Audit Report

SOC2 Type 2

Brief Description
Independent Auditor´s Report on Controls relevant to
Security, Integrity, Availability, and Confidentiality in a
Service Organization

April 22nd
Final Report

Confidentiality Level

All information contained in this document must be kept strictly confidential, it is prohibited to copy and reproduce this document or part
of it without the proper authorization of SIRYS S.R.L. The aforementioned obligations will remain in force even after their expiration or
termination of use of this document.
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

Buenos Aires - April 26th, 2022

Botmaker

Attn. Hernán Liendo

I am pleased to present the final version of the “Independent Service Auditor´s

Report on Controls of a Service Organization that are relevant to Security, Integrity,
Availability, and Confidentiality”

Sincerely,

Lic. Diego H. Fojo

SIRYS S.R.L.

CONFIDENTIAL 2 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

Índice
Purpose 4

Scope 4

Audit Criteria 4

Executive Summary 5

SECCIÓN II – Trust Service Principles of Security, Availability, and

confidentiality, applicable criteria and related controls 9

CONFIDENTIAL 3 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

1. Purpose
To analyze the existence of security, integrity, availability and confidentiality controls applied to
the service offered through the "Botmaker Platform" in a SaaS mode, and the internal services of
"Administration, operational support and maintenance of the service infrastructure".

2. Scope
The audit scope is limited to the service offered through the "Botmaker Platform" in a SaaS mode
and the internal services of "Administration, operational support and maintenance of the
service infrastructure".

An evaluation of the controls relevant to the security, availability and processing integrity;
confidentiality and privacy of the information managed/associated with the service provided by
the organization was performed.

The evaluated services components are classified in the following five categories:

● Infrastructure: Facilities, IT, and other hardware (i.e.: facilities, computers, equipment,
mobile devices, and telecommunications networks).
● Software: software application and IT system software that support application programs
(operating systems, middleware, and utilities).
● People: personnel involved in the governance, operation and use of a system
(developers, operators, users, vendors and managers).
● Processes: Automated and manual procedures
● Data: information used and supported by a system (transaction data streams, files,
databases, tables and results).

3. Audit Criteria
The audit and the corresponding report will consider the "Trust Services Principles (TSP) Section
100 of AICPA (American Institute of Certified Public Accountants)" as a guide of audit criteria.

Audit Team
✓ Lic. Sebastián A. Victtorioso

✓ Lic. Diego H. Fojo

CONFIDENTIAL 4 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

1. Executive Summary

As a result of the review of the design and the evidence of compliance with security controls
obtained, the conclusion is that the organization complies satisfactorily with them,
demonstrating a strong commitment to continuous improvement.

Additionally, the results reveal that the organization has a continuous management of the
Information Security Management System (ISMS) certified under the ISO/IEC 27001:2013
standard, which has been certified during the current year, indicating a strong commitment
to Information Security, including in its design additional controls to those required in this
report.

The organization has its own information security risk management methodology, which is
fed back through the management of security incidents and contributes to the continuous
improvement of security controls as previously mentioned.

Next, section I describes the general conclusions according to what was assessed during the
controls design audit and their evidence review and, in section II, it is detailed how each of
the controls included in this report and their evidence of compliance has been verified.

CONFIDENTIAL 5 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

5. SECTION I - General Conclusions

The controls relevant to the security, availability and integrity of processing, confidentiality
and privacy of the information managed/associated with the service provided by the
organization to its client were evaluated

Below are the conclusions obtained on the components of the evaluated service:

❖ Infrastructure
In relation to the building infrastructure, the organization has physical locations that allow
the execution of services. However, most staff operate remotely from their homes. This
means that building contingencies in the offices do not affect services.
The physical infrastructure associated with the provision of the service is provided by Google
Cloud and in compliance with the highest standards: ISO27001, SOC2, etc.

There is high availability of services and redundancy of zones.

The following network security instruments are also available:
▪ High service availability
▪ Zone Redundancy
▪ Physical and equipment security of Google Cloud
▪ Firewall devices, VPN
▪ Secure authentication using IAM
▪ Storage and backup of data in the cloud.
▪ Designated Notebooks for each employee.
▪ VPN tunneling infrastructure for access to critical infrastructure

❖ Software
The organization has installed the necessary software programs for the daily operation of the
service.
Support software programs, such as repository and versioning of source code, ticket system,
are contracted in the SaaS mode to first class vendors.

❖ People
La organización cuenta con una estructura jerárquica, para la gestión de los servicios, el
escalamiento de los riesgos y la toma de decisión.
The organization has a hierarchical structure for service management, risk escalation and
decision making.
The competence of the persons assigned to each function is validated. The staff has periodic
training aligned to the professional needs and the services operated.

CONFIDENTIAL 6 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

The number of professionals assigned to the services respond to the needs of the
organization, the client's requirements and the contractual guidelines.

❖ Procedures
The Organization has policies and guidelines regarding information security, considering
among others:

● Framework Policy
● Particular security policies
● Logical Access Management or Access Profiles
● Change Management
● Security Incident Management
● Organization Chart and Job Profiles
● Risk Management
● Human Capital Management
● Training and awareness
● Supplier Management
● Documented Information Management
● Environment Management:
o Environments creation and deletion
o Change Management
o Maintenance
o Monitoring Management
o Capacity Management
o Infrastructure Support
o Safekeeping Management
o Vulnerability Management
o Service Continuity Management

The guidelines are communicated to both internal and external parties and users.
The organization is ISO/IEC 27001 certified, which guarantees correct information security
management, and is audited annually by an independent certification body. Additionally, as
required by the ISO/IEC 27001 standard, an internal audit of the ISMS and information
security controls is performed, by a specialized auditor, with the corresponding credentials.

❖ Data
The organization has operational processes for safeguarding and recovering the services
critical data. The information is protected by network segmentation and logical access
control.
Access to customer environments is done via secure connections (VPN tunnel).
All access to information is validated and approved according to each profile.

CONFIDENTIAL 7 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

The organization does not operate with customer information, but is responsible to protect
and preserve it throughout its life cycle.
There are tools for the validation and monitoring of integrity and availability, confidentiality is
safeguarded at all times through strict systems for access control (Google IAM Service) and
data encryption (SSL tunnels, database encryption and server encryption).

CONFIDENTIAL 8 / 42
 Audit Report
SOC 2 Type 2
SIRYS S.R.L

6. SECTION II - Trust Service Principles of Security, Availability, and

confidentiality, applicable criteria and related controls.
The objective of this report is to provide information to the interested parties on the
BOTMAKER security controls, in order to mitigate the relevant risks for the clients
organizations. The methodology used to assess the design of BOTMAKER's controls was
limited to the "Trust Service Principles of Security, Availability, and Confidentiality”, and
related criteria and controls specified by BOTMAKER's executive management.

CONFIDENTIAL 9 / 42
 Common criteria to all principles of security, availability, processing integrity and confidentiality

Common criteria related to organization

CC1.0 Organization controls Tests performed Tests results
and management

CC1.1 The structure of the organization has been Ctrl-1) The organization's staff signs a Ctrl-1) Verified the existence of No exceptions
established with reporting lines, authorities confidentiality agreement and Code of Conduct. Confidentiality Agreements and found.
and responsibilities for the design, In the same way, confidentiality agreements are Code of Conduct
development, implementation, operation, signed with critical suppliers.
monitoring and maintenance of the system, The following documentation
which allows it to meet its commitments and Ctrl-2) The reporting line is clearly defined, and is and associated records were
security, availability, integrity and communicated to all staff. There is an verified:
confidentiality requirements. organizational chart and a document describing - Confidentiality and
the position profiles: the main functions and Intellectual Property
responsibilities, as well as the knowledge and Employees V2.0
skills required for each position. The - DG-01 Code of Conduct
organization's management is notified of each V1.0 dated 11/08/2021
incident or relevant security risk identified.
Ctrl-2) Verified the following
documentation and associated
records:
- Organization chart of
BOTMAKER V1.0 dated
08/27/2021.
The chart establishes the role of
"Information Security Analyst",
in charge of security design and
administration.

The activities related to the

monitoring, maintenance and
control of the infrastructure are

CONFIDENTIAL 10 / 42
 carried out by the “Infrastructure
Team”, defined in the
organizational chart.

Both of them are part of the

Infrastructure Management,
responsible for the Information
Security management, and in
direct report to the
Organization's top management.

CC1.2 Responsibility and accountability for No exceptions

designing, developing, implementing, Ctrl-1) The definition of the Job found.
Ctrl-1) Roles and responsibilities are defined and
operating, monitoring, maintaining, and Profile and the internal
communicated to employees.
approving the entity’s system controls are communication processes were
assigned to individuals within the entity with validated. The following
authority to ensure policies and other system documentation and associated
Ctrl-2) An Information Security Analyst and an
requirements are effectively promulgated. records were verified:
Infrastructure Team have been allocated,
- PS-05 Human Capital
reporting to the Infrastructure Management, and
Management Process –
in charge of monitoring technological services
V1.3 Item 5.7 “Internal
and their risks.
Communication”
- Roles and
Ctrl-3) There is a risk management methodology
Responsibilities V1.0
from which the controls to be implemented are
– Job Profiles.
obtained.

Ctrl-4) There is a technological change

Ctrl-2) The following
management procedure, which defines the
documentation and associated
methodology for the analysis, approval and
records were verified:
implementation of changes in critical platforms.
- BOTMAKER
Organization chart V1.0
Ctrl-5) Information security awareness sessions
dated 08/27/2021.
are held for employees where the organization
Establishes the role of
information security policies are communicated.
the "Information
Security Analyst",

CONFIDENTIAL 11 / 42
 responsible for
information security
design and
administration.

The activities related to the

infrastructure monitoring,
maintenance and control are
carried out by the “Infrastructure
Team”, defined in the
organization chart.

Both of them are part of the

Infrastructure Management,
responsible for the Information
Security management, and in
direct report to the
Organization's top management.

Ctrl-3) The Information Security

Analyst monitors the risks and
updates the matrix
- RG-01 Risk Dashboard

The procedure complies with

the methodology described in
the procedure
- “PS-01 Risk
Management V1.0

Sample of high level risks

assessed:
- Database Information Theft (ID
ER-01)
- Data unavailability due to
database corruption (ID ER-14)

CONFIDENTIAL 12 / 42
 Verified mitigation and continuity
strategies established for them.

Ctrl-4) Verified a documented

Change Management procedure
- PS-10 Client
Environment
Management V1.2 Item
5.2 Change
Management,
applied by the infrastructure
team.
Checked the change log in
- "RG-07 Registry of
Follow-up and Control
of
Vulnerabilities_Incidents
_Changes"

Ctrl-5) Verified the new

collaborators awareness training
regarding information security
and the communication of the
organization security policies.
Sample:
- PPT "Awareness
Workshop"
- A_15 Training
Attendance Record
12/14/2021 – Training
“information security
awareness workshop#

CONFIDENTIAL 13 / 42
 CC1.3 Personnel responsible for designing, Ctrl-1) The organization has a work team Ctrl-1) Verified the process of
developing, implementing, operating, specialized in the selection and management of personnel selection and
monitoring, and maintaining the system human resources. evaluation:
affecting security, availability, integrity, and - PS-05 Human Capital
confidentiality, have the qualifications and Ctrl-2) The persons doing work that affects the Management Process –
resources to fulfill their responsibilities. infrastructure and security service and support V1.3
are qualified according to their job position. Their
skills are evaluated by project leaders Ctrl-2) The project leaders
continuously. monitor and evaluate the skills
of their staff before and during
Ctrl-3) The Job Descriptions are documented, the employment, according to item
personnel required roles and responsibilities are 5.8 pf Procedure PS-05
established. "Personnel Evaluation"

Ctrl-3) The definition of the Job

Profile was validated. The
following documentation and
associated records were
verified:
- Roles and
Responsibilities V1.0 –
Job Profiles.
Sample: "Security Analyst"
profile.

CC1.4 The organization has established standards Ctrl-1) Verified Confidentiality No exceptions
Ctrl-1) The organization's personnel signs a
of conduct for employees, has implemented Agreements and Code of found.
confidentiality agreement and an acceptable use
applicant background check procedures, Conduct
of assets and systems policy.
and conducts compliance procedures to The following documentation
meet its security, availability, integrity, and and associated records were
confidentiality commitments and verified:
Ctrl-2) The organization has internal personnel
requirements. - Confidentiality and
selection procedures.
Intellectual Property
Employees V2.0
Ctrl-3) There is a document containing the rules
- DG-01 Code of Conduct
of coexistence and the Information Security
V1.0 dated 11/08/2021.

CONFIDENTIAL 14 / 42
 policy, which is known and signed by all
employees. Ctrl-2) Verified process of
personnel selection and
Ctrl-4) There are practices of disciplinary evaluation:
sanctions for breaches or violations of current - PS-05 Human Capital
information security policies. Management Process –
V1.3

Ctrl-3)Verified document DG-01

Code of Conduct V1.0 dated
11/08/2021.

Ctrl-4) Verified disciplinary

process
- PS-05 Human Capital
Management Process –
Section 5.5 Disciplinary
Process

CONFIDENTIAL 15 / 42
 CC2.0 Common criteria related to organization
Organization controls Tests performed Tests results
and management

CC2.1 Information about the system design and Ctrl-1) Internal Infrastructure Management: the Ctrl-1) Verified the environment No exceptions
operation and its limits has been prepared organization has an Environment Management management process found
and communicated to authorized internal process, which contains the rules and limits - PS-10 Environment
and external users so that they can related to the deployment, changes, operation, Management.
understand their role in the system and the monitoring, maintenance and support of the This procedure reflects all the
results of the system's operation. service infrastructure. main management of the
infrastructure operation.
Ctrl-2) The organization has a network diagram
that shows the design of the deployed Ctrl-2) Verified the design of the
technological architecture. "Network Diagram"
infrastructure

Ctrl-3) Users and accesses are managed and Ctrl-3) Verified record
granted by duly documented profiles - Job Profiles and Access
Profiles V1.0 dated
09/27/2021
Ctrl-4) Client accesses his environment and
manages his own users with the minimum Ctrl-4) Verified the automatic
security rules defined by the organization, creation of accounts for
accepting the terms and conditions of use. clients/users of the system.
Verified the privacy policy,
accepted by clients:
- Privacy Policy –
botmaker.com/en/privacy
Verified user authentication
through their “Google” or
“Facebook” account or user
creation associated with an
email through the Google
service.

CC2.2 The security, availability, integrity and Ctrl-1) Security commitments are communicated Ctrl-1) Verified the privacy policy No exceptions
confidentiality commitments of the to customers through specific contracts (large that the customer consent: found
organization are communicated to external customers) and the Privacy Policy. Privacy Policy –
users, as appropriate; such commitments botmaker.com/en/privacy

CONFIDENTIAL 16 / 42
 and system requirements are communicated Ctrl-2) Ctrl-3) Validated the
to internal system users so that they can Ctrl-2) Employment agreements contain Confidentiality Agreements and
fulfill their responsibilities. provisions and/or compliance terms with the Code of Conduct
established information governance and the
security policies and must be reviewed and Verified the following
agreed to by the organization´s staff. documentation and associated
records:
- Confidentiality and
Ctrl-3) There are confidentiality agreements and Intellectual Property
rules of coexistence, which include the Employees V2.0
Information Security Policy and are known and - DG-01 Code of Conduct
signed by all employees. V1.0 dated 11/08/2021

CC2.3 The entity communicates the responsibilities Ctrl-1) Formal definition of job profiles. Ctrl-1) Verified No exceptions
to internal and external users and any other - Position Profiles and found
role that affects the system operation Ctrl-2) Confidentiality agreements and codes of Access Profiles V1.0
conduct available. dated 09/27/2021

Ctrl-3) Privacy and use of the systems Ctrl-2) Verified the following
agreement documentation and associated
records:
- Confidentiality and
Intellectual Property
Employees V2.0
- DG-01 Code of Conduct
V1.0 dated 11/08/2021.

Ctrl-3) Validated Privacy Policy,

which the client accepts:
Privacy Policy –
botmaker.com/en/privacy

CC2.4 Ctrl-1) Verified the Environments Management Ctrl-1) Verified Environments No exceptions
The internal and external personnel Procedure wich covers the deployment, deletion, Management process found
responsible for designing, developing, maintenance, operation, monitoring, support and - PS-10 Environment
implementing, operating, monitoring and maintenance of environments and production Management
maintaining the controls that are relevant to systems.
security, availability, processing, integrity

CONFIDENTIAL 17 / 42
 and confidentiality of the system, have the
necessary information to carry out the
mentioned responsibilities.

CC2.5 The system internal and external users are Ctrl-1) Formal channels are defined to report Ctrl-1) Verified the security No exceptions
informed on how to report security, failures and security incidents. There is a incident management process: found
availability, integrity, and confidentiality documented procedure for Information Security - PS-11 Incident
breaches, incidents, concerns, and other Incident Management. Management – V1.0 –
complaints to the pertinent personnel. dated 06/12/2021
Ctrl-2) The availability of formal channels of
communication with the client for reporting Ctrl-2) Validated the
information security failures. communication channels
available to customers:
- Account manager
- Partners
- Email
Verified the communication of a
formal channel to report issues
related to the processing of
personal data:
- Privacy Policy –
botmaker.com/privacy

CC2.6 System users are informed in a timely Ctrl-1) Verified the change No exceptions
manner of changes to the system that affect management process: found
their internal and external responsibilities or - PS-10 Environment
the commitments and requirements of the Management – Section
Ctrl-1) Any change that may affect the operation
entity related to security, availability, integrity 5.2 Change
and security of the systems is communicated and
and confidentiality. Management
coordinated with the interested parties. There is
Verified the change log in
an Infrastructure Change Management
- "RG-07 Registry of
procedure
Follow-up and Control
of
Vulnerabilities_Incidents
_Changes"

CONFIDENTIAL 18 / 42
 CC3.0 Common Criteria related to Risk
Management, design and implementation Organization controls Tests performed Tests results
of controls

CC3.1 The entity (1) identifies potential threats that Ctrl-1) Periodically, the technology management, Ctrl-1) Verified the Risk No exceptions
could affect the system security, availability, with the support of the Security Analyst, performs Management process: found
integrity, and confidentiality commitments an analysis of the existing risks for different high- - PS-01 Risk
and requirements, (2) analyzes the impact risk scenarios. Management Procedure
significance of risks associated with the – V1.0 dated
identified threats, and (3) determines 07/21/2021
mitigation strategies for these risks Ctrl-2) In the event of an interruption of Reviewed the technological risk
(including controls and other mitigation operations, business continuity plans are defined management matrix (RG-01
strategies). as a mitigation strategy to respond to the Risk Board). Verified the follow
services continuity with customers up of the risk treatment status.
- Risk ID ER-03.
Ctrl-3) Risks are periodically reviewed and their Treatment ID Trello
treatment is monitored. 2mdwek06. Status:
closed

Ctrl-2) Verified the contingency

strategy and the execution of
continuity tests:
- Contingency
Strategy.xlsx
- Continuity test – 2021 –
12/16/2021.
- Test exercise on
scenario "Down Zones"
- 12/16/2021

Ctrl-3) Verified an annual risk

review definition. (Risk
Monitoring – PS01)

CC3.2 The entity designs, develops and Ctrl-1) Verified the existence of No exceptions
Ctrl-1) The organization has implemented an
implements controls, including policies and the ISMS certified in ISO/IEC found
ISMS – Information Security Management
procedures, to implement its risk mitigation 27001 standard.
System, based on and certified in
strategy.

CONFIDENTIAL 19 / 42
 ISO/IEC 27001:2013 - Information Security Ctrl-2) Verified documented
Management System. policies and procedures that
respond to a risk mitigation
Ctrl-2) Availability of information security strategy.
management policies and procedures. Declaration of Applicability
(DoA)
Ctrl-3) Availability of an Objectives and
Management Board V1.1, applied to monitoring Ctrl-3) Verified the definition and
operational controls, security and management monitoring of the controls
indicators. associated with the ISMS as a
risk mitigation strategy:
RG06-DASHBOARD OF
OBJECTIVES AND
MANAGEMENT v1.1

CC3.3 Ctrl-1) Verified document: No exceptions

The entity (1) identifies and assesses - DG-01 Context and found
changes (for example, environmental, Scope of the ISMS –
regulatory, and technological) that could V1.1 dated 01/13/2022 Nonetheless, the
Ctrl-1) Documentation available for the definition
significantly impact the internal control Salesforce client
and analysis of the context and scope of the
system of security, availability, processing Ctrl-2) Verified the SWOT matrix infrastructure is
ISMS
integrity, and confidentiality and reassesses and the annual management monitored by the
risks and mitigation based on them and (2) review: client itself (the
Ctrl-2) Annual reviews of the context and
reassesses the adequacy of the design and - DG-02 SWOT-CAME organization does
strategic objectives are carried out by the
deployment of control activities based on the Matrix – V1.0 – not have access).
Management, updating the SWOT Matrix.
operation and monitoring of those activities, 09/27/2021
and updates them as necessary. - PS-04 Management
Ctrl-3) A formal documented procedure for
Review – V1.0 –
Infrastructure Change Management is available
09/28/2021
Verified the management
Ctrl-4) Availability of a documented information
review, including the review of
management process, including document
context changes, SWOT and
change management (updates to policies,
Risk management.
processes, procedures, etc.).
- A-03 Minutes of
Management Review
dated 12/23/2021

CONFIDENTIAL 20 / 42
 Ctrl-4) Verified the information
management procedure
- PR-01 Documented
Information Management
Procedure – V1.0 –
09/28/2021

CONFIDENTIAL 21 / 42
 CC4.0 Common Criteria Related to Control Organization controls
Tests performed Tests results
Monitoring

CC4.1 The controls design and operational Ctrl-1) In place operational monitoring tools and Ctrl-1) Verified the monitoring No exceptions
effectiveness are periodically evaluated controls for availability and security management process: found
based on security and availability. PS-10 Environment
Ctrl-2) Existence of Indicators associated with the Management – Section 5.4
availability of systems and security and Monitoring Management-
infrastructure support incidents. PS-10 Environment
Management – Section 5.6
Ctrl-3) ISMS annual review Infrastructure Support

Ctrl-4) ISMS Annual Audits Verified registration:

"RG-07 Registry of Follow-up
Ctrl-5) VRA/Pentest audits on the infrastructure and Control of
Vulnerabilities_Incidents_Chang
Ctrl-6) Vulnerabilities in systems monitoring and es"
Management. Uptime.xls checks
# 02/14/2022 result 99.973%
Ctrl-7) Nonconformity and continuous # 03/28/2022 result 99.979%
improvement management process.
Ctrl-2) Validated record:
RG06 - OBJECTIVES AND
MANAGEMENT BOARD_V1.1
Sample: Control “Failed
Changes” 03/01/2022, indicator
in “green”.

Ctrl-3) Verified the management

review, including updates and
changes to the ISMS
A-03 Minutes of Management
Review dated 12/23/2021

Ctrl-4) Verified the last internal

and external audit:

CONFIDENTIAL 22 / 42
 Internal Audit Report -
Information Security
Management System issued on
12/23/2021.
Certification Audit Report -
Issued by IRAM - dated
01/14/2022

Ctrl-5) Verified the execution of

an annual pentest:
BOTMAKER_Executive
Report_RE_TEST_January_202
1.pdf
The RE_TEST of 2022 is
running

Ctrl-6) Verified record:

"RG-07 Registry of Follow-up
and Control of
Vulnerabilities_Incidents_Chang
es"

Ctrl-7) Verified the non-

conformity and improvement
management procedure:
S-02 Continuous Improvement
Process V1.0 – 09/13/2021
RG-02 Continuous Improvement
Tracking Record – updated to
date

CONFIDENTIAL 23 / 42
 CC5.0 Common Criteria related to Physical and
Organization controls Tests performed Tests results
Logical Access Controls
CC5.1 A logical access security software, the Ctrl-1) Documented procedures for access Ctrl-1) Verified access No exceptions
infrastructure, and the architectures have management available management procedure, it is found
been implemented to support: (1) the suitable for the organization.
identification and authentication of Ctrl-2) The organization has a Password Policy. PS-07 Access Management –
authorized users; (2) restricting access by V1.2 -04/07/2022
authorized users to system components, or Ctrl-3) All the authentication systems associated
portions thereof, authorized by with the infrastructure and systems allow the Ctrl-2) TVerified the password
administration, including hardware, data, creation of strong passwords and in compliance policy, which is adequate for the
software, mobile devices, output, and offline with the defined password policies. organization.
elements; and (3) prevention and detection POL-02 Specific information
of unauthorized access. Ctrl-4) Authentication systems have password security policies – v1.2 –
blocking controls due to repetition of incorrect Section 2.8 Password Policy
entries and alerts the admin.
Ctrl-3) Verified “Google”
Authentication set up according
to infrastructure environments
and systems policies.

Verified use of Google IAM for

access to critical infrastructure.

Verified double authentication

factor for critical systems.

For user environments,

authentication is through the
personal Google account,
Facebook, or by creating a user
associated with an email
through the Google service.

Ctrl-4) Verified the generation of

alerts via email to admins in the
event of improper access
attempts to the systems.

CONFIDENTIAL 24 / 42
 CC5.2 New system users, whether internal or Ctrl-1) System access is authorized for new Ctrl-1) Verified the network user No exceptions
external, are registered and authorized prior users before they are granted access to the approval and granting workflow. found.
to receiving system credentials and being organization's systems. -Example: User registration
granted access. May/09/2022 registered in
User's credentials are deleted when access Google Workspace.
is no longer authorized. Ctrl-2) Role-based access is used to determine
the need to access the systems. Ctrl-2) Verified the accesses
according to the user profile with
Ctrl-3) Users and permissions are deleted the role of "Security Analyst",
according to the Access Management compliant to what is defined in
documented procedure. the registry
Roles and Responsibilities –
Ctrl-4) There are periodic checks to review Access Profiles v1.0 dated
accesses granted and deletions. 09/27/2021

Ctrl-3) Verified user deletion

after deregistration according to
PS-07 Access Management –
Section 5.3 User Deregistration.

Ctrl-4) Verified execution of the

six-monthly access review.
RG06-Objectives and
Management Board v1.1
Privileged users - Date of last
revision 10/30/2021 – No
deviations
Standard users- Last revision
date: 10/30/2021 – No
deviations
Verified the scheduling of an
deregistered users review by
07/30/2022
CC5.3 Internal and external system users are Ctrl-1) All system components have secure Ctrl-1) Reviewed relevant No exceptions
identified and authenticated when they logical access authentication systems. service access systems: found.
access system components (i.e.:, Google Cloud
infrastructure, software, and data). Databases
Github (access to source code)

CONFIDENTIAL 25 / 42
 Botmaker Platform
Administration
Access with the rol client to the
Botmaker platform
To access, all permissions
required having a username and
password duly granted
according to their profile.
CC5.4 Access to data, software, features, and Ctrl-1) Role-based access is applied to Ctrl-1 and Ctrl-2) Verified the No exceptions
other IT resources is authorized and is determine the need to access systems. availability of procedures for found.
modified or removed based on roles, granting access to data,
responsibilities, or system design and Ctrl-2) Access to the network and systems is software and other resources,
changes made. revoked or modified as part of the access as well as their modification and
management process. elimination based on roles.
PS-07 Access Management
Ctrl-3) the system allows the creation,
modification and deletion of users for Botmaker Ctrl-3) Verified the access as a
platform users (clients). client to the Botmaker platform,
and the creation, modification
and deletion of users.
CC5.5 Physical access to the facilities hosting the Ctrl-1) The organization infrastructure is in Ctrl-1) Verified that all the No exceptions
system (for example, datacenters, backup Google cloud. Therefore, everything related to infrastructure directly or found.
media storage, and other sensitive physical access is covered. indirectly associated with
locations, as well as sensitive system customer service is deployed in
components within those locations) is Ctrl-2) The applications and support systems for Google cloud.
restricted to authorized personnel. internal management are rented as a cloud
service (SaaS). Ctrl-2) Verified that all support
and internal management
services are deployed in the
Google cloud or are SaaS-type
services hired from top-tier
companies (Github, Trello,
among others).
CC5.6 Logical access security measures have Ctrl-1) Access to the infrastructure is done Ctrl-1) Verified access No exceptions
been implemented to protect against through IAM - Identity and Access Management management through IAM. found.
unauthorized access, and threats to of Google Cloud.
availability, integrity, and confidentiality, Ctrl-2) Verified periodic access
control with privileges:

CONFIDENTIAL 26 / 42
 from sources outside the system Ctrl-2) Accesses with critical privileges are Critical: Last registration dated
boundaries. controlled every 15 days and non-critical access 03/01/2022.
every 6 months Not critical. Last registration
dated 05/02/2022
Ctrl-3) Accesses of users accessing the
infrastructure through a Firewall and the Ctrl-3) Verified access log
corresponding authorization of origin and ports documented in the log
are controlled. - [Botmaker] Firewall Access.xls
against the firewall
CC5.7 The transmission, change, and deletion of Ctrl-1) Available policy for the exchange and Ctrl-1) Verified the policy No exceptions
information is restricted to authorized users handling of customer information - POL-02 Specific information found.
and processes, and is protected during security policies – Section 2.4
transmission, movement, or removal Ctrl-2) The information that the client handles Exchange and treatment of
enabling the entity to meet its commitments through the platform is managed by him customer information policies.
and requirements of information security, throughout the life cycle, the organization only
availability, integrity, and confidentiality. intervenes in its safeguard (backup) Ctrl-2) Verified the access
profiles for users and their
Ctrl-3) There is strict control over the granting permissions to manage their
and execution of permissions for the information through the
transmission, movement and deletion of data platform.
from systems.
Ctrl-3) Verified the procedures
Ctrl-4) Every change, this being the deletion or for granting role-based access
movement of a database, goes through a to data, as well as its
defined Change Management process. modification and deletion.
PS-07 Access Management –
V1.2 04/07/2022

Ctrl-4) Verified the change

management process:
PS-10 Environment
Management – Section 5.2
Change Management
Checked the log of changes in
"RG-07 Registry of Follow-up
and Control of
vulnerabilities_Incidents_Chang
es"

CONFIDENTIAL 27 / 42
 CC5.8 Controls have been implemented to prevent Ctrl-1) Software acquisition policy available. Ctrl-1) Verified the policy: No exceptions
or detect and act on the introduction of POL-02 Specific information found.
unauthorized or malicious software. Ctrl-2) Proper use of information systems policy security policies – Section 2.9
available Software acquisition and
interconnection of systems
Ctrl-3) At the infrastructure level, all software policies
must be validated and according to the change
management process. Ctrl-2) Verified the policy:
POL-02 Specific information
security policies – Section 2.9
Software acquisition and
interconnection of systems
policies

Ctrl-3) Verified the change

management process:
PS-10 Environment
Management – Section 5.2
Change Management

CONFIDENTIAL 28 / 42
 CC6.0 Common Criteria related to Operating
Organization controls Tests performed Tests results
Systems
CC6.1 System component vulnerabilities to Ctrl-1) The organization has a vulnerability Ctrl-1) Verified the monitoring No exceptions
security, availability, integrity, confidentiality management process management process: found.
breaches, and incidents due to malicious PS-10 Environment
acts, natural disasters, or errors are Ctrl-2) Annual Vulnerability Scans and Management – Section 5.8
monitored and evaluated, and Penetration Test are performed. Vulnerability Management
countermeasures are implemented to
resolve new and known vulnerabilities. Ctrl-3) Systems are monitored and scanned for Ctrl-2) Verified the execution of
vulnerabilities. an annual pentest:.
BOTMAKER_Executive
Ctrl-4) Vulnerabilities are managed and Report_RE_TEST_January_202
prioritized according to their criticality. 1.pdf
The RE_TEST of 2022 is in
process

Ctrl-3 and Ctrl-4) Verified:

- “RG-07 Record of Follow-up
and Control of Vulnerabilities
_Incidents_Changes”
Verified the management of the
following vulnerabilities:
CVE-2013-7445 on all-cluster-
specs component – detection
02/09/2022
CVE-20219-19814 on firestore-
backup-py component –
detection 01/26/2022
CC6.2 Ctrl-1) Formal documented security incident Ctrl-1) Verified the security No exceptions
Security, availability, integrity, and management procedure available. incident management process: found.
confidentiality incidents, including logical PS-11 Incident Management –
and physical security breaches, failures, Ctrl-2) Formal channels are defined to report V1.0 – 12/06/2021
concerns, and other complaints, are failures and security incidents.
identified, reported to appropriate Ctrl-2) Verified the available
personnel, and acted upon in accordance Ctrl-3) Incidents are analyzed and managed communication channels to the
with established incident response according to defined processes. client:
procedures. account manager

CONFIDENTIAL 29 / 42
 partners
Email
Verified the communication of a
formal channel to report issues
related to the processing of
personal data:
Privacy Policy –
botmaker.com/privacy

Ctr-3) Validated the document:

- “RG-07 Record of Follow-up
and Control of Vulnerabilities
_Incidents_Changes”
Verified the management of the
following incidents:
There were no incidents during
the analyzed period.

CONFIDENTIAL 30 / 42
 CC7.0 Common Criteria related to Change
Organization controls Tests performed Tests results
Management
CC7.1 Security, availability, integrity, and Ctrl-1) The personnel assigned to the service Ctrl-1) Verified the application of No exceptions
confidentiality requirements and follow the guidelines of the organization and methodologies and good found.
commitments are addressed throughout the those defined by the client regarding security, practices in software
system development lifecycle, including the integrity, availability and confidentiality, development by the
design, acquisition, implementation, throughout the software development life cycle. organization.
configuration, testing, modification, and
maintenance of system components. Ctrl-2) Operation changes and maintenance are Ctrl-2) Verified the change and
managed through an environment management maintenance management
process. process:
PS-10 Environment
Management – Section 5.2
Change Management
PS-10 Environment
Management – Section 5.3
Maintenance
CC7.2 Infrastructure, data, software, and Ctrl-1) A component maintenance plan is Ctrl-1 and Ctrl-2) Verified the No exceptions
procedures are updated as necessary to defined through metrics and alerts, in order to configuration of metrics in the found.
maintain consistency with system keep them updated. Google Cloud actions are systems different components
commitments and requirements for security, configured to automatically update components and the alerts notifications.
availability, integrity, and confidentiality of based on the change criticality.
processing. Ctrl-3) Verified the documented
Ctrl-2) Google Cloud alerts regarding the update information management
status of the components are monitored and the procedure
Change Management process is applied. PR-01 Documented Information
Management Procedure – V1.0
Ctrl-3) Procedures are updated on changes. An – 09/28/2021.
annual review of all procedures is carried out. Verified that no document has a
version with a
publication/modification date
greater than 12 months.
CC7.3 Change management processes are Ctrl-1) The Change Management process is Ctrl-1) Verified the change No exceptions
initiated when deficiencies in the design or executed when there is a need for a modification management process, which found.
operational effectiveness of controls are or resolution of a problem/incident. defines the guidelines for
identified during the system operation and requesting, evaluating and
monitoring. executing changes.

CONFIDENTIAL 31 / 42
 PS-10 Environment
Management – Section 5.2
Change Management.

CC7.4 Changes to system components are Ctrl-1) Changes are classified according to their Ctrl-1) Verified the following No exceptions
authorized, designed, developed, criticality, from which planning, approval and steps established in the found.
configured, documented, tested, approved, registration requirements are defined. definition and execution of the
and implemented in accordance with changes according to their
security, availability, processing integrity, criticality, categorizing them
and confidentiality commitments and into:
requirements. Standard: routine changes
without risk for the operation.
For example, applying non-
critical patches

Critical: due to their complexity

or possible impact, they require
detailed planning, analysis and
formal approval. For example,
migration of a database.

Emergencies: based on the

need for immediate execution.
For example, to resolve an
incident

CONFIDENTIAL 32 / 42
 Additional Criteria for Availability
Organization controls Tests performed Tests results

A1.1 Processing capacity and usage are Ctrl-1) The capacity of critical components is Ctrl-1) The alerts of: No exceptions found.
monitored, maintained, and evaluated in monitored through metrics and alarms. Capacity of the “queues”
order to administer capacity demand and – Register “Infrastructure
enable the implementation of additional Ctrl-2) The infrastructure is self-scaling as part queue alert”
capacity to help meet availability of the solutions provided by the cloud service CPU and Memory
commitments and requirements. provider. monitoring graphs-
Sample: CPU near limit
on m-infra proxy from
05/08/2022

Ctrl-2) Verified that all

services run on Google
Cloud with a service that
allows infrastructure auto
scaling. In the case of
receiving saturation CPU
alerts, its capacity is
extended.
A1.2 Environmental protections, software, data Ctrl-1) Backup management process (Backups) Ctrl-1) Verified the No exceptions found.
backup processes, and recovery available. backup management
infrastructure are designed, developed, process
implemented, operated, monitored, and Ctrl-2) Contingency Management process PS-10 Environment
maintained to meet availability commitments available. Management – Section
and requirements. 5.7 Backup Management
Ctrl-3) Infrastructure environmental conditions
are ensured by the cloud infrastructure provider. Ctrl-2) Verified the
backup management
process:
PS-10 Environment
Management – Section
5.9 Service Continuity

CONFIDENTIAL 33 / 42
 Ctrl-3) Verified supplier
compliance with SOC 2:
https://cloud.google.com/
security/compliance/soc-2

A1.3 Procedures that support system recovery in Ctrl-1) Documented backup strategies and Ctrl-1) Verified backup No exceptions found.
accordance with recovery plans are tested execution of periodic tests strategy and restore tests:
periodically in order to help meet availability Record of Follow-up and
commitments and requirements. Ctrl-2) Documented service contingency Control of
management strategies and execution of Vulnerabilities_Incidents_
periodic tests. Changes – V1 – “Policy
and Execution of
Backups”

Ctrl-2) Verified
contingency strategy and
the execution of continuity
tests:
Contingency Strategy.xlsx
Continuity test – 2021 –
12/16/2021.
Test exercise on scenario
"Zones Down" -
12/16/2021

CONFIDENTIAL 34 / 42
 Additional Criteria for Availability
Organization controls Tests performed Tests results

Procedures are in place to prevent, detect, Ctrl-1) The platform has data integrity controls. Ctrl-1) Verified input data No exceptions found.
PI1.1 and correct processing errors to meet validation controls and in
processing integrity commitments and Ctrl-2) An incident management procedure to the exchange of
requirements. handle any processing and/or data integrity information through APIs
errors is established.
Ctrl-2) Verified the
security incident
management process:
- PS-11 Incident
Management –
V1.0 –
12/06/2021

System inputs are fully, accurately, and Ctrl-1) There is an integrity control over the data Ctrl-1) Verified the No exceptions found.
PI1.2 timely measured and recorded in accordance inputs to the platform customizable input data
with commitments and processing integrity validation controls from
requirements. Ctrl-2) Relevant entries and activities are the platform configuration
recorded in the platform transaction log - Configuration of
input: “User
name”, valid input
data type “Name”.

Ctrl-2) Verified the

following entries in the
change history log
(sample):
- Date
- Author
- Action

CONFIDENTIAL 35 / 42
 Data is processed in a complete, accurate Ctrl-1) Incomplete data or with some integrity Ctrl-1) Verified by sample No exceptions found.
PI1.3 and timely manner as authorized, in validation error are not processed. the following inputs, their
accordance with processing integrity validation before
commitments and requirements. processing, and the error
message to the user:
- Entry
configuration
“Username”, valid
input data type
“Name”.

Data is fully and accurately stored and Ctrl-1) The data is stored and maintained in full Ctrl1) Verified the No exceptions found.
PI1.4 maintained for its specified lifetime in in accordance with the specifications defined in following statement in the
accordance with processing integrity the contractual Terms and Conditions. Privacy Policy
commitments and requirements. https://botmaker.com/en/p
Ctrl-2) The established backup strategy rivacy/:
responds to the backup requirements.
Term:
“Botmaker may retain
Information for as long as
necessary to fulfill the
purposes for which it was
collected or as necessary
to provide the Services,
including after the
cancellation or deletion of
any account, or after the
termination of the
services provision, if
retention of such
information is reasonably
necessary to comply with
legal obligations, meet
regulatory requirements,
resolve disputes between
users, prevent fraud or
any other use.”

CONFIDENTIAL 36 / 42
 Ctrl-2) Verified the
backup rules defined for
the following databases:
- Firestore
- BigQuery
/Type of backup: Full
/Frequency: Daily
/History: not limited

System output is complete, accurate, Ctrl-1) An integrity check on the data outputs of Ctrl-1) Verified the output No exceptions found.
PI1.5 distributed and retained in accordance with the platform is performed. data validation controls:
processing integrity commitments and -In the event of an invalid
requirements. Ctrl-2) Relevant outputs and activities are name entry in the “name
recorded in the platform transaction log type” field, an error output
message is returned.

Ctrl-2) Verified (sample)

the following outputs in
the platform conversation
event log:
- Sending
notifications not
delivered by the
Whatsapp
channel.

The data modification is authorized, using Ctrl-1) Platform users can only modify the Ctrl-1) Verified the No exceptions found.
PI1.6 approved procedures in accordance with the information associated with their profile. operations that can be
commitments and requirements of executed by a platform
processing integrity Ctrl-2) Any information modification outside the user according to the
logic of the platform operation, is done through assigned profile.
an analysis and authorization process (Change
Management) Ctrl-2) Verified the
change management
process, which defines
the guidelines for
requesting, evaluating
and executing changes.

CONFIDENTIAL 37 / 42
 - PS-10
Environment
Management –
Section 5.2
Change
Management

CONFIDENTIAL 38 / 42
 Additional Criteria for Availability
Organization controls Tests performed Tests results

C1.1 Confidential information is protected during Ctrl-1) Production data is not used in any Ctrl-1) The development No exceptions found.
the system design, development, testing, previous environment. team was interviewed and
implementation and change processes in it was verified that the
accordance with confidentiality commitments Ctrl-2) Every change in production is done productive data was not
and requirements. through a controlled process (Change used for debugging or
Management) testing

Ctrl-2) Verified the

change management
process, which defines
the guidelines for
requesting, evaluating
and executing changes.
PS-10 Environment
Management – Section
5.2 Change Management
C1.2 Confidential information within system Ctrl-1) Users must authenticate their access to Ctrl-1) Verified user No exceptions found.
boundaries is protected from unauthorized customer environment through a username and authentication via their
access, use, and disclosure during input, password. “Google” or “Facebook”
processing, retention, output, and disposition account or creation of a
in accordance with confidentiality Ctrl-2) User access to the platform environment user associated with an
commitments and requirements. as support or assistance have an approval and email through the Google
monitoring flow. service.

Ctrl-3) There are cryptographic controls for the Ctrl-2) Verified a semi-
transmission, processing and protection of automatic access request
sensitive information. to the platform by the
support operators to the
user when required.
The permit is granted for
a maximum period of 24
hours and is canceled
when the assistance is
completed. The activities

CONFIDENTIAL 39 / 42
 carried out are recorded.
The mentioned steps are
managed through the
https://iaccess.botmaker.
app module

Ctrl-3) Verified the

following controls:
SSL channel across the
platform

C1.3 Access to confidential information from Ctrl-1) The infrastructure accesses of Ctrl-1) Verified (sample) No exceptions found.
outside system boundaries and disclosure of priviledged users are restricted to authorized access permission
confidential information is restricted to personnel according to job profile. defined according to the
authorized parties in accordance with "Roles and
confidentiality commitments and Ctrl-2) There are cryptographic controls in the Responsibilities - Access
requirements. infrastructure for information access and Profile" record:
protection.
# “GoogleCloud Client
Environment”
Management Type: by
Owner
Owner: Engineering
Director and Head of
Infrastructure
Access: Owner only

#Github
Management Type: by
profile
Owner: Head of
Infrastructure
Access: technology
profiles.

Ctrl-2) Verified the

following controls:

CONFIDENTIAL 40 / 42
 VPN for access to
platform infrastructure
management
AES256 encryption on
servers.

C1.4 The entity has confidentiality commitments Ctrl-1) There are confidentiality agreements with Ctrl-1) Verified the No exceptions found.
consistent with its confidentiality employees consistent with the commitment following documentation
requirements to suppliers and other third made with the client and associated records:
parties whose products and services are part Confidentiality and
of the system and have access to confidential Ctrl-2) There are confidentiality commitments Intellectual Property
information. with suppliers that are consistent with the Employees V2.0
commitment made with the client. DG-01 Code of Conduct
V1.0 dated 11/08/2021.

Ctrl-2) Verified the

confidentiality agreement
of the main supplier
associated with the
service:
https://cloud.google.com/
privacy
Verified signed
agreements with
suppliers, as applicable.
A-14 Confidentiality
agreement with suppliers.

C1.5 Compliance with confidentiality commitments Ctrl-1) The interested parties requirements Ctrl-1) Verified analysis of No exceptions found.
and requirements by suppliers and other third related to confidentiality and legal and interested parties
parties whose products and services are part contractual compliance, are reviewed at least requirements:.
of the system is periodically and as once a year. DG-03_Stakeholder
necessary evaluated and, if applicable, Requirements
corrective action are taken. Ctrl-2) An evaluation of the suppliers security is Last review 09/27/2021
conducted once a year

CONFIDENTIAL 41 / 42
 Ctrl-2) RG-01 Supplier
Evaluation Record V1.0
10/18/2021.
Supplier Analysis:
Google Cloud:
11/02/2021
Facebook: 11/19/2021

C1.6 Changes to confidentiality commitments and Ctrl-1) Changes in internal confidentiality Ctrl-1) Verified: if a No exceptions found.
requirements are communicated to internal agreements with impact are communicated to change is made, the
and external users, suppliers and other third employees and a new contract is signed. confidentiality agreement
parties whose products and services are is evaluated within the
included in the system. Ctrl-2) Changes in agreements with clients Human Capital
(external users) are communicated through the Management process to
privacy policy published on the website. analyze the need of a re-
signing by the employees.
At the moment there have
been no changes that
required a new validation
of the personnel.

Ctrl-2) Verified the

publication of the policy
https://botmaker.com/priv
acy/

CONFIDENTIAL 42 / 42