Information Security

iPerceptions offers its solution in a SaaS model as an annual subscription with a web-based security login. The portal application, as well as all data at rest, is hosted in an SSAE16-certified Tier-1 Data Center located in Canada. A global network of cloud-based points of presence is also used for collecting transient data such as collection and clickstream data.

To ensure business remains uninterrupted, we operate under a 99.5% SLA availability commitment. Average monthly availability was 99.9% for the period including 2014, 2015 and 2016. Production systems are configured for high availability and scalability with active 24/7 monitoring. We have a dedicated Online Operations Team that can be reached 24/7 through the Technical Emergency Hotline. The company also maintains a Business Continuity Plan (BCP).

Customer data is one of the most valuable assets our clients have. That is why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their businesses protected.

Compliance and Certifications

Governance

iPerceptions’ operations are governed by a formal Governance Risk and Compliance (GRC) Information Security program, with documented Information Security and Privacy policies. Our security guidance is aligned with the Cloud Controls Matrix v3.0 (CCM) and Consensus Assessments Initiative Questionnaire v1.1 (CAI) of the Cloud Security Alliance.

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CCM is publicly accessible material that documents the security controls provided for cloud computing offerings. We have completed the Consensus Assessment Initiative Questionnaire, based on the results of our due diligence self-assessment. The completed questionnaire can be made available for review upon request. 

Policies

We have Information Security policies in place that cover the following areas: Compliance, User Training, Personnel Screening, Code of Conduct, Logical Access, Network Security, Incident Response Handling, Information Systems Development and Maintenance, Information Governance, Information Exchange, Encryption Management, Audits & Reviews and Hosting Security. Information Security policies are formally acknowledged by employees and suppliers and training is provided twice a year. Regular assessment reviews of our suppliers’ Information Security posture are conducted and documented.

Physical security

iPerceptions’ virtual and physical servers are hosted at Tier I, SSAE-16, or ISO 27001 compliant facilities. Our facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both iPerceptions and the co-location providers. The latest compliance reports can be made available for review upon request.

Network security 

Our network is protected by redundant ICSA-certified layer 7 firewalls, best-of-class router technology, regular audits, network and application layer DoS protection and correlated multi-layer threat scanning that monitors for malicious traffic and network attacks. Appropriate logs and automatic alerts are maintained on all network systems. In addition to on-premises DoS protection, we also conduct weekly PCI DSS Requirement 11.2 intrusion vulnerability assessments.

Transmission security

All communications with iPerceptions servers are encrypted using industry-standard SSL. For email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers. VPN access is granted only on an as-needed basis, and employees use a VPN with token-based three-factor authentication to connect with our systems. Automated transmission of data files and deliverables is performed through secure FTPS, SFTP or HTTPS.

Access control 

All access to data within iPerceptions is governed by access rights and authenticated by username and password. Our security architecture ensures need-to-know segregation of customer data, and additional access controls include network IP restrictions. iPerceptions’ Online Operations Team as well as specific members of our Development Team are the only individuals with access to iPerceptions’ servers and production databases. Other iPerceptions employees do not have access to iPerceptions’ production servers.

Application security

iPerceptions’ SaaS platform follows industry best practices on secure credential storage by storing hashed and salted passwords and separately encrypting login fields for email addresses. iPerceptions’ SaaS platform supports task-based granular access privileges and configurable authentication settings for the duration of session inactivity time-outs, password length, complexity, expiry, limited number of retries and two-step login verification. iPerceptions’ SaaS platform maintains a robust application audit log that includes security events such as user logins or configuration changes.

We contract with on-demand scrubbing providers to help mitigate OWASP threats and application-level Distributed Denial of Service (DDoS) attacks. We also sub-contract manual penetration tests from time to time to third parties as application evolution dictates.

Data Security

Archived data and backups are treated with the same level of care as active data, and access to backups and to the restoration process is restricted. We maintain a disposition process for records and media. Hard copy media, such as paper, are shredded and/or destroyed beyond reconstruction. All data storage is properly sanitized before destruction or redeployment.

Incident management

We maintain a process that enforces notification to the affected customer within twenty-four (24) hours of an incident related to the security of information that likely or effectively resulted in wrongful access to data. Security incidents include the following: unauthorized physical access or breach, unauthorized logical access or breach, malware, DoS, breach of confidentiality, systems access by an employee or contractor without appropriate clearance for such access or who otherwise uses the systems inappropriately. Clients will be notified of the approximate date and time of the incident, and will be provided with a summary of all relevant facts as well as of actions taken to rectify the processes and any negative impact of the incident.

Privacy

iPerceptions’ privacy policy is published on its website. The policy identifies the information gathered, how it is used, with whom it is shared and the customer’s ability to control the dissemination of information. iPerceptions complies with the U.S.-EU Safe Harbour Framework and the U.S.-Swiss Safe Harbour Framework as administered by the United States Department of Commerce.

To deliver its services, iPerceptions must collect certain user information, including first/last name, email address and account-level passwords for accessing the iPerceptions SaaS platform. Unless expressly authorized, iPerceptions will not disclose this confidential information to any third party or use this information in any manner other than to deliver the agreed-upon services. With its users’ express consent, iPerceptions sends service update messages to its users at the email addresses they provided when requesting the service.

iPerceptions uses cookies and session storage on its customers’ visitors’ browsers as well as on SaaS portal end users’ browsers. Cookies and session storage items may at times hold a generated unique number but never contain any personally identifiable information or sensitive information such as passwords. Deleting cookies will not be detrimental to the user experience of visitors, respondents or end users or the proper working of iPerceptions products. We provide detailed and transparent documentation about how cookies and session storage are used.

Contact Us

We welcome any further questions, are happy to provide clarifications when needed and are open to audits by our customers. Please contact Jose Monast, Director of Operations, jose.monast@iperceptions.com, +1 514 484 3600.