Organizational Narrative
The following describes the management structure of Shuffl, to establish both the legal jurisdiction and corporate cultural norms that serve as the foundation for our compliance program.
Entity Type
Shuffl is headquartered in Seattle, WA, United States. Business operations started in 2020.
Integrity and Ethics
Management is responsible and accountable for upholding high standards of ethics and integrity in how we conduct ourselves with our team members and in our business relationships.
Risk to Objectives
Shuffl manages risk through professional management strategies and tactics that include:
Diligence in business operations, including SWOT analysis where relevant
Scrutiny and rigor in staffing practices
Transparency and accountability in communication
Fraud Risk to Objectives
Fraud is not tolerated in our business operations. Shuffl manages fraud risk by:
Conducting regular financial audits
Adhering to regulatory and financial control principles
Investigating suspicious transactions
Rigor in staffing practices
Organizational Structure and Management Objectives
Each division function is led by a Managing or Operating Partner responsible for either the business or the technical domain.
Ownership of strategy, development, and maintenance rests with each Managing or Operating Partner.
Board of Directors
When applicable, a Board of Directors will be appointed to oversee the Managing Partners/CEO.
Standard Controls Satisfied
TSC CC1.2, CC1.3, CC1.4, CC1.5, CC3.1, CC3.2, CC3.3
Control Environment Narrative
The following describes the logical, policy, and procedural controls that serve to monitor Shuffl's application and data security.
Logical Controls
Shuffl employs several logical controls to protect Customer Personal Data and ensure secure and highly available operations of its services.
Data encryption in transit and at rest, using AES-256
Standardized multi-factor authentication (MFA) and single sign-on (SSO) for access to primary and cloud infrastructure:
Google SSO
AWS SSO
Activity and anomaly monitoring on production systems via AWS CloudWatch
Ongoing operation of the Information Security Management Program
Policy Controls
Shuffl employs the following policy controls to protect Customer Personal Data. These policies include, but are not limited to:
Procedural Controls
Shuffl has the following scheduled procedures to maintain and improve the effectiveness of its ongoing security controls, and a series of event-driven procedures to respond to security-related events.
Scheduled Security and Audit Procedures
Review Systems Access [Quarterly]
Review Cyber Risk Assessment [Quarterly]
Review Security Logs [Quarterly]
Review Data Categorization and Classification [Quarterly]
Backup Testing [Quarterly]
Disaster Recovery Testing [Semi-Annual]
Review Employee Devices [Annual]
Data Deletion Requests [Quarterly]
Security Training [Annual]
Review Security Monitoring and Alerting Configuration [Quarterly]
Event-Driven Security and Audit Procedures
Employee or Consultant Onboarding
Employee or Consultant Offboarding
Security or Data Incident Investigation
Remediations
Shuffl uses the outcomes of the above controls and procedures to identify gaps in the existing control environment. Once identified, these gaps are then remediated by improving existing controls and procedures, and creating new controls and procedures as needed.
Communications
Shuffl communicates relevant information in a reasonable and timely fashion with internal and external parties on an as-needed basis and according to statutory requirements. For specific policies, please refer to the Terms.
Internal
Shuffl communicates control outcomes, anomalies, and remediations internally using the following channels:
Slack
Email via Gmail
Trello
External
Shuffl communicates relevant control-related information to external parties as needed, according to its legal, contractual, and regulatory/statutory obligations.
Standard Controls Satisfied
TSC CC2.1, CC2.2, CC2.3, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3