CaptivateIQ Security Policy

OVERVIEW

CaptivateIQ provides a software solution for commission management and is committed to achieving and maintaining the trust of its customers. CaptivateIQ takes trust very seriously and has systems and procedures in place which are designed to protect access to customer accounts and Customer Data (as defined below). This security measures document (this “Security Measures Summary”) provides an overview of CaptivateIQ’s data security practices and procedures regarding CaptivateIQ’s commission management software services (collectively, the “CaptivateIQ Service”). The CaptivateIQ Service does not include, and this documentation does not apply to, pilot, beta, limited release, evaluation, non-production, trial or other similar services made available by CaptivateIQ that are not generally available to CaptivateIQ’s customers. Some of the security controls for the CaptivateIQ Service that are described in this Security Measures Summary are implemented in connection with reputable security service providers and the security controls of other trusted service providers. CaptivateIQ has built programs and mechanisms to align with industry standards on security and privacy. Please contact CaptivateIQ’s sales or customer support teams to request a copy of CaptivateIQ’s relevant security audit report(s).

Please note that CaptivateIQ reserves the right to change this Security Measures Summary and the security controls contained herein from time to time, in its sole discretion, but will make the most recent version of this Security Measures Summary available to its customers upon request.

ARCHITECTURE

The CaptivateIQ Service is built on Amazon Web Services (“AWS”).  CaptivateIQ has implemented industry standard security practices for AWS and continues to advance practices to help ensure the confidentiality, integrity and availability of data that CaptivateIQ’s customers provide to CaptivateIQ through the CaptivateIQ Service (the “Customer Data”). Information about security and privacy-related audits and certifications received by AWS, including information on its ISO 27001 certification and Service Organization Control (SOC) reports, is available on the AWS Compliance Programs Website. More information about AWS’ compliance program can be found on the AWS Compliance Website and in this section of the Amazon Web Services: Risk and Compliance Whitepaper.  Details on AWS’ security program can be found on the AWS Cloud Security Website and in this Introduction to AWS Security Whitepaper. 

‍WEB APPLICATION SECURITY 

The CaptivateIQ Service is hosted on AWS and delivered via a trusted Content Delivery Network (CDN). CaptivateIQ leverages the security controls provided by these platforms, including Web Application Firewall, DDOS mitigation, and security assessments at the web and DNS (Domain Name Service) layer, to help protect against various kinds of application attacks. Services, protocols, and ports of CaptivateIQ’s systems are restricted to only those required to run the CaptivateIQ Service.

VULNERABILITY SCANS

CaptivateIQ performs frequent vulnerability scans of its systems. The discovery of any security issue is logged in a vulnerability management process and remediated as deemed appropriate based on a risk assessment of the vulnerability.

SECURITY LOGS

Logs from all systems which provide services to the CaptivateIQ Service are sent to a centralized logging service to enable security reviews and analysis for security events, such as intrusions and threats. Alerts are correlated and enhanced with threat intelligence from the industry.

INTRUSION DETECTION

CaptivateIQ reviews logs for security and performance-related events. CaptivateIQ continuously monitors the CaptivateIQ Service for unauthorized intrusions and other malicious activities leveraging industry standard tools. All events and incidents are closed out upon completed review. 

INCIDENT MANAGEMENT

Procedures and processes are in place to respond to security incidents involving unauthorized access to or disclosure of Customer Data of which CaptivateIQ becomes aware. 

ACCESS MANAGEMENT

Access management controls are enforced to prevent unauthorized access to Customer Data. Two-factor authentication (2FA) is enabled for all accounts with access to CaptivateIQ's internal systems (collectively, “CaptivateIQ Internal Systems”). Below are additional controls in place:

• Each individual shall have a unique identifier (User ID) to log in to CaptivateIQ Internal Systems.
• Each individual shall be authenticated in order to access CaptivateIQ Internal Systems.
  
• Access rights for User IDs shall be restricted to least privilege necessary to perform job responsibilities.
  

Access to CaptivateIQ Internal Systems is automatically revoked based on inactivity after a defined timeframe to reduce risk exposure and enforce the policy of least privilege access. In addition, frequent reviews are completed to help ensure that access is aligned with CaptivateIQ’s least privilege access policy. 

PHYSICAL SECURITY

The CaptivateIQ Service is hosted in production data centers that have physical, operational, and environmental security controls in place. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, and are also supported by on-site back-up generators in the event of a power failure. Physical access to the production data centers is limited to authorized personnel subject to multi-factor authentication measures and to approved third parties escorted by authorized personnel. The facilities are also monitored by on-premises security guards and protected by additional physical security measures such as surveillance and intrusion detection systems.

RELIABILITY AND BACKUP

All Customer Data entered into the CaptivateIQ Service, up to the last committed transaction, are automatically replicated on a near real-time basis at the database layer and are backed up regularly on secure, encrypted, and redundant storage.

BUSINESS CONTINUITY AND DISASTER RECOVERY

CaptivateIQ maintains business continuity and disaster recovery plans for the CaptivateIQ Service. CaptivateIQ maintains reserved instances in different regions as a backup for the failure of the primary region.

In addition, CaptivateIQ’s hosting provider (i) utilizes disaster recovery facilities that are geographically diverse from its primary data centers, along with required hardware, software, and Internet connectivity, in the event production facilities at the primary data centers were to be rendered unavailable, and (ii) has disaster recovery plans in place that are tested at least annually to validate the ability to failover a production instance from the primary data center to a secondary data center utilizing developed operational and disaster recovery procedures and documentation. CaptivateIQ also performs regular tests of its own business continuity and disaster recovery plans. 

MALWARE PROTECTION

CaptivateIQ uses software and other industry-standard measures to limit the risk of exposure to software viruses, malware and other known indicators of compromise.

DATA ENCRYPTION

Customer Data in transit is encrypted using TLS 1.2 or higher. Customer Data is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by AWS Key Management Service, and individual volume keys are stable for the lifetime of the volume. All backup files are stored in an encrypted S3 bucket in the US region.

RETENTION AND DELETION OF CUSTOMER DATA

Customer Data is deleted in accordance with CaptivateIQ’s agreements with customers.

SECURE DEVELOPMENT

CaptivateIQ has policies and mechanisms to enable developers to identify security issues (security bugs, third-party vulnerabilities, misconfigurations, etc.) in the development process. The tools utilized complete automated scans on each change and provide CaptivateIQ with information and guidance on how to remediate the issues before deployment. In addition, all changes are peer reviewed for alignment with defined secure software development practices. 

INFRASTRUCTURE AS CODE

CaptivateIQ infrastructure is built using infrastructure as code frameworks to automate the build and scale of the production workload. All code is scanned and reviewed for security and performance impacts before deployment. 

ENDPOINT SECURITY

CaptivateIQ user endpoints are managed to follow industry standards on security. In addition, policies and technical mechanisms are in place to restrict access to Customer Data from only CaptivateIQ managed endpoints.

CONTINUOUS ASSESSMENT

CaptivateIQ has enabled continuous monitoring tools to assess the security of its systems and services on a real-time basis and identify possible issues; reports of these assessments may be made available upon request. Any identified issue is reviewed and remediated as deemed appropriate based on the severity of the issue. 

OPERATIONAL AND SECURITY AUDITS

CaptivateIQ completes annual audits against SOC1 and SOC2 security requirements. Please contact CaptivateIQ’s sales or customer support teams to request a copy of such audit reports. The SOC2 Trust criteria covers the following areas:

• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed or agreed.
• Confidentiality – Information that is designated “confidential” is protected according to applicable agreements.

SECURITY ASSESSMENTS

CaptivateIQ maintains a bug bounty program to allow for security reviews of its application and infrastructure by top security researchers, with the objective to identify security bugs or misconfiguration leading to material impact on CaptivateIQ’s security controls.