From 9ca2a71ebf130b93a4996f3a7b3b72fd45dffb7e Mon Sep 17 00:00:00 2001 From: melindafekete Date: Wed, 4 Dec 2024 16:16:38 +0100 Subject: [PATCH 1/5] Add SOC2 docs --- .../compliance/compliance-overview.mdx | 7 +++- .../docs/using-unleash/compliance/fedramp.mdx | 12 +++---- .../docs/using-unleash/compliance/soc2.mdx | 32 +++++++++++++++++++ website/sidebars.ts | 5 +++ 4 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 website/docs/using-unleash/compliance/soc2.mdx diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index 9e4f665812cc..3308938598df 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx @@ -9,4 +9,9 @@ description: 'Secure and compliant feature flags at scale with Unleash.' Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale. -For a detailed overview of how Unleash can help you with FedRAMP requirements, refer to our [FedRAMP compliance documentation](/using-unleash/compliance/fedramp). For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). +For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: +- [FedRAMP](/using-unleash/compliance/fedramp). +- [SOC 2](/using-unleash/compliance/soc2). + + +For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). 
diff --git a/website/docs/using-unleash/compliance/fedramp.mdx b/website/docs/using-unleash/compliance/fedramp.mdx index d0c0417ba173..9f986aaf218b 100644 --- a/website/docs/using-unleash/compliance/fedramp.mdx +++ b/website/docs/using-unleash/compliance/fedramp.mdx @@ -13,7 +13,7 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## Access Control -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [AC-02 Account Management](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-2) | Unleash uses [role-based access control](/reference/rbac) (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using [SCIM](/reference/scim). You can control authorization at different levels with [single sign-on](/reference/sso) (SSO) and [personal access tokens](/reference/api-tokens-and-client-keys#personal-access-tokens). | | [AC-04 Information Flow Enforcement](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-4) | Unleash supports information flow control with architectural system components like [Unleash Proxy](/reference/unleash-proxy) or [Unleash Edge](/reference/unleash-edge), and configuration-level options like IP allow-lists. | 
@@ -21,27 +21,27 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## Audit and Accountability -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [AU-02 Event Logging](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-2) | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems. | | [AU-12 Audit Record Generation](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-12) | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems. | ## Security Assessment and Authorization -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [CA-8 Penetration Testing](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-8) | Unleash conducts annual penetration testing by external auditors; results are available upon [request](https://www.getunleash.io/plans/enterprise). 
| ## Configuration Management -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------| | [CM-02 Baseline Configuration](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-2) | Unleash provides [Export](/how-to/how-to-environment-import-export) functionality that facilitates keeping a configuration snapshot of feature flags and related entities in the audit records. Instance-wide configurations, such as projects, users, and roles, can be managed and restored using the [Unleash Terraform provider](/reference/terraform). | | [CM-05 Access Restrictions for Change](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-5) | Unleash provides advanced [role-based access control](/reference/rbac) (RBAC) controls to implement logical access restrictions. [Change Requests](/reference/change-requests) help you define and track approval flows. | ## Identification and Authentication -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| | [IA-02 Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users) | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. 
| | [IA-02 (01) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. | @@ -50,7 +50,7 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## System and Communications Protection -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| | [SC-08 (01) Transmission Confidentiality and Integrity](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8) (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon [request](https://www.getunleash.io/plans/enterprise). | | [SC-17 Public Key Infrastructure Certificates](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17) | Unleash uses PKI certificates issued by AWS and Google. | \ No newline at end of file diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx new file mode 100644 index 000000000000..6c8ee2197609 --- /dev/null +++ b/website/docs/using-unleash/compliance/soc2.mdx 
@@ -0,0 +1,32 @@ +--- +title: SOC2 compliance for feature flags +description: 'SOC2-compliant feature flags at scale with Unleash.' +--- + +# SOC2 compliance + +## Overview + +To get SOC2 certified and maintain your compliance, you must ensure that any systems you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. + +This guide provides an overview of how Unleash features align with SOC2 controls, helping your organization meet its compliance requirements. + + +## How Unleash features map to SOC2 controls + +| SOC2 Control | SOC2 Control Description | Unleash Feature | +|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | Unleash provides a log of all [events](/reference/events), such as configuration changes and access. | +| CC 2.2, CC 5.3 Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | Unleash provides [role-based access control](/reference/rbac). | +| CC 2.2 System changes communicated | The company communicates system changes to authorized internal users. | Admins in Unleash can configure [banners](/reference/banners) that can display message for all users in the Unleash Admin UI. 
| +| CC 3.2, CC 7.5, CC 9.1 Continuity and disaster recovery plans tested | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. | Unleash provides a business continuity disaster recovery (BCDR) policy available to customers in the Trust Center, and annual test results upon request. | +| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | Unleash provides Release Plan Templates to implement consistent release sequences aligned with the customer policy. Additionally, the [Change Request](/reference/change-requests) supports 4-eyes approval workflows for changes. | +| CC 3.4, CC 4.1, CC 7.2, CC 8.1 Penetration testing performed | The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. | Unleash provides annual penetration test results to customers in the Trust Center, performed by an external auditor. | +| CC 5.3, CC 7.1, CC 8.1 Change management procedures enforced | Change management procedures are enforced. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | +| CC 6.1, CC 8.1 Production deployment and application access restricted | The company restricts access to migrate changes to production to authorized personnel. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. 
| +| CC 6.1 Unique account authentication enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | Unleash supports both username/password authentication, as well as [single sign-on](/reference/sso). In addition, the [SCIM integration](/reference/scim) facilitates user account provisioning. | +| CC 6.1 Password policy enforced | The company requires passwords for in-scope system components to be configured according to the company's policy. | Unleash has [password strength requirements](/using-unleash/deploy/securing-unleash#password-requirements) for all users using username/password authentication. | +| CC 6.1, CC 6.6 Remote access MFA enforced | The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | You can enable MFA through your identity provider, such as Okta or Microsoft Entra ID, after implementing [single sign-on](/reference/sso). | +| CC 6.1, CC 6.6 Remote access encrypted and enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | Unleash is secured by enforcing TLS 1.2. | +| CC 6.7 Data transmission encrypted | The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | Unleash is secured by enforcing TLS 1.2. | +| SD SOC 2 System Description | The company has completed a description of its systems for Section III of the audit report. | This documentation is available in the SOC 2 report in the Trust Center. The report is performed by an external auditor and renewed annually. | \ No newline at end of file diff --git a/website/sidebars.ts b/website/sidebars.ts index 2174cecd02c9..e374822ef088 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts 
@@ -555,6 +555,11 @@ const sidebars: SidebarsConfig = { label: 'FedRAMP', id: 'using-unleash/compliance/fedramp', }, + { + type: 'doc', + label: 'SOC 2 Type II', + id: 'using-unleash/compliance/soc2', + }, ], }, { From 00b7aaa4ec3b94025791e2d42c02a7cf274972a6 Mon Sep 17 00:00:00 2001 From: melindafekete Date: Wed, 4 Dec 2024 16:22:04 +0100 Subject: [PATCH 2/5] Fix SOC2 heading --- website/sidebars.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/sidebars.ts b/website/sidebars.ts index e374822ef088..8391ac6d8406 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts @@ -557,7 +557,7 @@ const sidebars: SidebarsConfig = { }, { type: 'doc', - label: 'SOC 2 Type II', + label: 'SOC2', id: 'using-unleash/compliance/soc2', }, ], From 9dea5a29b97b9f5e5508d57b9e4a3a0c18fe1b3c Mon Sep 17 00:00:00 2001 From: melindafekete Date: Wed, 4 Dec 2024 16:36:25 +0100 Subject: [PATCH 3/5] Format compliance list --- website/docs/using-unleash/compliance/compliance-overview.mdx | 4 ++-- website/docs/using-unleash/compliance/soc2.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index 3308938598df..069b7054409a 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx 
@@ -10,8 +10,8 @@ description: 'Secure and compliant feature flags at scale with Unleash.' Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale. For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: -- [FedRAMP](/using-unleash/compliance/fedramp). -- [SOC 2](/using-unleash/compliance/soc2). +- [FedRAMP](/using-unleash/compliance/fedramp) +- [SOC 2](/using-unleash/compliance/soc2) For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx index 6c8ee2197609..02f2ff2592b7 100644 --- a/website/docs/using-unleash/compliance/soc2.mdx +++ b/website/docs/using-unleash/compliance/soc2.mdx 
@@ -7,7 +7,7 @@ description: 'SOC2-compliant feature flags at scale with Unleash.' ## Overview -To get SOC2 certified and maintain your compliance, you must ensure that any systems you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. +To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. This guide provides an overview of how Unleash features align with SOC2 controls, helping your organization meet its compliance requirements. From 0c2f575647be666ddb06de04a845adacc307c425 Mon Sep 17 00:00:00 2001 From: melindafekete Date: Thu, 5 Dec 2024 11:35:54 +0100 Subject: [PATCH 4/5] Apply review sugggestions --- .../using-unleash/compliance/compliance-overview.mdx | 2 +- website/docs/using-unleash/compliance/soc2.mdx | 10 +++++----- website/sidebars.ts | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index 069b7054409a..483734f6cfc4 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx 
@@ -11,7 +11,7 @@ Unleash is designed to help organizations meet strict compliance requirements, s For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: - [FedRAMP](/using-unleash/compliance/fedramp) -- [SOC 2](/using-unleash/compliance/soc2) +- [SOC 2 Type II](/using-unleash/compliance/soc2) For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx index 02f2ff2592b7..ab945ca0390a 100644 --- a/website/docs/using-unleash/compliance/soc2.mdx +++ b/website/docs/using-unleash/compliance/soc2.mdx 
@@ -9,18 +9,18 @@ description: 'SOC2-compliant feature flags at scale with Unleash.' To get SOC2 certified and maintain your compliance, you must ensure that any system you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. -This guide provides an overview of how Unleash features align with SOC2 controls, helping your organization meet its compliance requirements. +This guide provides an overview of how Unleash features align with SOC2 Type II controls, helping your organization meet its compliance requirements. -## How Unleash features map to SOC2 controls +## How Unleash features map to SOC2 Type II controls -| SOC2 Control | SOC2 Control Description | Unleash Feature | +| SOC2 Type II Control | Control Description | Unleash Feature | |---------------------------------------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| -| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | Unleash provides a log of all [events](/reference/events), such as configuration changes and access. | +| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | [Events log](/reference/events) and [login history](/reference/login-history) provide access to all configuration change and access logs. 
| | CC 2.2, CC 5.3 Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | Unleash provides [role-based access control](/reference/rbac). | | CC 2.2 System changes communicated | The company communicates system changes to authorized internal users. | Admins in Unleash can configure [banners](/reference/banners) that can display message for all users in the Unleash Admin UI. | | CC 3.2, CC 7.5, CC 9.1 Continuity and disaster recovery plans tested | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. | Unleash provides a business continuity disaster recovery (BCDR) policy available to customers in the Trust Center, and annual test results upon request. | -| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | Unleash provides Release Plan Templates to implement consistent release sequences aligned with the customer policy. Additionally, the [Change Request](/reference/change-requests) supports 4-eyes approval workflows for changes. | +| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | [Change Request](/reference/change-requests) supports 4-eyes approval workflows for changes. | | CC 3.4, CC 4.1, CC 7.2, CC 8.1 Penetration testing performed | The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. 
| Unleash provides annual penetration test results to customers in the Trust Center, performed by an external auditor. | | CC 5.3, CC 7.1, CC 8.1 Change management procedures enforced | Change management procedures are enforced. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | | CC 6.1, CC 8.1 Production deployment and application access restricted | The company restricts access to migrate changes to production to authorized personnel. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | diff --git a/website/sidebars.ts b/website/sidebars.ts index 8391ac6d8406..652f051e9f97 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts @@ -557,7 +557,7 @@ const sidebars: SidebarsConfig = { }, { type: 'doc', - label: 'SOC2', + label: 'SOC2 Type II', id: 'using-unleash/compliance/soc2', }, ], From 4f1072da3cbb8933f8c2106acadf90b470d0f206 Mon Sep 17 00:00:00 2001 From: melindafekete Date: Thu, 5 Dec 2024 12:37:37 +0100 Subject: [PATCH 5/5] Fix typos --- website/docs/using-unleash/compliance/soc2.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx index ab945ca0390a..4148af8de109 100644 --- a/website/docs/using-unleash/compliance/soc2.mdx +++ b/website/docs/using-unleash/compliance/soc2.mdx 
@@ -16,11 +16,11 @@ This guide provides an overview of how Unleash features align with SOC2 Type II | SOC2 Type II Control | Control Description | Unleash Feature | |---------------------------------------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| -| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | [Events log](/reference/events) and [login history](/reference/login-history) provide access to all configuration change and access logs. | +| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | [Event log](/reference/events) and [login history](/reference/login-history) provide access to all configuration change and access logs. | | CC 2.2, CC 5.3 Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | Unleash provides [role-based access control](/reference/rbac). | | CC 2.2 System changes communicated | The company communicates system changes to authorized internal users. | Admins in Unleash can configure [banners](/reference/banners) that can display message for all users in the Unleash Admin UI. | | CC 3.2, CC 7.5, CC 9.1 Continuity and disaster recovery plans tested | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. 
| Unleash provides a business continuity disaster recovery (BCDR) policy available to customers in the Trust Center, and annual test results upon request. | -| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | [Change Request](/reference/change-requests) supports 4-eyes approval workflows for changes. | +| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | [Change Requests](/reference/change-requests) supports 4-eyes approval workflows for changes. | | CC 3.4, CC 4.1, CC 7.2, CC 8.1 Penetration testing performed | The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. | Unleash provides annual penetration test results to customers in the Trust Center, performed by an external auditor. | | CC 5.3, CC 7.1, CC 8.1 Change management procedures enforced | Change management procedures are enforced. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | | CC 6.1, CC 8.1 Production deployment and application access restricted | The company restricts access to migrate changes to production to authorized personnel. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. |
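Review bot: the SC-08 (01) row in the fedramp.mdx hunk of patch 1/5 (a context line, not changed here) has an unclosed parenthesis: `as detailed in our SOC2 report (available upon [request](https://www.getunleash.io/plans/enterprise).` needs a closing `)` after the link. Since this hunk already touches every table header in the file, it is a cheap drive-by fix, and the file's missing trailing newline (`\ No newline at end of file`) could be added in the same pass.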
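Review bot: the `CC 6.1, CC 6.6 Remote access MFA enforced` row in the new soc2.mdx (patch 1/5) should state whether username/password login can be disabled or restricted once SSO is configured, because MFA enforced at the identity provider only covers logins that go through SSO, and the `Unique account authentication enforced` row two lines above says both username/password and SSO are supported; an auditor reading this mapping will ask about the password path. The two `Unleash is secured by enforcing TLS 1.2.` rows are ambiguous about whether 1.2 is the minimum or the only accepted version; `TLS 1.2 or later` (or whatever the actual minimum is) would be clearer. Smaller points in the same hunk: `can display message for all users` should be `messages`; `[Change Requests](/reference/change-requests) supports` should be `support` in the rows that use the plural; and the file is created without a trailing newline (`\ No newline at end of file`).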
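Review bot: the rewording in the soc2.mdx hunk of patch 3/5 introduces a number disagreement: `any system you integrate with, including feature flagging solutions, are also SOC2 certified` pairs a singular subject with a plural verb, whereas the original `any systems ... are` agreed. Either keep the plural or change the verb to `is`; the sentence is still in this form in the context lines of patches 4/5 and 5/5, so it needs a follow-up.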
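Review bot: the new column header `SOC2 Type II Control` in the soc2.mdx hunk of patch 4/5 conflates the report type with the criteria: Type I and Type II describe the SOC 2 report (control design at a point in time versus operating effectiveness over a period), while `CC 2.1`, `CC 7.2` and the other identifiers in the first column are Trust Services Criteria (Common Criteria) that are the same in either report type. `SOC 2 criteria` or `Common Criteria` would be accurate for the header, and `SOC2 Type II controls` in the `##` heading and the intro sentence has the same problem. The `[login history](/reference/login-history)` link is new in this hunk; confirm that page exists so the docs build does not pick up a broken link.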
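Review bot: the sidebar label `SOC2 Type II` in the sidebars.ts hunk of patch 4/5 does not match the `SOC 2 Type II` link text added to compliance-overview.mdx in the same patch, and the page's own frontmatter title is `SOC2 compliance for feature flags`. Pick one spelling (`SOC 2`, with the space, is the form used in the overview's external link and by AICPA) and use it in the sidebar label, the overview list, the page title and the description.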
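Review bot: the change in the soc2.mdx hunk of patch 5/5 swaps one agreement error for another: `[Change Request](/reference/change-requests) supports` becomes `[Change Requests](/reference/change-requests) supports`, a plural subject with a singular verb. Use `Change Requests support 4-eyes approval workflows` (or keep the singular noun with `supports`), and apply the same fix to the `CC 5.3, CC 7.1, CC 8.1` and `CC 6.1, CC 8.1` rows in the context lines, which read `[Change Requests](/reference/change-requests) supports a 4-eyes approval workflow`. The `display message for all users` wording in the `CC 2.2 System changes communicated` context row also survives this typo pass and should read `messages`.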