______________________________________________________________________________________________________
(septembre 2023)
The main goal of Shiji is to deliver and maintain exceptional service to our customers. Our mission is to provide the hospitality, food service, retail and entertainment industry with a complete and modern technology stack that is secure, scalable, and ready for the future. Security is a foundational element underpinning the achievement of this goal. To ensure the highest security level of the software and information processed by Shiji, the company's Board of Directors decided to implement a Comprehensive Security Strategy and Information Security Management System, addressing the strategy.
The principles of the Information Security Management System, related to the Shiji products have been defined in accordance with the requirements of the standard ISO/IEC 27001:2017 “Information technology - Security techniques - Information Security Management Systems”. Moreover, Shiji Group implemented controls described in the ISE/IEC 27018 standard regarding personal data protection in cloud solutions.
The Information Security Policy covers all employees and contractors, and third parties having access to or processing sensitive information. The Information Security Policy contains rules ensuring Shiji products’ security in the following domains:
Shiji implemented a set of information security policies describing the security strategy, direction, and technical requirements. The policies were published and communicated to all employees. All security policies meet the requirements of the ISO/IEC 27001 standard.
Shiji established a security management framework, assigned roles and responsibilities for information security. Shiji also implemented a risk management process, ensuring that risks are identified, assessed, and treated according to the risk appetite.
Shiji informs employees about the implemented security policies and their obligations and responsibilities related to information security. Periodically, employees must acknowledge those requirements. Employees are regularly trained to improve their security awareness.
Shiji maintains inventories of information assets. All assets are assigned to the owners and classified to ensure they receive appropriate level of protection, based on the criticality of the assets. Customers’ data is among the most sensitive assets that require the highest level of protection.
Shiji manages access to assets on a need-to-know / least privilege basis. Access to any resource is granted only after required approvals and removed promptly upon termination of employment. Accounts are periodically reviewed.
Shiji applies effective cryptography based on current recommendations, technical requirements and conducted risk assessments.
Shiji premises are protected with physical security measures to prevent unauthorized physical access. Shiji cooperates only with reputable cloud infrastructure vendors, providing the required level of physical security.
Shiji implemented security operations to protect the services and data processed within the services. The operations are managed by the Security Team and the Security and Network Operations Center Team working on a 24/7 basis. The team implemented among others, a vulnerability management process, ensuring that vulnerabilities are addressed according to their classification.
Shiji implemented network security solutions, to ensure the security and monitoring of networks. All information transmitted via public networks is encrypted.
Security is an integral part of the development and systems acquisition. Services are subject of continuous web application and infrastructure threat assessment, source code reviews, and penetration testing.
Shiji applied security controls related to suppliers depending on the scope of the cooperation, sensitivity of the exchanged data and risks being a result of the cooperation.
Shiji implemented a security incident management process, supported by multiple technical solutions. The Security and Network Operations Center Team monitors the performance and security levels on a 24/7 basis. Detected security incidents are resolved timely.
Shiji created and implemented business continuity plans to ensure the required availability of the service. The services are designed and implemented to address high availability requirements. Business continuity scenarios are tested at least once a year.
Shiji identified applicable legislations and contractual requirements, to ensure the services and Shiji are compliant with them. Information security area is periodically reviewed, to ensure that it is implemented and operates in accordance with internal security regulations.
The Shiji Information Security Policy is a subject of continuous improvement, according to the requirements of ISO/IEC 27001 and all stakeholders' recommendations.
To secure a copy of our ISO certificate, we graciously request that you make a formal request via email to itsecurity@shijigroup.com, specifying the product of your interest. This service is available for both our esteemed existing clients and prospective partners, and upon receiving your request, we will promptly provide you with the necessary information.
Shiji Group welcomes feedback from security researchers and systems’ users to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
This policy applies to any digital assets owned, operated, or maintained by Shiji Group.
Assets or other equipment not owned by Shiji Group. Vulnerabilities discovered or suspected in out- of-scope systems should be reported to the appropriate vendor or applicable authority.
This policy does not authorize you to:
When working with us, according to this policy, you can expect us to:
In participating in our vulnerability disclosure program in good faith, we ask that you:
Report security issues to itsecurity@shijigroup.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. Please include the following details:
When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.