Watch a 5 Minute Demo

What is your company email address?
What is your country/permanent residence?
Privacy Policy - By signing up, I agree with Iterable's Privacy Policy. I understand that I am signing up to Iterable Marketing emails and I can unsubscribe at any time.
Form footer image
Loading...
What is your first name?
What is your last name?
What is your company email address?
What is your company's name?
What is your country/permanent residence?
In which state do you live?
Privacy Policy - By signing up, I agree with Iterable's Privacy Policy. I understand that I am signing up to Iterable Marketing emails and I can unsubscribe at any time.

Schedule a demo to learn more.

What is your country/permanent residence?
Privacy Policy - By signing up, I agree with Iterable's Privacy Policy. I understand that I am signing up to Iterable Marketing emails and I can unsubscribe at any time.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Form footer image
Thank you !

Thanks for contacting us, we’ll be in touch shortly.

Security and Compliance Overview

 

General Compliance Program Protocols

Iterable has established a Security program demonstrating its commitment to compliance with all laws, regulations, and ethical standards as they apply to the conduct of its business and its role as a Growth Marketing Platform. Employment is conditioned on pre-hire screening and background checks, and adherence to Iterable’s security standards. Iterable provides its employees with the tools they need to meet the requirements set forth in the laws and standards established by Iterable. Iterable’s Security program includes:

  • Compliance with all applicable policies and procedures. Iterable policies cover a wide array of Privacy, Security, and General Compliance topics, while procedural guidance documents are unique to individual groups within Iterable. Policies are formalized and documented through a policy implementation process and are reviewed / updated based on regulatory and operational changes. Information Security Policies (ISPs) are annually reviewed, revised, approved by senior management, and audited in our third-party audits.  Employees and other relevant parties must acknowledge understanding of, and agreement to abide by, all policies and standards, including all ISPs.
  • SOC 2 Type II certification– Iterable customers can expect independent verification of our security, privacy, and compliance controls. As part of our assurance program, we conduct an annual, independent third-party audit. The independent auditor examines our governance program, virtual infrastructure, and operations to certify compliance with audit standards and common criteria as described in SSAE-18 SOC 2.
  • ISO 27001 certification – Iterable is committed to Security as a top priority by implementing an Information Security Management System (ISMS). Customers can gain assurance of the effectiveness of a secure ISMS through the achievement of the ISO 27001 certification. The certification was validated by an independent third party in order to demonstrate that Iterable has taken the necessary steps to implement processes and procedures to protect and secure the confidentiality, integrity, and availability of our customer’s sensitive data.
  • HIPAA – Consumers place their trust in the healthcare industry and expect their providers of healthcare and coverage to be good stewards of their health information, including addressing standards set forth by HIPAA to protect the privacy and security of protected health information. Trust is one of our core values at Iterable. We partner with customers to provide consumers in the moment access to their information while providing them the personalized content they want. Their protected health information is safe with us. For more information regarding Iterable’s HIPAA compliance and how to sign a Business Associate Agreement (BAA), please reach out to a member of the Iterable team.
  • Data Privacy – Iterable customers own their data, not Iterable. The data that Iterable customers upload to Iterable is theirs; as a part of Iterable’s privacy commitments, we do not scan customer data for advertisements nor sell or share with third parties. Additionally, when customers terminate their relationship with Iterable, we will commit to deleting the data from our systems. Finally, our customers can easily administer their data using our Application Programming Interface (“API”) to ease data portability without imposing additional fees. Iterable’s commitment to data privacy includes the following:
    • Compliance with GDPR, CCPA/CPRA and all other US privacy laws.  Iterable enables compliance for GDPR, CCPA/CPRA, and all other US privacy laws by allowing customers to manage data access requests via multiple APIs, as well as our investments in our security infrastructure. These investments include ensuring that appropriate contractual terms are in place, subject access request options are available, and supporting international data transfers by executing European Union Model Clauses, also known as the Standard Contractual Clauses.  
    • EU-US Data Privacy Framework (DPF) – Iterable is self-certified to the EU – US Data Privacy Framework (DPF), which means that European entities can transfer personal data to Iterable in the United States, without having to put in place additional data protection safeguards.  
    • Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) – For data privacy, Iterable has also received both the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certifications. The CBPR and PRP certifications enable cross-border privacy assurance for our customers across 8 Iterable supported countries: Australia, Canada, Japan, Republic of Korea, Mexico, Philippines, Singapore, United States. These certifications affirm that Iterable complies with the privacy principles outlined in the APEC Privacy Framework, aligning Iterable with global privacy standards.  
  • Mandatory Security and Privacy training.  Iterable conducts Security Awareness, HIPAA, Privacy, and GDPR training for all Iterable staff upon hire.  Covered topics include, but are not limited to:
    • Password Protection, Malware, Phishing, Social Media/Engineering, Tailgating, Internet Use, Ransomware, Information Protection
    • Privacy law and responsibilities
    • Information Security Policies
    • Security concerns and incident reporting information

Iterable conducts training at least annually for all staff thereafter. Authorized Security personnel formally document, track, and acknowledge completion of the training for all staff. Security reviews and revises as necessary program content at least annually to ensure the program is effective in addressing changing security threats and privacy law and in meeting the needs of the organization.

Access Control

In order for Iterable to secure sensitive data (e.g., PII) assets, it employs a number of authentication and authorization controls that are designed to protect against unauthorized access.

  • Authentication – Iterable requires the use of a unique user ID for each employee. Accounts are used to identify each person’s activity on Iterable’s network and systems, including access to customer (PII) data. This unique account is used for every system at Iterable. Upon hire, an employee is assigned a user ID and is granted a limited, default set of privileges. At the termination of an employee’s employment, the user ID and the account’s access to Iterable network resources are disabled. Where passwords are used for authentication (e.g., signing into a system), systems enforce Iterable’s password policies which closely follow NIST 800-64 best practices, including strong, complex passwords over frequent changes, restrictions to password reuse, timeout and lockout settings, and sufficient password complexity. System access, including third-party application and corporate network sign-on, is handled using Okta SSO, which requires two-factor authentication (2FA).  Iterable further restricts 2FA access to Okta SSO to either username/password and YubiKey or username/password and biometric authentication.  Privileged access to production systems and PII requires additional unique ID/password, MFA, VPN, and SSH authentication, as applicable to the sensitivity of the application.
  • Authorization– Access rights and levels are based on employee job function and roles, using the concepts of “least-privileges” and “need-to-know” to match access privileges to defined responsibilities. Iterable employees are granted only a limited set of default permissions to access company resources, such as their mailbox and intranet. Employees are granted access to certain additional resources based on their specific job duties. Data or system owner managers, or other executives as described by Iterable’s security policy, must approve requests for additional resources, and only after following the access request procedure. Iterable logs administrative access to all production systems and data. Iterable’s Information Security team then reviews these logs on an as-needed basis.  Iterable conducts quarterly user access reviews (UAR) for critical systems. 

Business Continuity/Disaster Recovery

Iterable has a Business Continuity/Disaster Recovery (BC/DR) Policy in place to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations. Within the BC/DR Policy, the Business Continuity (BC) plan includes critical business processes, potential risks and impacts, response and recovery plan, roles and responsibilities, and testing of the plan. The Disaster Recovery (DR) plan ensures effective processes are in place to recover business-critical systems during adverse situations within the defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) of critical systems.

Both the BC/DR plans are based on the Business Impact Assessment (BIA).  The BIA identifies systems required for business operations and defines risk levels, owners, RTO, and RPO.  Systems identified as critical (catastrophic) by the BIA, have documented DR plans.

BC/DR testing includes relevant scenarios and recovery procedures based on the threat of likelihood documented test exercise steps and results. The BC/DR Policy, BIA, and BC/DR plans are annually tested, reviewed, updated, and audited in our internal and  third-party audits.

Media Disposal

Iterable leverages the services of our cloud provider, Amazon Web Services (AWS), for media disposal.  When a storage device (physical or virtual) has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standard practices.

Monitoring and Auditing

Iterable’s compliance monitoring and auditing program analyzes the policies and procedural guidance used by departments through interviews and observations and reviews the awareness of and adherence to our policies and procedures. Through its monitoring and auditing efforts, Iterable ensures that Iterable staff are adequately trained and equipped to carry out Iterable’s external and internal goals, while adhering to all required laws, regulations, and guidance documents.

Iterable’s security monitoring program analyzes information gathered from internal network traffic and employee actions on systems. Internet traffic is inspected for suspicious behavior on the internal and production networks to detect the presence of traffic that might be malicious software or botnets. The analysis is performed using a combination of open source and commercial tools. A commercial correlation system is used in support of this analysis.

Iterable logs and reviews the following: 

  • Application events (Administrative access and changes to production systems and data; Access to and local download of customer data; Logon attempts/failures into the corporate network; etc.)
  • Infrastructure logs
  • Datastore audit logs

Iterable encrypts logs in transit and are encrypted at rest. All infrastructure logs as well as HIPAA application event logs are stored in a separate AWS account.  Other application event logs are stored within the same AWS account. All audit logs are sent to our SIEM as a read-only environment for all of Security and Infrastructure, with logs stored there for 6 months.

Network Security

Iterable utilizes multiple layers of defense (defense-in-depth) to help protect the virtual network from external attacks. Only authorized services and protocols that meet Iterable’s security requirements are permitted to traverse the corporate and production networks. Iterable’s network security strategy is comprised of the following components:

  • Customer PII is always encrypted at rest (AES256) and in transit (TLS 1.2) across public networks.
  • Network segregation using industry-standard firewall and access control technologies.
  • Management of network firewall and access control rules that utilize change management and peer review.
  • Restricted access to networked devices to unauthorized personnel.
  • Routing of all external traffic through custom front-end proxies to help detect and stop malicious traffic.
  • Iterable provides services that make use of Hypertext Transfer Protocol Secure (HTTPS) for more secure browser connections. Services such as app.iterable.com support HTTPS by default for customers who are signed into their account.

Vulnerability Management

Iterable follows a formal internal Vulnerability Management Policy that outlines the procedures necessary for implementing a comprehensive, integrated program to detect and remediate vulnerabilities in operating systems, applications, mobile devices, and cloud resources to maintain maximum levels of security. The policy outlines steps for vulnerability reporting, documentation, severity classification, and assignment for remediation. 

The Iterable Information Security team scans for security threats using commercially developed tools, automated and manual penetration efforts, software security reviews, and external audits and is responsible for tracking and following up on detected vulnerabilities. Iterable conducts continuous internal vulnerability scanning on the servers by the IDS.  Antivirus clients are installed on all workstations to prevent and continuously scan for malware infections. Client versioning and signatures are updated automatically as they become available.  Third party audits include an annual SOC 2 Type II + HIPAA audit, ISO 27001 audit, and Penetration testing conducted at least on an annual basis.

Physical and Environmental Security

Iterable utilizes AWS for its Infrastructure hosting needs. As a result, the physical security is maintained and enforced by Amazon. Amazon data center’s physical access is strictly controlled both at the perimeter and at building ingress / egress points by security guards and video surveillance, intrusion detection, and other logical means. Data center staff are required to use two-factor authentication a minimum of two times to access the data center floor. Only privileged employees and contractors with legitimate business needs have access to the data center.

Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels.

AICPA SOC badge Schellman ISO 27001

Talk to your CSM

Please provide your company email
Privacy Policy - By signing up, I agree with Iterable's Privacy Policy. I understand that I am signing up to Iterable Marketing emails and I can unsubscribe at any time.

Welcome Back!

Loading...

Thank you!

Thank you for contacting us, we'll be in touch shortly.