
Security Assessment

Vendor Details

Vendor Name

Holibob Limited

Vendor Address

 C/O Johnston Carmichael, 7-11 Melville Street, Edinburgh, Scotland, EH3 7PE.

Vendor contact person name

 Alejandro Gomez Losada Rosso

Vendor contact phone/mobile

+34652024269

Vendor contact email

alejandro@holibob.tech

Name of Supplier's SIRO/CISO

Graeme Bryce

Background Information

This template analysis is designed to provide the metrics for measuring a third party's security posture.

The template also presents a gap analysis of the current state of security, covering all required administrative and technical controls.

Executive Summary: the template assessment can support the organisation in establishing and implementing processes that reduce supply chain risk by:

- Reviewing and improving supplier risk management processes and frameworks.

- Reviewing and improving operational information security controls.

- Assessing a supplier's baseline security posture.

- Reviewing and improving defence-in-depth controls.

This template has been created by Awesta Sepahbod (CISM) and some rights reserved. 

You are welcome to reproduce, circulate, use and create derivative works from this provided that:

(a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the author, (c) any derivative works that are shared with third parties are subject to the same copyright terms as this.

  

Supplier Information

Company Profile

Please provide an overview of your Company History, Size, Team Location, Management Structure and Annual Investment for Continuous innovation.

About Holibob:

  1. Founded in 2019

  2. HQ: London, remote teams based primarily in Europe

  3. 55 people

  4. Leadership Team:

    1. Craig Everett

    2. Angus Hardy

    3. Graeme Bryce

    4. Andrew Aley

    5. Alejandro Gomez Losada Rosso

  5. Investors (main): The Howsam Group, Guinnes Ventures (GGI)

  6. Annual Investment for Continuous Innovation: £ 5,000,000

Accreditation & Compliance

| Category | Subcategory | Company Holds (Yes/No) | Date of Accreditation | Comment | Scope |
|---|---|---|---|---|---|
| Compliance & Accreditation | Cyber Essentials + | | | | |
| | ISO9001 | | | | |
| | ISO 27001:2013 | | | We are seeking to gain certification in Q1 | |
| | PCI DSS | | | | |
| | CREST | | | | |
| | CHECK | | | | |
| | TIGER SCHEME | | | | |
| | CIS | | | | |
| | HIPAA | | | | |
| | SOX | | | | |
| | Others | | | | |

Data Sovereignty

| Category | Question | Answer (Yes/No/Progressing) | Comment |
|---|---|---|---|
| Data Sovereignty | Does the data being held in the system reside in the UK? | No - Data is persisted in Ireland within the EU | Based in AWS data centres. |
| | Do data protection clauses exist within the service contract? | Yes | |

Security Management Process

Security Governance (in use: Yes)
Question: Please describe your organisation's security governance framework
Response: Trust Holibob - High-level Information Security Policy-latest (2).pdf

Information Security (in use: Yes)
Question: Please describe your organisation's information security strategy
Response: Refer “Trust Holibob - High-level Information Security Policy-latest”

Risk Management (in use: Yes)
Question: Please describe your risk management process
Response: The Holibob Board and Leadership maintain a Risk Register which is reviewed on a weekly basis by Leadership and on a monthly basis by the Board to ensure all risks to the business are tracked and managed.

Incident Response (in use: Yes)
Question: Please describe your security incident response process
Response: Incident and Release severity level-v3.pdf; Crisis and Incident Management Policy-v2.pdf

Penetration Testing (in use: Yes)
Question: Please outline your approach to penetration testing and provide the date of the last external penetration test
Response: We conduct penetration tests against production and isolated environments.
  • The principal tool used is AppCheck.
  • Tests are executed AT LEAST monthly, with some tests running daily.
  • The tests against the isolated environments are granted full authenticated access in order to discover and mitigate attacks that may be executed through compromised keys.

Vulnerability Management (in use: Yes)
Question: Please describe your organisation's approach to vulnerability management
Response: All of our code is executed within the AWS Lambda environment using the latest versions of the execution environments.
As such, we rely upon AWS to have applied the most recent patches for known vulnerabilities.
We do not use EC2 or containerisation in any form.

Patch Management (in use: Yes)
Question: Please describe your organisation's approach to patch management
Response: We rely on the services of AWS to ensure production and pre-production environments are fully patched.
We have separate policies to ensure that the workstations (Apple Mac and MacBook) of all developers are operating on the most recent patches issued by Apple.

Business Continuity and Disaster Recovery (in use: Yes)
Question: Please describe the organisation's/solution's business continuity and disaster recovery plan
Response: Refer - Incident Response Section Above.

Backup and Recovery (in use: Yes)
Question: Please describe the organisation's/solution's backup and recovery plan
Response: Refer - Incident Response Section Above.

Secure Password Policy (in use: Yes)
Question: Please describe your approach to securing credentials and the password policies in use
Response: Password Management - Policy-v3.pdf

Data Protection

Data at Rest (in use: Yes)
Question: Please describe controls utilised to protect data at rest
Response: 2024 DATA PROTECTION WHITE PAPER-v2.pdf

Data in Transit (in use: Yes)
Question: Please describe controls utilised to protect data in transit
Response: Refer “2024 Data Protection White-paper”

Protective Marking (in use: Yes)
Question: Please indicate any protective marking implementations

Retention Policies (in use: Yes)
Question: Please describe your organisation's/solution's data retention policies
Response: Refer “2024 Data Protection White-paper”

Physical Security (in use: No)
Question: Please describe the organisation's/solution's physical security controls (e.g. ISO 27001 Data Center)
Response: We do not operate any on-premises data servers.
All code is executed and all data is persisted within the AWS managed data-centers.

Change Management (in use: Yes)
Question: Please describe your organisation's/solution's change management process
Response: Change Management Process-v2.pdf

Asset Management (in use: Yes)
Question: Please describe your organisation's asset management process
Response: Portable Media Use - Policy-v3.pdf

Technical Controls

Network Segmentation (in use: Yes)
Example controls: vSphere NSX, vArmour, VLANs with ACLs
Response: All production services are isolated within a virtual private network that has no ingress from the public internet other than via the API, which is served through AWS API Gateway and subject to strong signature-based identity and authentication on every request.
Engineers requiring access to services running within the network are required to connect through a VPC which uses Mutual Transport Layer Security (MTLS) certificate-based authentication.

Application Security (in use: Yes)
Example controls: Data input validation, access control lists, authentication mechanisms
Response: HMAC controls authentication to the API, and a unique signature is required on every request.
Cognito controls authentication to the administration UX and can be configured to use a federated enterprise IDP, including those from Microsoft Entra (previously Azure AD) and/or Google.
Access Control operates at the record level, enforcing a tenancy hierarchy. Users and HMAC keys are defined against SecurityPrincipals within this hierarchy and, subject to configuration, can access only the data of the Principal or the data of the Principal and its descendants.
Permissions are used to further limit what actions any given Principal or User can perform on the records they are granted access to.
Validations are implemented by the GraphQL API interface and further supported through the use of strong types in code (TypeScript) and by specific Zod validation to ensure object validation.
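The Application Security response above describes two controls that a reviewer would want to see working together: a unique HMAC signature on every API request, and record-level access scoped to a SecurityPrincipal and (when configured) its descendants. The TypeScript below is an added example, not Holibob's code, of how such a verifier and tenancy check can be implemented with Node's crypto module. The key store, the principal tree, the header names and the five-minute timestamp window are constructed assumptions.

```typescript
// Added example, not Holibob's code: per-request HMAC verification plus a
// tenancy-hierarchy access check. Key store, principal tree, header names
// and the replay window are constructed assumptions for this example.
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Constructed key store: HMAC key id -> secret and the SecurityPrincipal it belongs to.
const KEYS: Record<string, { secret: string; principalId: string }> = {
  "key-partner-a": { secret: "constructed-secret-a", principalId: "partner-a" },
  "key-partner-b": { secret: "constructed-secret-b", principalId: "partner-b" },
};

// Constructed tenancy hierarchy: principal -> parent principal ("root" has none).
const PARENT: Record<string, string | undefined> = {
  root: undefined,
  "partner-a": "root",
  "partner-a-sub": "partner-a",
  "partner-b": "root",
};

// Tolerated clock skew / replay window for the timestamp header (assumption).
const MAX_SKEW_MS = 5 * 60 * 1000;

export interface SignedRequest {
  method: string;
  path: string;
  body: string;
  headers: { "x-key-id": string; "x-timestamp": string; "x-signature": string };
}

// Canonical string the signature covers: key id, method, path, timestamp and a
// hash of the body, so none of them can be altered in flight without detection.
function canonical(keyId: string, method: string, path: string, timestamp: string, body: string): string {
  const bodyHash = createHash("sha256").update(body).digest("hex");
  return [keyId, method.toUpperCase(), path, timestamp, bodyHash].join("\n");
}

// Client side: compute the signature header for a request.
export function sign(keyId: string, secret: string, method: string, path: string, timestamp: string, body: string): string {
  return createHmac("sha256", secret).update(canonical(keyId, method, path, timestamp, body)).digest("hex");
}

// Server side: returns the principal id the key belongs to, or null if the key
// is unknown, the timestamp is outside the window, or the signature does not match.
export function verifyRequest(req: SignedRequest, nowMs: number = Date.now()): string | null {
  const keyId = req.headers["x-key-id"];
  const key = KEYS[keyId];
  if (!key) return null;

  const ts = Number(req.headers["x-timestamp"]);
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > MAX_SKEW_MS) return null;

  const expected = Buffer.from(sign(keyId, key.secret, req.method, req.path, req.headers["x-timestamp"], req.body), "hex");
  const given = Buffer.from(req.headers["x-signature"], "hex");
  // timingSafeEqual requires equal lengths; a length mismatch is simply a bad signature.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return key.principalId;
}

// True if `target` is `principal` itself or somewhere below it in the hierarchy.
export function isSelfOrDescendant(principal: string, target: string): boolean {
  let cur: string | undefined = target;
  const seen = new Set<string>(); // guard against a malformed, cyclic tree
  while (cur !== undefined && !seen.has(cur)) {
    if (cur === principal) return true;
    seen.add(cur);
    cur = PARENT[cur];
  }
  return false;
}

// Record-level check: a principal always sees its own records and, only when
// configured for it, the records of its descendants; never siblings or ancestors.
export function canAccess(principal: string, recordOwner: string, includeDescendants: boolean): boolean {
  if (recordOwner === principal) return true;
  return includeDescendants && isSelfOrDescendant(principal, recordOwner);
}
```

Two details matter in review: the signature is compared with `timingSafeEqual` rather than `===`, and the body is bound into the canonical string so a valid signature cannot be replayed over a different payload within the timestamp window.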

Identity and Access Management (in use: Yes)
Example controls: Active Directory Domain Services, application authentication (e.g. .NET Identity framework)
Response: Our primary IDP is Microsoft Entra (previously Azure AD)

Perimeter Firewall (in use: No)
Example controls: Stateful packet inspection firewall
Response: N/A - there is no ingress to the private network other than via the authenticated Graph

IPS/IDS (in use: Requires clarification)
Example controls: Intrusion detection, e.g. Security Onion

Web Application Firewall (in use: Yes)
Example controls: Layer 4 to layer 7 web application firewall to protect against known attacks
Response: We implement AWS WAF in front of the administration and consumer-facing web applications and in front of the API Gateway.

Wireless Networks (in use: Yes)
Example controls: 802.1x security services, guest isolation, WPA2 Enterprise Security
Response: Access to our corporate network requires a user to use an MTLS-secured Virtual Private Connection

Antimalware solution (in use: No)
Response: N/A

Messaging Security (in use: Yes)
Example controls: AntiSPAM, Antivirus, Targeted Threat Protection (TTP)
Response: We use Office 365 for corporate email, protected by Microsoft Defender and advanced business protection.
We use AWS Simple Email Service and Braze for campaign and transactional emails. Domains are protected with DMARC, DKIM and SPF.

Data Loss Prevention (in use: Requires clarification)
Example controls: Data loss prevention solutions (i.e. RMS, Office 365 DLP)
Response: Requires clarification in the context of AWS

Internet Access (in use: Requires clarification)
Example controls: Web filtering and content inspection, proxy services
Response: Requires clarification in the context of AWS

Secure Configuration (in use: Requires clarification)
Example controls: Hardened configurations (e.g. CIS Controls)
Response: Requires clarification in the context of AWS

Security Monitoring (in use: Requires clarification)
Example controls: Proactive security monitoring (e.g. SIEM solution)
Response: Requires clarification in the context of AWS

Host Based Firewalls (in use: Requires clarification)
Example controls: Host-based firewalls, e.g. Windows Firewall
Response: Requires clarification in the context of AWS

Cyber Awareness, Training and Education (in use: Yes)
Example controls: Security awareness programme, CBT, phishing training
Response: We have strong policies and training in place for all staff, with additional controls for engineers that have access to production infrastructure or data.
