Organizational Narrative

The following describes the management structure of Shuffl, to establish both the legal jurisdiction and corporate cultural norms that serve as the foundation for our compliance program.

Entity Type

Shuffl is headquartered in Seattle, WA, United States. Business operations started in 2020.

Integrity and Ethics

Management is dutiful and accountable for upholding high standards of ethics and integrity in how we conduct ourselves and partner with our team members and business relationships.

Risk to Objectives

Shuffl manages risk through professional management strategies and tactics that include:

  • Diligence in business operations and performing SWOT analysis, where relevant

  • Scrutiny and rigor in staffing practices

  • Transparency and accountability in communication

Fraud Risk to Objectives

Fraud is not tolerated in our business operations. Shuffl manages fraud risk by:

  • Conducting regular financial audits

  • Adhering to regulatory and financial control principles

  • Investigating suspicious transactions

  • Rigor in staffing practices

Organizational Structure and Management Objectives

  • Division functions are led by a respective Managing or Operating Partner responsible for either business or technical domains.

  • Ownership in strategy, development, and maintenance is the responsibility of each Managing or Operating Partner.

Board of Directors

  • When applicable, a Board of Directors to oversee the Managing Partners/CEO will be appointed

Standard Controls Satisfied

TSC CC1.2, CC1.3, CC1.4, CC1.5, CC3.1, CC3.2, CC3.3


Control Environment Narrative

The following describes the logical, policy, and procedural controls that serve to monitor Shuffl's application and data security.

Logical Controls

Shuffl employs several logical controls to protect Customer Personal Data and ensure secure and highly available operations of its services.

  • Data encryption in transit and at rest, using AES-256.

  • Standardized multi-factor authentication (MFA) and single sign-on (SSO) for access to primary and cloud infrastructure.

    • Google SSO

    • AWS SSO

  • Activity and anomaly monitoring on production systems via AWS CloudWatch

  • Dutiful operation of the Information Security Management Program

Policy Controls

Shuffl employs the following policy controls to protect Customer Personal Data. These policies include, but are not limited to:

Procedural Controls

Shuffl has the following scheduled procedures to maintain and review the effectiveness of ongoing security controls, and a series of event-driven procedures to respond to security-related events.

Scheduled Security and Audit Procedures

  • Review Systems Access [Quarterly]

  • Review Cyber Risk Assessment [Quarterly]

  • Review Security Logs [Quarterly]

  • Review Data Categorization and Classification [Quarterly]

  • Backup Testing [Quarterly]

  • Disaster Recovery Testing [Semi-Annual]

  • Review Employee Devices [Annual]

  • Data Deletion Requests [Quarterly]

  • Security Training [Annual]

  • Review Security Monitoring and Alerting Configuration [Quarterly]

Event-Driven Security and Audit Procedures

  • Employee or Consultant Onboarding

  • Employee or Consultant Offboarding

  • Security or Data Incident Investigation

Remediations

Shuffl uses the outcomes of the above controls and procedures to identify gaps in the existing control environment. Once identified, these gaps are then remediated by improving existing controls and procedures, and creating new controls and procedures as needed.

Communications

Shuffl communicates relevant information in a reasonable and timely fashion with internal and external parties on an as-needed basis and according to statutory requirements. For specific policies, please refer to the Terms.

Internal

Shuffl communicates control outcomes, anomalies, and remediations internally using the following channels:

  • Slack

  • Email via Gmail

  • Trello

External

Shuffl communicates relevant control-related information to external parties as needed according to legal, contractual and regulatory/statutory obligations.

Standard Controls Satisfied

TSC CC2.1, CC2.2, CC2.3, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3
