- Vintra is committed to achieving and maintaining the trust of its customers. Integral to this mission is providing a robust security and privacy program that carefully addresses data protection matters across our suite of services, including data submitted by customers to our services.
- This documentation describes the architecture of, the security- and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to the services provided by Vintra.
1.1. Architecture and Data Segregation.
The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides an effective logical data separation for different customers via unique identifiers and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
1.2. Control of Processing.
Vintra has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by Vintra and its subprocessors, such as customer support and analytics providers. In particular, Vintra and its affiliates have entered into written agreements with their subprocessors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with such obligations, as well as the technical and organizational data security measures implemented by Vintra and its subprocessors, is subject to regular audits.
1.3. Third-Party Functionality.
The Covered Services may be fronted by third-party providers, other than AWS, that provide resilience, analytics, security or latency improvements (such as load balancers, content delivery networks and DDoS mitigation services), which may hold caches of Customer Data or logs of usage of the Covered Services. Additionally, a portion of customer support for the Covered Services is provided using third-party technology, which may contemplate data, including screenshots of customer instances of the Covered Services, being hosted on the third party’s architecture.
1.4. Audits and Certifications.
The following security and privacy-related audits and certifications are applicable to the Covered Services:
● EU-U.S. and Swiss-U.S. Privacy Shield certification (expected in Q2 2018): Customer Data submitted to the Covered Services is within the scope of an annual certification to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce. The certification will be available at https://www.privacyshield.gov by searching for “Vintra” in Q2 2018.
● Service Organization Control (SOC) reports: Vintra’s information security control environment applicable to the Covered Services undergoes an independent evaluation in the form of a SOC 2 report. Additionally, the Covered Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and/or application security assessments, on at least an annual basis.
● ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3.
● Vintra uses infrastructure provided by a third party, Amazon Web Services, Inc. (“AWS”), to host Customer Data submitted to the Covered Services. Information about security and privacy-related audits and certifications received by AWS, including those listed in Section 4.4 and information on ISO certifications and Service Organization Control (SOC) reports, is available from the AWS Security Website and the AWS Compliance Website.
1.5. Security Controls
The Covered Services include a variety of security controls. These controls include:
● Unique user identifiers (user IDs) to help ensure that activities can be attributed to the responsible individual;
● Password length controls;
● Password complexity requirements for Web and mobile access to the Covered Services;
● Two-Factor Authentication for access by the Covered Services to their third-party hosting services;
● Web and mobile access to the Covered Services via authorization and authentication frameworks.
1.6. Security Policies and Procedures
The Covered Services are operated in accordance with the following policies and procedures to enhance security:
● User passwords are stored using a salted hash format and are not transmitted unencrypted;
● User access log entries will be maintained, containing date, time, URL executed or entity ID operated on, operation performed (viewed, edited, etc.), and source IP address. Note that the source IP address may not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by the customer or its ISP;
● Logs are stored securely to prevent tampering;
● Passwords are not logged;
● No defined passwords are set by Vintra;
● Authentication tokens are encrypted and not transmitted unencrypted.
1.7. Intrusion Detection
Vintra, or an authorized independent third party, will monitor the Covered Services for unauthorized intrusions using network-based intrusion detection mechanisms. Vintra may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
1.8. Security Logs
All Vintra systems used in the provision of the Covered Services log to a centralized syslog server (for network systems) or AWS’ CloudTrail system (for agentless AWS services) in order to enable security reviews and analysis.
1.9. Incident Management
Vintra maintains incident management policies and procedures. Vintra notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Vintra or its agents of which Vintra becomes aware, to the extent permitted by law.
1.10. User Authentication
Access to the Covered Services, directly or via the Vintra API, requires a valid user ID and password combination, or an API key/secret, both of which are encrypted via TLS during transmission. Every user ID is associated with exactly one customer. For API access, each request requires authentication and authorization and is tied to a specific customer and user session. Once authenticated, all requests are required to have a valid session ID unique to the customer ID.
1.11. Physical Security
Production data centers used to provide the Covered Services have access control systems. These systems permit only authorized personnel to have access to secured areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, have implemented physical access screening and controlled access, and are also supported by on-site back-up generators in the event of a power failure.
1.12. Reliability and Backup
All networking components, load balancers, web servers, and application servers are architected for global resilience. Customer Data submitted to the Vintra Web UI is stored on geographically disparate cloud data systems for higher availability. All Customer Data submitted to the Vintra Web UI is backed up daily. All Customer Data submitted to the Vintra Data Collection services is stored on highly durable and redundant network storage services supplied by AWS.
1.13. Disaster Recovery
Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. Vintra has disaster recovery procedures in place which provide for backup of critical data and services. A set of recovery processes exists to bring business-critical systems for the Covered Services back online within a reasonable period of time.
Vintra uses commercially reasonable efforts to ensure that each Covered Service is free of viruses. Customer acknowledges that not all viruses can be detected by virus scanning programs, and therefore Vintra does not represent or warrant that the Covered Service(s) will be virus free.
Vintra may track and analyze the usage of the Covered Services for the purposes of security and helping Vintra improve both the Covered Services and the user experience in using the Covered Services. Vintra may share anonymous usage data with Vintra’s service providers for the purpose of assisting Vintra in such tracking, analysis and improvements. Additionally, Vintra may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.