We are an email marketing software platform that helps organizations execute effective marketing campaigns. We are known for our industry expertise and unrivaled customer service. We empower organizations to achieve business goals through a suite of professional services, including strategic campaign consulting, email design, content strategy and more. We are also committed to securing our customers’ data to the highest degree. That’s why trust is the foundation of our privacy and data security promise to our customers.
Our adaptive, forward-looking measures are our promise to you.
Dedicated security team
We have a dedicated information security team, responsible for securing the application, identifying vulnerabilities and responding to security events.
Data storage and processing locations
We store data in a US-based, hybrid cloud environment. Our co-location provider, Equinix, meets critical standards that fulfill requirements of a variety of mandates, including HIPAA, PCI DSS and SOX, supported by third-party SSAE18/SOC attestation reports. In addition, we leverage AWS cloud services for data processing.
We have a security policy in place aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use the NIST Cyber Security Framework to measure our ability to identify, protect, detect, respond and recover from security events.
Awareness and training
All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.
All employees receive security awareness and security training annually. Additional training is provided as needed based upon existing threats. Further, all new employees are required to read and acknowledge the security policy.
We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.
Data center controls
Customer data is stored in an SSAE 16 facility with cameras, 24-hour manned surveillance, man-traps, biometrics, and a 24-hour Operations Service Center (OSC). Entering and exiting is controlled manually by OSC personnel and logged. Photographic ID is required and must be worn at all times in the facility.
Data center compliance
Our data center provider is certified to the following compliance standards: HIPAA, PCI-DSS, SOX and SOC 1 / 2.
Our cloud provider has the following certifications: PCI-DSS, ISO 27001, SOC 1 / 2 / 3, IRAP, ISO 27018 and ISO 9001.
Our application has been designed with a focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.
Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also use a combination of regularly scheduled scans of our application, penetration testing and bug bounty programs to ensure that every area of our application has undergone rigorous security testing.
Our scheduled vulnerability assessment scans simulate a malicious user, while maintaining the integrity and security of the application’s data and its availability. We also leverage the services of an external third party to perform a yearly penetration testing exercise against our platform to make sure we’ve got every angle covered.
Secure code development
We follow a continuous integration methodology for software engineering. Our development methodology and approach address security needs by undertaking code reviews as part of the code release process. All releases are deployed to our staging environment for testing before being deployed to production.
We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development. We do not use production data in our test and development environments.
To protect data, we encrypt information at rest, including our backups, using AES 256. We maintain encryption for data in transit over the public internet by supporting TLS 1.1 and 1.2.
We offer our customers the ability to protect their accounts using multi-factor authentication. We help further protect their data by storing each account’s data within a unique identifier, which is used to retrieve data via the application or the API. Each request is authenticated and logged.
We put considerable effort into ensuring the integrity of sessions and authentication credentials. Password storage and verification are based on a one-way encryption method, meaning passwords are stored using a strong salted hash. Email addresses are validated against a strong salted hash, stored along with the email.
The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API/FTP which uses secure transfer protocols.
Logging and cookie management
All key actions on the application are logged and audited. For instance, whenever our staff access an account for maintenance or support functions, such activities are logged so we can refer to them later.
How can I keep my Delivra account secure?
We know you care about the security of your Delivra account. So do we. Whether you received an email from us encouraging you to provide personal details or you've noticed suspicious activity, here are our top recommendations for keeping your account and personal information safe.
Use a password unique to Delivra
If you use the same password across multiple software and services, a breach on one of those systems could mean a breach on all of them. In addition to using a password that is unique to Delivra, we also recommend a password that is:
- at least 30 characters long
- a mix of uppercase letters, lowercase letters, numbers, and symbols
- something not easily guessed, like a passphrase or personal motto
Consider using a password manager service.
Give each member of your team a unique login
It’s easy to invite additional users to your account to avoid the need to share login details. Login details should be unique to each individual using Delivra.
Set up Multi-Factor Authentication
When Multi-Factor Authentication is enabled, an additional code is sent to an authenticator app on your phone that’s required to successfully log in. You can quickly set this up in the Account Settings section of your account.
Be aware of possible phishing attempts
Phishing emails are used by criminals to trick people into handing over sensitive information such as usernames, passwords, PIN numbers and credit card details.
Phishers will go to great lengths to try to take over your account or steal your personal information. They may create fake websites that look like Delivra or send emails that imitate us and ask you for personal information.
We will never send you an email asking you to provide your personal or credit card information.
Keep your computer safe
To ensure the best possible Delivra experience, it's important to keep your computer free of malware and viruses. There are signs you can look for that may indicate your computer has been infected:
- Unusually slow or sluggish computer performance
- Unexpected reboots, crashes, or freezing
If you think your computer might be infected, you can use the anti-malware, anti-adware, or anti-virus software recommended by your computer manufacturer or a trusted IT professional.
Report fraudulent or suspicious activity
At Delivra, we take fraud very seriously. If you notice suspicious activity, please contact us immediately so we can help you investigate.
Sign out of unused devices
If you are planning to get rid of a device that you previously used, you should sign out of all accounts and services that you used on the device, including Delivra.
Report security flaws to us
If you believe you've found a security vulnerability within Delivra, we urge you to inform us as quickly as possible and to not disclose the vulnerability publicly until it is fixed. We appreciate your help, and rest assured we review all security flaws submitted.
If you have questions about the privacy of your information, please see our Privacy Notice.