RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Similar documents
The following security and privacy-related audits and certifications are applicable to the Lime Services:

SECURITY & PRIVACY DOCUMENTATION

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Employee Security Awareness Training Program

QuickBooks Online Security White Paper July 2017

Cloud FastPath: Highly Secure Data Transfer

Security Information & Policies

Awareness Technologies Systems Security. PHONE: (888)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Security and Compliance at Mavenlink

Information Technology General Control Review

Checklist: Credit Union Information Security and Privacy Policies

KantanMT.com. Security & Infra-Structure Overview

Information Security Policy

PCI DSS Compliance. White Paper Parallels Remote Application Server

ISO27001 Preparing your business with Snare

University of Pittsburgh Security Assessment Questionnaire (v1.7)

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Layer Security White Paper

Daxko s PCI DSS Responsibilities

Trust Services Principles and Criteria

TRACKVIA SECURITY OVERVIEW

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

WHITEPAPER. Security overview. podio.com

Integrated Cloud Environment Security White Paper

IBM SmartCloud Notes Security

Juniper Vendor Security Requirements

Security+ SY0-501 Study Guide Table of Contents

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Policy and Procedure: SDM Guidance for HIPAA Business Associates

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Oracle Data Cloud ( ODC ) Inbound Security Policies

Projectplace: A Secure Project Collaboration Solution

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Security Architecture

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

The Common Controls Framework BY ADOBE

Red Flags/Identity Theft Prevention Policy: Purpose

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Emsi Privacy Shield Policy

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Security Policies and Procedures Principles and Practices

IBM Security Intelligence on Cloud

Inventory and Reporting Security Q&A

Morningstar ByAllAccounts Service Security & Privacy Overview

Data Security and Privacy Principles IBM Cloud Services

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

IBM Case Manager on Cloud

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

What can the OnBase Cloud do for you? lbmctech.com

EU Data Protection Agreement

GRANDSTREAM PRIVACY STATEMENT

Afilias DNSSEC Practice Statement (DPS) Version

Information Security at Veritext Protecting Your Data

Cloud Computing Lectures. Cloud Security

HIPAA Security and Privacy Policies & Procedures

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

The Nasuni Security Model

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Donor Credit Card Security Policy

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

TB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored

Information Security Policy

The Lighthouse Case Management System

Identity Theft Prevention Policy

Baseline Information Security and Privacy Requirements for Suppliers

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

MigrationWiz Security Overview

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Altius IT Policy Collection Compliance and Standards Matrix

MEETING ISO STANDARDS

University of Sunderland Business Assurance PCI Security Policy

Security Standards for Electric Market Participants

General Data Protection Regulation

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Best Practices Guide to Electronic Banking

(1) Top Page. Before Using GCMS Plus. Chapter3. Top Page. Top Page is the initial screen displayed after you log in. My Menu

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Twilio cloud communications SECURITY

Altius IT Policy Collection Compliance and Standards Matrix

HP Standard for Information Protection and Security for Suppliers/Partners

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Support for the HIPAA Security Rule

Sparta Systems TrackWise Digital Solution

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

HIPAA COMPLIANCE FOR VOYANCE

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Transcription:

ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services ( Customer Data ). Services Covered This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to the services branded as adian6 under the Salesforce Marketing Cloud brand ( adian6 Services ). Salesforce Infrastructure Salesforce owns or controls access to the infrastructure that Salesforce uses to host Customer Data submitted to the adian6 Services. Currently, this infrastructure is located in Canada. Salesforce uses third-party hosting providers only to temporarily access and process publicly available content. Currently, Amazon Web Services, Inc. ( AWS ) acts as a proxy server for collecting such publicly available content. AWS uses infrastructures located in the United States. Third-Party Architecture Salesforce may use one or more third-party content delivery networks to provide the adian6 Services and to optimize content delivery via the adian6 Services. Content items to be served to subscribers or end-users, such as images or attachments uploaded to the adian6 Services, may be stored with such content delivery networks to expedite transmission. Information transmitted across a content delivery network may be accessed by that content delivery network to enable these functions.

Audits and Certifications The following security and privacy-related audits and certifications are applicable to the adian6 Services: ISO 27001 certification: Salesforce is subject to an information security management system (ISMS) in accordance with the ISO 27001 international standard. Salesforce has achieved ISO 27001 certification for its ISMS from an independent third party. The scope of Salesforce s ISO 27001 certification applicable to the adian6 Services is available here. Service Organization Control (SOC) reports: Salesforce s information security control environment applicable to the adian6 Services undergoes an independent evaluation in the form of a SOC 2 report. TUSTe Privacy Seal: Salesforce has been awarded the TUSTe Privacy Seal signifying that the Web Site Privacy Statement and associated practices related to the adian6 Services have been reviewed by TUSTe for compliance with TUSTe s program requirements, including transparency, accountability, and choice regarding the collection and use of personal data. Additionally, the adian6 Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis. Information about security and privacy-related audits and certifications received by AWS, including ISO 27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Web site and AWS Compliance Web site. Security Controls The adian6 Services include a variety of configurable security controls. These controls include: Unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible individual. Controls to revoke access after several consecutive failed login attempts. Controls on the number of invalid login requests before locking out a user. Controls to ensure initial passwords must be reset on first use. Controls to terminate a user session after a period of inactivity. Password history controls to limit password reuse. Password length controls. Password complexity requirements (requires letters and numbers). The ability to accept logins to the adian6 Services from only certain IP address ranges. 2

Security Procedures, Policies and Logging The adian6 Services are operated in accordance with the following procedures to enhance security: User passwords are stored using a salted hash format and are never transmitted unencrypted. User access log entries will be maintained, containing date, time, User ID, UL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP. If there is suspicion of inappropriate access to the adian6 Services, Salesforce can provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis. Logs will be kept for a minimum of 90 days. Logs will be kept in a secure area to prevent tampering. Passwords are not logged under any circumstances. Salesforce personnel will not set a defined password for a user. Users are provided unique links via email. Upon clicking such links, a user must create a password in accordance with password length and complexity requirements. Intrusion Detection Salesforce may analyze data collected by users web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the adian6 Services function properly. Incident Management Salesforce maintains security incident management policies and procedures. Salesforce promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data by Salesforce or its agents of which Salesforce becomes aware to the extent permitted by law. User Authentication Access to the adian6 Services requires a valid user ID and password combination, which are encrypted via TLS while in transmission. Following a successful authentication, a random session ID is generated and stored in the user s browser to preserve and track session state. 3

Security Logs All Salesforce systems used in the provision of the adian6 Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis. Physical Security Production data centers used to provide the adian6 Services have systems that control access to the data center. This system permits only authorized personnel to have access to the data centers. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, physical access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure. eliability and Backup All networking components, load balancers, Web servers and application servers are configured in a redundant configuration. Customer Data submitted to the adian6 Services is stored on a primary database server with a backup database server for higher availability. All Customer Data submitted to the adian6 Services, up to the last committed transaction, is automatically replicated on a near real-time basis at the database layer and is backed up on a regular basis. Any backups are verified for integrity and stored in Salesforce data centers. Disaster ecovery The adian6 Services production systems are protected by disaster recovery plans which provide for backup of critical data and services. A comprehensive system of recovery processes exists to bring business-critical systems back online within the briefest possible period of time. ecovery processes for database security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after an outage. Viruses The adian6 Services do not scan for viruses that could be included in attachments or other data uploaded into the adian6 Services by customers. Uploaded attachments are not executable in the adian6 Services and therefore will not damage or compromise the online adian6 Services by virtue of containing a virus. Additionally, the adian6 Services may pull in information from the Internet and links to other Web sites that may contain malicious content. However, such Web sites are 4

not executable in the adian6 Services. Data Encryption The adian6 Services use industry accepted encryption products to protect Customer Data and communications during transmissions between a customer s network and the adian6 Services, including 128-bit TLS Certificates and 2048-bit SA public keys at a minimum. Social account OAuth tokens are encrypted with a minimum of 128-bit AES encryption. eturn of Customer Data Within 30 days post contract termination, to request return of Customer Data submitted to the adian6 Services, contact marketingcloudsupport@salesforce.com. Deletion of Customer Data After contract termination, to request deletion of Customer Data submitted to the adian6 Services, contact marketingcloudsupport@salesforce.com. Back-up data will be deleted within 90 days of deletion of Customer Data. This process is subject to applicable legal requirements. Sensitive Personal Data Important: The following types of sensitive personal data may not be submitted to the adian6 Services: governmentissued identification numbers; financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual s physical or mental health; and information related to the provision or payment of health care. For clarity, the foregoing restrictions do not apply to financial information provided to Salesforce for the purposes of checking the financial qualifications of, and collecting payments from, its customers, the processing of which is governed by the Marketing Cloud Web Site Privacy Statement. 5

Tracking and Analytics Salesforce may track and analyze use of the adian6 Services for purposes of security and helping Salesforce improve both the adian6 Services and the user experience in using the adian6 Services. Without limiting the foregoing, Salesforce may share anonymous data about Salesforce s customers or their users use of the adian6 Services ( Usage Statistics ) to Salesforce s service providers for the purpose of helping Salesforce in such tracking or analysis, including improving its users experience with the adian6 Services, or as required by law. Except when required by law, any such sharing of Usage Statistics to Salesforce s service providers will not include any identifying information about Salesforce s customers or customers users. Interoperation with Other Salesforce Services The adian6 Services may interoperate with other services provided by Salesforce. The Security, Privacy and Architecture documentation for such services is available in the Trust and Compliance Documentation section of help.salesforce.com. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback