General Compliance Program Protocols
Iterable has established a Security program demonstrating its commitment to compliance with all laws, regulations, and ethical standards as they apply to the conduct of its business and its role as a Growth Marketing Platform. Employment is conditioned on pre-hire screening and background checks, and adherence to Iterable’s security standards. Iterable provides its employees with the tools they need to meet the requirements set forth in the laws and standards established by Iterable As the regulatory landscape continues to change, all employees are expected to comply with the letter, as well as the spirit of all laws, regulations, and Iterable policies affecting business operations. Iterable’s security program includes:
- Compliance with all applicable Corporate and departmental policies and procedures. Corporate policies cover a wide array of Privacy, Security, and General Compliance topics, while departmental policies and procedural guidance documents are unique to individual groups within Iterable. Policies are formalized and documented through a policy implementation process and are reviewed / updated based on regulatory and operational changes. Employees and other relevant parties must acknowledge understanding of, and agreement to abide by, all policies and standards.
- Attendance at all mandatory trainings are provided by Iterable. Trainings are either assigned based on job function or position, as defined by an employee’s immediate supervisor, or are rolled out Iterable-wide by the security and compliance team. Mandatory trainings include annual online and live training sessions, working remotely, and safe handling of Personal Identifiable Information (“PII”), underscoring the importance of privacy, and data and Information Security. PII means any information relating to an identified or identifiable natural person or legal entity.
In order for Iterable to secure sensitive data (e.g., PII) assets, it employs a number of authentication and authorization controls that are designed to protect against unauthorized access.
- Authentication – Iterable requires the use of a unique user ID for each employee. Accounts are used to identify each person’s activity on Iterable’s network and systems, including access to customer (PII) data. This unique account is used for every system at Iterable. Upon hire, an employee is assigned a user ID by Iterable’s Information Security team and is granted a default set of privileges, described below. At the termination of an employee’s employment, the user ID and the account’s access to Iterable network resources is disabled. Where passwords are used for authentication (e.g., signing into a system), systems enforce Iterable’s password policies, including password expiration, restrictions to password reuse, and sufficient password complexity. Where applicable, Iterable employs and enforces the use of two-factor authentication, which includes access to production environments and resources. Third-party and non- essential application sign-on is handled by using Okta’s Single Sign-On system, which also uses two-factor authentication.
- Authorization – Access rights and levels are based on employee job function and roles, using the concepts of “least-privileges” and “need-to-know” to match access privileges to defined responsibilities. Iterable employees are granted only a limited set of default permissions to access company resources, such as their mailbox and intranet. Employees are granted access to certain additional resources based on their specific job duties. Data or system owner managers, or other executives as described by Iterable’s security policy, must approve requests for additional resources, and only after following the access request procedure. Iterable logs administrative access to all production systems and data. Iterable’s Information Security team then reviews these logs on an as-needed basis.
Data Asset Management
Iterable’s data assets, which are comprised of customer PII, as well as corporate data, are governed by Iterable’s security policies and procedures. All Iterable personnel handling the data assets are required to comply with Iterable’s policies and procedures, which have been drafted to comport with several regulations, including the General Data Protection Regulation (“GDPR”). Information Assets – Each layer of the Iterable application and storage stack require that requests coming from other components are always authenticated and authorized. Service-to-service authentication is based on a security protocol, which is derived from x509 certificates that are issued by well-known certificate authority. Access by production application administrative engineers to production environments is similarly controlled. A centralized identity management platform is used to define and control personnel access to production services, using an extension of the above-mentioned security protocol that authenticates personnel certificates through the use of persistent unique x509 certificates; issuance of those certificates is in turn guarded by multi-factor authentication. All connections to production environments pass through Virtual Private Network (“VPN”) proxies; these proxies provide AES 256-bit encryption as well as centralized auditing of connections to production environments.
When a storage device (physical or virtual) has reached the end of its useful life, Iterable procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Iterable uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standard practices.
Monitoring and Auditing
Iterable’s compliance monitoring and auditing program analyzes the policies and procedural guidance used by departments through interviews, ride-alongs, and observations and reviews the awareness of and adherence to the above-mentioned policies and procedures. Through its monitoring and auditing efforts, Iterable ensures that Iterable representatives are adequately trained and equipped to carry out Iterable’s external and internal goals, while adhering to all required laws, regulations, and guidance documents.
Iterable’s security monitoring program analyzes information gathered from internal network traffic and employee actions on systems. Internet traffic is inspected for suspicious behavior on the internal and production networks to detect the presence of traffic that might be malicious software or botnets. The analysis is performed using a combination of open source and commercial tools. A commercial correlation system is used in support of this analysis.
Iterable utilizes multiple layers of defense (defense-in-depth) to help protect the virtual network from external attacks. Only authorized services and protocols that meet Iterable’s security requirements are permitted to traverse the corporate and production networks. Iterable’s network security strategy is comprised of the following components:
- Network segregation using industry-standard firewall and access control technologies.
- Management of network firewall and access control rules that utilize change management and peer review.
- Restricted access to networked devices to unauthorized personnel.
- Routing of all external traffic through custom front-end proxies to help detect and stop malicious traffic.
- Iterable provides services that make use of Hypertext Transfer Protocol Secure (HTTPS) for more secure browser connections. Services such as app.iterable.com support HTTPS by default for customers who are signed into their account. Information sent via HTTPS is encrypted from the time it leaves Iterable until it reaches the visitor’s computer.
Physical and Environmental Security
Iterable utilizes Amazon Web Services for its Infrastructure hosting needs. As a result, the physical security is maintained and enforced by Amazon. Amazon data center physical access is strictly controlled both at the perimeter and at building ingress / egress points by security guards and video surveillance, intrusion detection, and other logical means. Data center staff are required to use two-factor authentication a minimum of two times to access the data center floor. Only privileged employees and contractors with legitimate business needs have access to the data center.
Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels.
Iterable’s Information Security team bears the responsibility of managing vulnerabilities in a timely manner. The Iterable Information Security team scans for security threats using commercially developed tools, automated and manual penetration efforts, software security reviews, and external audits. The Information Security team is responsible for tracking and following up on detected vulnerabilities.
Trust and Assurance
Iterable’s Trust and Assurance Program encompasses transparency, due diligence, and accuracy in alignment with SOC 2 and GDPR governance.
- Regulatory Compliance – Iterable approaches its commitments on data processing globally. Many of our customers have a global presence, as such, we offer a Data Processing Addendum to ensure compliance with regulations such as the General Data Protection Regulation (“GDPR”). If your organization is subject to GDPR, our compliance team can help you opt into the Data Processing Addendum.
- Data Privacy – Iterable customers own their data, not Iterable. The data that Iterable customers upload to Iterable is theirs; as a part of Iterable’s privacy commitments, we do not scan customer data for advertisements nor sell or share with third parties. Additionally, when customers terminate their relationship with Iterable, we will commit to deleting the data from our systems. Finally, our customers can easily administer their data using our Application Programming Interface (“API”) to ease data portability without imposing . additional fees.
- SSAE-16 SOC 2 – Iterable customers can expect independent verification of our security, privacy, and compliance controls. As part of our assurance program, we conduct an independent third-party audit regularly. The independent auditor examines our governance program, virtual infrastructure, and operations to certify compliance with audit standards and common criteria as described in SSAE-16 SOC 2.