Last Update: July 17, 2017
We take privacy and security very seriously at Bizible. We built our product with this in mind from the very beginning. We comply with TrustArc/TRUSTe, EU-U.S. Privacy Shield, and U.S.-Swiss Safe Harbor.
If you are a prospective customer and need a full architecture document, please reach out to email@example.com.
Bizible Information and Data Security Policy
This Bizible Information and Data Security Policy (“IDSP”) summarizes Bizible’s handling of data and information which it collects in the course of conducting its business, including management’s role, training, confidentiality of client data, acceptable use of resources, and more (collectively, the “Information Security Program”). All Bizible staff must review this policy during on-boarding.
Bizible’s Information Security Program relies on various procedures implemented throughout Bizible’s operations, including specialized policies and procedures governing practices such as the incident response process, audits, security, and backups. This IDSP is a summary of the Information Security Program; the more detailed policies and procedures are defined as standalone documents, communicated separately to the appropriate audience on a confidential basis, and generally not shared with non-Bizible employees unless required by law or to improve Bizible’s data handling and security practices (e.g., outside consulting firms or contractors subject to confidentiality obligations). To the extent this IDSP is shared with non-Bizible employees, the individuals or entities who receive it must keep it confidential unless disclosure is otherwise allowed by Bizible in writing. To the extent this IDSP is disclosed to a non-Bizible employee (e.g., a Bizible customer), the recipient acknowledges that this IDSP does not create any warranties or covenants of any kind by Bizible unless agreed upon in a writing executed by the recipient and Bizible. Bizible may update this IDSP from time to time in its sole discretion.
Categories of Information That Bizible Handles
Bizible collects, aggregates, processes and handles a variety of types of information in connection with its business. For purposes of the Information Security Program, Bizible categorizes such information as follows:
Public data is information that may be disclosed to any person regardless of their affiliation with Bizible, i.e., data that does not require any level of protection from disclosure. Public data may be shared with a broad audience both within and outside Bizible, and no steps need be taken to prevent its distribution. Examples of public data include: press releases, news articles about Bizible or its customers, and information generally available on the Internet which is not subject to any contractual (e.g., terms of service) or legal (e.g., copyright) restrictions.
Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of Bizible without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as internal or “for Bizible eyes only” where appropriate; however, Bizible employees are trained to identify data which by its nature should be classified as internal data. Examples of internal data include: internal memos, correspondence, and corporate meeting minutes, internal e-mail correspondence, contact lists that contain information that is not publicly available, and procedural documentation that should remain internal.
It is the responsibility of the data owner and/or discloser to designate information as “confidential” where appropriate. Individuals and departments that create or circulate confidential data should clearly designate it by marking both hard copies and electronic versions of documents as confidential. Those who receive data marked as confidential should take appropriate steps to protect it.
Any unauthorized disclosure or loss of confidential data must be reported to a Bizible C-level executive. That executive, working with Bizible’s IT team, will determine whether confidential information was indeed disclosed. If confidential information was improperly disclosed, Bizible will notify affected parties as required by law, contract and/or in accordance with Bizible’s Information Security Program.
Examples of confidential data include:
- Personally identifiable information entrusted to our care that is not public data, such as the personal identifiable information of our customers;
- Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees;
- Legally privileged information; and
- Information that is the subject of a confidentiality agreement.
Bizible’s IT and software development teams use prevailing industry standards to manage the day-to-day security of the internal systems which touch upon the data and information handled by Bizible, such as default-deny rules for firewalls, intrusion detection systems and patch management.
Key processes and security checks in Bizible’s production environment are documented. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team. All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the relevant stakeholders within Bizible who are familiar with the Information Security Program.
Both scheduled and emergency changes are tested in separate environments, reviewed and approved by operations, engineering, and technical support before deployment to the production environment.
Emergency changes must be peer reviewed.
All documents, apparatus, equipment, electronic media, and other physical property are the sole property of Bizible. Employees are required to lock their systems prior to leaving the office and when bringing them to and from the office each day. All documents, materials and property will be returned to Bizible when requested. Unauthorized equipment is not allowed on the office network.
Client Data Management
All data collected by Bizible on behalf of its clients is classified as highly confidential under the Information Security Program classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.
Bizible generally prohibits copying client data on a removable media device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes (e.g., testing, trouble-shooting, improving Bizible’s products and services). All personnel who handle storage media must comply with this IDSP and the Information Security Program.
Confidential client information is generally deleted from storage media within Bizible’s control after the relationship between the client and Bizible ends. The date of deletion may vary based on a number of factors, e.g., back-up deletion schedules, legal requirements (e.g., the data is the subject of a formal legal dispute), contractual requirements, etc.
Vulnerability and Risk Management
Bizible has practices in place to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients. These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.
Manual and automated vulnerability testing is performed during the development process. During the software development process, Bizible conducts a network vulnerability scan and application vulnerability scan and penetration test of any new Bizible products and services. Bizible uses automated tools and documented procedures to build and configure systems, platforms and applications to minimize security risks. Bizible deploys security fixes to the extent a vulnerability is identified.
Bizible has in place an incident management process (“IMP”) to address data breaches and security events related to its products and services in an efficient and timely manner. The IMP describes the criteria for incident severity, defines the investigation and diagnosis workflow, and details documentation and reporting requirements.
Data breach and security incidents are escalated from the initial responders to the internal technical and security support team for evaluation and prioritization. In certain cases (e.g., as required by applicable law and/or the agreement between Bizible and the affected customer), Bizible will notify the client contacts assigned to the account as soon as possible after confirming that they are affected by a security or data breach, but in any event within 24 hours for significant events and within 2 business days for non-critical events.
Protection against Malware
Bizible workstations have antivirus software deployed with automatic updates and are scanned per policy; all Windows production external-facing web servers have anti-malware software installed and are scanned regularly; and all deployed code is scanned for malware.
Bizible tests and audits its entire Information Security Program from time to time to minimize the chance of data breaches, and no less than once per calendar year. If an audit uncovers a potential flaw in security, Bizible’s IT team will assess the scope of the problem, identify workarounds and fixes to address the problem, and ultimately resolve the problem. To the extent Bizible’s internal IT team cannot accomplish any of the foregoing, Bizible will retain an outside firm to address the issue. Bizible’s IT team is composed of C-level executives, software developers and engineers.
Confidentiality and security are a serious concern for our clients, and Bizible employees are required to sign agreements which require them to keep client information confidential. General information security training is provided to all new employees. Development and IT staff receive training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data. Violation of Bizible’s security policies can result in employee discipline, including termination. Bizible’s Human Resources department manages a formal termination process, which includes notification of IT, return of computers, and disabling of passwords. The exit interview reminds ex-employees of their remaining employment restrictions and contractual obligations. Background checks are conducted on all employees upon hire.
The Bizible service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center. Back-ups of critical client data occur at least daily. Non-anonymous data aggregated by Bizible on behalf of clients (e.g., data about our customers’ customers) is eventually deleted according to a regularly scheduled purge.
Segregation of Duties
Only authorized Bizible personnel and contractors can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.
Bizible may use contractors for development, infrastructure management, testing and other legitimate processes. Some contractors may work under the direct supervision of Bizible employees and may have access to client data in accordance with contract terms as necessary for Bizible to conduct its business.
Generally, Bizible doesn’t give suppliers direct access to client data or network/equipment management responsibility. Colocation providers have access to the facility hosting the infrastructure, and may provide remote-hands service for hardware maintenance under Bizible’s direction, but they do not have direct access to the client data network environment unless necessary to provide services to our clients, and only if such providers are subject to a confidentiality obligation.
If you have any questions, comments, or concerns regarding this Security document, please reach out to firstname.lastname@example.org.