Security statement

Last updated: November 2017

Data confidentiality, protection and access

Data encryption

The Siteimprove Suite supports the latest recommended secure cipher suites and protocols to encrypt traffic in transit. Confidential Customer Data is encrypted at rest.

Data retention and backup

Siteimprove will store Customer data for the duration of the contractual agreement. In other words :

  • As long as the customer has a contractual agreement with Siteimprove, we process and retain the specific customers data.
  • As soon as the duration of the contractual agreement between Siteimprove and a specific customer has ended, we delete the specific customer data , thus the retention period for the specific customer ends.

 Siteimprove will retain some customer information after contract termination, due to legal and financial requirements.

When the contractual agreement with Siteimprove is terminated, the following will happen:

  • The tables in the database, containing the customer results, history and specific customizations to the Siteimprove Suite will be dropped
  • Crawled website data ( HTML ) and/or any linked documents (such as PDF files ) will be deleted
  • Elimination from backup scheme is initiated ; due to the backup frequency and the technical setup, Customer Data will be fully rolled out of the backup scheme 30 days after initiation 

Backup of Customer and non-customer data is being done a regular and frequent basis, depending on the data in scope. Backup material is encrypted and transferred to an offsite location, which is part of the Siteimprove infrastructure. 

EU customer data will be stored, processed and backed up in the EU components of the Siteimprove infrastructure.

For customers having their internet-facing website serviced by Siteimprove -  the customers internet-facing website is public domain, making it open to anybody with access to the internet. Customers should keep in mind that, if not otherwise technically enforced, the internet-facing website will be crawled with no authorization or notice by crawling bots from projects such as Archive.org, Archive.is or search engines, which will retain the data indefinitely, if not otherwise specified.  Siteimprove crawls customer internet-facing website data based on the contractual agreement, but it should be noted that this can be done by virtually anybody with access to the internet. More specific information on crawling can be found on Siteimprove Crawler FAQ section of the KnowledgeBase

Access to customer data

The operation of the Siteimprove services requires that some employees have access to the systems which store and process Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. Technical controls and audit policies are in place to ensure that any access to Customer Data is controlled and logged.

User management within the Siteimprove suite

The customer is responsible for user management within the Siteimprove services. Access roles and rights within the application are predefined and detailed in the User Roles Right section of the KnowledgeBase. There is a minimum password policy in place, but this must be configured by the customer with more information being found on the Password Policy FAQ section of the KnowledgeBase. There is also a possibility to create additional user roles.

User management in Siteimprove

Access to sensitive or critical information processing facilities is managed in accordance with the need to know and least privilege principles, ensuring that access is granted only to resources that require it to perform their duty. The assignment of access privileges must be based upon current job function responsibilities.

Data storage, Infrastructure and physical security

The environment that hosts the Siteimprove services maintains multiple certifications for its data centers, including ISO 27001 compliance and SOC reports. This environment is globally distributed as detailed below.

Denmark

Interxion
Interxion is a ISO 27001:2013(Information Security) and ISO 22301:2012(business continuity) certified data center provider. Further information about Interxion can be found on the Interxion official website and in the Privacy Policy.

Siteimprove Headquarter
The Siteimprove Headquarter is the main central Siteimprove office storing data in a designated server room. Further information about the Siteimprove Headquarter server room can be found in the Privacy Policy.

Germany

Amazon Web Services (AWS)
Siteimprove relies on the Amazon and its services offered from Frankfurt, Germany. AWS (Amazon Web Services) is a multi-certified data center provider, including certifications like ISO 27001:2013(Information Security) and SOC 1, 2 and 3. Further information about AWS can be found on the Privacy Policy and in the AWS official website.

Personnel practices and Security Awareness

Prior to employment, candidates will be assessed and checked on their background, considering the position they will hold and the applicable law and regulations. Siteimprove has offices in many locations around the world and has HR resources who are familiar with local requirements. Criminal checks of employees prior to starting are normally only done for US employees.

Employees will be made aware of Security threats and practices during onboarding as well as on an ongoing basis. Upon employment, the employee signs off on the IT policy and code of conduct acknowledging that they have read and understood the document which is the basic set of rules which all employees must comply with. All personnel are required to sign a Confidentiality Agreement as a condition of employment.

Any violation to Siteimprove policies, procedures or code of conduct may result in disciplinary actions.

Disaster recovery

Siteimprove maintains a Master Disaster Recovery Plan that is directly linked with individual Disaster Recovery plans for critical systems and is updated at least once every 12 months.

Network and host protection

To ensure the protection of information in networks there is 2nd generation firewall installed with Deep packet inspection (DPI) and Intrusion Prevention System (IPS).

Siteimprove uses industry standard endpoint protection which relies on signature and heuristic based detection. Servers are restricted to run only the services they are intended to.

Patch management

For user endpoints, Siteimprove has centrally managed patch management of OS, software, endpoint protection and automatic deployment capabilities for applications and services.

For servers, Siteimprove has the capability to rapidly patch vulnerabilities across all our computing devices, applications and systems. Patches are assessed before applied to production infrastructure equipment to minimize the risk of service disruption.

Security auditing and Vulnerability management

To continuously assure a reliable and secure product for its customers, Siteimprove has its application suite tested for security vulnerabilities, both internally and externally.

Internally, this is done through quality checks before each release as well as 'bug hunting' sessions, where Siteimprove developers will try out new features in order to discover if the application is not responding as it should. 

Externally, this is done by a 3rd party entity that specializes in penetration testing services. The process concludes with a vulnerability report which will serve as input for the development of the application. This process is repeated every 6-9 months to verify that previously discovered vulnerabilities have been fixed and to uncover new vulnerabilities. The detailed vulnerability report as well as the detailed plan for fixing the vulnerabilities will not be shared with external parties due to the confidentiality of its contents. Siteimprove can provide to customers, upon request and a signed NDA, a high-level summary proving the fact that the penetration test has been done by a 3rd party entity. 

 

Security incident response and Data breach notification

As part of the information security policy, Siteimprove maintains a Security Incident response plan that is based on guidelines from NIST ( 800-61 ).

Siteimprove commits to a notification via email to affected parties (to the primary business contact registered upon contract signing) within 72 hours of reasonable suspicion of a Data Breach. If there is an operational impact, an update can also be seen on status.siteimprove.com

3rd party security

In order to conduct business in an effective way, Siteimprove collaborates with various vendors that are assessed based on the criticality and risk of the products and services being provided. Confidentiality clauses are standard in supplier contracts. Data-processing agreements and model contract clauses are used to further ensure a secure collaboration.