITERIA FOR CONFIDENTIALITY:

C1.1 Data Retention: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

Control: Data retention depends upon the container sizes that the client has paid for via their contract. The entity securely destroys or deletes all data as soon as it is no longer needed. Maximum data retention is 10 years and minimum is 3 months, governed by the MSA with the client. The retention period is set by the client as per the contract.
Test procedure: Inspected the retention policy to determine that the Company retains information as per the defined policies.
Test result: No exceptions noted

C1.2 Data Deletion: The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

Control: Data retention depends upon the container sizes that the client has paid for via their contract. The entity securely destroys or deletes all data as soon as it is no longer needed. Maximum data retention is 10 years and minimum is 3 months, governed by the MSA with the client. The retention period is set by the client as per the contract.
Test procedure: Inspected the retention policy to determine that the Company retains information as per the defined policies.
Test result: No exceptions noted

SECTION 5

OTHER INFORMATION PROVIDED BY CLEVERTAP
5. Other Information Provided by CleverTap

The information provided in this section is provided for informational purposes only by CleverTap. Independent Auditor
has performed no audit procedures in this section.

What makes CleverTap the industry leader in CLM

Performance, Security, and Scale are important factors when designing a CLM analytics and engagement platform that can parse billions of data points on any given day.

We use mostly customized tools and technologies, but we also build custom applications when third-party solutions do not fit our needs.

This is exactly what we did when we realized that there was no database solution in the market that could handle the scale and throughput demands of our product. This is when we decided to build our own in-memory database that would provide us the optimal cost-throughput balance. We run our queries in real time without the need to pre-aggregate data.

Our EventStore differentiates us in the way we build segments AND the granularity of our customer engagement.

More information is available at www.clevertap.com

Disaster and Recovery Services

The AICPA has published guidance indicating that business continuity planning, which includes disaster recovery, is a concept that addresses how an organization mitigates future risks as opposed to actual controls that provide user auditors with a level of comfort surrounding the processing of transactions. As a result, a service organization should not include in its description of controls any specific control procedures that address disaster recovery planning. Therefore, CleverTap’s disaster recovery plan descriptions of control procedures are presented in this section.

In addition to the physical controls, CleverTap has implemented controls to safeguard against an interruption of service. CleverTap has developed a number of procedures that provide for the continuity of operations in the event of an extended interruption of service at its data center. The CleverTap data nodes are spread out across multiple Availability Zones for fault tolerance and redundancy. The CleverTap production environment utilizes three AWS Availability Zones; if one goes down the other two take over without any disruption of service. Backup snapshots are stored in Amazon S3 and replicated across multiple Availability Zones within a Region for redundancy. These can be restored in the event of any failure of data sets. The Company will follow work from home in the event of any operational disruption in the Mumbai, Mountain View or Singapore offices.