Security & Compliance Overview

General Compliance Program Protocols

Iterable has established a security program that demonstrates its commitment to compliance with all laws, regulations, and ethical standards that apply to the conduct of its business and to its role as a Growth Marketing Platform. Employment is conditioned on pre-hire screening and background checks, and on adherence to Iterable’s security standards. Iterable provides its employees with the tools they need to meet the requirements of applicable laws and of the standards Iterable has established. As the regulatory landscape continues to change, all employees are expected to comply with the letter, as well as the spirit, of all laws, regulations, and Iterable policies affecting business operations. Iterable’s security program includes:

Access Control

To secure sensitive data assets (e.g., PII), Iterable employs a number of authentication and authorization controls designed to protect against unauthorized access.

Data Asset Management

Iterable’s data assets, which comprise customer PII as well as corporate data, are governed by Iterable’s security policies and procedures. All Iterable personnel handling these data assets are required to comply with those policies and procedures, which have been drafted to comport with several regulations, including the General Data Protection Regulation (“GDPR”).

Information Assets – Each layer of the Iterable application and storage stack requires that requests coming from other components are always authenticated and authorized. Service-to-service authentication is based on a security protocol built on X.509 certificates issued by a well-known certificate authority. Access by production application administrative engineers to production environments is controlled in the same way: a centralized identity management platform defines and controls personnel access to production services using an extension of that protocol, in which each person is authenticated by a persistent, unique X.509 certificate; issuance of those certificates is in turn gated by multi-factor authentication. All connections to production environments pass through Virtual Private Network (“VPN”) proxies, which provide AES 256-bit encryption as well as centralized auditing of connections to production environments.
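The two checks the passage describes, authenticating a request by the caller's X.509 certificate and then authorizing it for the target service, can be modelled directly with Go's standard library. The block below is an added example and is not Iterable's code. It assumes a private internal CA rather than a public one, TLS with client certificates (mTLS) as the transport, and a constructed allowlist (`acl`) with the service names `campaign-api`, `analytics-worker` and `profile-store` chosen for illustration. It builds the CA and certificates in memory, then shows a CA-issued certificate passing both checks, a CA-issued certificate that is authenticated but not authorized, and a self-signed certificate that claims a trusted name and is rejected; `serverConfig` shows how the same policy is wired into a `tls.Config`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 certificate for cn: self-signed when parent is nil, otherwise signed by parent (the CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // service leaf: name in the SAN, usable for client and server authentication
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// authenticatePeer: the caller's certificate must chain to the internal CA, be within its
// validity period and be valid for client authentication; its identity is the CommonName.
func authenticatePeer(trusted *x509.CertPool, leaf *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("caller %q not authenticated: %w", leaf.Subject.CommonName, err)
	}
	return leaf.Subject.CommonName, nil
}

// acl is a constructed allowlist of which authenticated identities may call which service.
var acl = map[string]map[string]bool{"profile-store": {"campaign-api": true}}

func authorize(target, caller string) error {
	if !acl[target][caller] {
		return fmt.Errorf("caller %q not authorized for %q", caller, target)
	}
	return nil
}

// admit is what a receiving service runs on each inbound connection: authenticate, then authorize.
func admit(trusted *x509.CertPool, target string, leaf *x509.Certificate) (string, error) {
	id, err := authenticatePeer(trusted, leaf)
	if err != nil {
		return "", err
	}
	if err := authorize(target, id); err != nil {
		return "", err
	}
	return id, nil
}

// serverConfig wires the same policy into a TLS listener: ClientCAs limits trust to the internal CA,
// RequireAndVerifyClientCert rejects callers without a valid certificate, VerifyConnection applies the allowlist.
func serverConfig(trusted *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey, target string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error { // a verified peer cert is guaranteed by ClientAuth above
			return authorize(target, cs.PeerCertificates[0].Subject.CommonName)
		},
	}
}

// scenario builds a constructed in-memory PKI: the internal CA, two services it issued, and a rogue self-signed cert.
func scenario() (pool *x509.CertPool, good, unauthorized, rogue *x509.Certificate) {
	ca, caKey := issue("internal-service-ca", true, nil, nil)
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	good, _ = issue("campaign-api", false, ca, caKey)
	unauthorized, _ = issue("analytics-worker", false, ca, caKey) // valid cert, not on the ACL
	rogue, _ = issue("campaign-api", false, nil, nil)             // right name, wrong issuer
	return pool, good, unauthorized, rogue
}
```

Call `scenario()` and pass each certificate to `admit` with target `profile-store`: only `campaign-api` is admitted, `analytics-worker` authenticates but fails authorization, and the self-signed `campaign-api` fails authentication with an unknown-authority error despite carrying a trusted name. In a deployment, `tls.RequireAndVerifyClientCert` with `ClientCAs` performs the chain check during the handshake and `VerifyConnection` performs the allowlist step, so a caller whose certificate was not issued by the internal CA never reaches application code. Certificate revocation (CRL or OCSP checks) is not shown and would need to be added to `authenticatePeer`.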

Media Disposal

When a storage device (physical or virtual) reaches the end of its useful life, Iterable’s procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. Iterable uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standard practices.

Monitoring and Auditing

Iterable’s compliance monitoring and auditing program reviews the policies and procedural guidance used by departments through interviews, ride-alongs, and observations, and assesses awareness of and adherence to those policies and procedures. Through its monitoring and auditing efforts, Iterable ensures that its representatives are adequately trained and equipped to carry out Iterable’s external and internal goals while adhering to all required laws, regulations, and guidance documents.

Iterable’s security monitoring program analyzes information gathered from internal network traffic and from employee actions on systems. Internet traffic to and from the internal and production networks is inspected for suspicious behavior that might indicate malicious software or botnet activity. The analysis is performed using a combination of open source and commercial tools, supported by a commercial event correlation system.

Network Security

Iterable uses multiple layers of defense (defense in depth) to help protect its virtual network from external attacks. Only authorized services and protocols that meet Iterable’s security requirements are permitted to traverse the corporate and production networks. Iterable’s network security strategy comprises the following components:

Physical and Environmental Security

Iterable uses Amazon Web Services (AWS) for its infrastructure hosting needs; as a result, physical security is maintained and enforced by Amazon. Physical access to Amazon data centers is strictly controlled both at the perimeter and at building ingress and egress points by security guards, video surveillance, intrusion detection, and other electronic means. Data center staff are required to pass two-factor authentication a minimum of two times to access the data center floor. Only authorized employees and contractors with a legitimate business need have access to the data centers.

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system uses smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide backup power for critical and essential loads in the facility in the event of an electrical failure, and generators provide backup power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels.

Vulnerability Management

Iterable’s Information Security team is responsible for managing vulnerabilities in a timely manner. The team identifies vulnerabilities using commercially developed scanning tools, automated and manual penetration testing, software security reviews, and external audits, and is responsible for tracking and following up on detected vulnerabilities.

Trust and Assurance

Iterable’s Trust and Assurance Program encompasses transparency, due diligence, and accuracy in alignment with SOC 2 and GDPR governance.