What data are we keeping secure?
Assuming we integrate with your Zendesk platform, we'll have access to all customer data points in the CRM.
While we have access, we will never use or process your customers' data for anything other than the intended and agreed-upon purpose. We take free text from conversations, reviews and surveys and turn it into insights that you view on the platform.
Under GDPR, we are legally the data processor and you are the data controller. We are fully GDPR compliant (see our data protection policy here).
What certification and penetration testing have you done?
We're very cautious with our customers' data. We've undertaken extensive security testing to ensure it is protected.
• Penetration testing:
• Cyber Essentials Plus (Read about the certification here)
What about your internal information governance security?
Please read the documents below to understand our ISG.
• Here's our incident response policy.
• Data classification policy.
What additional security do you have with regard to employees?
• Here's our process to manage data access for new joiners and leavers.
We make sure our team is aware of the company-wide Information Security Policy: our contracts of employment contain clear Information Security Responsibilities that must be followed by all employees.
How do you encrypt your data?
When data is at rest on our AWS servers we use full-disk encryption with 256-bit Advanced Encryption Standard (AES-256), which is compliant with the standards outlined in FIPS 140.
When data is in transit, we apply encryption using TLS v1.2+.
We tightly control our encryption keys using AWS Key Management Service (AWS KMS). AWS KMS keys are protected by hardware security modules that are validated under the FIPS 140-2 Cryptographic Module Validation Program.
Who has access to our data?
We control access to all data with a clear authentication and authorisation policy. Not every employee has equal access, and customers can only see their own data.
Access to our servers must go through our VPN, to which only a restricted number of people have admin access.
When our dashboard interacts with the APIs we use, access is secured using the OAuth standard.
How do you detect intrusions, and what about logging & monitoring?
We have not yet implemented this security feature. It's pending and we expect to have it in place in 2021.
What's your Business Continuity & Disaster Recovery plan?
We regularly back up all data and have diversified our data centres.
Do you have an IT equipment usage policy in place?
Yes, we do. You can find it here.
How do you make sure your software development is safe and secure?
We keep separate environments for building our software and for running it in production. Customer data is not used during development and testing, so it is kept apart from the risks of those environments.
Please find our system development policy documentation here.
If you have any further questions, we're always available to help out. Please reach out at firstname.lastname@example.org