Security Policy

Bizible's Information and Data Security Policy

Last Update: November 9, 2018

Purpose

We keep information security and data security at the top of our minds here at Bizible. We built our product with this in mind from the very beginning. Presented in this document are security standards that Bizible complies with as well as policies and procedures.

Scope and Applicability

This Bizible Information and Data Security Policy (“IDSP”) summarizes Bizible’s handling of data and information which it collects in the course of conducting its business, including, management’s role, training, confidentiality of client data, acceptable use of resources, and more (collectively, the “Information Security Program”).  All Bizible staff must review this policy during on-boarding.

Bizible’s Information and Data Security Policy relies on various procedures implemented throughout Bizible’s operations, including specialized policies and procedures governing practices such as incident response process, audits, security, and backups.  This IDSP is a summary of the Information Security Program, as more detailed policies and procedures are defined as standalone documents, and communicated separately to the appropriate audience on a confidential basis and are generally not shared to non-Bizible employees unless required by law or to improve Bizible’s data handling and security practices (e.g., outside consulting firms or contractors subject to confidentiality obligations). To the extent this IDSP is shared with non-Bizible employees, such individuals or entities who receive this IDSP must keep this IDSP confidential unless disclosure is otherwise allowed by Bizible in writing. To the extent this IDSP is disclosed to a non-Bizible employee (e.g., a Bizible customer), the recipient acknowledges that this IDSP does not create any warranties or covenants of any kind by Bizible unless agreed upon in a writing executed by the recipient and Bizible.  Bizible may update this IDSP from time to time in its sole discretion.

The IDSP should be read in conjunction with Bizible’s Privacy Policy at http://www.bizible.com/privacy (the “Privacy Policy”).

Updates to this Policy

Bizible makes routine updates to this Information and Data Security Policy and will always show the latest version with the date of the most recent update. Bizible will notify all Bizible users of changes to this policy via in-app notification in our web application.

Bizible may also change its Terms of Service (POS) and Privacy Policy on occasion. When such changes occur, all customers will be notified via an in-app notification in our web application.

From time to time, Bizible may agree to specific policies for specific customers. When these policies change, the changes will be handled through direct communication with the customer and the execution of a new document detailing the edits to the existing agreement.

Audience

These standards and policies apply to all Bizible employees, contractors, suppliers, customers, and all other users of Bizible information systems that support the operations and assets of Bizible.

Shared Responsibility

While Bizible makes every effort to fulfill our defined responsibilities, customers are ultimately responsible for the security of their data as per the Bizible’s Terms of Service. Customers are responsible for maintaining the confidentiality of their Account login information and are fully responsible for all activities that occur under their Account. As customers, you agree to immediately notify Bizible of any unauthorized use, or suspected unauthorized use of your Account or any other breach of security. If any breach is suspected, contact security@bizible.com immediately.

Background

In compliance with TrustArc/TRUSTe, EU-U.S. Privacy Shield, and Swiss-US Privacy Shield, Bizible has developed standards and policies outlining necessary responsibilities to ensure the confidentiality, integrity, and availability of Bizible’s information and information systems. All digital services route through Verizon Edgecast as our content delivery network. All data is hosted and stored securely in Microsoft Azure data centers which fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) and Cloud Control Matrix (CCM).

Roles and Responsibilities

This section provides roles and responsibilities for Bizible employees who have access to confidential data, with a responsibility for protecting the information and information systems.

Only authorized Bizible personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization. Roles are composed of: Chief Technology Officer, Information Security Team, Department Security Liaison, Authorized User.

For a full description of each role and their responsibilities, please contact security@bizible.com.

Data Classification

Bizible collects, aggregates, processes and handles a variety of types of information in connection with its business.  For purposes of the Information and Data Security Policy, Bizible categorizes such information as follows:

Public

Public data is information that may be disclosed to any person regardless of their affiliation with Bizible, i.e., data that does not require any level of protection from disclosure. Public data may be shared with a broad audience both within and outside Bizible and no steps need be taken to prevent its distribution.  Examples of public data include: press releases, news articles about Bizible or its customers, information general available on the Internet which is not subject to any contractual (e.g., terms of service) or legal (e.g., copyright) restrictions.

Internal

Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of Bizible without the permission of the person or group that created the data.  It is the responsibility of the data owner to designate information as internal or “for Bizible eyes only” where appropriate, however, Bizible employees are trained to identify data which by its nature should be classified as internal data.  Examples of Internal data include: internal memos, correspondence, and corporate meeting minutes, internal e-mail correspondence, contact lists that contain information that is not publicly available, and procedural documentation that should remain internal.

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business who created and/or disclosed such confidential information. This classification also includes data that Bizible is required to keep confidential, either by law or under a confidentiality agreement with an individual or entity unaffiliated with Bizible, such as a customer. This information should be protected against unauthorized disclosure or modification. Confidential data should be used only when necessary for business purposes or as otherwise allowed by the Privacy Policy, and should be protected both when it is in use and when it is being stored or transported.

It is the responsibility of the person using the data and/or disclosure to designate information as “confidential” where appropriate. Individuals and departments that create or circulate confidential data should clearly designate the data by clearly marking both hard copies and electronic version of documents as confidential. Those who receive data marked as confidential should take appropriate steps to protect it.

Any unauthorized disclosure or loss of confidential data must be reported a Bizible C-level executive. Such executive, working with Bizible’s IT team, will determine if confidential information was indeed disclosed. If confidential information was improperly disclosed, Bizible will notify affected parties as required by law, contract and/or in accordance with Bizible’s Information Data and Security Policy.

Bizible classifies two categories of confidential data: confidential customer data and confidential PII data.

Examples of confidential customer data include:

  • All data collected by Bizible on behalf of the customer, except for confidential PII data. This includes, but is not limited to, ads data, cost data, and CRM data.
  • Legally privileged information
  • Information that is the subject of a confidentiality agreement

Examples of confidential PII data include:

  • Personally identifiable information entrusted to our care specifically email address, IP address, and cookie IDs

Data Usage

Bizible collects information from our visitors and customers who provide it explicitly (like name, email, billing information, address, etc.) or implicitly (like web browser type and language, IP address, marketing source, etc.). The use of user data collected through our services shall be limited to the purpose of providing the services requested by the Customer.

Bizible does not sell personal information to third parties. Bizible does not use any third party personal information contained in our Customers’ customer data in ad targeting. Customers’ customer data means any and all information and content that a user submits to, or is collected through the Bizible javascript, or other online services which you connect to Bizible, or your business website.

To read up on more detail about data and privacy policies, please visit: https://www.bizible.com/privacy-policy.

Client Data Management

All data collected by Bizible on behalf of its clients is classified under the Information and Data Security Policy classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.

Bizible may publish anonymized and aggregated information from Customers’ customer data for marketing or any other lawful purpose, with the option for customer opt-out.

Bizible ensures secure transport and storage of data. Any and all transport of confidential customer data and confidential PII data is via secure connection (HTTPS) and all data is encrypted at rest. Bizible maintains logical separation of user data between customers. During the system design and development process the same stringent data management is used, and pre-production systems are deployed in identically secure environments as production.

Unless otherwise stated, confidential customer data and confidential PII data is deleted from storage mediums within 30 days after the relationship between the client and Bizible ends.

Access Control

Restricting Access

All application and database access requests should be granted by the Chief Technology Officer, reviewed by the Information Security Team, and approved by the Department Security Liaison. Access is granted based on legitimate business need based on a need-to-know principle. Access is revoked immediately upon termination.

User Access Review

Database access and permissions are reviewed on an annual basis. The Information Security Team must review accounts of Users who can access confidential data and information systems and ensure that their ability to access and level of access is appropriate.

Shared Accounts

Shared accounts is strictly prohibited under any circumstance. Unique user IDs are created for each employee. Bizible does not allow employees to access confidential data using a shared account, including but not limited to, access to the application and logging into the database.

Remote Access

This policy applies to remote access connections used to do work on behalf of Bizible, including accessing code repositories and production databases, excluding email. Remote access is disabled by default, including for Authorized Users. Permission must be explicitly approved by the Information Security Team and granted by the CTO. When accessing the Bizible network from outside of the office network, Authorized Users are responsible for preventing access to any Bizible resources or data by non-Authorized Users. Authorized Users shall protect their login and password, even from family members. While remotely connecting to Bizible’s corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control. All hosts that are connected to Bizible internal networks via remote access technologies must use the most up-to-date anti-virus software.

Performance of illegal activities through the Bizible network by any User (Authorized or otherwise) is prohibited.

Software Development Lifecycle

Purpose

Bizible has an established and formal Software Development Lifecycle Policy (“SDLC”) and supporting procedures. The policy and procedures are designed to provide the Bizible Product and Development teams with a documented and formalized SDLC that is to be adhered to and utilized throughout the organization at all times. Compliance with the stated policy and supporting procedures helps ensure the safety and security of Bizible’s system resources. Below is a brief summary of the policy. For the full version, please contact security@bizible.com.

Scope

This policy and supporting procedures encompasses all system resources that are owned, operated, maintained, and controlled by Bizible and all other system resources, both internally and externally, that interact with these systems.

  • Internal system resources are those owned, operated, maintained, and controlled by Bizible and include all network devices (firewalls, routers), workstations, and other system resources deemed in scope.
  • External system resources are those owned, operated, maintained, and controlled by any entity other than Bizible, like servers (both physical and virtual servers, along with the operating systems and applications that reside on them).

Change Management

Key processes and security checks in Bizible’s production environment are documented.  All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team.  All deployments into production or change to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the relevant stakeholders within Bizible who are familiar with the Information and Data Security Policy.

Both scheduled and emergency changes are tested in separate environments, reviewed and approved by product and development before deployment to the production environment.

Automated Testing

Manual and automated vulnerability testing is performed during the development process.  During the software development process, Bizible conducts a network vulnerability scan and application vulnerability scan and penetration test of any new Bizible products and services, and routinely runs third party tests every 12 months. If you need to obtain a copy of the latest penetration test, contact security@bizible.com.  Bizible uses automated tools and documented procedures to build and configure systems, platforms and applications to minimize security risks.  Bizible deploys security fixes to the extent a vulnerability is identified.

Application Hardening

All Bizible systems run in secure datacenters, that are managed and maintained by expert 3rd parties.  These 3rd parties provide all of our network level services, including load balancers, and network security. In addition, they provide services for intrusion detection, and DDOS.

On top of this, Bizible uses trusted 3rd party services to review and test Bizible application level code for common security threat vectors like the OWASP TOP 10. This automated testing is run weekly.

In addition, Bizible has a trusted 3rd party to perform manual and automated penetration testing. This testing is run twice per year.

Operations Security

Bizible’s IT and software development teams use prevailing industry standards to manage the day-to-day security of its internal systems which touch upon the data and information handled by Bizible, such as default deny rules for firewalls, intrusion detection systems and patch management.

Risk Assessment 

Bizible has practices in place to assist management in identifying and managing potential internal and external risks that could negatively affect the organization’s critical business processes and our ability to provide reliable services to our clients.  The approach is to understand the existing system and environment and identify risks through analysis of the information and data being collected. These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities. 

The risk assessment process must be reviewed every year in the light of new risks and technologies and must be re-issued if gaps or weaknesses are found. The Information Security Team is responsible for ensuring that annual risk assessments are performed in a timely manner and that management reviews these assessments.

This is a brief summary of the plan. For the full version, please contact security@bizible.com.

Impact Assessment

Once the assessment is complete, the report findings and expected actions are defined and documented by the Information Security team. All identified vulnerabilities are assessed for impact and criticality:

  • Low risk: If any observation is described as low risk, the Information Security team must determine whether corrective actions are still required or decide to accept the risk
  • Moderate risk: If any observation is described as moderate risk, corrective actions are needed and the Information Security Team must develop a plan to incorporate the actions within a reasonable period of time.
  • High risk: If any observation is described as high risk, there is a
    strong need for corrective measures. An existing system may
    continue to operate, but a corrective action plan must be put in place as soon as possible.

Documentation

Once the risk assessment has been completed, the results are documented in an official report and reviewed and approved by management.

Asset Management 

Personal computers and laptops are provided to all Bizible employees to perform work-related tasks. Bizible does not supply employees with mobile devices nor does it support a Bring Your Own Device (BYOD) policy.  Bizible maintains a centralized asset management platform to keep and administer an up-to-date inventory of Bizible’s assets.

Electronics Policy

All documents, apparatus, equipment, electronic media, and other physical property is the sole property of Bizible. Bizible enforces a Clean Desk Policy, where employees are required to lock their systems prior to leaving the office, or bringing them to and from the office each day. All internal or confidential data must be protected at all times from anyone who may pass by including other employees, cleaners, and office visitors. All documents, materials and property will be returned to Bizible when requested. All other unauthorized equipment is not allowed on the office network.

Removable Media Devices

Bizible prohibits copying client and confidential data on a removable media device, including flash drives, hard drives, tapes or other media. Removable media devices may be used for legitimate business purposes handling internal data such as presentations and slides, as long as no customer data is included. All personnel who handle storage media must comply with the Information Data and Security Policy.

Anti-Virus/Anti-Malware Protection

All Bizible workstations have antivirus software deployed with automatic update, and are scanned per policy.

All production services with any internet facing endpoint has anti-virus and anti-malware software installed and are scanned regularly.

Incident Management

Bizible has in place an incident management process (“IMP”) to address data breach and security events related to its products and services in an efficient and timely manner. Incidents can be identified by Users, customers, suppliers, or Bizible employees. An “incident” is a potential security or data breach which could include, but is not limited to: phishing, hacking, software piracy, cyber stalking, extortion, or threats. In certain cases (e.g., as required by applicable law and/or the agreement between Bizible and the affected customer), Bizible will notify client contacts assigned to the account as soon as possible after confirming them as being affected by a security or data breach. In compliance with the EU General Data Protection Regulation (GDPR), Bizible will also notify supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons. Bizible will also inform the data subject of the breach without undue delay unless the breach is unlikely to pose a risk to the rights and freedoms of those data subjects. 

Monitoring

Application Monitoring

All Bizible applications are monitored for both system and application level events.

Backup System Configurations

Bizible leverages Azures geo-replication features, to ensure that data is replicated transparently to our backup datacenter, in event of datacenter loss.  For database loss, Azure maintains 30 days of point in time backups for our core databases.

Intrusion Detection

Where possible, Bizible run services on subNets without inbound internet (for backend Services) or with http/s access managed by a Microsoft software gateway. These machines are required to run anti-malware, and intrusion detection software. Security incidents identified by this hardware are raised to security@bizible.com.

Audits

Bizible tests and audits its entire Information and Data and Security Policy from time to time to minimize the chance of data breaches, and no less than once per calendar year. If an audit uncovers a potential flaw in security, Bizible’s security team will assess the scope of the problem, identify workarounds and fixes to address the problem, and ultimately resolve the problem.  To the extent Bizible’s internal security team cannot accomplish any of the foregoing, Bizible will retain an outside firm to address the issue.  

Business Continuity/Disaster Recovery (BC/DR) Plan

Purpose

This purpose of the Business Continuity and Disaster Recovery Plan is to prepare Bizible in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All Bizible sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs.

The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. The scope of this plan is focused on localized disasters such as fires, floods, and other localized natural or man-made disasters, not national disasters such as nuclear war which are beyond the scope of this plan.

Below is a brief summary of the plan. For the full version, please contact security@bizible.com.

Background Information

Bizible’s core product is a software-as-a-service in which all data is hosted in Microsoft Azure datacenters located in North Central US.  Bizible headquarters in Seattle, Washington does not have any datacenters or servers on-site. As a division of Marketo, Bizible is integrated with Marketo procedures in addition to the Seattle specific procedures.

Recovery Point Objective (RPO)

Recovery Point Objective refers to the maximum allowable time that data can be lost before exceeding the threshold described in the BCP.  Bizible’s target RPO is available via to inquiry.

Recovery Time Objective (RTO)

Recovery Time Objective refers to the maximum allowable time in our BCP that Bizible’s platform can be degraded before full functionality is restored.  Bizible’s target RTO is available via inquiry.

In the event of interruption to use of Bizible premises, Bizible services should remain unaffected. Critical work from Success Managers and Development personnel can be effectively be conducted remotely while interim quarters are found and prepped. We anticipate some delay in responsiveness, during this time.

In the event of a datacenter outage, Bizible personnel will be unaffected, but there will be some level of interruption or delay in the delivery of Bizible services. In the worst case of a datacenter loss, Bizible will fail over to our backup datacenter. Note that there will be no loss of data from the outage, simply large delays in processing and delivery.

Employee Security 

Confidentiality and security is a serious concern for our clients and Bizible employees are required to sign agreements which require the employees to keep client information confidential.  Acknowledgement of the employee code of conduct (employee handbook) is required upon hire and each time updates are made. Topics covered include employee benefits, travel policy, anti-bribery/anti-corruption, privacy, physical property, clean desk policy, social engineering, and incident reporting. 

Background checks are conducted on all employees upon hire.

General information security training is provided to all new employees and repeated annually thereafter. All employees also take mandatory HIPAA and GDPR training. 

Violation of Bizible’s security policies can result in employee discipline, including termination.  Bizible’s Human Resources department manages a formal termination process, which includes notification of IT, return of computers, and disabling of passwords.  

Supplier Relationships 

Bizible may use contractors for development, infrastructure management, testing and other legitimate processes.  Some contractors may work under the direct supervision of Bizible employees and may have access to client data in accordance with contract terms as necessary for Bizible to conduct its business.

Generally,  Bizible doesn’t give suppliers direct access to client data or network/equipment management responsibility.  Colocation providers have access to the facility hosting the infrastructure, and may provide remote-hand service for hardware maintenance under Bizible’s direction, but they do not have direct access to client data network environment unless necessary to provide services to our clients, and only if such providers are subject to a confidentiality obligation.

Bizible uses exclusively established and reputable third party suppliers with respect to its IT and data handling systems, such as Microsoft (for cloud infrastructure) and Google (for e-mail hosting). 

Contact 

If you have any questions, comments, or concerns regarding this Information and Data Security Policy, please reach out to security@bizible.com.