As of April 2018
Evergage is the real-time personalization platform that enables marketers to systematically understand and interact with each person across channels (web, email, mobile app, call-center, in-person) – one at a time, “in the moment” and at scale – to deliver a maximally relevant, individualized experience. Evergage works with a global client base and can support most environments and situations. Helping to protect the integrity, confidentiality and availability of our customers’ data is vital to Evergage. This document outlines the security and privacy features Evergage has put in place to protect customer data.
Evergage Security Features:
- SSL for client-server communication
- SAML 2.0 based single sign-on
- Firewalls with least privilege rules
- Production access requires public key authentication through a bastion host
- Intrusion detection and prevention systems
- Non-operable stores, such as backups are always encrypted at rest
- Change management process including source control, automated builds, automated testing, peer code reviews and security review
- Least privilege user roles with regular reviews of access levels
- Audit logging on all sensitive actions
- Deployment management software to ensure patch levels and roll out security updates
- Quarterly penetration testing
- Vulnerability scans upon security-sensitive changes
- Evergage maintains a data retention policy and works with our clients to agree upon appropriate retention timeframes during and post contract
Frequently Asked Questions
Where are Evergage services hosted?
Evergage is hosted at Amazon Web Services (AWS) which provide enterprise-level security, scalability and availability. Evergage benefits from the AWS network, ops and monitoring which satisfy stringent physical and network intrusion requirements. AWS is SOC 2 Type 2 Certified and PCI Compliant.
What were the results of the most recent hosting facility audit?
The AWS SOC 1 and SOC 2 audit was completed within the last 18 months and AWS received a favorable unbiased opinion from its independent auditors. A copy of the SOC 1 and SOC 2 reports are available from AWS upon request and with an executed NDA in place with Amazon. The AWS SOC 3 report is publicly available and summarizes the AWS SOC 2 report, and is found here: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf. Evergage has reviewed the SOC 2 audit in detail and is satisfied that AWS infrastructure meets or exceeds all critical SOC 2 audit protocols.
In addition, AWS has been accredited under the following standards: ISO 27017:2015 and ISO 27018:2014, ISO 9001, ISO 27001, PCI Level 1 and Sarbanes-Oxley (SOX).
What physical security controls are in place to protect the environment processing and storing customer data?
Physical access to AWS facilities is strictly controlled. All visitors and contractors are required to present identification. They are signed in and continually escorted by authorized staff. Amazon only grants data center access to employees while they have a legitimate business need for that access. When an employee no longer needs these privileges, his or her access is immediately revoked. All physical and electronic access to data centers by Amazon employees is logged and audited.
For additional information see https://aws.amazon.com/security.
How is the network architecture arranged?
External clients make HTTP requests over SSL connections that terminate at the load balancer. These requests are routed to application servers which have only private IP addresses and cannot be directly accessed from the Internet. From there, the application servers connect to data stores and other internal services; this takes place over a private network with no direct access to the Internet. All access to production hosts occurs through a bastion host requiring public key authentication.
What network security devices are used to protect critical systems?
Firewalls restrict external and internal access. The rules only allow ports and protocols that are required for each system to communicate with other systems as designed. Firewalls prevent IP, MAC and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface to which it is not addressed. Port scanning is prohibited. If a port scan is detected, access is blocked while AWS investigates.
What change control and security code review procedures are in place?
Evergage performs peer security code reviews and penetration testing at least quarterly and at the time of security-sensitive changes. All code is considered for security reviews by the security operations team and analyzed for risk. Once the code passes reviews and automated tests, it is eligible to be released. Releases are scheduled based on the urgency and scope of the changes.
What is the patch management process?
For network and hardware, AWS is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for resolution.
For virtual machines, new servers are deployed with the latest updates and security fixes. Existing servers perform a rolling upgrade. If the patch is critical, the timeframe is accelerated.
Where is customer data stored?
Customer data is stored in the online datastore and in encrypted backup copies of the datastore for disaster recovery purposes only. Sensitive customer data is never retained on any laptops, mobile devices or removable media.
Is the production environment and data physically and logically separated from development and test environments?
The production environment is completely separate from development and test environments. Customer data is not in use in the development or test environments.
How is customer data protected when hardware is decommissioned?
AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data.
How are distinct customers' data kept separate?
All customer data in the datastore lives in separate files for each customer. The customers are logically separated inside the application. Access can be further restricted inside the application by assigning user roles. Virtualized guests in AWS are strongly separated from each other by the hypervisor, the AWS firewall and special hardware support within the CPU for virtualization.
Is single sign-on (SSO) available?
The Evergage web app supports single sign-on using the SAML 2.0 protocol. A policy setting is available to disable password authentication, requiring single sign-on for all user authentication apart from the SAML administrator.
How are Evergage staff user accounts managed?
Evergage employees are granted least privilege access to systems storing customer data. Access levels that include access to the customer application data must be approved by the CTO. Each employee’s access level is reviewed and updated appropriately whenever their role changes. When an employee is terminated, his or her access to Evergage systems and customer data is terminated immediately.
What user roles are available for customer user accounts?
Customer users of Evergage can be given one of six levels of access from Viewer through Administrator. Viewers can view everything that is not in the Settings section of the UI, but cannot make any updates. Campaign Authors can make changes that do not affect published campaigns. Campaign Editors can do all those things as well as publish campaigns. Editors can do all those things as well as modify or delete segments including those used in campaigns, modify user attributes, and modify items. Editors with export can do all those things as well as export segments and the events in datasets. Finally, administrators have full rights in the Evergage platform, including the ability to create and update datasets, manage users, and add, edit or delete API tokens.
What activities produce an audit trail and how?
All logins to the application by a customer’s users and Evergage employees are recorded. All changes to application data by Evergage staff and customer users are logged to an audit record which tracks the user, the time and what was changed.
How does Everage provide redundancy?
Every tier of the application has redundancy built in with no single point of failure. The datastore is sharded and replicated. Application servers fail over automatically. There are multiple redundant instances of all other required services. Static resources are hosted on a CDN with over 40 global points of presence. There is a primary and a backup DNS provider.
How do we respond to DDOS attacks?
For CDN requests, our CDN provider provides significant protection. The edge nodes absorb much of the attack. If attacks target layer 3 or 4, most traffic is filtered out and only HTTP or HTTPS are passed through. Reflection and amplification attacks which use UDP services like SSDP or NTP are dropped at the edge. TCP level attacks are mitigated at the cache layer, which has the necessary scale and client context to deal with SYN flood and its variants. Finally, custom rules can be used to filter out layer 7 requests based on header, payload, Geo-IP, or the combination of attributes that identify attack traffic.
For requests that are not cacheable, AWS provides protection from Layer 3 and 4 DDoS attacks, similar to the CDN protections mentioned earlier. In addition, AWS uses various techniques like priority-based traffic shaping which are automatically engaged when a well-defined DDoS attack signature is detected.
What is our Business Continuity Plan?
The core Evergage infrastructure is hosted off-site with redundant systems. All services that Evergage relies on to run the business are hosted in the cloud and are remotely accessible should the corporate office become inaccessible or have no power or network. All employees are issued laptops as their primary work computers and are required to bring them home each day. Knowledge is shared to ensure that issues can be addressed even if the primary point of contact becomes unavailable.
What kind of background checks are performed on employees?
Background checks are mandatory for all employees. As new employees are hired background checks are performed at the National, State and County level through, but not limited to, the Social Security Administration, Office of Foreign Assets Control (OFAC), System for Award Management (SAM), FDA Debarment Database, Office of Inspector General, National Sex Offender Registry and C.O.P.S. National Criminal Index.
What are your incident response procedures?
When an incident occurs, Evergage staff follow these steps:
- Escalate to incident response team.
- Mitigate impact by ensuring back systems or safe fallbacks have engaged.
- Reestablish services in order of importance and business impact.
- Ensure retention of criticals logs and performance data.
- Complete response plan and execution.
Throughout the process, appropriate information is communicated to clients at regular intervals, consistent with the level of impact of the incident.
How are security incidents handled?
All security issues are escalated to both the Operations team and to our Chief Technology Officer (CTO). If Evergage becomes aware of unauthorized access to customer information we will immediately notify affected customers. Upon request, we will promptly provide the affected customers all information that we have available to us regarding any such event.
Are our privacy protections certified by a third party?
Evergage is certified under the EU-U.S. Privacy Shield Frameworks and has put in place the policies and technical measures required. Evergage’s certification can be verified on the Privacy Shield website (https://www.privacyshield.gov/list).
What sorts of data do we collect?
No personally identifiable data is automatically collected. We work with clients to define data collection specifications and only collect that which has been agreed upon. There are built-in security measures in the platform to avoid the collection of highly sensitive data such as payment card information. In addition, our policies prohibit collecting personal health information (PHI). IP addresses can be anonymized for visitors within the European Union.
Who owns the data? Is it ever shared?
Data is collected and stored separately for each customer. It is not shared with third parties except in circumstances agreed upon with the customer. Internal policies are in place to ensure that no data is shared without customer authorization.
How do we assure our customers and their end users that we are handling their data appropriately?
How is end-user consent managed?
We support both opt-in and opt-out policies for tracking user behavior for the purposes of personalization on a customer site. Evergage can adhere to an existing opt-in or opt-out solution or provide its own. We can provide support for the deletion of data captured about a user, known as “the right to be forgotten.” Support can be provided for individuals who request information captured about them. This information can be provided in human-readable and machine-readable formats.
What are your security-related policies and procedures?
Security policies are reviewed annually and include:
- Operational Security Policy
- Employee Security Policy
- Security Incident Response
- Customer Notification Policy
- Disaster Recovery Plans
- Enterprise Risk Management Policy
- Executive Oversight Policy