OPTIZMO™ Data Security Practices
Maintaining the security of your data is our mission.
Governance, Risk and Compliance Program
Our Governance, Risk and Compliance Program sits at the core of our security practices. We feed regulations, policies, procedures and customer requirements as input into this program, identify risks across our business and execute compliance activities against both governance and risk. We treat security concerns as an evolving landscape and continually strive to improve our product and operational security practices, aligning them with industry best practices.
For further transparency into our security processes, we have standardized our security assessment process and made our Cloud Security Alliance (CSA) STAR questionnaire available for download and review by current and prospective customers and partners.
Product security at OPTIZMO is of paramount importance and is addressed from feature ideation and design all the way through release and ongoing operation. We apply security controls at every stage of that lifecycle to keep your data safe. Our team follows an agile scrum process; all potential security items are triaged and addressed within prescribed timeframes.
Data transmitted over public networks is secured with Transport Layer Security (TLS). Our servers accept TLS 1.0 through 1.2 and present 2048-bit RSA certificates, negotiating the strongest cipher suite your browser supports; our TLS configuration (certificates and cipher suites) is rated A grade. TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), so customers should ensure their clients are able to negotiate TLS 1.2. The OPTIZMO system processes trillions of records a month, and we encrypt your Opt-Out data at the disk level to combine security of data at rest with fast response times. To keep you in control of your data, you can submit client-side hashed Opt-Out and other suppression email addresses and phone numbers (for SMS) to our services, so that the plaintext identifier never has to leave your environment.
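The client-side hashing mentioned above only works if both sides hash exactly the same canonical form of each identifier. The following is an added example (not OPTIZMO's code or API) showing the normalisation and hashing a customer would run before upload; the digest algorithm (SHA-256), the email and phone canonicalisation rules and the sample identifiers are assumptions made for illustration.

```python
"""Client-side hashing of suppression identifiers before upload.

Added example, not OPTIZMO's code. Assumptions (not from the page): the
service accepts lowercase hex SHA-256 digests; email canonical form is
trimmed and lowercased; phone canonical form is E.164 digits ("+" followed
by up to 15 digits) with a one-digit default country code for bare
10-digit national numbers.
"""
import hashlib
import re

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input: two spellings of the same mailbox plus one other.
SAMPLE_EMAILS = ["Alice@Example.COM ", "alice@example.com", "bob@example.org"]
SAMPLE_PHONES = ["(415) 555-0100", "+44 20 7946 0958"]


def canonical_email(raw: str) -> str:
    """Trim and lowercase so every spelling of one mailbox hashes identically."""
    email = raw.strip().lower()
    if not _EMAIL_RE.match(email):
        raise ValueError(f"not an email address: {raw!r}")
    return email


def canonical_phone(raw: str, default_country: str = "1") -> str:
    """Reduce a phone number to '+<digits>' (E.164 style).

    Assumed rule: numbers written with a leading '+' are taken as-is; a bare
    10-digit national number gets the default country code prepended.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        canonical = "+" + digits
    elif len(digits) == 10:
        canonical = "+" + default_country + digits
    elif len(digits) == 11 and digits.startswith(default_country):
        canonical = "+" + digits
    else:
        raise ValueError(f"cannot canonicalise phone number: {raw!r}")
    if len(digits) > 15:  # E.164 allows at most 15 digits
        raise ValueError(f"too long for E.164: {raw!r}")
    return canonical


def hash_identifier(canonical: str) -> str:
    """SHA-256 hex digest of the canonical identifier; only this value is uploaded."""
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_suppression_upload(emails, phones):
    """Hash every identifier client-side; returns sorted, de-duplicated digests."""
    digests = {hash_identifier(canonical_email(e)) for e in emails}
    digests |= {hash_identifier(canonical_phone(p)) for p in phones}
    return sorted(digests)


def is_suppressed(raw_email: str, uploaded_digests) -> bool:
    """Matching an outgoing address must use the same canonicalise-then-hash pipeline."""
    return hash_identifier(canonical_email(raw_email)) in set(uploaded_digests)


if __name__ == "__main__":
    digests = build_suppression_upload(SAMPLE_EMAILS, SAMPLE_PHONES)
    print(len(digests), "digests")                        # 4
    print(is_suppressed("ALICE@example.com", digests))    # True
```

Two points the paragraph does not spell out: a single stray capital letter or trailing space produces a different digest and a missed suppression, so canonicalisation is a correctness control as much as a privacy one; and hashed identifiers are pseudonymised, not anonymised, because the phone-number space is small enough to enumerate, so the hashed list must still be handled as personal data.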
Security testing starts at the product design phase, where we map regulations, standards and policies to the features to be developed. We carry out threat modeling during design to identify and treat security concerns so that products and features are secure from the outset. Every line of code we write is peer-reviewed by a senior developer trained in security best practices such as the OWASP secure coding guidelines. Our application is vulnerability-tested with the OWASP Zed Attack Proxy (ZAP) at regular intervals and before the release of new features. Our SaaS platform has very high coverage of unit, integration and end-to-end tests that verify account and role security, and these run automatically as part of our continuous integration process.
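As an added illustration (not OPTIZMO's code or test suite) of what "tests that verify account and role security" need to cover, the block below contrasts an object lookup that checks only the caller's role with one that checks the object's owning account first, and lists the cross-account cases a CI suite should assert on. The data model, role names and permission table are assumptions made for the example.

```python
"""Account (tenant) isolation check and the test cases a CI suite should run.

Added example, not OPTIZMO's code. The data model, role names and the
permission table are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    account_id: str
    role: str  # assumed roles: viewer, editor, admin


@dataclass(frozen=True)
class SuppressionList:
    list_id: str
    account_id: str


PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "manage_users"},
}

# Constructed store: two customer accounts, each owning one list.
LISTS = {
    "list-1": SuppressionList("list-1", "acct-A"),
    "list-2": SuppressionList("list-2", "acct-B"),
}


class Forbidden(Exception):
    pass


def fetch_list_role_only(user: User, action: str, list_id: str) -> SuppressionList:
    """Insecure variant: checks the role but not which account owns the object.
    An admin of acct-A can read or delete acct-B's list by guessing its id (IDOR)."""
    if action not in PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"{user.role} may not {action}")
    return LISTS[list_id]


def fetch_list(user: User, action: str, list_id: str) -> SuppressionList:
    """Hardened variant: tenancy is checked on the object before the role is consulted.
    A missing list and a foreign list raise the same error so ids cannot be enumerated."""
    resource = LISTS.get(list_id)
    if resource is None or resource.account_id != user.account_id:
        raise Forbidden("no such list")
    if action not in PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"{user.role} may not {action}")
    return resource


def allowed(fetch, user: User, action: str, list_id: str) -> bool:
    """True if the given fetch function grants the access, False if it refuses."""
    try:
        fetch(user, action, list_id)
        return True
    except (Forbidden, KeyError):
        return False


def isolation_matrix(fetch):
    """The account and role cases an automated suite should assert on."""
    admin_a = User("u1", "acct-A", "admin")
    viewer_b = User("u2", "acct-B", "viewer")
    return {
        "admin reads own list": allowed(fetch, admin_a, "read", "list-1"),
        "admin reads other account's list": allowed(fetch, admin_a, "read", "list-2"),
        "admin deletes other account's list": allowed(fetch, admin_a, "delete", "list-2"),
        "viewer writes own list": allowed(fetch, viewer_b, "write", "list-2"),
        "viewer reads unknown list": allowed(fetch, viewer_b, "read", "list-999"),
    }


if __name__ == "__main__":
    for name, result in isolation_matrix(fetch_list_role_only).items():
        print(f"role-only: {name}: {'ALLOWED' if result else 'denied'}")
    for name, result in isolation_matrix(fetch_list).items():
        print(f"hardened:  {name}: {'ALLOWED' if result else 'denied'}")
```

The role-only variant passes every pure role test (a viewer still cannot write), which is why a suite that checks roles but never crosses account boundaries gives false confidence; the cross-account rows are the ones that distinguish the two implementations.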
OPTIZMO’s products are hosted in the AWS cloud, which is SOC 2 and ISO 27001 certified, to underpin our infrastructure security and protect it from physical harm; those certifications cover the AWS infrastructure, while the application layer remains our responsibility under the shared responsibility model described below. Our infrastructure is built from peer-reviewed code and deployed to development, staging and production environments automatically, as part of our continuous integration and deployment (CI/CD) process. We execute frequent, automated reviews of our infrastructure and security rules against industry best practices.
We control access to our cloud with virtual private cloud (VPC) routing, firewall rules and IP allow lists (whitelists), and monitor it with intrusion detection systems (IDS). All communication to and between our servers is over encrypted channels. OPTIZMO staff are granted access permissions on a role-based model and strictly as required. Their connections to our infrastructure are authenticated with device certificates and multi-factor authentication (MFA), and enter the VPCs only through jump boxes (bastion hosts).
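An "automated review of security rules against best practices" of the kind described above usually comes down to checking every ingress rule's source range against an allow list and flagging administrative ports reachable from anywhere else. The block below is an added example (not OPTIZMO's tooling); the rule fields mirror an AWS security-group permission but the rules, the approved source ranges and the admin-port table are constructed for illustration.

```python
"""Automated review of VPC security-group ingress rules against an allow list.

Added example, not OPTIZMO's tooling. The rule format mirrors the fields of an
AWS security-group permission but the rules are constructed here; the allowed
source ranges and the admin-port table are assumptions.
"""
import ipaddress

# Ports that should only be reachable from approved networks (bastion, VPC, office).
ADMIN_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}

# Constructed allow list: office egress range and the VPC's own address space.
ALLOWED_SOURCES = ["203.0.113.0/24", "10.0.0.0/16"]

# Constructed rules (protocol "-1" means all protocols and ports, as in the AWS API).
SAMPLE_RULES = [
    {"group": "sg-bastion", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"group": "sg-web", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "direction": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"group": "sg-legacy", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-cache", "direction": "ingress", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "direction": "ingress", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "198.51.100.0/24"},
    {"group": "sg-web", "direction": "egress", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]


def rule_exposes_port(rule, port):
    """True if the rule's protocol/port range covers the given TCP port."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def source_is_permitted(cidr, allowed_sources):
    """True if every address in cidr lies inside one approved range.
    A broader range such as 0.0.0.0/0 is never a subnet of an approved /24."""
    source = ipaddress.ip_network(cidr, strict=False)
    for allowed in allowed_sources:
        net = ipaddress.ip_network(allowed, strict=False)
        if net.version == source.version and source.subnet_of(net):
            return True
    return False


def audit_ingress(rules, allowed_sources):
    """One finding per ingress rule that exposes an admin service to an unapproved source."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or source_is_permitted(rule["cidr"], allowed_sources):
            continue
        exposed = [name for port, name in sorted(ADMIN_PORTS.items()) if rule_exposes_port(rule, port)]
        if exposed:
            findings.append({"group": rule["group"], "cidr": rule["cidr"], "services": exposed})
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, ALLOWED_SOURCES):
        print(f"{finding['group']}: {', '.join(finding['services'])} open to {finding['cidr']}")
```

Note that the public 443 rule on sg-web is deliberately not a finding (a web tier must be reachable), whereas the sg-db rule for a partner range absent from the allow list is: the check is "is this source approved", not "is this 0.0.0.0/0", which is the mistake that lets narrowly scoped but unapproved ranges through.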
Prior to release and on an ongoing basis, our product teams automatically test and monitor all of our products at the application, network and infrastructure levels. OPTIZMO also engages third-party companies to carry out penetration tests periodically. Penetration test reports are made available to customers once any vulnerabilities they found have been addressed.
The reliability and availability of our platforms are a critical concern at OPTIZMO as our products underpin our customers’ compliance with the CAN-SPAM Act. With that in mind, we undertake a number of key activities, designed to deliver industry-leading reliability.
Availability and Redundancy
Our products are hosted in the AWS cloud, with data redundancy and backups for all of your stored information that span AWS geographic regions. We design and maintain our products to deliver the 99.5% uptime promised in our standard Service Level Agreement (equivalent to at most about 3.6 hours of downtime in a 30-day month).
We have created, maintain and test our disaster recovery and business continuity programs to ensure our dedicated product teams are available and prepared for emergencies. Our teams also perform regular risk assessments and execute treatments to mitigate identified risks to our platforms’ availability and redundancy.
The safety of your data is our central concern and we treat and secure it with all due care. We strictly use highly available and secure data stores that are backed up using a mixture of real-time replication and incremental backups. Backups are performed as follows:
- All databases have real-time streaming backups to replica databases hosted in different AWS geographical regions.
- Full database snapshots of Opt-Out Data are created and stored each month and incremental backups are completed every other day.
- Full database snapshots of customer metadata are created every day.
- All backups are transferred over TLS-encrypted channels, PGP-encrypted at rest and retained in AWS S3 with no automatic expiry.
- OPTIZMO honors customer data purge requests and applies these against all backups.
Business Continuity and Disaster Recovery
If and when a disaster occurs, we are committed to streamlining our recovery process to get our systems back up and running as quickly as possible. We do this through a tried and tested set of Business Continuity (BC) and Disaster Recovery (DR) plans.
We leverage our Governance, Risk and Compliance program to mandate the ongoing identification of risks across our products and business, then put treatments and plans in place for disaster scenarios. Our compliance audit schedule drives the testing of these plans to ensure their validity and performance. With our real-time streaming backups to geographically dispersed regions, together with infrastructure as code (IaC) and a mature continuous integration and deployment (CI/CD) pipeline, we can quickly stand up an entirely new production application stack in any AWS region. We also provide a public health dashboard to inform you of any service disruptions and our resolution progress.
Operational Security Practices
At OPTIZMO, we leverage a holistic approach to security that not only encompasses our products, but governs the day-to-day processes and operations we perform internally.
We hire highly qualified, capable team members and invest in ongoing policy, process and security training so that all employees are well versed in operational security. We train our developers in OWASP secure coding practices, and every line of code in our SaaS platform is peer-reviewed to protect the security of your data.
During recruitment, all staff must pass employment and police background checks and sign a confidentiality agreement before officially joining the company.
Access to Your Data
Production data is highly secured and is accessed only by staff in authorized roles and strictly as required. We log all access to our production systems. If our support team is helping you with an issue, temporary, time-boxed credentials are issued and all access and changes are recorded in your account’s audit log, where you can review them.
All server and data store access and activity is centrally logged with automated, real-time alerting on any potential suspicious activity. If accidental or unauthorized access occurs, a security incident is raised in accordance with our Security Incident Management Program, which includes notifying customers if a data breach has occurred.
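The two preceding paragraphs describe time-boxed support credentials and real-time alerting on suspicious access. One concrete form of that alerting is to correlate each production-access event with the grant that should justify it. The block below is an added example (not OPTIZMO's monitoring); the log format, the grant format and the sample records are constructed for illustration.

```python
"""Alert on production access not covered by a time-boxed support grant.

Added example, not OPTIZMO's monitoring. Log format, grant format and the
sample records are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed grants: support access is issued per customer account, with an
# explicit expiry and the ticket that justified it.
GRANTS = [
    {"user": "sup-alice", "account": "cust-42",
     "start": "2024-05-01T09:00:00Z", "end": "2024-05-01T11:00:00Z", "ticket": "SUP-1234"},
]

# Constructed production-access log, one JSON object per line; the last line
# simulates a corrupted record from the log pipeline.
LOG_LINES = [
    '{"ts": "2024-05-01T10:15:00Z", "user": "sup-alice", "account": "cust-42", "action": "read"}',
    '{"ts": "2024-05-01T11:30:00Z", "user": "sup-alice", "account": "cust-42", "action": "read"}',
    '{"ts": "2024-05-01T10:20:00Z", "user": "sup-alice", "account": "cust-77", "action": "read"}',
    '{"ts": "2024-05-01T10:30:00Z", "user": "sup-bob", "account": "cust-42", "action": "write"}',
    'not json at all',
]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def covering_grant(event, grants):
    """Return the grant that authorises this event, or None (end time is exclusive)."""
    ts = parse_ts(event["ts"])
    for grant in grants:
        if (grant["user"] == event["user"] and grant["account"] == event["account"]
                and parse_ts(grant["start"]) <= ts < parse_ts(grant["end"])):
            return grant
    return None


def check_access_log(log_lines, grants):
    """One alert per event lacking a valid grant. Unparseable lines also alert,
    so a broken log pipeline cannot silently hide accesses."""
    alerts = []
    for lineno, line in enumerate(log_lines, 1):
        try:
            event = json.loads(line)
            parse_ts(event["ts"])
            event["user"], event["account"]
        except (ValueError, KeyError, TypeError):
            alerts.append({"line": lineno, "reason": "unparseable", "raw": line})
            continue
        if covering_grant(event, grants) is None:
            # Distinguish an expired/early grant from no grant at all: the former
            # points at a process slip, the latter at a possible credential misuse.
            had_grant = any(g["user"] == event["user"] and g["account"] == event["account"]
                            for g in grants)
            reason = "outside grant window" if had_grant else "no grant"
            alerts.append({"line": lineno, "reason": reason,
                           "user": event["user"], "account": event["account"]})
    return alerts


if __name__ == "__main__":
    for alert in check_access_log(LOG_LINES, GRANTS):
        print(alert)
```

Making grant expiry exclusive (`ts < end`) means an access at exactly the expiry second already alerts; the more important design choice is that parse failures are alerts rather than skipped lines, since an attacker who can corrupt log records must not thereby escape the check.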
Data on our underlying disk storage is encrypted and AWS employs comprehensive physical security measures including biometric scans, 24/7 security guards, closed-circuit video monitoring and more.
At OPTIZMO, we build agile, cross-functional and empowered teams and entrust them with ownership of their products. Corporate change management processes, with their reliance on less informed departments outside the product team for change approval, sit at odds with our values. Instead, we rely on in-team change management: peer-reviewed infrastructure and application code and shoulder checks deliver a steady, unbroken stream of small, low-risk changes to our customers.
Security issues found during automated testing enter our agile development process and are triaged and resolved in accordance with our issue management processes.
Our comprehensive unit, integration and end-to-end tests must pass in a staging environment before every production release, which gives us confidence that our automated, continuous deployments are safe and tested.
Security Incident Management
Even with the best controls in place, security incidents can happen. We have invested in our Security Incident Management Program to minimize the duration, impact and scope of security incidents. We define Security Incident Roles and Responsibilities, which include our customer touch-points and both OPTIZMO’s and customers’ responsibilities during and after an incident.
We capture and transfer all logs to a centrally managed and secured location to ensure we have data available for both internal and where necessary external forensic analysis. We maintain law enforcement and external security contact points for use during and after a serious security incident.
The underlying infrastructure and applications of our SaaS platforms are secured by OPTIZMO and our partners (such as AWS), but the security of data in our clients’ accounts is a shared responsibility.
Customers manage their users and their roles within our platform(s) and have a responsibility to ensure those users follow best practices around securing their credentials against misuse.
Customers are responsible for the legality of their data and ensuring their use of the OPTIZMO SaaS platforms is in compliance with the customer’s own information security processes and procedures.
The General Data Protection Regulation (GDPR) is a change to European data privacy law that applies to international companies that collect or process the personal data of individuals located in the EU. OPTIZMO is classified as a data processor under the GDPR, and we have completed our GDPR evaluation with our EU legal team, Hunton Andrews Kurth LLP, validating that all generally available services and features adhere to the privacy and data protection standards the GDPR requires of data processors.
Ensuring the privacy of our clients’ data is paramount to us, and we maintain strict controls around access, transmission and encryption of your data to keep it both secure and private. We treat every customer’s personally identifiable information (PII) with the same level of care and security that we apply to all customer data. We honor all customer data purge requests and remove the requested data from both active data stores and all backups.