iPerceptions offers its solution in a SaaS model as an annual subscription with a web-based, secured login. The portal application, as well as all data at rest, is hosted in an SSAE 16-certified Tier-1 data center located in Canada. A global network of cloud-based points of presence is also used for collecting transient data such as collection and clickstream data.
To ensure business remains uninterrupted, we operate under a 99.5% SLA availability commitment; average monthly availability was 99.9% over the period covering 2014, 2015 and 2016. Production systems are configured for high availability and scalability with active 24/7 monitoring. We have a dedicated Online Operations Team that can be reached 24/7 through the Technical Emergency Hotline. The company also maintains a Business Continuity Plan (BCP).
Customer data is one of the most valuable assets our clients have. That is why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.
Compliance and Certifications
iPerceptions’ operations are governed by a formal Governance Risk and Compliance (GRC) Information Security program, with documented Information Security and Privacy policies. Our security guidance is aligned with the Cloud Controls Matrix v3.0 (CCM) and Consensus Assessments Initiative Questionnaire v1.1 (CAI) of the Cloud Security Alliance.
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CCM is publicly accessible material that documents the security controls provided for cloud computing offerings. We have completed the Consensus Assessment Initiative Questionnaire, based on the results of our due diligence self-assessment. The completed questionnaire can be made available for review upon request.
We have Information Security policies in place that cover the following areas: Compliance, User Training, Personnel Screening, Code of Conduct, Logical Access, Network Security, Incident Response Handling, Information Systems Development and Maintenance, Information Governance, Information Exchange, Encryption Management, Audits & Reviews and Hosting Security. Information Security policies are formally acknowledged by employees and suppliers and training is provided twice a year. Regular assessment reviews of our suppliers’ Information Security posture are conducted and documented.
iPerceptions’ virtual and physical servers are hosted at Tier I, SSAE-16, or ISO 27001 compliant facilities. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both iPerceptions and the co-location providers. The latest compliance reports can be made available for review upon request.
Our network is protected by redundant ICSA-certified layer 7 firewalls, best-of-class router technology, regular audits, network- and application-layer DoS protection, and correlated multi-layer threat scanning that monitors for malicious traffic and network attacks. Appropriate logs and automatic alerts are maintained on all network systems. In addition to on-premises DoS protection, we also conduct weekly vulnerability assessments in line with PCI DSS Requirement 11.2.
All communications with iPerceptions servers are encrypted using industry-standard SSL. For email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers. VPN access is granted only on a need-to-use basis, and employees use a VPN with token-based three-factor authentication to connect to our systems. Automated transmission of data files and deliverables is performed through secure FTPS, SFTP or HTTPS.
All access to data within iPerceptions is governed by access rights and authenticated by username and password. Our security architecture enforces need-to-know segregation of customer data, and additional access controls include network IP restrictions. iPerceptions’ Online Operations Team, as well as specific members of our Development Team, are the only individuals with access to iPerceptions’ servers and production databases. Other iPerceptions employees do not have access to iPerceptions’ production servers.
iPerceptions’ SaaS platform follows industry best practices for secure credential storage by storing hashed and salted passwords and separately encrypting the login fields that hold email addresses. iPerceptions’ SaaS platform supports task-based granular access privileges and configurable authentication settings for session inactivity time-outs, password length, complexity and expiry, a limited number of retries, and two-step login verification. iPerceptions’ SaaS platform maintains a robust application audit log that includes security events such as user logins and configuration changes.
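As an added illustration (not iPerceptions’ own code, which this page does not publish), the following sketch shows how the account controls named above fit together: a per-account random salt with PBKDF2-HMAC, a constant-time comparison, a retry counter that locks the account, and a session inactivity time-out. The numeric limits and the `Account` class are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for the example; the page names these controls but gives no numbers.
MAX_RETRIES = 5               # failed logins before the account locks
INACTIVITY_TIMEOUT_S = 900    # seconds of inactivity before the session expires
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """Hypothetical account record: stores only salt + hash, never the password."""

    def __init__(self, password: str) -> None:
        self.salt, self.pw_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False
        self.last_activity: Optional[float] = None  # epoch seconds of last authenticated request

    def login(self, password: str, now: float) -> bool:
        if self.locked:
            return False  # locked accounts reject even the correct password
        _, candidate = hash_password(password, self.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, self.pw_hash):
            self.failed_attempts = 0
            self.last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_RETRIES:
            self.locked = True
        return False

    def session_active(self, now: float) -> bool:
        """True if a session exists and has not idled past the time-out; refreshes activity."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > INACTIVITY_TIMEOUT_S:
            self.last_activity = None  # expire the session
            return False
        self.last_activity = now
        return True
```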
We contract with on-demand scrubbing providers to help mitigate OWASP-catalogued application threats and application-level Distributed Denial of Service (DDoS) attacks. We also sub-contract manual penetration tests to third parties from time to time, as application evolution dictates.
Archived data and backups are treated with the same level of care as active data, and access to backups and to the restoration process is restricted. We maintain a disposition process for records and media. Hard-copy media, such as paper, are shredded or otherwise destroyed beyond reconstruction. All data storage is properly sanitized before destruction or redeployment.
We maintain a process that enforces notification of the affected customer within twenty-four (24) hours of an incident related to the security of information that likely or effectively resulted in wrongful access to data. Security incidents include the following: unauthorized physical access or breach, unauthorized logical access or breach, malware, DoS, breach of confidentiality, and system access by an employee or contractor who lacks the appropriate clearance for such access or who otherwise uses the systems inappropriately. Clients will be notified of the approximate date and time of the incident and will be provided with a summary of all relevant facts, the actions taken to rectify the processes, and any negative impact of the incident.
To deliver its services, iPerceptions must collect certain user information, including first and last name, email address and account-level passwords for accessing the iPerceptions SaaS platform. Unless expressly authorized, iPerceptions will not disclose this confidential information to any third party or use it in any manner other than to deliver the agreed-upon services. With its users’ express consent, iPerceptions sends service update messages to its users at the email addresses they provided when requesting the service.
We welcome any further questions, are happy to provide clarifications when needed and are open to audits by our customers. Please contact Jose Monast, Director of Operations, firstname.lastname@example.org, +1 514 484 3600.