1.1. Architecture and Data Segregation. The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides an effective logical data separation for different customers via customer-specific unique identifiers and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
1.2. Control of Processing. Vintra has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by Vintra and its subprocessors, such as customer support and analytics providers. In particular, Vintra and its affiliates have entered into written agreements with their subprocessors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with such obligations as well as the technical and organizational data security measures implemented by Vintra and its sub-processors are subject to regular audits.
1.3. Third-Party Functionality. The Covered Services may be fronted by third party providers, other than AWS, that provide resilience, analytics, security or latency improvements (like load balancers, content delivery networks and DDoS mitigation services) which may hold caches of Customer Data or logs describing usage of the Covered Services. Additionally, a portion of customer support for the Covered Services is provided using third-party technology, which may contemplate data, including screenshots of customers’ instances of the Covered
Services, being hosted on the third-party’s architecture.
1.4. Audits and Certifications. The following security and privacy-related audits and certifications are applicable to the Covered Services:
1.5. Security Controls The Covered Services include a variety of security controls. These controls include:
1.6. Security Policies and Procedures The Covered Services are operated in accordance with the following policies and procedures to enhance security:
1.7. Intrusion Detection Vintra, or an authorized independent third party will monitor the Covered Services for unauthorized intrusions using network-based intrusion detection mechanisms. Vintra may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
1.8. Security Logs All Vintra systems used in the provision of the Covered Services log information to a centralized syslog server (for network systems) or AWS’ CloudTrail system (for agentless AWS services) in order to enable security reviews and analysis.
1.9. Incident Management Vintra maintains incident management policies and procedures. Vintra notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Vintra or its agents of which Vintra becomes aware to the extent permitted by law.
1.10. User Authentication Access to the Covered Services, directly or via the Vintra API, requires a valid user ID and password combination, or an API key/secret, both of which are encrypted via TLS while in transmission. Every user ID is associated with exactly one customer. For API access, each request requires authentication and authorization and is tied to a specific customer and user session. Once authenticated, all requests are required to have a valid session ID unique to the customer ID.
1.11. Physical Security Production data centers used to provide the Covered Services have access control systems. These systems permit only authorized personnel to have access to secured areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, have implemented physical access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
1.12. Reliability and Backup All networking components, load balancers, web servers, and application servers are architected for global resilience. Customer Data submitted to the Vintra Web UI is stored on geographically disparate cloud data systems for higher availability. All Customer Data submitted to the Vintra Web UI is backed up daily. All Customer Data submitted to the Vintra Data Collection services is stored on highly durability and redundant network storage service supplied by AWS.
1.13. Disaster Recovery Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. Vintra has disaster recovery procedures in place which provide for backup of critical data and services. A system of recovery processes exists to bring business-critical systems for Covered Services back online within a brief period of time.
1.14. Viruses Vintra uses commercially reasonable efforts to ensure that each Covered Service is free of viruses. Customer acknowledges that not all viruses can be detected by virus scanning programs, and, therefore, Vintra does not represent or warrant the Covered Service(s) will be virus free.
1.15. Analytics Vintra may track and analyze the usage of the Covered Services for the purposes of security and helping Vintra improve both the Covered Services and the user experience in using the Covered Services. Vintra may share anonymous usage data with Vintra’s service providers for the purpose of helping Vintra in such tracking, analysis and improvements. Additionally, Vintra may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.