Security Policy

Security Statement

At Social27 Inc., we have put technical and organizational measures in place that show our commitment to protecting the confidentiality, integrity, and availability of our information systems and our customer’s/users’ data. We continually enhance our security measures and evaluate their efficacy to give you confidence in the Social27 solution. This page provides an overview of the security measures we have put in place to protect your data. If you have any questions, you can reach our security team at support@social27.com.

Cloud Security

Data Center Physical Security

Facilities
Social27 uses Amazon AWS and Microsoft Azure for data center hosting. AWS and Azure data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant. Learn more about Compliance at AWS and Learn more about Compliance at Azure. AWS and Azure employ robust controls to secure the availability and security of their systems, including controls such as backup power, fire detection and suppression equipment, and secure device destruction. Learn more about Data Center Controls at AWS and Learn more about Data Center Controls at Azure
On-Site Security
AWS and Azure implement layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, and intrusion detection technology. Learn more about AWS Physical Security and Learn more about Azure Physical Security

Network Security

Social27 has implemented industry standard security controls to protect customer data from loss or unauthorized disclosure. and have created network boundary protection mechanisms for our production systems.

Access to production systems containing customer information require two-factor authentication through a VPN connection. Only authorized persons can access customer data. Developers and/or system admins are not authorized to access customer data, and all customer data is protected with strong encryption. Social27’s service-level agreement (SLA) includes the specifics of data maintenance services provided and excluded, conditions of service availability, standards (such as time window for each level of service), responsibilities of each party, escalation procedures, and cost/service trade-offs.

In-House Security Team
Social27 has a dedicated and passionate global security team that responds to security alerts and events.

Third-Party Penetration Tests
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually and as needed (in case of changes in the application and/or infrastructure). Any vulnerabilities found during penetration tests are tracked and remediated. These penetration test reports are available by request with a Non-Disclosure and Confidentiality Agreement (NDA) in place.

Threat Detection
Social27 leverages threat detection services within AWS and Azure to continuously monitor for malicious and unauthorized activity.

Vulnerability Scanning
Social27 performs regular internal vulnerability scans of infrastructure, and the identified issues are tracked and remediated.

DDoS Mitigation
Social27 uses DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize AWS Shield to protect from DDoS attacks.
Social27 has also implemented Akamai's Web Application Protector that provides automated web application firewall (WAF) and distributed denial-of-service (DDoS) protection. It helps in DDoS and application-layer security that simplifies the task of securing our web applications with automated updates to security protections. It automatically drops network-layer attacks at the edge and respond to application-layer attacks within seconds to minimize any downtime.

Encryption

All data is automatically encrypted and stored on the cloud. Azure Key Vault and AWS KMS are used to store tokens, passwords, certificates, API keys, and other secrets. Azure Key Vault and AWS KMS are used as a key management solution.

In Transit
Communication with Social27 is encrypted via TLS 1.2 or higher over public networks. Data in transit via email is encrypted via S/MIME and TLS. We monitor community testing and research in this field and continue to follow best practices for Cipher adoption and TLS configuration.

At Rest
Social27 data at rest is encrypted with a symmetric encryption key and decrypted transparently with industry standard AES-256 encryption. Data at rest can be protected using Customer keys or AWS keys. The same encryption key is used to decrypt the data as it is readied for use in memory. Keys are stored in a secure location with identity-based access control and audit policies.

Application Security

Quality Assurance
Social27’s Quality Assurance (QA) team reviews and tests the code base on a per-pod basis. The security team has all required tools and resources to investigate and recommend remediations and solutions for security vulnerabilities within code. Regular syncs, security resources, and trainings are provided to the QA team. Environment Segregation
The testing, staging, and production environments are logically separated from one another. No customer data is used in any development or test environment.

Logs

Social27 preserves detailed log data, including audit logs, transaction logs, event logs, error logs, message logs, backup logs, network flow logs and infrastructure change logs.

Infrastructure / system level logs for production environments are kept for one year. Testing and Staging environments have a lower retention policy. These logs are kept only for the purpose of, and as long as is necessary for, the Permitted Purpose, and are permanently deleted within 24 hours of the termination and/or expiration of the Agreement.

Personnel Security

Social27 only hires skilled professionals who successfully complete a background screening and sign a confidentiality agreement, acceptable use of information systems agreement, and code of conduct. Access control changes following personnel transfers are based on a Least Privilege model: Employees are given the minimum amount of access/permissions needed in order for them to perform their jobs.

Security Awareness

Social27 conducts a robust Security Awareness Training program, which is delivered within 30 days of hire and annually for all employees. In addition, we conduct quarterly focused training for key departments, including Secure Coding, Data Legislation, and Compliance.

Information Security Program

Social27 Inc. maintains an information security program focused on the security and integrity of Customer Data. Our comprehensive set of information security policies cover a range of topics. These policies are distributed to both employees and vendors, and are accompanied by key policies such as Acceptable Use, Information Security, and an Employee Handbook.

Our Information Security Program includes the adoption and enforcement of internal policies and procedures that are designed to:

• Help customers secure their against accidental or unlawful loss, access, or disclosure
• Identify reasonably foreseeable and internal risks to security and unauthorized access to our network
• Minimize security risks through risk assessment and regular testing

Social27’s information security program includes administrative, technical, and operational controls appropriate for the size of its business and the types of information it processes. We measure training effectiveness through quizzes and analyzing the trend of security incidents post-training, and re-train employees as needed.

Employee Background Checks

All Social27 employees undergo a background check prior to employment, which includes identity verification, qualification verification, criminal history, and employment verification.

Confidentiality Agreements

All employees are required to sign Non-Disclosure and Confidentiality Agreements (NDAs).

Access Controls

Access is limited using a Least Privilege model: Employees are given the minimum amount of access/permissions needed in order for them to perform their jobs. Access controls are frequently audited and are subject to technical enforcement and monitoring to ensure compliance. Two-Factor Authentication is required for all production systems.

Access to systems and network resources is based on a documented, approved request process. Logical access to server platforms and management systems require two-factor authentication. Periodic checking ascertains whether the owner of a user ID is still employed and assigned to the appropriate role. Access is further limited by device permissions using a Least Privilege model, and all permissions require documented business needs.

Exceptions found during the verification process are remediated and validation is conducted on a quarterly basis to determine whether access is commensurate with the user's job function. Exceptions found during the validation process are remediated.
Business needs are validated on a quarterly basis to determine whether access levels are commensurate with the user's job function. Exceptions found during the validation period are remedied.
User access is revoked upon termination of employment or change of job role.
To authenticate to internal systems using AWS infrastructure, Social27 uses Identity and Access Management (IAM) to define and manage roles and access privileges. For customers, we use Customer Identity Management, and for employees, we use Employee Identity Management. For internal system access, we use Active Directory for centralized authentication and authorization. To authenticate to customer-facing systems, we use Customer Identity and Access Management (CIAM).

Third Party Security

Vendor Management

Social27 understands the risks associated with improper vendor management. We evaluate and perform due diligence on all our vendors prior to engagement to ensure their security meets our standards. If they do not meet our requirements, we do not move forward with them. Selected vendors are monitored and reassessed on an ongoing basis, taking into account relevant changes.

Third-Party Sub Processors

Social27 uses third-party sub-processors to provide core infrastructure and services that support the application. Prior to engaging any third party, Social27 evaluates the vendor’s security as per our Vendor Management Policy.

Vendor (Sub-Processor)	Relevant Services	Corporate Location	International Transfer Mechanism	Vendor DPA
Amazon Web Services, Inc.	Infrastructure Provider	US (West 2); EU (Frankfurt)	Standard Contractual Clauses	https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Microsoft Azure	Infrastructure Provider	US (West 2); EU (West)	Standard Contractual Clauses	https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA
Akamai Technologies	CDN, DoS protection and WAF	US	Standard Contractual Clauses	https://www.akamai.com/fr/fr/multimedia/documents/akamai/akamai-data-protection-addendum.pdf
Datadog	Log Aggregation & Analysis	US	Standard Contractual Clauses	https://www.datadoghq.com/legal/msa/
Tray.io, Inc.	Connect and automate the APIs	US	Standard Contractual Clauses	Available on Request
Stripe	Payment Processing	US and EU	Standard Contractual Clauses	Available on Request
Microsoft SQL Server	Data Storage	US	Standard Contractual Clauses	https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA
Twilio, Inc.	Provides features and services to allow communication with End User via SMS, chat, and voice.	US	Standard Contractual Clauses	https://www.twilio.com/legal/data-protection-addendum
Pendo.io, Inc.	Provides integrated platform for digital product teams in order to combine powerful product usage analytics with user guidance, communication, feedback, and planning tools.	US	Standard Contractual Clauses	Available on Request
Zendesk, Inc.	Provides customer relations management software and a customer support platform to enable Social27 to support and manage Social27’s relationship with the Controller.	US	Standard Contractual Clauses	https://www.zendesk.com/company/privacy-and-data-protection/
SalesForce.com, Inc.	Provides customer relations management software and a customer support platform to enable Social27 to support and manage Social27’s relationship with the Controller.	US	Standard Contractual Clauses	https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
Google LLC	Internal Collaboration & Storage / Firebase / Analytics	US	Standard Contractual Clauses	https://workspace.google.com/terms/dpa_terms.html
Mailgun Technologies, Inc.	Email and office applications	US	Standard Contractual Clauses	Available on Request
SendGrid, Inc.	Cloud-based email services provider to communicate review request emails to End Users.	US	Standard Contractual Clauses	https://s3.eu-west-2.amazonaws.com/primalbase/privacy/SEND+GRID+data+contract.pdf
Microsoft Teams / Office 365	Microsoft Teams / Office 365 is used for creating roundtables, and SSO	US	Standard Contractual Clauses	https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67
Zoom Video Communications, Inc.	Provides cloud platform for video, voice, content sharing, and chat runs.	US	Standard Contractual Clauses	https://zoom.us/docs/doc/Zoom_Data_Processing_Addendum_Processor_Form_Final-SIGNED.pdf
Atlassian Pty Ltd (Jira)	Internal support collaboration	US	Standard Contractual Clauses	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjH9svhrfrtAhUOgdgFHZeoClAQFjAAegQIBRAC&url=https%3A%2F%2Fwww.atlassian.com%2Fdam%2Fjcr%3A2a96b9d9-aa4e-4d21-b029-12cbaaa549e7%2FAtlassian%2520Data%2520Processing%2520Addendum%25202019%252012%252024%2520FNL.pdf&usg=AOvVaw1uvFr7ZpvjyGwI7U_dNqSM

Responsible Disclosure

If you find a vulnerability in Social27 Inc.'s information systems, you may report it to support@social27.com. The report must contain enough information that the vulnerability can be repeated.

Performance and Availability

Performance and Scaling

Social27 is hosted on public cloud infrastructure. Services are deployed in multiple availability zones and regions and are designed to scale dynamically in response to measured and expected loads. Cloudfront is used to distribute services globally. Simulated load tests and API response time tests are integrated in Social27’s release and testing cycles.

Social27 maintains a publicly available status webpage that details system availability categorized into product areas, scheduled maintenance windows, service incident history, and security incident details.

Social27 employs an Autoscaling Group that automatically terminates a faulty instance in one hosting location and transitions to a new healthy instance at another location. Because services are deployed in different availability zones, business can continue as usual by using other availability services.

Social27 has run events with 25,000 concurrent users and can scale further using Autoscaling to automatically scale up and scale down our infrastructure. Social 27 currently can scale anywhere from 10k to 100k peak user load. The platform can be scaled up or down in response to demand in 5 – 10 minutes.
All customer environments are separated from one another, so one customer cannot cause an outage for another customer.

Social27 runs load tests directly on the web application. We set up and run performance tests to maintain the availability of services. We also run network load tests, system load tests, and vulnerability testing on our infrastructure, application, and code before pushing them to production.

Cloud Watch alarms and Operations management alert Social27 to potential performance problems. Our current mean time to detection of customer-impacting issues is 5 – 10 minutes, and our mean time to resolution of these issues is 15 minutes for system or application-level issues (per our SLA). More extensive issues or fixes may take anywhere from one day to one week.

Disaster Recovery

In the event of a significant regional downturn, Social27 can deploy the application to a new hosting region. Our Disaster Recovery Plan maintains and ensures availability of services and ease of recovery in the case of a disaster. This plan is regularly tested and evaluated for improvement and automation.
Disaster Recovery Deployment is handled by the same design and release management processes as our production environment, ensuring that all security settings and controls are correctly implemented.

Customer data is replicated to the Azure SQL database by using Data Export Service.

Social27’s backup arrangements meet the requirements of business continuity plans. Critical systems are determined and backup arrangements made to recover all critical system information, applications, and data in the event of a disaster. Automated backup solutions are sufficiently tested prior to implementation and at regular intervals thereafter. Where confidentiality is of importance, backups are protected by means of encryption and all encryption keys are kept securely at all times with clear procedures in place to ensure that backup media can be promptly decrypted as required.
Data recovery operations are only performed by competent, authorized staff. Recovery of data from backups takes no more than 24 – 72 hours, depending on the amount of data.