
Audit Report

SOC2 Type 2

Brief Description
Independent Auditor's Report on Controls relevant to
Security, Integrity, Availability, and Confidentiality in a
Service Organization

April 22nd
Final Report

Confidentiality Level

All information contained in this document must be kept strictly confidential. It is prohibited to copy or reproduce this document, or any part
of it, without the proper authorization of SIRYS S.R.L. The aforementioned obligations will remain in force even after the expiration or
termination of use of this document.

Buenos Aires - April 26th, 2022

Botmaker

Attn. Hernán Liendo

I am pleased to present the final version of the “Independent Service Auditor's
Report on Controls of a Service Organization that are relevant to Security, Integrity,
Availability, and Confidentiality”.

Sincerely,

Lic. Diego H. Fojo


SIRYS S.R.L.


Index
Purpose 4

Scope 4

Audit Criteria 4

Executive Summary 5

SECTION II – Trust Service Principles of Security, Availability, and
Confidentiality, applicable criteria and related controls 9


1. Purpose
To analyze the existence of security, integrity, availability and confidentiality controls applied to
the service offered through the "Botmaker Platform" in a SaaS mode, and the internal services of
"Administration, operational support and maintenance of the service infrastructure".

2. Scope
The audit scope is limited to the service offered through the "Botmaker Platform" in a SaaS mode
and the internal services of "Administration, operational support and maintenance of the
service infrastructure".

An evaluation of the controls relevant to the security, availability and processing integrity;
confidentiality and privacy of the information managed/associated with the service provided by
the organization was performed.

The evaluated service components are classified in the following five categories:

● Infrastructure: Facilities, IT, and other hardware (i.e.: facilities, computers, equipment,
mobile devices, and telecommunications networks).
● Software: software application and IT system software that support application programs
(operating systems, middleware, and utilities).
● People: personnel involved in the governance, operation and use of a system
(developers, operators, users, vendors and managers).
● Processes: Automated and manual procedures
● Data: information used and supported by a system (transaction data streams, files,
databases, tables and results).

3. Audit Criteria
The audit and the corresponding report will consider the "Trust Services Principles (TSP) Section
100 of AICPA (American Institute of Certified Public Accountants)" as a guide of audit criteria.

Audit Team
✓ Lic. Sebastián A. Victtorioso

✓ Lic. Diego H. Fojo


4. Executive Summary

As a result of the review of the design and the evidence of compliance with security controls
obtained, the conclusion is that the organization complies satisfactorily with them,
demonstrating a strong commitment to continuous improvement.

Additionally, the results reveal that the organization has a continuous management of the
Information Security Management System (ISMS) certified under the ISO/IEC 27001:2013
standard, which has been certified during the current year, indicating a strong commitment
to Information Security, including in its design additional controls to those required in this
report.

The organization has its own information security risk management methodology, which is
fed back through the management of security incidents and contributes to the continuous
improvement of security controls as previously mentioned.

Next, section I describes the general conclusions according to what was assessed during the
controls design audit and their evidence review and, in section II, it is detailed how each of
the controls included in this report and their evidence of compliance has been verified.


5. SECTION I - General Conclusions

The controls relevant to the security, availability and processing integrity, confidentiality
and privacy of the information managed/associated with the service provided by the
organization to its client were evaluated.

Below are the conclusions obtained on the components of the evaluated service:

❖ Infrastructure
In relation to the building infrastructure, the organization has physical locations that allow
the execution of services. However, most staff operate remotely from their homes. This
means that building contingencies in the offices do not affect services.
The physical infrastructure associated with the provision of the service is provided by Google
Cloud and in compliance with the highest standards: ISO27001, SOC2, etc.

There is high availability of services and redundancy of zones.


The following network security instruments are also available:
▪ High service availability
▪ Zone Redundancy
▪ Physical and equipment security of Google Cloud
▪ Firewall devices, VPN
▪ Secure authentication using IAM
▪ Storage and backup of data in the cloud.
▪ Designated Notebooks for each employee.
▪ VPN tunneling infrastructure for access to critical infrastructure

❖ Software
The organization has installed the necessary software programs for the daily operation of the
service.
Support software programs, such as repository and versioning of source code, ticket system,
are contracted in the SaaS mode to first class vendors.

❖ People
The organization has a hierarchical structure for service management, risk escalation and
decision making.
The competence of the persons assigned to each function is validated. The staff has periodic
training aligned to the professional needs and the services operated.


The number of professionals assigned to the services responds to the needs of the
organization, the client's requirements and the contractual guidelines.

❖ Procedures
The Organization has policies and guidelines regarding information security, considering
among others:

● Framework Policy
● Particular security policies
● Logical Access Management or Access Profiles
● Change Management
● Security Incident Management
● Organization Chart and Job Profiles
● Risk Management
● Human Capital Management
● Training and awareness
● Supplier Management
● Documented Information Management
● Environment Management:
o Environments creation and deletion
o Change Management
o Maintenance
o Monitoring Management
o Capacity Management
o Infrastructure Support
o Safekeeping Management
o Vulnerability Management
o Service Continuity Management

The guidelines are communicated to both internal and external parties and users.
The organization is ISO/IEC 27001 certified, which guarantees correct information security
management, and is audited annually by an independent certification body. Additionally, as
required by the ISO/IEC 27001 standard, an internal audit of the ISMS and information
security controls is performed, by a specialized auditor, with the corresponding credentials.

❖ Data
The organization has operational processes for safeguarding and recovering the services
critical data. The information is protected by network segmentation and logical access
control.
Access to customer environments is done via secure connections (VPN tunnel).
All access to information is validated and approved according to each profile.


The organization does not operate with customer information, but is responsible to protect
and preserve it throughout its life cycle.
There are tools for the validation and monitoring of integrity and availability; confidentiality is
safeguarded at all times through strict systems for access control (Google IAM Service) and
data encryption (SSL tunnels, database encryption and server encryption).


6. SECTION II - Trust Service Principles of Security, Availability, and Confidentiality, applicable criteria and related controls.
The objective of this report is to provide information to the interested parties on the
BOTMAKER security controls, in order to mitigate the relevant risks for the client
organizations. The methodology used to assess the design of BOTMAKER's controls was
limited to the "Trust Service Principles of Security, Availability, and Confidentiality”, and
related criteria and controls specified by BOTMAKER's executive management.

Common criteria to all principles of security, availability, processing integrity and confidentiality

CC1.0 Common criteria related to organization and management
Columns: Criterion | Organization controls | Tests performed | Tests results

CC1.1
Criterion: The structure of the organization has been established with reporting lines, authorities and responsibilities for the design, development, implementation, operation, monitoring and maintenance of the system, which allows it to meet its commitments and security, availability, integrity and confidentiality requirements.
Organization controls:
Ctrl-1) The organization's staff signs a confidentiality agreement and Code of Conduct. In the same way, confidentiality agreements are signed with critical suppliers.
Ctrl-2) The reporting line is clearly defined, and is communicated to all staff. There is an organizational chart and a document describing the position profiles: the main functions and responsibilities, as well as the knowledge and skills required for each position. The organization's management is notified of each incident or relevant security risk identified.
Tests performed:
Ctrl-1) Verified the existence of Confidentiality Agreements and Code of Conduct. The following documentation and associated records were verified:
- Confidentiality and Intellectual Property Employees V2.0
- DG-01 Code of Conduct V1.0 dated 11/08/2021
Ctrl-2) Verified the following documentation and associated records:
- Organization chart of BOTMAKER V1.0 dated 08/27/2021.
The chart establishes the role of "Information Security Analyst", in charge of security design and administration. The activities related to the monitoring, maintenance and control of the infrastructure are carried out by the “Infrastructure Team”, defined in the organizational chart. Both of them are part of the Infrastructure Management, responsible for the Information Security management, and in direct report to the Organization's top management.
Tests results: No exceptions found.

CC1.2
Criterion: Responsibility and accountability for designing, developing, implementing, operating, monitoring, maintaining, and approving the entity’s system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated.
Organization controls:
Ctrl-1) Roles and responsibilities are defined and communicated to employees.
Ctrl-2) An Information Security Analyst and an Infrastructure Team have been allocated, reporting to the Infrastructure Management, and in charge of monitoring technological services and their risks.
Ctrl-3) There is a risk management methodology from which the controls to be implemented are obtained.
Ctrl-4) There is a technological change management procedure, which defines the methodology for the analysis, approval and implementation of changes in critical platforms.
Ctrl-5) Information security awareness sessions are held for employees where the organization information security policies are communicated.
Tests performed:
Ctrl-1) The definition of the Job Profile and the internal communication processes were validated. The following documentation and associated records were verified:
- PS-05 Human Capital Management Process – V1.3 Item 5.7 “Internal Communication”
- Roles and Responsibilities V1.0 – Job Profiles.
Ctrl-2) The following documentation and associated records were verified:
- BOTMAKER Organization chart V1.0 dated 08/27/2021.
It establishes the role of the "Information Security Analyst", responsible for information security design and administration. The activities related to the infrastructure monitoring, maintenance and control are carried out by the “Infrastructure Team”, defined in the organization chart. Both of them are part of the Infrastructure Management, responsible for the Information Security management, and in direct report to the Organization's top management.
Ctrl-3) The Information Security Analyst monitors the risks and updates the matrix:
- RG-01 Risk Dashboard
The procedure complies with the methodology described in the procedure:
- “PS-01 Risk Management V1.0”
Sample of high level risks assessed:
- Database Information Theft (ID ER-01)
- Data unavailability due to database corruption (ID ER-14)
Verified mitigation and continuity strategies established for them.
Ctrl-4) Verified a documented Change Management procedure:
- PS-10 Client Environment Management V1.2 Item 5.2 Change Management, applied by the infrastructure team.
Checked the change log in:
- "RG-07 Registry of Follow-up and Control of Vulnerabilities_Incidents_Changes"
Ctrl-5) Verified the new collaborators' awareness training regarding information security and the communication of the organization security policies. Sample:
- PPT "Awareness Workshop"
- A_15 Training Attendance Record 12/14/2021 – Training “information security awareness workshop”
Tests results: No exceptions found.

CC1.3
Criterion: Personnel responsible for designing, developing, implementing, operating, monitoring, and maintaining the system affecting security, availability, integrity, and confidentiality, have the qualifications and resources to fulfill their responsibilities.
Organization controls:
Ctrl-1) The organization has a work team specialized in the selection and management of human resources.
Ctrl-2) The persons doing work that affects the infrastructure and security service and support are qualified according to their job position. Their skills are evaluated by project leaders continuously.
Ctrl-3) The Job Descriptions are documented; the personnel required roles and responsibilities are established.
Tests performed:
Ctrl-1) Verified the process of personnel selection and evaluation:
- PS-05 Human Capital Management Process – V1.3
Ctrl-2) The project leaders monitor and evaluate the skills of their staff before and during the employment, according to item 5.8 of Procedure PS-05 "Personnel Evaluation".
Ctrl-3) The definition of the Job Profile was validated. The following documentation and associated records were verified:
- Roles and Responsibilities V1.0 – Job Profiles.
Sample: "Security Analyst" profile.

CC1.4
Criterion: The organization has established standards of conduct for employees, has implemented applicant background check procedures, and conducts compliance procedures to meet its security, availability, integrity, and confidentiality commitments and requirements.
Organization controls:
Ctrl-1) The organization's personnel signs a confidentiality agreement and an acceptable use of assets and systems policy.
Ctrl-2) The organization has internal personnel selection procedures.
Ctrl-3) There is a document containing the rules of coexistence and the Information Security policy, which is known and signed by all employees.
Ctrl-4) There are practices of disciplinary sanctions for breaches or violations of current information security policies.
Tests performed:
Ctrl-1) Verified Confidentiality Agreements and Code of Conduct. The following documentation and associated records were verified:
- Confidentiality and Intellectual Property Employees V2.0
- DG-01 Code of Conduct V1.0 dated 11/08/2021.
Ctrl-2) Verified process of personnel selection and evaluation:
- PS-05 Human Capital Management Process – V1.3
Ctrl-3) Verified document DG-01 Code of Conduct V1.0 dated 11/08/2021.
Ctrl-4) Verified disciplinary process:
- PS-05 Human Capital Management Process – Section 5.5 Disciplinary Process
Tests results: No exceptions found.

CC2.0 Common criteria related to organization and management
Columns: Criterion | Organization controls | Tests performed | Tests results

CC2.1
Criterion: Information about the system design and operation and its limits has been prepared and communicated to authorized internal and external users so that they can understand their role in the system and the results of the system's operation.
Organization controls:
Ctrl-1) Internal Infrastructure Management: the organization has an Environment Management process, which contains the rules and limits related to the deployment, changes, operation, monitoring, maintenance and support of the service infrastructure.
Ctrl-2) The organization has a network diagram that shows the design of the deployed technological architecture.
Ctrl-3) Users and accesses are managed and granted by duly documented profiles.
Ctrl-4) The client accesses his environment and manages his own users with the minimum security rules defined by the organization, accepting the terms and conditions of use.
Tests performed:
Ctrl-1) Verified the environment management process:
- PS-10 Environment Management.
This procedure reflects all the main management of the infrastructure operation.
Ctrl-2) Verified the design of the infrastructure: "Network Diagram".
Ctrl-3) Verified record:
- Job Profiles and Access Profiles V1.0 dated 09/27/2021
Ctrl-4) Verified the automatic creation of accounts for clients/users of the system. Verified the privacy policy, accepted by clients:
- Privacy Policy – botmaker.com/en/privacy
Verified user authentication through their “Google” or “Facebook” account or user creation associated with an email through the Google service.
Tests results: No exceptions found.

CC2.2
Criterion: The security, availability, integrity and confidentiality commitments of the organization are communicated to external users, as appropriate; such commitments and system requirements are communicated to internal system users so that they can fulfill their responsibilities.
Organization controls:
Ctrl-1) Security commitments are communicated to customers through specific contracts (large customers) and the Privacy Policy.
Ctrl-2) Employment agreements contain provisions and/or compliance terms with the established information governance and the security policies and must be reviewed and agreed to by the organization's staff.
Ctrl-3) There are confidentiality agreements and rules of coexistence, which include the Information Security Policy and are known and signed by all employees.
Tests performed:
Ctrl-1) Verified the privacy policy that the customer consents to: Privacy Policy – botmaker.com/en/privacy
Ctrl-2) Ctrl-3) Validated the Confidentiality Agreements and Code of Conduct. Verified the following documentation and associated records:
- Confidentiality and Intellectual Property Employees V2.0
- DG-01 Code of Conduct V1.0 dated 11/08/2021
Tests results: No exceptions found.

CC2.3
Criterion: The entity communicates the responsibilities to internal and external users and any other role that affects the system operation.
Organization controls:
Ctrl-1) Formal definition of job profiles.
Ctrl-2) Confidentiality agreements and codes of conduct available.
Ctrl-3) Privacy and use of the systems agreement.
Tests performed:
Ctrl-1) Verified:
- Position Profiles and Access Profiles V1.0 dated 09/27/2021
Ctrl-2) Verified the following documentation and associated records:
- Confidentiality and Intellectual Property Employees V2.0
- DG-01 Code of Conduct V1.0 dated 11/08/2021.
Ctrl-3) Validated Privacy Policy, which the client accepts: Privacy Policy – botmaker.com/en/privacy
Tests results: No exceptions found.

CC2.4
Criterion: The internal and external personnel responsible for designing, developing, implementing, operating, monitoring and maintaining the controls that are relevant to security, availability, processing integrity and confidentiality of the system, have the necessary information to carry out the mentioned responsibilities.
Organization controls:
Ctrl-1) Verified the Environments Management Procedure which covers the deployment, deletion, maintenance, operation, monitoring, support and maintenance of environments and production systems.
Tests performed:
Ctrl-1) Verified Environments Management process:
- PS-10 Environment Management
Tests results: No exceptions found.

CC2.5
Criterion: The system internal and external users are informed on how to report security, availability, integrity, and confidentiality breaches, incidents, concerns, and other complaints to the pertinent personnel.
Organization controls:
Ctrl-1) Formal channels are defined to report failures and security incidents. There is a documented procedure for Information Security Incident Management.
Ctrl-2) The availability of formal channels of communication with the client for reporting information security failures.
Tests performed:
Ctrl-1) Verified the security incident management process:
- PS-11 Incident Management – V1.0 – dated 06/12/2021
Ctrl-2) Validated the communication channels available to customers:
- Account manager
- Partners
- Email
Verified the communication of a formal channel to report issues related to the processing of personal data:
- Privacy Policy – botmaker.com/privacy
Tests results: No exceptions found.

CC2.6
Criterion: System users are informed in a timely manner of changes to the system that affect their internal and external responsibilities or the commitments and requirements of the entity related to security, availability, integrity and confidentiality.
Organization controls:
Ctrl-1) Any change that may affect the operation and security of the systems is communicated and coordinated with the interested parties. There is an Infrastructure Change Management procedure.
Tests performed:
Ctrl-1) Verified the change management process:
- PS-10 Environment Management – Section 5.2 Change Management
Verified the change log in:
- "RG-07 Registry of Follow-up and Control of Vulnerabilities_Incidents_Changes"
Tests results: No exceptions found.

CC3.0 Common Criteria related to Risk Management, design and implementation of controls
Columns: Criterion | Organization controls | Tests performed | Tests results

CC3.1
Criterion: The entity (1) identifies potential threats that could affect the system security, availability, integrity, and confidentiality commitments and requirements, (2) analyzes the significance and impact of risks associated with the identified threats, and (3) determines mitigation strategies for these risks (including controls and other mitigation strategies).
Organization controls:
Ctrl-1) Periodically, the technology management, with the support of the Security Analyst, performs an analysis of the existing risks for different high-risk scenarios.
Ctrl-2) In the event of an interruption of operations, business continuity plans are defined as a mitigation strategy to respond to the services continuity with customers.
Ctrl-3) Risks are periodically reviewed and their treatment is monitored.
Tests performed:
Ctrl-1) Verified the Risk Management process:
- PS-01 Risk Management Procedure – V1.0 dated 07/21/2021
Reviewed the technological risk management matrix (RG-01 Risk Board). Verified the follow-up of the risk treatment status.
- Risk ID ER-03. Treatment ID Trello 2mdwek06. Status: closed
Ctrl-2) Verified the contingency strategy and the execution of continuity tests:
- Contingency Strategy.xlsx
- Continuity test – 2021 – 12/16/2021.
- Test exercise on scenario "Down Zones" - 12/16/2021
Ctrl-3) Verified an annual risk review definition (Risk Monitoring – PS01).
Tests results: No exceptions found.

CC3.2
Criterion: The entity designs, develops and implements controls, including policies and procedures, to implement its risk mitigation strategy.
Organization controls:
Ctrl-1) The organization has implemented an ISMS – Information Security Management System, based on and certified in ISO/IEC 27001:2013 - Information Security Management System.
Ctrl-2) Availability of information security management policies and procedures.
Ctrl-3) Availability of an Objectives and Management Board V1.1, applied to monitoring operational controls, security and management indicators.
Tests performed:
Ctrl-1) Verified the existence of the ISMS certified in the ISO/IEC 27001 standard.
Ctrl-2) Verified documented policies and procedures that respond to a risk mitigation strategy: Declaration of Applicability (DoA).
Ctrl-3) Verified the definition and monitoring of the controls associated with the ISMS as a risk mitigation strategy: RG06-DASHBOARD OF OBJECTIVES AND MANAGEMENT v1.1
Tests results: No exceptions found.

CC3.3
Criterion: The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological) that could significantly impact the internal control system of security, availability, processing integrity, and confidentiality and reassesses risks and mitigation based on them and (2) reassesses the adequacy of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.
Organization controls:
Ctrl-1) Documentation available for the definition and analysis of the context and scope of the ISMS.
Ctrl-2) Annual reviews of the context and strategic objectives are carried out by the Management, updating the SWOT Matrix.
Ctrl-3) A formal documented procedure for Infrastructure Change Management is available.
Ctrl-4) Availability of a documented information management process, including document change management (updates to policies, processes, procedures, etc.).
Tests performed:
Ctrl-1) Verified document:
- DG-01 Context and Scope of the ISMS – V1.1 dated 01/13/2022
Ctrl-2) Verified the SWOT matrix and the annual management review:
- DG-02 SWOT-CAME Matrix – V1.0 – 09/27/2021
- PS-04 Management Review – V1.0 – 09/28/2021
Verified the management review, including the review of context changes, SWOT and Risk management.
- A-03 Minutes of Management Review dated 12/23/2021
Ctrl-4) Verified the information management procedure:
- PR-01 Documented Information Management Procedure – V1.0 – 09/28/2021
Tests results: No exceptions found. Nonetheless, the Salesforce client infrastructure is monitored by the client itself (the organization does not have access).

CC4.0 Common Criteria Related to Control Monitoring
Columns: Criterion | Organization controls | Tests performed | Tests results

CC4.1
Criterion: The controls design and operational effectiveness are periodically evaluated based on security and availability.
Organization controls:
Ctrl-1) In place operational monitoring tools and controls for availability and security management.
Ctrl-2) Existence of Indicators associated with the availability of systems and security and infrastructure support incidents.
Ctrl-3) ISMS annual review.
Ctrl-4) ISMS Annual Audits.
Ctrl-5) VRA/Pentest audits on the infrastructure.
Ctrl-6) Vulnerabilities in systems monitoring and Management.
Ctrl-7) Nonconformity and continuous improvement management process.
Tests performed:
Ctrl-1) Verified the monitoring process:
- PS-10 Environment Management – Section 5.4 Monitoring Management
- PS-10 Environment Management – Section 5.6 Infrastructure Support
Verified registration: "RG-07 Registry of Follow-up and Control of Vulnerabilities_Incidents_Changes"
Uptime.xls checks:
# 02/14/2022 result 99.973%
# 03/28/2022 result 99.979%
Ctrl-2) Validated record: RG06 - OBJECTIVES AND MANAGEMENT BOARD_V1.1. Sample: Control “Failed Changes” 03/01/2022, indicator in “green”.
Ctrl-3) Verified the management review, including updates and changes to the ISMS: A-03 Minutes of Management Review dated 12/23/2021
Ctrl-4) Verified the last internal and external audit:
- Internal Audit Report - Information Security Management System issued on 12/23/2021.
- Certification Audit Report - Issued by IRAM - dated 01/14/2022
Ctrl-5) Verified the execution of an annual pentest: BOTMAKER_Executive Report_RE_TEST_January_2021.pdf. The RE_TEST of 2022 is running.
Ctrl-6) Verified record: "RG-07 Registry of Follow-up and Control of Vulnerabilities_Incidents_Changes"
Ctrl-7) Verified the non-conformity and improvement management procedure:
- S-02 Continuous Improvement Process V1.0 – 09/13/2021
- RG-02 Continuous Improvement Tracking Record – updated to date
Tests results: No exceptions found.

CC5.0 Common Criteria related to Physical and Logical Access Controls
Columns: Criterion | Organization controls | Tests performed | Tests results
CC5.1
Criterion: A logical access security software, the infrastructure, and the architectures have been implemented to support: (1) the identification and authentication of authorized users; (2) restricting access by authorized users to system components, or portions thereof, authorized by administration, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.
Organization controls:
Ctrl-1) Documented procedures for access management available.
Ctrl-2) The organization has a Password Policy.
Ctrl-3) All the authentication systems associated with the infrastructure and systems allow the creation of strong passwords, in compliance with the defined password policies.
Ctrl-4) Authentication systems have password blocking controls due to repetition of incorrect entries and alert the admin.
Tests performed:
Ctrl-1) Verified access management procedure; it is suitable for the organization. PS-07 Access Management – V1.2 - 04/07/2022
Ctrl-2) Verified the password policy, which is adequate for the organization. POL-02 Specific information security policies – v1.2 – Section 2.8 Password Policy
Ctrl-3) Verified “Google” Authentication set up according to infrastructure environments and systems policies. Verified use of Google IAM for access to critical infrastructure. Verified double authentication factor for critical systems. For user environments, authentication is through the personal Google account, Facebook, or by creating a user associated with an email through the Google service.
Ctrl-4) Verified the generation of alerts via email to admins in the event of improper access attempts to the systems.
Tests results: No exceptions found.
CC5.2
Criterion: New system users, whether internal or external, are registered and authorized prior to receiving system credentials and being granted access. User's credentials are deleted when access is no longer authorized.
Organization controls:
Ctrl-1) System access is authorized for new users before they are granted access to the organization's systems.
Ctrl-2) Role-based access is used to determine the need to access the systems.
Ctrl-3) Users and permissions are deleted according to the Access Management documented procedure.
Ctrl-4) There are periodic checks to review accesses granted and deletions.
Tests performed:
Ctrl-1) Verified the network user approval and granting workflow.
- Example: User registration May/09/2022 registered in Google Workspace.
Ctrl-2) Verified the accesses according to the user profile with the role of "Security Analyst", compliant with what is defined in the registry Roles and Responsibilities – Access Profiles v1.0 dated 09/27/2021
Ctrl-3) Verified user deletion after deregistration according to PS-07 Access Management – Section 5.3 User Deregistration.
Ctrl-4) Verified execution of the six-monthly access review. RG06-Objectives and Management Board v1.1
- Privileged users - Date of last revision 10/30/2021 – No deviations
- Standard users - Last revision date: 10/30/2021 – No deviations
Verified the scheduling of a deregistered users review by 07/30/2022.
Tests results: No exceptions found.
CC5.3
Criterion: Internal and external system users are identified and authenticated when they access system components (i.e.: infrastructure, software, and data).
Organization controls:
Ctrl-1) All system components have secure logical access authentication systems.
Tests performed:
Ctrl-1) Reviewed relevant service access systems:
- Google Cloud
- Databases
- Github (access to source code)
- Botmaker Platform Administration
- Access with the client role to the Botmaker platform
To access, all permissions required having a username and password duly granted according to their profile.
Tests results: No exceptions found.
CC5.4
Criterion: Access to data, software, features, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or system design and changes made.
Organization controls:
Ctrl-1) Role-based access is applied to determine the need to access systems.
Ctrl-2) Access to the network and systems is revoked or modified as part of the access management process.
Ctrl-3) The system allows the creation, modification and deletion of users for Botmaker platform users (clients).
Tests performed:
Ctrl-1 and Ctrl-2) Verified the availability of procedures for granting access to data, software and other resources, as well as their modification and elimination based on roles. PS-07 Access Management
Ctrl-3) Verified the access as a client to the Botmaker platform, and the creation, modification and deletion of users.
Tests results: No exceptions found.
CC5.5 – Physical access to the facilities hosting the system (for example, datacenters, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel.

Organization controls:
Ctrl-1) The organization's infrastructure is in Google Cloud; therefore, physical access controls are covered by the cloud provider.
Ctrl-2) The applications and support systems for internal management are rented as cloud services (SaaS).

Tests performed:
Ctrl-1) Verified that all the infrastructure directly or indirectly associated with customer service is deployed in Google Cloud.
Ctrl-2) Verified that all support and internal management services are deployed in Google Cloud or are SaaS services contracted from top-tier companies (GitHub, Trello, among others).

Tests results: No exceptions found.
CC5.6 – Logical access security measures have been implemented to protect against unauthorized access, and threats to availability, integrity, and confidentiality, from sources outside the system boundaries.

Organization controls:
Ctrl-1) Access to the infrastructure is done through Google Cloud IAM (Identity and Access Management).
Ctrl-2) Accesses with critical privileges are reviewed every 15 days and non-critical accesses every 6 months.
Ctrl-3) Users accessing the infrastructure pass through a firewall, and the corresponding authorization of source addresses and ports is controlled.

Tests performed:
Ctrl-1) Verified access management through IAM.
Ctrl-2) Verified the periodic review of privileged accesses:
- Critical: last record dated 03/01/2022.
- Non-critical: last record dated 05/02/2022.
Ctrl-3) Verified the access log documented in "[Botmaker] Firewall Access.xls" and checked it against the firewall.

Tests results: No exceptions found.
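As an added example (not part of this report or of Botmaker's own tooling), the following Python script turns the review cadence stated in Ctrl-2 of CC5.6 into an automated check: given an access register with each entry's criticality and last recorded review date, it lists the entries whose 15-day (critical) or 6-calendar-month (non-critical) window has elapsed as of a reference date, and fails closed on an unknown criticality label. The register entries, principals, resources and dates are constructed for the illustration and are assumptions, not data from the audit.

```python
"""Access-review cadence check: flags entries whose review window has elapsed.

Added example; the register below is constructed and not taken from the audit.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import calendar

# Cadence from CC5.6 Ctrl-2: critical privileges every 15 days, non-critical
# access every 6 calendar months. Any other label is rejected (fail closed).
CADENCE = {"critical": ("days", 15), "non-critical": ("months", 6)}


@dataclass(frozen=True)
class AccessEntry:
    principal: str      # who holds the access
    resource: str       # what they can reach
    criticality: str    # "critical" or "non-critical"
    last_review: date   # date of the last recorded review of this entry


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length
    (e.g. 31 Aug + 6 months -> 28 Feb), so a due date never silently slips a month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_due(entry: AccessEntry) -> date:
    """Date by which the next review of this entry must have been recorded."""
    try:
        unit, n = CADENCE[entry.criticality]
    except KeyError:
        raise ValueError(f"unknown criticality {entry.criticality!r} for {entry.principal}") from None
    if unit == "days":
        return entry.last_review + timedelta(days=n)
    return add_months(entry.last_review, n)


def overdue(register, as_of: date):
    """Entries whose review window has elapsed as of `as_of`, most overdue first.

    Returns (principal, criticality, days_overdue) tuples.
    """
    late = []
    for entry in register:
        due = next_due(entry)
        if due < as_of:
            late.append((entry.principal, entry.criticality, (as_of - due).days))
    return sorted(late, key=lambda t: -t[2])


# Constructed sample register (assumption: illustrative principals and dates only).
AS_OF = date(2022, 4, 26)
SAMPLE_REGISTER = [
    AccessEntry("ops-admin@example.invalid", "GCP project owner", "critical", date(2022, 4, 20)),
    AccessEntry("sre-oncall@example.invalid", "GCP project owner", "critical", date(2022, 4, 1)),
    AccessEntry("analyst1@example.invalid", "Security Analyst", "non-critical", date(2021, 10, 30)),
    AccessEntry("analyst2@example.invalid", "Security Analyst", "non-critical", date(2021, 9, 27)),
]


def report(register=SAMPLE_REGISTER, as_of=AS_OF):
    """Overdue list for the sample register; a CI gate would fail when this is non-empty."""
    return overdue(register, as_of)


if __name__ == "__main__":
    for principal, criticality, days in report():
        print(f"OVERDUE by {days:>3} day(s): {criticality:<12} {principal}")
```

Run against the constructed register on 2022-04-26, the script reports the non-critical entry last reviewed on 2021-09-27 (30 days past its 6-month window) and the critical entry last reviewed on 2022-04-01 (10 days past its 15-day window); the other two are within their windows. Calendar-month arithmetic is used for the 6-month cadence rather than a fixed 180 days so that "every 6 months" means what the procedure says.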
CC5.7 – The transmission, change, and deletion of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and requirements of information security, availability, integrity, and confidentiality.

Organization controls:
Ctrl-1) A policy for the exchange and handling of customer information is available.
Ctrl-2) The information that the client handles through the platform is managed by the client throughout its life cycle; the organization only intervenes in its safeguarding (backup).
Ctrl-3) There is strict control over the granting and exercise of permissions for the transmission, movement and deletion of data from systems.
Ctrl-4) Every change, such as the deletion or movement of a database, goes through a defined Change Management process.

Tests performed:
Ctrl-1) Verified the policy: POL-02 Specific information security policies – Section 2.4 Exchange and treatment of customer information policies.
Ctrl-2) Verified the access profiles for users and their permissions to manage their information through the platform.
Ctrl-3) Verified the procedures for granting role-based access to data, as well as its modification and deletion: PS-07 Access Management – V1.2, 04/07/2022.
Ctrl-4) Verified the change management process: PS-10 Environment Management – Section 5.2 Change Management. Checked the log of changes in "RG-07 Registry of Follow-up and Control of Vulnerabilities_Incidents_Changes".

Tests results: No exceptions found.
CC5.8 – Controls have been implemented to prevent or detect and act on the introduction of unauthorized or malicious software.

Organization controls:
Ctrl-1) Software acquisition policy available.
Ctrl-2) Proper use of information systems policy available.
Ctrl-3) At the infrastructure level, all software must be validated and deployed according to the change management process.

Tests performed:
Ctrl-1) Verified the policy: POL-02 Specific information security policies – Section 2.9 Software acquisition and interconnection of systems policies.
Ctrl-2) Verified the policy: POL-02 Specific information security policies – Section 2.9 Software acquisition and interconnection of systems policies.
Ctrl-3) Verified the change management process: PS-10 Environment Management – Section 5.2 Change Management.

Tests results: No exceptions found.
CC6.0 Common Criteria related to System Operations
CC6.1 – System component vulnerabilities to security, availability, integrity and confidentiality breaches, and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to resolve new and known vulnerabilities.

Organization controls:
Ctrl-1) The organization has a vulnerability management process.
Ctrl-2) Annual vulnerability scans and penetration tests are performed.
Ctrl-3) Systems are monitored and scanned for vulnerabilities.
Ctrl-4) Vulnerabilities are managed and prioritized according to their criticality.

Tests performed:
Ctrl-1) Verified the vulnerability management process: PS-10 Environment Management – Section 5.8 Vulnerability Management.
Ctrl-2) Verified the execution of an annual pentest: BOTMAKER_Executive Report_RE_TEST_January_2021.pdf. The RE_TEST of 2022 is in process.
Ctrl-3 and Ctrl-4) Verified "RG-07 Record of Follow-up and Control of Vulnerabilities_Incidents_Changes". Verified the management of the following vulnerabilities:
- CVE-2013-7445 on the all-cluster-specs component – detected 02/09/2022.
- CVE-20219-19814 on the firestore-backup-py component – detected 01/26/2022.

Tests results: No exceptions found.
CC6.2 – Security, availability, integrity, and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted upon in accordance with established incident response procedures.

Organization controls:
Ctrl-1) A formal, documented security incident management procedure is available.
Ctrl-2) Formal channels are defined to report failures and security incidents.
Ctrl-3) Incidents are analyzed and managed according to defined processes.

Tests performed:
Ctrl-1) Verified the security incident management process: PS-11 Incident Management – V1.0 – 12/06/2021.
Ctrl-2) Verified the communication channels available to the client:
- Account manager
- Partners
- Email
Verified the communication of a formal channel to report issues related to the processing of personal data: Privacy Policy – botmaker.com/privacy.
Ctrl-3) Validated the document "RG-07 Record of Follow-up and Control of Vulnerabilities_Incidents_Changes". There were no incidents during the analyzed period.

Tests results: No exceptions found.
CC7.0 Common Criteria related to Change Management
CC7.1 – Security, availability, integrity, and confidentiality requirements and commitments are addressed throughout the system development lifecycle, including the design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

Organization controls:
Ctrl-1) The personnel assigned to the service follow the guidelines of the organization and those defined by the client regarding security, integrity, availability and confidentiality throughout the software development life cycle.
Ctrl-2) Operational changes and maintenance are managed through an environment management process.

Tests performed:
Ctrl-1) Verified the application of methodologies and good practices in software development by the organization.
Ctrl-2) Verified the change and maintenance management process: PS-10 Environment Management – Section 5.2 Change Management; PS-10 Environment Management – Section 5.3 Maintenance.

Tests results: No exceptions found.
CC7.2 – Infrastructure, data, software, and procedures are updated as necessary to maintain consistency with system commitments and requirements for security, availability, integrity, and confidentiality of processing.

Organization controls:
Ctrl-1) A component maintenance plan is defined through metrics and alerts in order to keep components updated. Google Cloud actions are configured to automatically update components based on the change criticality.
Ctrl-2) Google Cloud alerts regarding the update status of the components are monitored and the Change Management process is applied.
Ctrl-3) Procedures are updated on changes. An annual review of all procedures is carried out.

Tests performed:
Ctrl-1 and Ctrl-2) Verified the configuration of metrics in the different system components and the alert notifications.
Ctrl-3) Verified the documented information management procedure: PR-01 Documented Information Management Procedure – V1.0 – 09/28/2021. Verified that no document has a version whose publication/modification date is older than 12 months.

Tests results: No exceptions found.
CC7.3 – Change management processes are initiated when deficiencies in the design or operational effectiveness of controls are identified during system operation and monitoring.

Organization controls:
Ctrl-1) The Change Management process is executed when there is a need for a modification or for the resolution of a problem/incident.

Tests performed:
Ctrl-1) Verified the change management process, which defines the guidelines for requesting, evaluating and executing changes: PS-10 Environment Management – Section 5.2 Change Management.

Tests results: No exceptions found.
CC7.4 – Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with security, availability, processing integrity, and confidentiality commitments and requirements.

Organization controls:
Ctrl-1) Changes are classified according to their criticality, from which planning, approval and registration requirements are defined.

Tests performed:
Ctrl-1) Verified the steps established for the definition and execution of changes according to their criticality, which categorizes them as:
- Standard: routine changes without risk for the operation, for example applying non-critical patches.
- Critical: due to their complexity or possible impact, they require detailed planning, analysis and formal approval, for example the migration of a database.
- Emergency: based on the need for immediate execution, for example to resolve an incident.

Tests results: No exceptions found.
Additional Criteria for Availability
A1.1 – Processing capacity and usage are monitored, maintained, and evaluated in order to administer capacity demand and enable the implementation of additional capacity to help meet availability commitments and requirements.

Organization controls:
Ctrl-1) The capacity of critical components is monitored through metrics and alarms.
Ctrl-2) The infrastructure is self-scaling as part of the solutions provided by the cloud service provider.

Tests performed:
Ctrl-1) Verified the alerts for:
- Capacity of the queues – register "Infrastructure queue alert".
- CPU and memory monitoring graphs – sample: CPU near limit on m-infra proxy from 05/08/2022.
Ctrl-2) Verified that all services run on Google Cloud with a service that allows infrastructure auto-scaling. When CPU saturation alerts are received, capacity is extended.

Tests results: No exceptions found.
A1.2 – Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, monitored, and maintained to meet availability commitments and requirements.

Organization controls:
Ctrl-1) Backup management process available.
Ctrl-2) Contingency management process available.
Ctrl-3) Infrastructure environmental conditions are ensured by the cloud infrastructure provider.

Tests performed:
Ctrl-1) Verified the backup management process: PS-10 Environment Management – Section 5.7 Backup Management.
Ctrl-2) Verified the service continuity (contingency) process: PS-10 Environment Management – Section 5.9 Service Continuity.
Ctrl-3) Verified supplier compliance with SOC 2: https://cloud.google.com/security/compliance/soc-2

Tests results: No exceptions found.
A1.3 – Procedures that support system recovery in accordance with recovery plans are tested periodically in order to help meet availability commitments and requirements.

Organization controls:
Ctrl-1) Documented backup strategies and execution of periodic tests.
Ctrl-2) Documented service contingency management strategies and execution of periodic tests.

Tests performed:
Ctrl-1) Verified the backup strategy and restore tests: Record of Follow-up and Control of Vulnerabilities_Incidents_Changes – V1 – "Policy and Execution of Backups".
Ctrl-2) Verified the contingency strategy and the execution of continuity tests: Contingency Strategy.xlsx; Continuity test – 2021 – 12/16/2021; test exercise on the "Zones Down" scenario – 12/16/2021.

Tests results: No exceptions found.
Additional Criteria for Processing Integrity
PI1.1 – Procedures are in place to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.

Organization controls:
Ctrl-1) The platform has data integrity controls.
Ctrl-2) An incident management procedure to handle any processing and/or data integrity errors is established.

Tests performed:
Ctrl-1) Verified the input data validation controls and the controls in the exchange of information through APIs.
Ctrl-2) Verified the security incident management process: PS-11 Incident Management – V1.0 – 12/06/2021.

Tests results: No exceptions found.
PI1.2 – System inputs are fully, accurately, and timely measured and recorded in accordance with commitments and processing integrity requirements.

Organization controls:
Ctrl-1) There is an integrity control over the data inputs to the platform.
Ctrl-2) Relevant entries and activities are recorded in the platform transaction log.

Tests performed:
Ctrl-1) Verified the customizable input data validation controls from the platform configuration, for example the input "User name" configured with the valid input data type "Name".
Ctrl-2) Verified (sample) the following fields in the change history log: date, author, action.

Tests results: No exceptions found.
PI1.3 – Data is processed in a complete, accurate and timely manner as authorized, in accordance with processing integrity commitments and requirements.

Organization controls:
Ctrl-1) Incomplete data, or data with an integrity validation error, is not processed.

Tests performed:
Ctrl-1) Verified by sample the following inputs, their validation before processing, and the error message shown to the user: entry configuration "Username", valid input data type "Name".

Tests results: No exceptions found.
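The PI1.2 and PI1.3 controls describe typed input fields (a field of type "Name" accepts only a name), validation before processing, rejection of any record that is incomplete or fails validation, and an error message returned to the user. The following Python validator is an added example of that pattern written for this page; it is not the platform's configuration or code. The "Name" type mirrors the sample in the report, while the "Email" and "Phone" types, the length cap, the schema and the sample submissions are assumptions made for the illustration.

```python
"""Typed input validation that refuses to process a record with any invalid or missing field.

Added example illustrating the PI1.2/PI1.3 control; the field types other than "Name",
the schema and the sample submissions are assumptions, not the platform's configuration.
"""
import re
from typing import Optional, Tuple

MAX_FIELD_LENGTH = 200   # assumption: a cap so over-long input is rejected before any parsing

# Each type: (pattern the whole value must match, message returned to the user on failure).
VALIDATORS = {
    # Letters in any script, spaces, apostrophes and hyphens; must start with a letter.
    "Name": (re.compile(r"[^\W\d_](?:[^\W\d_]|[ '\-])*"),
             "must contain only letters, spaces, apostrophes or hyphens"),
    "Email": (re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
              "must be an address such as name@example.com"),
    "Phone": (re.compile(r"\+?[0-9]{7,15}"),
              "must be 7 to 15 digits, optionally starting with +"),
}

# Field -> (type, required). Constructed schema in the spirit of the "User name" / "Name" sample.
SCHEMA = {
    "User name": ("Name", True),
    "Contact email": ("Email", True),
    "Phone": ("Phone", False),
}


def validate(schema, submitted) -> Tuple[Optional[dict], list]:
    """Return (clean_record, []) when every field passes, or (None, errors) otherwise.

    A record with any error is rejected as a whole (PI1.3): nothing partial is processed,
    and the error list is what the user would be shown.
    """
    errors, clean = [], {}
    for field, (ftype, required) in schema.items():
        raw = submitted.get(field)
        value = "" if raw is None else str(raw).strip()
        if value == "":
            if required:
                errors.append(f"{field}: this field is required")
            continue
        if len(value) > MAX_FIELD_LENGTH:
            errors.append(f"{field}: must be at most {MAX_FIELD_LENGTH} characters")
            continue
        pattern, message = VALIDATORS[ftype]
        if pattern.fullmatch(value) is None:
            errors.append(f"{field}: {message}")
        else:
            clean[field] = value
    # Fields the schema does not declare are refused rather than silently stored.
    unexpected = sorted(set(submitted) - set(schema))
    if unexpected:
        errors.append("unexpected field(s): " + ", ".join(unexpected))
    return (clean, []) if not errors else (None, errors)


# Constructed sample submissions (assumptions for the illustration).
SAMPLES = {
    "valid": {"User name": "María Pérez", "Contact email": "maria@example.com"},
    "bad_name_and_email": {"User name": "Robert'); DROP TABLE users;--",
                           "Contact email": "not-an-address"},
    "extra_field": {"User name": "Ann Lee", "Contact email": "ann@example.com", "role": "admin"},
}


def check_samples():
    """Run every sample through the validator; returns {label: (accepted?, errors)}."""
    results = {}
    for label, submitted in SAMPLES.items():
        record, errors = validate(SCHEMA, submitted)
        results[label] = (record is not None, errors)
    return results


if __name__ == "__main__":
    for label, (accepted, errors) in check_samples().items():
        print(label, "accepted" if accepted else "rejected", errors)
```

Two design points are deliberate: `fullmatch` is used so the whole value must conform (a partial `match` would let trailing characters through), and undeclared fields are treated as an error rather than dropped, which closes the usual mass-assignment gap where a client adds a field such as "role" to a profile update.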

PI1.4 – Data is fully and accurately stored and maintained for its specified lifetime in accordance with processing integrity commitments and requirements.

Organization controls:
Ctrl-1) The data is stored and maintained in full in accordance with the specifications defined in the contractual Terms and Conditions.
Ctrl-2) The established backup strategy responds to the backup requirements.

Tests performed:
Ctrl-1) Verified the following statement in the Privacy Policy (https://botmaker.com/en/privacy/), under "Term": "Botmaker may retain Information for as long as necessary to fulfill the purposes for which it was collected or as necessary to provide the Services, including after the cancellation or deletion of any account, or after the termination of the services provision, if retention of such information is reasonably necessary to comply with legal obligations, meet regulatory requirements, resolve disputes between users, prevent fraud or any other use."
Ctrl-2) Verified the backup rules defined for the following databases:
- Firestore
- BigQuery
Type of backup: full. Frequency: daily. History: not limited.

Tests results: No exceptions found.
PI1.5 – System output is complete, accurate, distributed and retained in accordance with processing integrity commitments and requirements.

Organization controls:
Ctrl-1) An integrity check on the data outputs of the platform is performed.
Ctrl-2) Relevant outputs and activities are recorded in the platform transaction log.

Tests performed:
Ctrl-1) Verified the output data validation controls: in the event of an invalid entry in a field of type "Name", an error output message is returned.
Ctrl-2) Verified (sample) the following outputs in the platform conversation event log: notifications not delivered by the WhatsApp channel.

Tests results: No exceptions found.
PI1.6 – Data modification is authorized, using approved procedures, in accordance with the commitments and requirements of processing integrity.

Organization controls:
Ctrl-1) Platform users can only modify the information associated with their profile.
Ctrl-2) Any information modification outside the logic of the platform operation is done through an analysis and authorization process (Change Management).

Tests performed:
Ctrl-1) Verified the operations that can be executed by a platform user according to the assigned profile.
Ctrl-2) Verified the change management process, which defines the guidelines for requesting, evaluating and executing changes: PS-10 Environment Management – Section 5.2 Change Management.

Tests results: No exceptions found.
Additional Criteria for Confidentiality
C1.1 – Confidential information is protected during the system design, development, testing, implementation and change processes in accordance with confidentiality commitments and requirements.

Organization controls:
Ctrl-1) Production data is not used in any pre-production environment.
Ctrl-2) Every change in production is done through a controlled process (Change Management).

Tests performed:
Ctrl-1) The development team was interviewed and it was verified that production data is not used for debugging or testing.
Ctrl-2) Verified the change management process, which defines the guidelines for requesting, evaluating and executing changes: PS-10 Environment Management – Section 5.2 Change Management.

Tests results: No exceptions found.
C1.2 – Confidential information within system boundaries is protected from unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.

Organization controls:
Ctrl-1) Users must authenticate their access to the customer environment through a username and password.
Ctrl-2) Access to a user's platform environment by support or assistance staff has an approval and monitoring flow.
Ctrl-3) There are cryptographic controls for the transmission, processing and protection of sensitive information.

Tests performed:
Ctrl-1) Verified user authentication via their "Google" or "Facebook" account, or by creating a user associated with an email address through the Google service.
Ctrl-2) Verified the semi-automatic access request that support operators send to the user when assistance on the platform is required. The permit is granted for a maximum period of 24 hours and is canceled when the assistance is completed. The activities carried out are recorded. These steps are managed through the https://iaccess.botmaker.app module.
Ctrl-3) Verified the following controls: SSL/TLS channel across the platform.

Tests results: No exceptions found.
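The support-access flow verified under Ctrl-2 (an operator requests access to a customer's environment, the request is approved, the permit lasts at most 24 hours, it is cancelled when the assistance ends, and every action is recorded) is a just-in-time access pattern. The following Python model of that pattern is an added example written for this page; it is not the code of the iaccess.botmaker.app module, whose implementation the report does not describe. The operator, customer and ticket names, the injectable clock, and the rule that the approver must differ from the requesting operator are assumptions made for the illustration.

```python
"""Time-boxed (just-in-time) support access with early revocation and an audit trail.

Added example modelled on the C1.2 Ctrl-2 flow; not the iaccess module's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=24)   # C1.2 Ctrl-2: a permit is valid for at most 24 hours


@dataclass
class Grant:
    grant_id: int
    operator: str          # support operator who requested access
    customer: str          # customer environment the grant applies to
    reason: str            # ticket or request that justifies the access
    approved_by: str       # who approved (assumption: the customer-side admin)
    starts: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None


class SupportAccess:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._now = now            # injectable clock so expiry can be exercised in a test
        self._grants = {}
        self.audit = []            # append-only: (time, event, operator, customer, detail)
        self._next_id = 1

    def request(self, operator, customer, reason, approved_by, hours=24):
        """Create a grant; enforces the 24 h cap and separation of requester and approver."""
        now = self._now()
        if approved_by == operator:
            self._log(now, "denied", operator, customer, "self-approval is not allowed")
            raise PermissionError("approver must differ from the requesting operator")
        ttl = timedelta(hours=hours)
        if not timedelta(0) < ttl <= MAX_GRANT:
            self._log(now, "denied", operator, customer, f"requested {hours} h exceeds the cap")
            raise ValueError(f"grant must be longer than 0 and at most {MAX_GRANT}")
        grant = Grant(self._next_id, operator, customer, reason, approved_by, now, now + ttl)
        self._grants[grant.grant_id] = grant
        self._next_id += 1
        self._log(now, "granted", operator, customer,
                  f"{reason}; approved by {approved_by}; until {grant.expires.isoformat()}")
        return grant.grant_id

    def is_active(self, grant_id):
        grant = self._grants.get(grant_id)
        now = self._now()
        return grant is not None and grant.revoked_at is None and grant.starts <= now < grant.expires

    def act(self, grant_id, action):
        """Perform `action` in the customer environment only under an active grant.

        Refused attempts are recorded too, so the log shows misuse as well as use.
        """
        grant = self._grants.get(grant_id)
        who = grant.operator if grant else "unknown"
        where = grant.customer if grant else "unknown"
        if not self.is_active(grant_id):
            self._log(self._now(), "denied", who, where, action)
            return False
        self._log(self._now(), "action", who, where, action)
        return True

    def complete(self, grant_id):
        """Cancel the permit as soon as the assistance is finished, before the cap is reached."""
        grant = self._grants[grant_id]
        if grant.revoked_at is None:
            grant.revoked_at = self._now()
            self._log(grant.revoked_at, "revoked", grant.operator, grant.customer, "assistance completed")

    def _log(self, when, event, operator, customer, detail):
        self.audit.append((when.isoformat(), event, operator, customer, detail))


class Clock:
    """Controllable clock so the expiry path can be exercised without waiting."""
    def __init__(self, start):
        self.now = start

    def advance(self, **delta):
        self.now += timedelta(**delta)

    def __call__(self):
        return self.now


def demo():
    """Walk through grant, use, early revocation and expiry on constructed data."""
    clock = Clock(datetime(2022, 4, 26, 9, 0, tzinfo=timezone.utc))   # constructed timestamp
    access = SupportAccess(now=clock)
    first = access.request("support-op", "customer-a", "ticket 1234: bot not replying",
                           "customer-a-admin", hours=2)
    used = access.act(first, "view conversation log")
    access.complete(first)                                  # assistance done: permit cancelled early
    after_complete = access.act(first, "view conversation log")
    second = access.request("support-op", "customer-b", "ticket 1235: export request",
                            "customer-b-admin", hours=1)
    clock.advance(hours=1, minutes=1)                       # past the 1 h grant
    after_expiry = access.act(second, "export data")
    return used, after_complete, after_expiry, [event for _, event, _, _, _ in access.audit]


if __name__ == "__main__":
    for event in demo()[3]:
        print(event)
```

The two failure modes a reviewer of such a flow cares about are both exercised by `demo()`: an action after the operator has marked the assistance complete is refused even though the 24 h cap has not been reached, and an action after the grant's own expiry is refused without anyone having to revoke it. Both refusals land in the same audit list as the successful action, which is what makes the record useful for the monitoring the control describes.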

C1.3 – Access to confidential information from outside system boundaries and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.

Organization controls:
Ctrl-1) Infrastructure access by privileged users is restricted to authorized personnel according to job profile.
Ctrl-2) There are cryptographic controls in the infrastructure for information access and protection.

Tests performed:
Ctrl-1) Verified (sample) the access permissions defined according to the "Roles and Responsibilities – Access Profile" record:
- "GoogleCloud Client Environment": management type: by owner; owner: Engineering Director and Head of Infrastructure; access: owner only.
- GitHub: management type: by profile; owner: Head of Infrastructure; access: technology profiles.
Ctrl-2) Verified the following controls:
- VPN for access to platform infrastructure management.
- AES-256 encryption on servers.

Tests results: No exceptions found.
C1.4 – The entity has confidentiality commitments consistent with its confidentiality requirements to suppliers and other third parties whose products and services are part of the system and have access to confidential information.

Organization controls:
Ctrl-1) There are confidentiality agreements with employees consistent with the commitment made with the client.
Ctrl-2) There are confidentiality commitments with suppliers that are consistent with the commitment made with the client.

Tests performed:
Ctrl-1) Verified the following documentation and associated records: Confidentiality and Intellectual Property – Employees V2.0; DG-01 Code of Conduct V1.0 dated 11/08/2021.
Ctrl-2) Verified the confidentiality agreement of the main supplier associated with the service: https://cloud.google.com/privacy. Verified signed agreements with suppliers, as applicable: A-14 Confidentiality agreement with suppliers.

Tests results: No exceptions found.
C1.5 – Compliance with confidentiality commitments and requirements by suppliers and other third parties whose products and services are part of the system is evaluated periodically and as necessary and, if applicable, corrective actions are taken.

Organization controls:
Ctrl-1) The interested parties' requirements related to confidentiality and to legal and contractual compliance are reviewed at least once a year.
Ctrl-2) An evaluation of the suppliers' security is conducted once a year.

Tests performed:
Ctrl-1) Verified the analysis of interested parties' requirements: DG-03_Stakeholder Requirements – last review 09/27/2021.
Ctrl-2) Verified RG-01 Supplier Evaluation Record V1.0, 10/18/2021. Supplier analyses: Google Cloud, 11/02/2021; Facebook, 11/19/2021.

Tests results: No exceptions found.
C1.6 – Changes to confidentiality commitments and requirements are communicated to internal and external users, suppliers and other third parties whose products and services are included in the system.

Organization controls:
Ctrl-1) Changes in internal confidentiality agreements with impact are communicated to employees and a new agreement is signed.
Ctrl-2) Changes in agreements with clients (external users) are communicated through the privacy policy published on the website.

Tests performed:
Ctrl-1) Verified that, if a change is made, the confidentiality agreement is evaluated within the Human Capital Management process to analyze the need for re-signing by the employees. During the period there were no changes that required a new signature from the personnel.
Ctrl-2) Verified the publication of the policy: https://botmaker.com/privacy/

Tests results: No exceptions found.