Vintra’s Corporate Trust Commitment - Vintra is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).

Services Covered - This documentation describes the architecture of, the security- and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to, the services provided by Vintra.

1. SECURITY, PRIVACY, AND ARCHITECTURE
1.1. Architecture and Data Segregation. The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides an effective logical data separation for different customers via customer-specific unique identifiers and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
1.2. Control of Processing. Vintra has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer throughout the entire chain of processing activities carried out by Vintra and its subprocessors, such as customer support and analytics providers. In particular, Vintra and its affiliates have entered into written agreements with their subprocessors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with these obligations, as well as the technical and organizational security measures implemented by Vintra and its subprocessors, is subject to regular audits.
1.3. Third-Party Functionality. The Covered Services may be fronted by third-party providers other than AWS that provide resilience, analytics, security or latency improvements (such as load balancers, content delivery networks and DDoS mitigation services) and which may hold caches of Customer Data or logs describing usage of the Covered Services. Additionally, a portion of customer support for the Covered Services is provided using third-party technology, which may involve data, including screenshots of customers’ instances of the Covered Services, being hosted on the third party’s infrastructure.
1.4. Audits and Certifications. The following security and privacy-related audits and certifications are applicable to the Covered Services:
● EU-U.S. and Swiss-U.S. Privacy Shield certification (expected in Q2 2018): Customer Data submitted to the Covered Services is within the scope of an annual certification to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce. The certification will be available at https://www.privacyshield.gov by searching under “Vintra” from Q2 2018.
● Service Organization Control (SOC) reports: Vintra’s information security control environment applicable to the Covered Services undergoes an independent evaluation in the form of a SOC 2, Type II report. Additionally, the Covered Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and/or application security assessments, on at least an annual basis.
● Audits and certifications received by AWS, which hosts the Covered Services (see the next item): ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 and SOC 3.
● Vintra uses infrastructure provided by a third party, Amazon Web Services, Inc. (“AWS”), to host Customer Data submitted to the Covered Services. Information about the security and privacy-related audits and certifications received by AWS, including those listed above and details of AWS’ ISO 27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Website and the AWS Compliance Website.
1.5. Security Controls. The Covered Services include a variety of security controls, including:
● Unique user identifiers (user IDs), so that activities can be attributed to the responsible individual;
● Minimum password length requirements;
● Password complexity requirements for Web and mobile access to the Covered Services;
● Two-factor authentication for Vintra personnel’s access to the third-party hosting services on which the Covered Services run; and
● Web and mobile access to the Covered Services mediated by authentication and authorization frameworks.
1.6. Security Policies and Procedures. The Covered Services are operated in accordance with the following policies and procedures to enhance security:
● User passwords are stored as salted hashes and are never transmitted in the clear;
● User access log entries are maintained, containing the date, time, URL executed or entity ID operated on, operation performed (viewed, edited, etc.), and source IP address. Note that where a customer or its ISP uses NAT (Network Address Translation) or PAT (Port Address Translation), the logged source IP address may be that of the translating gateway rather than of the individual device, or may not be available at all;
● Logs are stored securely to prevent tampering;
● Passwords are never written to logs;
● Vintra does not set default or pre-defined passwords for user accounts;
● Authentication tokens are encrypted and are never transmitted in the clear.
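The two practices in 1.6 that most often go wrong in implementation are the password store and the access log. The following is an added example, not Vintra’s code, of both together: a per-user random salt with a slow key derivation function (PBKDF2-HMAC-SHA256 and its work factor are assumptions; the page does not say which algorithm Vintra uses), constant-time verification, and an access-log record carrying the fields listed above in which sensitive request parameters are redacted before the record is built, so the submitted password can never reach the log. All identifiers and the sample login request are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# KDF parameters are illustrative (assumption: the page does not state which
# algorithm or work factor Vintra uses). PBKDF2-HMAC-SHA256 with a per-user
# random salt is the pattern "salted hash" refers to.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16

# Request parameters that must never appear in an access-log entry.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_secret"}


def hash_password(password: str) -> str:
    """Hash a password with a fresh random salt.

    The result is self-describing (kdf$iterations$salt$hash, salt and hash in
    hex) so the verifier can recover the salt and work factor without a side
    table, and the work factor can be raised later without a migration flag.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"{KDF_NAME}${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != KDF_NAME or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_entry(user_id, operation, url=None, entity_id=None, source_ip=None, params=None) -> dict:
    """Build an access-log record with the fields listed in 1.6.

    Sensitive request parameters are replaced before the record exists, so a
    login request logs the username and URL but never the submitted password.
    source_ip stays None when the caller could not determine it.
    """
    now = datetime.now(timezone.utc)
    redacted = {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in (params or {}).items()
    }
    return {
        "date": now.date().isoformat(),
        "time": now.strftime("%H:%M:%SZ"),
        "user_id": user_id,
        "url": url,
        "entity_id": entity_id,
        "operation": operation,
        "source_ip": source_ip,
        "params": redacted,
    }


def log_line(entry: dict) -> str:
    """Serialise one entry as a single JSON line for the central log store."""
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a login attempt with the password in the form body.
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))  # False
    entry = audit_entry("u-1001", "login", url="/api/v1/login", source_ip="203.0.113.7",
                        params={"username": "alice", "password": "correct horse battery staple"})
    print(log_line(entry))  # password field reads "[REDACTED]"
```

Redacting by parameter name before the record is built, rather than scrubbing log lines afterwards, is the choice that makes "passwords are not logged" checkable: a test can assert that the serialised line never contains the secret, whichever log handler is attached.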
1.7. Intrusion Detection. Vintra, or an authorized independent third party, monitors the Covered Services for unauthorized intrusions using network-based intrusion detection mechanisms. Vintra may analyze data collected from users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
1.8. Security Logs. All Vintra systems used in the provision of the Covered Services log to a centralized syslog server (for network systems) or to AWS CloudTrail (for agentless AWS services) in order to enable security reviews and analysis.
1.9. Incident Management. Vintra maintains incident management policies and procedures. To the extent permitted by law, Vintra notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Vintra or its agents of which Vintra becomes aware.
1.10. User Authentication. Access to the Covered Services, directly or via the Vintra API, requires a valid user ID and password combination or an API key/secret pair, both of which are protected by TLS in transit. Every user ID is associated with exactly one customer. For API access, each request requires authentication and authorization and is tied to a specific customer and user session. Once authenticated, every request must carry a valid session ID that is bound to that customer ID.
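The tenant isolation of 1.1 and the session binding of 1.10 are the same control seen from two sides: a session is bound to exactly one customer when it is created, and every later request is authorized against the customer that owns the requested entity. The block below is an added example, not Vintra’s code, of that check with an API key/secret lookup in front of it. The customer, user and entity identifiers, the in-memory tables and the key/secret values are all constructed; the real schema is not on the page.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption: real identifiers and schema are not on the page).
# API secrets are stored only as SHA-256 digests so a read of this table does not
# yield usable secrets.
API_KEYS = {
    "key_acme_01": ("cust-acme", hashlib.sha256(b"acme-secret-001").hexdigest()),
    "key_globex_01": ("cust-globex", hashlib.sha256(b"globex-secret-001").hexdigest()),
}
# Each user ID belongs to exactly one customer (1.10).
USERS = {"alice": "cust-acme", "bob": "cust-globex"}
# Each stored entity belongs to exactly one customer; this is the tenant boundary of 1.1.
ENTITIES = {"cam-100": "cust-acme", "cam-101": "cust-acme", "cam-200": "cust-globex"}


def authenticate_api(key_id: str, secret: str):
    """Return the customer_id that owns key_id if secret matches, else None."""
    record = API_KEYS.get(key_id)
    presented = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    # Compare against a dummy digest for unknown keys so the timing of the
    # response does not reveal whether key_id exists.
    expected = record[1] if record else "0" * 64
    ok = hmac.compare_digest(presented, expected)
    return record[0] if (ok and record) else None


class SessionStore:
    """Random session IDs bound to (customer_id, user_id) at creation.

    The customer is taken from the user record, never from the request, so a
    client cannot choose which tenant its session belongs to.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str):
        customer_id = USERS.get(user_id)
        if customer_id is None:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (customer_id, user_id)
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)


def authorize(store: SessionStore, sid: str, entity_id: str):
    """Return (customer_id, user_id) if the session may operate on entity_id.

    Returns None for an unknown session, an unknown entity, and an entity that
    belongs to another customer. The last two are deliberately indistinguishable
    so a probing client cannot learn which IDs exist in other tenants.
    """
    session = store.lookup(sid)
    if session is None:
        return None
    customer_id, user_id = session
    if ENTITIES.get(entity_id) != customer_id:
        return None
    return customer_id, user_id


if __name__ == "__main__":
    store = SessionStore()
    print(authenticate_api("key_acme_01", "acme-secret-001"))    # cust-acme
    print(authenticate_api("key_acme_01", "globex-secret-001"))  # None
    sid = store.create("alice")
    print(authorize(store, sid, "cam-100"))  # ('cust-acme', 'alice')
    print(authorize(store, sid, "cam-200"))  # None: owned by cust-globex
```

The ownership check compares the entity’s owner with the customer recorded in the session, never with a customer ID supplied in the request; a request that names another tenant’s entity ID gets the same answer as one naming an entity that does not exist.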
1.11. Physical Security. Production data centers used to provide the Covered Services have access control systems. These systems permit only authorized personnel to have access to secured areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, have implemented physical access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
1.12. Reliability and Backup. All networking components, load balancers, web servers, and application servers are architected for global resilience. Customer Data submitted to the Vintra Web UI is stored on geographically disparate cloud data systems for higher availability and is backed up daily. All Customer Data submitted to the Vintra Data Collection services is stored on highly durable, redundant network storage services supplied by AWS.
1.13. Disaster Recovery. Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. Vintra has disaster recovery procedures in place which provide for backup of critical data and services. A system of recovery processes exists to bring business-critical systems for the Covered Services back online within a brief period of time.
1.14. Viruses. Vintra uses commercially reasonable efforts to ensure that each Covered Service is free of viruses. Customer acknowledges that not all viruses can be detected by virus scanning programs and, therefore, Vintra does not represent or warrant that the Covered Service(s) will be virus free.
1.15. Analytics. Vintra may track and analyze the usage of the Covered Services for the purposes of security and of helping Vintra improve both the Covered Services and the user experience in using the Covered Services. Vintra may share anonymous usage data with Vintra’s service providers for the purpose of helping Vintra in such tracking, analysis and improvements. Additionally, Vintra may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.