Bizible Security Policy

Last Update: September 12, 2017

Introduction

We take privacy and security very seriously at Bizible. We built our product with this in mind from the very beginning. We comply with TrustArc/TRUSTe, EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

Product Architecture

If you are a prospective customer and need a full architecture document, please reach out to security@bizible.com.

Bizible Information and Data Security Policy

This Bizible Information and Data Security Policy (“IDSP”) summarizes Bizible’s handling of data and information which it collects in the course of conducting its business, including, management’s role, training, confidentiality of client data, acceptable use of resources, and more (collectively, the “Information Security Program”).  All Bizible staff must review this policy during on-boarding.

Bizible’s Information Security Program relies on various procedures implemented throughout Bizible’s operations, including specialized policies and procedures governing practices such as incident response process, audits, security, and backups.  This IDSP is a summary of the Information Security Program, as more detailed policies and procedures are defined as standalone documents, and communicated separately to the appropriate audience on a confidential basis and are generally not shared to non-Bizible employees unless required by law or to improve Bizible’s data handling and security practices (e.g., outside consulting firms or contractors subject to confidentiality obligations).  To the extent this IDSP is shared with non-Bizible employees, such individuals or entities who receive this IDSP must keep this IDSP confidential unless disclosure is otherwise allowed by Bizible in writing.  To the extent this IDSP is disclosed to a non-Bizible employee (e.g., a Bizible customer), the recipient acknowledges that this IDSP does not create any warranties or covenants of any kind by Bizible unless agreed upon in a writing executed by the recipient and Bizible.  Bizible may update this IDSP from time to time in its sole discretion.

 The IDSP should be read in conjunction with Bizible’s Privacy Policy at http://www.bizible.com/privacy (the “Privacy Policy”).

Categories of Information That Bizible Handles

Bizible collects, aggregates, processes and handles a variety of types of information in connection with its business.  For purposes of the Information Security Program, Bizible categorizes such information as follows:

Public

Public data is information that may be disclosed to any person regardless of their affiliation with Bizible, i.e., data that does not require any level of protection from disclosure. Public data may be shared with a broad audience both within and outside Bizible and no steps need be taken to prevent its distribution.  Examples of public data include: press releases, news articles about Bizible or its customers, information general available on the Internet which is not subject to any contractual (e.g., terms of service) or legal (e.g., copyright) restrictions.

Internal

Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of Bizible without the permission of the person or group that created the data.  It is the responsibility of the data owner to designate information as internal or “for Bizible eyes only” where appropriate, however, Bizible employees are trained to identify data which by its nature should be classified as internal data.  Examples of Internal data include: internal memos, correspondence, and corporate meeting minutes, internal e-mail correspondence, contact lists that contain information that is not publicly available, and procedural documentation that should remain internal.

Confidential

Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business who created and/or disclosed such confidential information.  This classification also includes data that Bizible is required to keep confidential, either by law or under a confidentiality agreement with an individual or entity unaffiliated with Bizible, such as a customer.  This information should be protected against unauthorized disclosure or modification.  Confidential data should be used only when necessary for business purposes or as otherwise allowed by the Privacy Policy, and should be protected both when it is in use and when it is being stored or transported.

It is the responsibility of the data owner and/or disclosure to designate information as “confidential” where appropriate.  Individuals and departments that create or circulate confidential data should clearly designate the data by clearly marking both hard copies and electronic version of documents as confidential. Those who receive data marked as confidential should take appropriate steps to protect it.

Any unauthorized disclosure or loss of confidential data must be reported a Bizible C-level executive. Such executive, working with Bizible’s IT team, will determine if confidential information was indeed disclosed.   If confidential information was improperly disclosed, Bizible will notify affected parties as required by law, contract and/or in accordance with Bizible’s Information Security Program.

Examples of confidential data include:

-          Personally identifiable information entrusted to our care that is not public data, such as the personal identifiable information of our customers;

-          Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees;

-          Legally privileged information; and

-          Information that is the subject of a confidentiality agreement.

Operations Security

Bizible’s IT and software development teams use prevailing industry standards to manage the day-to-day security of its internal systems which touch upon the data and information handled by Bizible, such as default deny rules for firewalls, intrusion detection systems and patch management.

Key processes and security checks in Bizible’s production environment are documented.  All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team.  All deployments into production or change to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the relevant stake holders within Bizible who are familiar with the Information Security Program.

Both scheduled and emergency changes are tested in separate environments, reviewed and approved by operations, engineering, and technical support before deployment to the production environment.

Emergency changes must be peer reviewed.

Electronics Policy

All documents, apparatus, equipment, electronic media, and other physical property is the sole property of Bizible. Employees are required to lock their systems prior to leaving the office, or bringing them to and from the office each day. All documents, materials and property will be returned to Bizible when requested. All other unauthorized equipment is not allowed on the office network.

Client Data Management

All data collected by Bizible on behalf of its clients is classified as highly confidential under the Information Security Program classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.

Bizible generally prohibits copying client data on a removable media device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes (e.g., testing, trouble-shooting, improving Bizible’s products and services).  All personnel who handle storage media must comply with this IDSP and the Information Security Program.

Confidential client information is generally deleted from storage mediums within Bizible’s control after the relationship between the client and Bizible ends.   The date of deletion may vary based on a number of factors, e.g., back-up deletion schedules, legal requirements (e.g., the date is subject to  a formal legal dispute), contractual requirements, etc.

Vulnerability and Risk Management

Bizible has practices in place to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients.  These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.

Manual and automated vulnerability testing is performed during the development process.  During the software development process, Bizible conducts a network vulnerability scan and application vulnerability scan and penetration test of any new Bizible products and services.  Bizible uses automated tools and documented procedures to build and configure systems, platforms and applications to minimize security risks.  Bizible deploys security fixes to the extent a vulnerability is identified.

Incident Management

Bizible has in place an incident management process (“IMP”) to address data breach and security events related to its products and services in an efficient and timely manner. The IMP describes the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements.

Data breach and security incidents are escalated from the initial responders to the internal technical and security support team for evaluation and prioritization.   In certain cases (e.g., as required by applicable law and/or the agreement between Bizible and the affected customer), Bizible will notify client contacts assigned to the account as soon as possible after confirming them as being affected by a security or data breach, but in any event within 24 hours for significant events and within 2 business days for non-critical events.

Protection against Malware

Bizible workstations have antivirus software deployed with automatic update, and are scanned per policy; all Windows production external-facing web servers have anti-malware software installed and are scanned regularly; and all deploy code is scanned for malware.

Audits

Bizible tests and audits its entire Information and Security Program from time to time to minimize the chance of data breaches, and no less than once per calendar year.  If an audit uncovers a potential flaw in security, Bizible’s IT team will assess the scope of the problem, identify workarounds and fixes to address the problem, and ultimately resolve the problem.  To the extent Bizible’s internal IT team cannot accomplish any of the foregoing, Bizible will retain an outside firm to address the issue.  Bizible’s IT team is composed of C-level executives, software developers and engineers.

Employee Security

Confidentiality and security is a serious concern for our clients and Bizible employees are required to sign agreements which require the employees to keep client information confidential.  General information security training is provided to all new employees.  Development and IT staff receive training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.  Violation of Bizible’s security policies can result in employee discipline, including termination.  Bizible’s Human Resources department manages a formal termination process, which includes notification of IT, return of computers, and disabling of passwords.  The exit interview reminds ex-employees of their remaining employment restriction and contractual obligations.  Background checks are conducted on all employees upon hire.

Disaster Recovery

The Bizible service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center.  Back-ups of critical client data occur at least daily.  Non-anonymous data aggregated by Bizible on behalf of clients (e.g., data about our customer’s customers) is eventually deleted according to a regularly scheduled purge.

Business Continuity Plan

The purpose of the Business Continuity Plan is to prepare Bizible in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All Bizible sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs. The plan identifies vulnerabilities and recommends necessary measures to prevent extended service outages. Full web version can be provided by IT.

Segregation of Duties

Only authorized Bizible personnel and contractors can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.

Supplier Relationships

Bizible may use contractors for development, infrastructure management, testing and other legitimate processes.  Some contractors may work under the direct supervision of Bizible employees and may have access to client data in accordance with contract terms as necessary for Bizible to conduct its business.

Generally,  Bizible doesn’t give suppliers direct access to client data or network/equipment management responsibility.  Colocation providers have access to the facility hosting the infrastructure, and may provide remote-hand service for hardware maintenance under Bizible’s direction, but they do not have direct access to client data network environment unless necessary to provide services to our clients, and only if such providers are subject to a confidentiality obligation.

Contact

If you have any questions, comments, or concerns regarding this Security document, please reach out to security@bizible.com.