OrgChart Security
We take security seriously. This section provides details on our information security policies and procedures.

  • Application Security - OrgChart Now has a robust security overlay to ensure proper access control within the OrgChart Now application.
  • Business Continuity (BC) and Disaster Recovery (DR) Overview - Business continuity and disaster recovery planning help us to avoid service interruptions.
  • Change Management Process - Process that is used for managing implementation of change to infrastructure including hardware, software, services or related documentation.
  • Corporate Compliance Policy and Procedure - We are committed to adherence to all pertinent federal, state and local laws, regulations and policies and to provide an mechanism for preventing and reporting any breach of those laws or regulations.
  • Cybersecurity Program Policy - Our cybersecurity procedures explain the rules for how employees, consultants and partners access online applications and internet resources, send data over networks, and otherwise practice responsible security
  • Development Methodology - Our software development methodology incorporates security as one of the guiding principles
  • Incident Response Plan - The incident response plan defines how the organization reacts to information security incidents.
  • Internal Audits - Ongoing internal audits provide a mechanism of controls to ensure that policies and procedures are followed as specified.
  • Logging and Monitoring Policy - Logs must be monitored to proactively detect service issues, anomalies and security threats
  • Management Review - Our management team is tasked with periodically reviewing all security policies and procedures to ensure the information security program remains viable.
  • Network Diagram - Our hosting partners use industry "best practice" methods to make sure our network and servers are secure.
  • Patch Management Process - Timely patching of our systems is critical to maintaining the operational availability, confidentiality and integrity of information assets.
  • Privacy Policy - OrgChart Now Privacy Policy
  • Risk Management Overview - Identifying and mitigating risks is key to ongoing information security.
  • Security Overview - Details on OrgChart Now Security.
  • Social Media Policy - Our social media policy helps to ensure that sensitive information is not shared via social media.
  • Workplace Security Policy - Our workplace security procedures explain the rules for how employees and consultants keep information assets in our offices secure.
  • Identity & Access Management - Access Control & Identity Management Policies

CAIQ (Common Assessment Initiative Questionnaire)

Cloud Security Alliance (CSA) has development a frame called ‘Consensus Assessments Initiative Questionnaire’ (CAIQ). CAIQ offers an industry-accepted way to document what security controls exist in a SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to consumer/auditors Cloud Controls Matrix (CCM). CAIQ enables customers to gauge the security posture of a cloud service provider and to determine if providers cloud services are suitably secure. Below you will find all policies in relation to the CSA CAIQ control domains.

Click here for details on our CAIQ initiative


The FedRAMP Program Management Office (PMO) mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment. We working on FedRAMP accreditation with several of our large US government customers. Please check back for updates as to when we will be accredited.

Click here for details on our FedRAMP initiative

Q: Where is my data stored?
A: We have certified hosting providers in the United States, United Kingdom, the Netherlands, Australia and South Africa. Contact us at moc.erawtfoskroweciffo|wontrahcgro#moc.erawtfoskroweciffo|wontrahcgro if you have questions or concerns about where your data is hosted.

Q: Do you perform penetration testing?
A: Penetration tests are performed on an bi-annual basis. Please contact us at moc.erawtfoskroweciffo|wontrahcgro#moc.erawtfoskroweciffo|wontrahcgro for more details on penetration testing.

Q: Do you perform vulnerability scanning?
A: Vulnerability tests are performed on a bi-annual basis. Please contact us at moc.erawtfoskroweciffo|wontrahcgro#moc.erawtfoskroweciffo|wontrahcgro for more details on vulnerability scanning.

Q: What other security testing do you do?
A: Static code analysis is performed on a bi-annual basis. Static code analysis proactively looks for security flaws in application source code (such as those defined by OWASP -

Q: Is security scanning and testing done in house or by a third party?
A: We use a third party. We have partnered with ADP ( to perform the following security testing (pen testing, vulnerability scanning and static code analysis).

Q: Do you monitor your systems to detect system failures and potential information security threats?
A: Yes. We use RackSpace Monitoring ( to ensure we find problems before you do. We monitor system parameters including Available Disk Space, CPU Usage, Memory and Network Response Time. We also monitor for potential security threats including excessive login attempts, denial of service attacks and unauthenticated page requests.

Q: How are passwords managed?
A: Learn more by clicking Password Management.

Q: Do you have controls in place for all your information security policies and procedures?
A: Yes. See Information Security Controls for more information.