General Compliance Programme Protocols
Iterable has established a Security programme demonstrating its commitment to compliance with all laws, regulations and ethical standards that apply to the conduct of its business and to its role as a Growth Marketing Platform. Employment is conditional upon pre-hire screening and background checks and on adherence to Iterable’s security standards. Iterable provides its employees with the tools they need to meet the requirements set forth in applicable laws and in the standards Iterable has established. As the regulatory landscape continues to change, all employees are expected to comply with the letter, as well as the spirit, of all laws, regulations and Iterable policies affecting business operations. Iterable’s security programme includes:
- Compliance with all applicable corporate and departmental policies and procedures.
  - Corporate policies cover a wide array of privacy, security and general compliance topics, while departmental policies and procedural guidance documents are specific to individual groups within Iterable.
  - Policies are formalised and documented through a policy implementation process and are reviewed and updated in response to regulatory and operational changes.
  - Employees and other relevant parties must acknowledge that they understand, and agree to abide by, all policies and standards.
- Attendance at all mandatory training, which Iterable provides.
  - Trainings are either assigned by job function or position, as determined by an employee’s immediate supervisor, or rolled out Iterable-wide by the security and compliance team.
  - Mandatory trainings include annual online and live sessions covering topics such as working remotely and the safe handling of Personally Identifiable Information (“PII”), underscoring the importance of privacy, data protection and information security.
  - PII means any information relating to an identified or identifiable natural person or legal entity.
To secure sensitive data assets such as PII, Iterable employs a number of authentication and authorisation controls designed to protect against unauthorised access.
- Authentication – Iterable requires a unique user ID for each employee.
  - Accounts are used to identify each person’s activity on Iterable’s network and systems, including access to customer data (PII).
  - This unique account is used for every system at Iterable.
  - When hired, an employee is assigned a user ID by Iterable’s Information Security team and is granted the default set of privileges described below.
  - When an employee’s employment ends, the user ID and the account’s access to Iterable network resources are disabled.
  - Where passwords are used for authentication (e.g. signing in to a system), systems enforce Iterable’s password policies, including password expiry, restrictions on password reuse and sufficient password complexity.
  - Where applicable, Iterable enforces two-factor authentication, including for access to production environments and resources.
  - Sign-on to third-party and non-essential applications is handled through Okta’s single sign-on system, which also requires two-factor authentication.
- Authorisation – Access rights and levels are based on employee job function and role, applying the principles of least privilege and need-to-know to match access privileges to defined responsibilities.
  - Iterable employees are granted only a limited set of default permissions to access company resources, such as their mailbox and intranet.
  - Employees are granted access to additional resources based on their specific job duties.
  - Managers who own the relevant data or system, or other executives designated in Iterable’s security policy, must approve requests for additional access, and only after the access request procedure has been followed.
  - Iterable logs administrative access to all production systems and data.
  - Iterable’s Information Security team reviews these logs on an as-needed basis.
Data Asset Management
Iterable’s data assets, which comprise customer PII as well as corporate data, are governed by Iterable’s security policies and procedures. All Iterable personnel handling these data assets are required to comply with those policies and procedures, which have been drafted to comply with several regulations, including the General Data Protection Regulation (“GDPR”).

Information Assets – Each layer of the Iterable application and storage stack requires that requests coming from other components are always authenticated and authorised. Service-to-service authentication is based on a security protocol built on X.509 certificates issued by a well-known certificate authority. Access by production application administrative engineers to production environments is controlled in the same way: a centralised identity management platform defines and controls personnel access to production services, using an extension of the above-mentioned protocol in which each person is authenticated by a persistent, unique X.509 certificate; issuance of those certificates is in turn guarded by multi-factor authentication. All connections to production environments pass through Virtual Private Network (“VPN”) proxies, which provide AES 256-bit encryption as well as centralised auditing of connections to production environments.
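The certificate-based mutual authentication described above, as an added example that is not Iterable’s code and does not describe its actual implementation: a Go program that stands up an HTTPS service which rejects, during the TLS handshake, any caller whose client certificate does not chain to the trusted CA, and then authorises the request on the identity carried in the verified certificate. The certificate authority, the service names (`api.internal`, `billing-service`, `guest-service`), the single-identity allowlist in the handler and the in-memory certificate issuance are all assumptions constructed for this demonstration; a real deployment obtains its certificates from the CA rather than minting them in-process. The example goes beyond the page’s description by also exercising the cases a practitioner should test: a caller with no certificate, a caller presenting the right name from the wrong CA, and an authenticated caller that is not authorised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a certificate in memory, standing in for the page's CA (an assumption):
// a self-signed root when parent is nil, else a leaf signed by parent limited to eku.
func issue(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, // httptest's loopback address
	}
	signer, signerKey := tmpl, any(key) // self-signed root
	if parent != nil {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handler runs only after crypto/tls has verified the caller's chain against ClientCAs;
// it then authorises on the verified leaf's identity (allowlist constructed for the demo).
func handler(w http.ResponseWriter, r *http.Request) {
	cn := r.TLS.PeerCertificates[0].Subject.CommonName
	if cn != "billing-service" {
		http.Error(w, "forbidden: "+cn, http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s", cn)
}

// call requests url as client (nil = no client certificate), trusting only roots.
func call(url string, roots *x509.CertPool, client *tls.Certificate) string {
	cfg := &tls.Config{RootCAs: roots}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "rejected: " + err.Error()
	}
	resp.Body.Close()
	return resp.Status
}

// runDemo: allowed caller, authenticated-but-unauthorised caller, wrong-CA certificate, no certificate.
func runDemo() map[string]string {
	ca, rogue := issue("demo-root-ca", 0, nil), issue("rogue-ca", 0, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*issue("api.internal", x509.ExtKeyUsageServerAuth, ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate => handshake fails
		ClientCAs:    pool,                           // must chain to our CA, not merely be valid
	}
	srv.StartTLS()
	defer srv.Close()
	cases := map[string]*tls.Certificate{
		"billing": issue("billing-service", x509.ExtKeyUsageClientAuth, ca),
		"guest":   issue("guest-service", x509.ExtKeyUsageClientAuth, ca),
		"forged":  issue("billing-service", x509.ExtKeyUsageClientAuth, rogue),
		"no-cert": nil,
	}
	out := map[string]string{}
	for name, c := range cases {
		out[name] = call(srv.URL, pool, c)
	}
	return out
}
func main() { fmt.Println(runDemo()) }
```

Run it with `go run`; the two rejected handshakes are logged by net/http to stderr as `http: TLS handshake error`, which is the signal to expect in production logs for such attempts. The security-relevant settings are `ClientAuth: tls.RequireAndVerifyClientCert` together with a `ClientCAs` pool containing only the issuing CA: with `VerifyClientCertIfGiven` the `no-cert` caller would reach the handler with an empty `PeerCertificates` slice, and with the system roots in `ClientCAs` any publicly issued certificate would authenticate.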
When a storage device (physical or virtual) reaches the end of its useful life, Iterable’s procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorised individuals. Iterable uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Monitoring and Auditing
Iterable’s compliance monitoring and auditing programme analyses the policies and procedural guidance used by departments, through interviews, ride-alongs and observations, and reviews awareness of and adherence to the above-mentioned policies and procedures. Through its monitoring and auditing efforts, Iterable ensures that its representatives are adequately trained and equipped to carry out Iterable’s external and internal goals while adhering to all required laws, regulations and guidance documents.
Iterable’s security monitoring programme analyses information gathered from internal network traffic and employee actions on systems. Traffic on the internal and production networks is inspected for suspicious behaviour, to detect traffic that might originate from malicious software or botnets. The analysis is performed using a combination of open-source and commercial tools, supported by a commercial correlation system.
Iterable uses multiple layers of defence (defence-in-depth) to help protect its virtual network from external attacks. Only authorised services and protocols that meet Iterable’s security requirements are permitted to traverse the corporate and production networks. Iterable’s network security strategy comprises the following components:
- Network segregation using industry-standard firewall and access control technologies.
- Management of network firewall and access control rules through change management and peer review.
- Restriction of access to networked devices to authorised personnel.
- Routing of all external traffic through custom front-end proxies to help detect and stop malicious traffic.
- Use of Hypertext Transfer Protocol Secure (HTTPS) for more secure browser connections to Iterable’s services.
  - Services such as app.iterable.com use HTTPS by default for customers who are signed in to their account.
  - Information sent via HTTPS is encrypted in transit between the visitor’s computer and Iterable.
Physical and Environmental Security
Iterable uses Amazon Web Services for its infrastructure hosting needs; as a result, physical security is maintained and enforced by Amazon. Physical access to Amazon data centres is strictly controlled, both at the perimeter and at building ingress/egress points, by security guards using video surveillance, intrusion detection systems and other electronic means. Data centre staff must pass two-factor authentication a minimum of two times to reach the data centre floor. Only privileged employees and contractors with a legitimate business need have access to the data centres.
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilises smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action or gaseous sprinkler systems. The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centres are conditioned to maintain atmospheric conditions at optimal levels.
Iterable’s Information Security team is responsible for managing vulnerabilities in a timely manner. The team scans for security threats using commercially developed tools, automated and manual penetration testing, software security reviews and external audits, and is responsible for tracking and following up on detected vulnerabilities.
Trust and Assurance
Iterable’s Trust and Assurance Programme encompasses transparency, due diligence and accuracy in alignment with SOC 2 and GDPR governance.
- Regulatory Compliance – Iterable approaches its data processing commitments globally.
  - Many of our customers have a global presence; as such, we offer a Data Processing Addendum to support compliance with regulations such as the General Data Protection Regulation (“GDPR”).
  - If your organisation is subject to GDPR, our compliance team can help you opt into the Data Processing Addendum.
- Data Privacy – Iterable customers own their data, not Iterable.
  - The data that customers upload to Iterable is theirs; as part of Iterable’s privacy commitments, we do not scan customer data for advertising purposes, and we do not sell it or share it with third parties.
  - When customers terminate their relationship with Iterable, we commit to deleting their data from our systems.
  - Customers can administer their data using our Application Programming Interface (“API”), which eases data portability without imposing additional fees.
- SSAE-16 SOC 2 – Iterable customers can expect independent verification of our security, privacy and compliance controls.
  - As part of our assurance programme, we undergo an independent third-party audit regularly.
  - The independent auditor examines our governance programme, virtual infrastructure and operations and attests to compliance with the audit standards and common criteria described in SSAE-16 SOC 2.
- HIPAA – Consumers place their trust in the healthcare industry and expect their providers of healthcare and coverage to be good stewards of their health information, including by meeting the standards set forth by HIPAA to protect the privacy and security of protected health information.
  - Trust is one of our core values at Iterable.
  - We partner with customers to provide consumers with in-the-moment access to their information while providing them with the personalised content they want.
  - Their protected health information is safe with us.
  - For more information regarding Iterable’s HIPAA compliance and how to sign a Business Associate Agreement (BAA), please contact a member of the Iterable team.