Woolpert is an authorized reseller of several 3rd party products, such as Google Maps Platform (GMP). Because we are a reseller, we are occasionally asked by customers or prospects to complete cybersecurity assessments or similar security questionnaires for the products and services that we resell.
By default we do not complete or respond to those types of compliance requests because they almost never apply to the contractual or de facto relationship that we have with our resale customers.
But there are cases where we have a consulting relationship with customers. Meaning, we are providing professional expertise and services, up to and including, executable code and infrastructure configuration for customers.
Here are some cases where we DO and DO NOT enter into compliance conversations related to cybersecurity.
We do not engage with or commit to cybersecurity policies when...
When we are ONLY reselling 3rd party products and services to a customer
Woolpert has no part in the cybersecurity aspects of how a customer consumes or integrates with the 3rd party products we resell. In any case where a resale customer wants to engage in a cybersecurity conversation, we refer our customers directly to the vendor of the 3rd party product or service itself.
The contact is a resale-only agreement and NOT any assumption of liability for the product that we are reselling.
For example, rather than attempting to make statements about whether data is encrypted at rest in Google's Cloud Platform, we instead refer our customer to Google's own documentation on the topic.
Also, if a customer asks us whether we support their SAML directory provider to Google Workspace authentication and authorization, we defer to Google's documentation, and potentially that of their SAML system vendor, such as Auth0.
We may engage on topics of cybersecurity compliance when...
When Woolpert is providing professional advisory services
As a global consulting services company, Woolpert signs service agreements with many clients . These service agreements are typically governed by Woolpert's contract terms and conditions, but we may also adopt some or all of our client's service contract requirements.
For example, if a client has hired Woolpert to provide system architecture, we may be asked to describe the cybersecurity posture of the solution we are proposing.
But even then, we almost never host or operate those systems on behalf of our clients. Meaning, we design a system, and maybe implement the system, but we do it on a customer's own Cloud-native 'account'. For example: we might come up with Terraform scripts that set up a firewall and we may leave port 443 open. We would do this with the implicit or explicit (policy, acceptance) of our client, and deploy that into their cloud provider's infrastructure.
When Woolpert is building or configuring software or infrastructure for a client's use, we follow sensible default practices, but ultimately work with our clients on what works for them, including adherence to relevant policies.
When it comes to building bespoke software, we would expect to have a conversation around cybersecurity policies and processes with a client's cyber team. Indeed, we would welcome their involvement.
For example, we have performed co-design and code reviews with client cyber experts to ensure that our treatment of secrets like authorization keys are handled to their satisfaction.
And if a client required us contractually to keep geolocate data in a specific cloud region for compliance reasons, the Woolpert team would either agree to comply, or decline the contract.
When Woolpert is reselling our own (1st party) product
For example, Woolpert builds, operates, and sells our tile server, STREAM:RASTER, to paying customers as a subscription. In those cases, we most certainly would engage with any subscriber on topics of data, network, and software security policies and procedures.
So in summary: if Woolpert's Cloud Solutions team is asked complete a cyber policy compliance or assessment document or survey, and we are engaged solely in a reseller agreement, we will decline and refer to this support article.
In other cases, Woolpert may engage and has successfully done so in the past.