Information Security

iperceptions offers its solution in a SaaS model as an annual subscription with a web-based security login. The portal application, as well as all data at rest, is hosted in an SSAE16-certified Tier-1 Data Center located in Canada. A global network of cloud-based points of presence is also used for collecting transient data such as collection and clickstream data.

To ensure business remains uninterrupted, we operate under a 99.5% SLA availability commitment. Average monthly availability was 99.9% for the period including 2014 to 2017. Production systems are configured for high availability and scalability with active 24/7 monitoring. We have a dedicated Online Operations Team that can be reached 24/7 through the Technical Emergency Hotline. The company also maintains a Business Continuity Plan (BCP).

Customer data is one of the most valuable assets our clients have. That is why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.

Compliance and Certifications

Governance

iperceptions’ operations are governed by a formal Governance, Risk and Compliance (GRC) Information Security program, with documented Information Security and Privacy policies. Our security guidance is aligned with the Cloud Controls Matrix v3.0 (CCM) and Consensus Assessments Initiative Questionnaire v1.1 (CAI) of the Cloud Security Alliance.

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CCM is publicly accessible material that documents the security controls provided for cloud computing offerings. We have completed the Consensus Assessment Initiative Questionnaire, based on the results of our due diligence self-assessment. The completed questionnaire can be made available for review upon request. 

Policies

We have Information Security policies in place that cover the following areas: Compliance, User Training, Personnel Screening, Code of Conduct, Logical Access, Network Security, Incident Response Handling, Information Systems Development and Maintenance, Information Governance, Information Exchange, Encryption Management, Audits & Reviews and Hosting Security. Information Security policies are formally acknowledged by employees and suppliers and training is provided yearly. Regular assessment reviews of our suppliers’ Information Security posture are conducted and documented.

Physical security

iperceptions’ virtual and physical servers are hosted at Tier I, SSAE-16, or ISO 27001 compliant facilities. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both iperceptions and the co-location providers. The latest compliance reports can be made available for review upon request.

Network security 

Our network is protected by redundant ICSA-certified layer 7 firewalls, best-of-class router technology, regular audits, network and application layer DoS protection and correlated multi-layer threat scanning that monitors for malicious traffic and network attacks. Appropriate logs and automatic alerts are maintained on all network systems.

Transmission security

All communications with iperceptions servers are encrypted using industry standard TLS. For email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers. VPN access is granted only on an as-needed basis, and employees use a VPN with token-based three-factor authentication to connect with our systems. Automated transmission of data files and deliverables is performed through secure FTPS, SFTP or HTTPS.

Access control 

All access to data within iperceptions is governed by access rights and authenticated by username and password. Our security architecture ensures need-to-know segregation of customer data, and additional access controls include network IP restrictions. iperceptions’ Online Operations Team as well as specific members of our Development Team are the only individuals with access to iperceptions’ servers and production databases. Other iperceptions employees do not have access to iperceptions’ production servers.

Application security

iperceptions’ SaaS platform follows industry best practices on secure credential storage by storing hashed and salted passwords. The platform supports task-based granular access privileges and configurable authentication settings for the duration of session inactivity time-outs, password length, complexity, expiry, limited number of retries and two-step login verification. It also maintains a robust application audit log that includes security events such as user logins or configuration changes.

We sub-contract yearly manual application penetration tests.

Data Security

Archived data and backups are treated with the same level of care as active data, and access to backups and to the restoration process is restricted. We maintain a disposition process for records and media. Hard copy media, such as paper, are shredded and/or destroyed beyond reconstruction. All data storage is properly sanitized before destruction or redeployment.

Incident management

We maintain a process that enforces notification to the affected customer within twenty-four (24) hours of an incident related to the security of information that likely or effectively resulted in wrongful access to data. Security incidents include the following: unauthorized physical access or breach, unauthorized logical access or breach, malware, DoS, breach of confidentiality, and systems access by an employee or contractor without appropriate clearance for such access or who otherwise uses the systems inappropriately. Clients will be notified of the approximate date and time of the incident, and will be provided with a summary of all relevant facts as well as of actions taken to rectify the processes and any negative impact of the incident.

Privacy

iperceptions’ privacy policy is published on its website. The policy identifies the information gathered, how it is used, with whom it is shared and the individual's ability to control the dissemination of information.

iperceptions uses cookies and session storage on its websites, on its customers' visitors' browsers, as well as on SaaS portal end-users' browsers. iperceptions' cookies policy is published on its website.

Contact Us

We welcome any further questions, are happy to provide clarifications when needed and are open to audits by our customers. Please contact legal@iperceptions.com