The security, integrity, and availability of Conversica’s systems and customer information are our highest priority. They are ensured via a strategic combination of industry best practices, deep industry experience, and partnership with best-in-class providers such as Amazon Web Services (AWS). This document will provide a high-level overview of this security posture.
Application security is managed by Conversica and includes the following controls:
- All code is tested and reviewed before moving into production.
- Regular security scans are performed on the Conversica application.
- All access to edit and merge code into production is tightly controlled by a select team of engineering leads.
Production resources are hosted by Amazon Web Services (AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance whitepaper available on their website: http://aws.amazon.com/security).
This includes the following controls:
- Perimeter and building ingress is controlled by security staff using video surveillance, intrusion detection systems, and other electronic means.
- Two-factor authentication is required for authorized personnel to access data center floors.
- Physical access is granted on temporary, as-needed basis and is immediately revoked when access is no longer needed.
- All physical access is logged and audited regularly.
- Additional content for fire detection and suppression, power, climate and temperature, data center management, and storage device decommissioning in the whitepaper.
Engineering access is managed by Conversica and includes the following controls:
- Physical access to engineering offices is controlled via keycard access.
- Servers hosted in our engineering offices are locked in a separate room that is visible and monitored by the IT staff. These servers host only development and testing environments.
- Access to code is controlled through GitHub (https://help.github.com/articles/github-security/) permissions. Control of GitHub permission systems are limited to select senior staff members. Engineering permissions are specific to user, and systems specific to their work.
- Two factor authentication is mandatory for all users.
- Developers are required to lock their workstations before leaving their desks.
Network access is managed by Conversica and includes the following controls:
- Access to Conversica production resources is tightly controlled via multiple levels of security in firewalls and virtual private networks.
- All connections to Conversica resources are completed via Secure Sockets Layer (SSL). Non-SSL connections required for legacy integrations are isolated on the network.
- All client data available through Conversica dashboards is sent via HTTPS.
Security monitoring is managed by AWS and includes the following controls:
- Active protection against Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks, IP spoofing, port scanning, and packet sniffing.
- In addition to monitoring, AWS performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools. Also, AWS Security teams subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches. AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at: http://aws.amazon.com/security/vulnerability-reporting/
Security Regulatory Compliance
Security regulatory compliance is managed by AWS and includes the following controls:
The IT infrastructure that AWS provides is designed and managed in alignment with best security practices and a variety of IT security standards, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 27001
- FIPS 140-2
Business Regulatory Compliance
Business regulatory compliance is managed by Conversica and includes:
- When used as directed (specifically with inbound leads, that is, people who have already by definition opted in to being contacted), the Conversica service is in compliance with requirements of the U.S. CAN-SPAM Act and the Canada Anti-Spam Law (CASL), which establish requirements for commercial messages.
- Commercial messages are defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”
- In contrast, when used as directed, Conversica-generated messages are primarily transactional, defined as “facilitating an already agreed-upon transaction or updating a customer about an ongoing transaction,” since they are being used to follow up with inbound leads, and are therefore in compliance with the regulations.
Administrative Access and Control
Access and authorization to production resources include the following controls:
- Maintained on a “least permissions” basis. Credentials provided to employees and systems are only authorized from specific locations, for specific actions, to specific data.
- All engineering and infrastructure employees have a background check performed prior to hire.
Security Policies include:
- Incident Management Process
- Logging, Auditing, Monitoring
- Physical Security
- Patching Process
- Authentication and Authorization
- Network Configuration (Remote Access)
- Network Configuration (Firewalls)
- Network Configuration (VPNs, VPCs)
- Encryption Standards
- System Configuration
- Application Security and Configuration
- Database Security and Configuration
Service Availability is managed by Conversica and includes the following controls:
Critical systems have multiple failover systems implemented.
- Asynchronous processing allows for distributed “hot” backups to seamlessly continue processing in the event of resource failure.
- Automated resource configuration systems can deploy new production resources in minutes.
- Regular snapshots are taken of production resources that can be used to deploy new resources, or roll-back changes on existing resources.
- Encrypted back-ups of production resources and data are stored in multiple cloud services and offline.
- All code changes are tracked separately for each production system. Any changes can be quickly rolled-back.