Information Security Notice
Updated: February 2021
Data Confidentiality, Protection, and Access
The Siteimprove Suite supports the latest recommended secure cipher suites and protocols to encrypt traffic in transit. Confidential Customer Data is encrypted at rest.
Data Retention and Backup
Siteimprove will store Customer data for the duration of the contractual agreement. In other words:
- As long as the customer has a contractual agreement with Siteimprove, we process and retain the specific customer's data.
- As soon as the duration of the contractual agreement between Siteimprove and a specific customer has ended, we start deleting the specific customer data, thus ending the retention period no later than 90 days from termination.
Siteimprove will retain some customer information after contract termination, due to legal and financial requirements.
When the contractual agreement with Siteimprove is terminated, the following will happen:
- The tables in the database, containing the customer results, history and specific customizations to the Siteimprove Suite will be dropped
- Crawled website data (HTML) and/or any linked documents (such as PDF files) will be deleted
- Elimination from backup scheme is initiated; due to the backup frequency and the technical setup, Customer Data will be fully rolled out of the backup scheme 90 days after initiation
Backup of Customer and non-customer data is done on a regular and frequent basis, depending on the data in scope. Backup material is encrypted and transferred to an offsite location, which is part of the Siteimprove infrastructure.
Personal data belonging to Customers will be stored, processed and backed up in the EU components of the Siteimprove infrastructure.
For customers having their internet-facing website serviced by Siteimprove - the customer's internet-facing website is public domain, making it open to anybody with access to the internet. Customers should keep in mind that, if not otherwise technically enforced, the internet-facing website will be crawled with no authorization or notice by crawling bots from projects such as Archive.org, Archive.is or search engines, which will retain the data indefinitely, if not otherwise specified. Siteimprove crawls customer internet-facing website data based on the contractual agreement, but it should be noted that this can be done by virtually anybody with access to the internet. More specific information on crawling can be found in the Siteimprove Crawler FAQ section of the KnowledgeBase.
Access to Customer Data
The operation of the Siteimprove services requires that some employees have access to the systems which store and process Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. Technical controls and audit policies are in place to ensure that any access to Customer Data is controlled and logged.
User Management within the Siteimprove Suite
The customer is responsible for user management within the Siteimprove services. Access roles and rights within the application are predefined and detailed in the User Roles Right section of the KnowledgeBase. There is a minimum password policy in place, but this must be configured by the customer; more information can be found in the Password Policy FAQ section of the KnowledgeBase. There is also a possibility to create additional user roles.
User Management in Siteimprove
Access to sensitive or critical information processing facilities is managed in accordance with the need to know and least privilege principles, ensuring that access is granted only to resources that require it to perform their duty. The assignment of access privileges must be based upon current job function responsibilities. Logs are centralized into separate information systems, which only staff with a relevant business need have access to.
Logging is used to troubleshoot and monitor Siteimprove systems for abnormal functional patterns, suspicious behavior and other activities non-compliant with the existing legislation and Information Security policy.
Data storage, Infrastructure and Physical Security
The environment that hosts the Siteimprove services maintains multiple certifications for its data centers, including ISO 27001 compliance and SOC reports. This environment is globally distributed as detailed below.
Amazon Web Services (AWS)
Personnel Practices and Security Awareness
Prior to employment, candidates will be assessed and checked on their background, considering the position they will hold and the applicable law and regulations. Siteimprove has offices in many locations around the world and has HR resources who are familiar with local requirements. Criminal checks of employees prior to starting are normally only done for US employees.
Employees will be made aware of Security threats and practices during onboarding as well as on an ongoing basis. Upon employment, the employee signs off on the IT policy and code of conduct acknowledging that they have read and understood the document which is the basic set of rules which all employees must comply with. All personnel are required to sign a Confidentiality Agreement as a condition of employment.
Any violation of Siteimprove policies, procedures or code of conduct may result in disciplinary actions.
Siteimprove maintains a Master Disaster Recovery Plan that is directly linked with individual Disaster Recovery plans for critical systems and is updated at least once every 12 months.
Network and Host Protection
To ensure the protection of information in networks, there is a 2nd generation firewall installed with Deep Packet Inspection (DPI) and an Intrusion Prevention System (IPS).
Siteimprove uses industry standard endpoint protection which relies on signature and heuristic based detection. Servers are restricted to run only the services they are intended to.
For user endpoints, Siteimprove has centrally managed patch management of OS, software, endpoint protection and automatic deployment capabilities for applications and services.
For servers, Siteimprove has the capability to rapidly patch vulnerabilities across all our computing devices, applications and systems. Patches are assessed before being applied to production infrastructure equipment to minimize the risk of service disruption.
Security Auditing and Vulnerability Management
To continuously assure a reliable and secure product for its customers, Siteimprove has its application suite tested for security vulnerabilities, both internally and externally.
Internally, this is done through quality checks before each release as well as 'bug hunting' sessions, where Siteimprove’s developers will try out new features to discover if the application is not responding as it should. Specifically, for externally facing components and assets that support Siteimprove customers, we have vulnerability scans performed on a quarterly basis and from a grey-box perspective.
Externally, this is done by a 3rd party entity that specializes in penetration testing services. The process concludes with a vulnerability report which will serve as input for the development of the application. This process is repeated every 6-9 months to verify that previously discovered vulnerabilities have been fixed and to uncover new vulnerabilities. The detailed vulnerability report as well as the detailed plan for fixing the vulnerabilities will not be shared with external parties due to the confidentiality of its contents. Siteimprove can provide to customers, upon request and a signed NDA, a high-level summary proving the fact that the penetration test has been done by a 3rd party entity.
Security Incident Response and Data Breach Notification
As part of the information security policy, Siteimprove maintains a Security Incident response plan that is based on guidelines from NIST (800-61).
Siteimprove commits to a notification via email to affected data controllers (customers/partners), specifically to the primary business contact registered upon contract signing, as soon as possible but no later than 48 hours after reasonable suspicion of a Data Breach. If there is an operational impact, an update can also be seen on status.siteimprove.com.
3rd Party Security
In order to conduct business in an effective way, Siteimprove collaborates with various vendors that are assessed based on the criticality and risk of the products and services being provided. Confidentiality clauses are standard in supplier contracts. Data-processing agreements and model contract clauses are used to further ensure a secure collaboration.