Data Security
We are an email marketing software platform that helps organizations execute effective marketing campaigns. We are known for our industry expertise and unrivaled customer service. We empower organizations to achieve business goals through a suite of professional services, including strategic campaign consulting, email design, content strategy and more. We are also committed to securing our customers’ data to the highest degree. That’s why trust is the foundation of our privacy and data security promise to our customers.
Operational Security
Our adaptive, forward-looking measures are our promise to you.
Security team
We have a security team responsible for securing the application, identifying vulnerabilities and responding to security events.
Data storage and processing locations
We store data in a US-based cloud environment. Our cloud provider, AWS, meets critical standards that fulfill requirements of a variety of mandates, including PCI DSS, supported by third-party SSAE18/SOC attestation reports.
Security policies
We have a security policy in place aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use the NIST Cyber Security Framework to measure our ability to identify, protect against, detect, respond to and recover from security events.
Awareness and training
All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.
All employees receive security awareness and security training annually. Additional training is provided as needed based upon existing threats. Further, all new employees are required to read and acknowledge the security policy.
Physical security
We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.
Data center controls
Customer data is stored in a facility with cameras and 24-hour manned surveillance. Monitoring is performed by global Security Operations Centers (SOCs) which provide 24/7 support. Entry and exit are controlled by professional security staff, video surveillance, detection systems and other electronic means. All physical access is logged and retained. Authorized staff must use multi-factor authentication mechanisms to access the data center.
Data center compliance
Our cloud provider has certifications from accreditation bodies across geographies and verticals, including: PCI-DSS, SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018, FISMA, DIACAP, and FedRAMP.
Application security
Our application has been designed with a focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.
Security testing
Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also use a combination of regularly scheduled scans of our application and penetration testing to ensure that every area of our application has undergone rigorous security testing.
Our scheduled vulnerability assessment scans simulate a malicious user, while maintaining integrity and security of the application’s data and its availability. We may occasionally leverage the services of an external third party to perform penetration testing exercises against our platform to make sure we’ve got every angle covered.
Security controls
We protect our application using a number of security controls, including a Web Application Firewall (WAF). Our reputation is critical to our success and to our clients’ success, and therefore privacy is a cornerstone of our operations. The bottom line is that we’ll never use the information you entrust to us for purposes other than that information’s intended use. See our full privacy policy for more details.
Secure code development
We follow a continuous integration methodology for software engineering. Our development methodology and approach address security needs by undertaking code reviews as part of the code release process. All releases are deployed to our staging environment for testing before being deployed to production.
We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development. We do not use production data in our test and development environments.
Data encryption
To protect data, we encrypt information at rest, including our backups, using AES-256. We maintain encryption for data in transit over the public internet by supporting TLS 1.2 and 1.3.
User access
We offer our customers the ability to protect their accounts using multi-factor authentication. We help further protect their data by storing each account’s data under a unique identifier, which is used to retrieve data via the application or the API. Each request is authenticated and logged.
We put considerable effort into ensuring the integrity of sessions and authentication credentials. Password storage and verification are based on a one-way (hashing) method, meaning passwords are never stored in recoverable form but as a strong salted hash. Email addresses are validated against a strong salted hash that is stored along with the email.
The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API or FTP, which use secure transfer protocols.
Logging and cookie management
We use cookies for user authentication. We use session IDs to identify user connections. Those session IDs are carried in cookies marked Secure and HttpOnly, so they are sent only over HTTPS and are not accessible to JavaScript.
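The salted one-way password storage described under User access and the Secure/HttpOnly session cookie described above, shown together as an added illustration; this is example code, not the platform’s own implementation, and the scrypt parameters, the `salt$hash` storage layout and the cookie name are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factors (not from the page); tune to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 13, 8, 1, 32


def _scrypt(secret: str, salt: bytes) -> bytes:
    # One-way: the stored value cannot be reversed to recover the input.
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex' with a fresh random salt per record."""
    salt = salt or os.urandom(16)
    return f"{salt.hex()}${_scrypt(secret, salt).hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = _scrypt(secret, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hash_email(email: str) -> str:
    """Salted hash of the normalised address, stored alongside the email."""
    return hash_secret(email.strip().lower())


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: Secure (HTTPS only) and HttpOnly (hidden from JS)."""
    # Cookie name 'sid' is an assumption for this example.
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    record = hash_secret("correct horse battery staple")
    print(verify_secret("correct horse battery staple", record))  # True
    print(verify_secret("wrong password", record))                # False
    print(session_cookie_header(os.urandom(16).hex()))
```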
All key actions on the application are logged and audited. For instance, whenever our staff access an account for maintenance or support functions, such activities are logged so we can refer to them later.
Last updated: June 6, 2023