- Vintra is committed to achieving and maintaining the trust
of our
customers. Integral to this mission is providing a robust security and privacy program that carefully
considers
data protection matters across our suite of services, including data submitted by customers to our
services
(“Customer Data”).
- This documentation describes the architecture of, the security- and
privacy-related
audits and certifications received for, and the administrative, technical, and physical controls
applicable to,
the services provided by Vintra.
1.1. Architecture and Data Segregation. The Covered Services are operated in a multitenant
architecture that is designed to segregate and restrict Customer Data access based on business
needs. The
architecture provides an effective logical data separation for different customers via
customer-specific
unique identifiers and allows the use of customer and user role based access privileges. Additional
data
segregation is ensured by providing separate environments for different functions, especially for
testing
and production.
1.2. Control of Processing. Vintra has implemented procedures designed to ensure that
Customer Data
is processed only as instructed by the customer, throughout the entire chain of processing
activities by
Vintra and its subprocessors, such as customer support and analytics providers. In particular,
Vintra and
its affiliates have entered into written agreements with their subprocessors containing privacy,
data
protection and data security obligations that provide a level of protection appropriate to their
processing
activities. Compliance with such obligations as well as the technical and organizational data
security
measures implemented by Vintra and its sub-processors are subject to regular audits.
1.3. Third-Party Functionality. The Covered Services may be fronted by third party providers,
other
than AWS, that provide resilience, analytics, security or latency improvements (like load balancers,
content
delivery networks and DDoS mitigation services) which may hold caches of Customer Data or logs
describing
usage of the Covered Services. Additionally, a portion of customer support for the Covered Services
is
provided using third-party technology, which may contemplate data, including screenshots of
customers’
instances of the Covered
Services, being hosted on the third-party’s architecture.
1.4. Audits and Certifications. The following security and privacy-related audits and
certifications
are applicable to the Covered Services:
● EU-U.S. and Swiss-U.S. Privacy Shield certification (expected in Q2 2018): Customer Data
submitted to
the Covered Services is within the scope of an annual certification to the EU-U.S. Privacy
Shield
Framework and the Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of
Commerce. The certification will be available at https://www.privacyshield.gov by searching
under
“Vintra” in Q2 2018
● Service Organization Control (SOC) reports: Vintra’s information security control environment
applicable to the Covered Services undergoes an independent evaluation in the form of a SOC 2,
Type II
report. Additionally, the Covered Services undergo security assessments by internal personnel
and third
parties, which include infrastructure vulnerability assessments and/or application security
assessments,
on at least an annual basis.
● ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3
● Vintra uses infrastructure provided by a third party, Amazon Web Services, Inc. (“AWS”), to
host
Customer Data submitted to the Covered Services. Information about security and privacy-related
audits
and certifications received by AWS, including those listed in Section 4.4 and information on ISO
27001
certification and Service Organization Control (SOC) reports, is available from the
AWS Security Website and the
AWS Compliance Website.
1.5. Security Controls The Covered Services include a variety of security controls. These
controls
include:
● Unique user identifiers (user IDs) to help ensure that activities can be attributed to the
responsible
individual;
● Password length controls;
● Password complexity requirements for Web and mobile access to the Covered Services;
● Two-Factor Authentication for access by Covered Services to its third-party hosting services;
and
● Web and mobile access to the Covered Services via authorization and authentication frameworks.
1.6. Security Policies and Procedures The Covered Services are operated in accordance with
the
following policies and procedures to enhance security:
● User passwords are stored using a salted hash format and are not transmitted unencrypted;
● User access log entries will be maintained, containing date, time, URL executed or entity ID
operated
on, operation performed (viewed, edited, etc.), and source IP address. Note that source IP
address might
not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used
by a
customer or its ISP;
● Logs are stored securely to prevent tampering;
● Passwords are not logged;
● No defined passwords are set by Vintra;
● Authentication tokens are encrypted and not transmitted unencrypted.
1.7. Intrusion Detection Vintra, or an authorized independent third party will monitor the
Covered
Services for unauthorized intrusions using network-based intrusion detection mechanisms. Vintra may
analyze
data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating
system
version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types,
etc.) for
security purposes, including to detect compromised browsers, to prevent fraudulent authentications,
and to
ensure that the Covered Services function properly.
1.8. Security Logs All Vintra systems used in the provision of the Covered Services log
information
to a centralized syslog server (for network systems) or AWS’ CloudTrail system (for agentless AWS
services)
in order to enable security reviews and analysis.
1.9. Incident Management Vintra maintains incident management policies and procedures. Vintra
notifies impacted customers without undue delay of any unauthorized disclosure of their respective
Customer
Data by Vintra or its agents of which Vintra becomes aware to the extent permitted by law.
1.10. User Authentication Access to the Covered Services, directly or via the Vintra API,
requires a
valid user ID and password combination, or an API key/secret, both of which are encrypted via TLS
while in
transmission. Every user ID is associated with exactly one customer. For API access, each request
requires
authentication and authorization and is tied to a specific customer and user session. Once
authenticated,
all requests are required to have a valid session ID unique to the customer ID.
1.11. Physical Security Production data centers used to provide the Covered Services have
access
control systems. These systems permit only authorized personnel to have access to secured areas. The
facilities are designed to withstand adverse weather and other reasonably predictable natural
conditions,
are secured by around-the-clock guards, have implemented physical access screening and
escort-controlled
access, and are also supported by on-site back-up generators in the event of a power failure.
1.12. Reliability and Backup All networking components, load balancers, web servers, and
application
servers are architected for global resilience. Customer Data submitted to the Vintra Web UI is
stored on
geographically disparate cloud data systems for higher availability. All Customer Data submitted to
the
Vintra Web UI is backed up daily. All Customer Data submitted to the Vintra Data Collection services
is
stored on highly durability and redundant network storage service supplied by AWS.
1.13. Disaster Recovery Production data centers are designed to mitigate the risk of single
points of
failure and provide a resilient environment to support service continuity and performance. Vintra
has
disaster recovery procedures in place which provide for backup of critical data and services. A
system of
recovery processes exists to bring business-critical systems for Covered Services back online within
a brief
period of time.
1.14. Viruses Vintra uses commercially reasonable efforts to ensure that each Covered Service
is free
of viruses. Customer acknowledges that not all viruses can be detected by virus scanning programs,
and,
therefore, Vintra does not represent or warrant the Covered Service(s) will be virus free.
1.15. Analytics Vintra may track and analyze the usage of the Covered Services for the
purposes of
security and helping Vintra improve both the Covered Services and the user experience in using the
Covered
Services. Vintra may share anonymous usage data with Vintra’s service providers for the purpose of
helping
Vintra in such tracking, analysis and improvements. Additionally, Vintra may share such anonymous
usage data
on an aggregate basis in the normal course of operating our business; for example, we may share
information
publicly to show trends about the general use of our services.