Security, privacy, and compliance

Learn more about the security and privacy efforts that Strivacity makes to ensure that we can deliver on our service commitment to our customers.

Strivacity Trust Center

The Strivacity Trust Center is a repository of public and confidential information about Strivacity’s compliance controls and policies. It lists Strivacity’s certifications and links to reports on accessibility, security compliance, and security resiliency. Public and confidential claims and documents can be requested, viewed, and subscribed to there.

Visit the Strivacity Trust Center for more information.

1) Our commitment to security and privacy

Strivacity is committed to earning and maintaining the trust of its customers through its products, services, and relationships. This commitment is reinforced by the controls and policies that are put in place to protect customer data and privacy.

2) Information security management program (ISMP)

Strivacity's information security management program contains administrative, technical, and physical policies and procedures that are appropriate to a) the scope and nature of its business, b) the types of data that Strivacity may store and process on behalf of its customers, and c) the need to protect such customer data from any unauthorized access or disclosure. The ISMP and its policies and procedures are updated based on changes in the legal and regulatory requirements, privacy standards, and data and security best practices applicable to the Strivacity service.

Strivacity’s ISMP is intended to:

  • Protect the availability and integrity of all Strivacity services
  • Prevent the unauthorized disclosure by Strivacity of any customer data
  • Protect against threats to the integrity and availability of customer data, and against its disclosure
  • Protect against unauthorized access, use, and destruction of customer data
  • Protect against accidental damage, loss or destruction of any customer data

3) Data processing

Strivacity ensures through design and policies that customer data is segregated and that access to it is restricted based on business need. Customer data is separated through architectural design of environments, and access to that data is granted only by the customer administrator and to the Strivacity employees who are designated to work in the customer’s environment.

4) Data integrity and management

Strivacity maintains logical controls and its own encryption standards, in addition to partner encryption standards, to properly segregate customer data among its customer base.

Data Backup and Archival:

  • All Strivacity customer application and network log data will be retained for a period of 35 days.
  • All production data in Kubernetes is backed up on an hourly basis and RDS data is backed up daily in accordance with procedures outlined in Strivacity’s Production Data Backup & Restoration procedures.
  • Data restoration can only be performed by an engineering production resource designated by Strivacity’s CTO or VP of Engineering.

5) Secure deletion

Customer data is destroyed with the decommissioning of a customer's environment or upon their request. Customer data is subject to our retention policies.

6) Covered services

Strivacity consists of a number of service components, user interfaces, APIs, and SDKs. All services are covered under our information security management program (ISMP) and our security and privacy commitment.

7) Architecture

Strivacity architecture is based on the concept of microservices – small virtual machines – working together, with each service responsible for a distinct task or set of tasks. Microservices form a network of ‘mini computers’ inside a customer instance, where they communicate with each other. In addition, Strivacity uses a Service Mesh, a microservice paradigm responsible for establishing secure, continuous service-to-service communication inside a customer instance. Service Meshes are responsible for controlling communication, routing traffic, and issuing certificates to microservices to fulfill the requirements of Transport Layer Security (TLS). Lastly, Strivacity uses serverless components to allow brands to add custom business logic to their workflows via the Lifecycle Event Hooks feature.

8) Data isolation

The cloud has historically been a barrier to adoption for workloads that handle customer data, for many reasons, one of which is the safe isolation of that data. Strivacity deploys dedicated private clouds for each customer, a benefit of which is that there are no shared keys, databases, or services between customers. This methodology lowers the blast radius of a breach: should one Strivacity customer be compromised, the risk of compromise to other Strivacity customers through Strivacity infrastructure is near zero.

We call this concept Isolation-by-Design.

9) Data residency

Strivacity is able to provide data residency for customer data within any geographic location where Strivacity has regional availability. As a benefit of Isolation-by-Design, this ensures that local data protection and privacy laws can be respected, because customer data is located in a country or region of the customer's choosing.

Details of Strivacity regional availability can be found here.

10) Requests for the retrieval of customer data

As part of standard functionality, customers have full access to and ownership of all of their own data, which can be extracted using the Strivacity API. However, in the event of a request prior to the effective date of termination of the customer's agreement, Strivacity will make available (at no cost to the customer) a download containing all customer data (excluding account passwords).

11) Requests for security audit reports

Strivacity will provide, upon request (and free of charge), a copy of its latest audit report, including the details of each finding that was discovered.

12) Security controls

The Strivacity platform and all of its hosted services include a variety of configurable security controls that allow Strivacity customers to tailor security to their own needs.

Strivacity strongly encourages all customers to enable the use of multi-factor authentication features made available by Strivacity, and use Strivacity password policies to set password quality per their own acceptable standards.

13) Access controls

Strivacity maintains policies, procedures, and logical controls that are designed:

a) To limit access to its information systems, and to the facilities in which they are housed, to properly authorized persons.

b) To prevent personnel and others who should not have physical or logical access to compartments or systems from obtaining access.

c) To remove Strivacity employees' physical and logical access on a timely basis when access is no longer required or an employee's job status changes.

14) Physical and environmental security

Strivacity maintains policies to prevent the admittance of unauthorized personnel to its premises and damage to office spaces, as well as reporting procedures for the theft of property.

15) Support for security standards

The Strivacity Information Security Management Program (ISMP) includes compliance, testing, and certification wherever possible with the following security standards:

  • ISO 27001, 27002, and 27005 guidance
  • SOC2 Type II, with audits conducted annually by an accredited assessor, Schellman & Co.
  • SOC3, with audits conducted annually by an accredited assessor, Schellman & Co.
  • NIST standards and guidance, such as FIPS-140 and NIST 800-63B

See: Resources for compliance

16) Disaster recovery

The Strivacity disaster recovery plan defines the policies and procedures that Strivacity uses to prevent and respond to any interruption to service, or to the theft or unauthorized destruction of data.

The plan includes processes for the following:

Business continuity plan

The purpose of the Business Continuity Plan (BCP) is to establish procedures for the execution and recovery of Strivacity's business activities, to minimize disruption in an emergency or business-impacting event.

Backup & data retention policy

The purpose of the Customer Backup & Retention Policy is to establish the requirements for maintaining and retaining customer data. This policy stipulates the requirements needed to honor Strivacity's agreements with its customers.

Alternate work location plan

Strivacity has policies and procedures in place for alternate work locations in the event of:

a) A natural disaster to physical Strivacity office locations

b) A total loss of power at physical Strivacity office locations

c) Local travel impact to physical Strivacity office locations

Recovery point objective (RPO) and Recovery time objective (RTO)

The recovery point objective varies from service to service, and Strivacity targets an RPO of 1 hour with an RTO of 2 hours.

17) Breach management and incident response

Strivacity will accommodate an impacted customer’s request for information regarding a security breach impacting their contracted services.

Strivacity’s Incident Response Process assigns roles and responsibilities to the following activities:

  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Post-Incident Activities

Step-by-step procedures for responding to an incident are covered in Strivacity’s Incident Response Plan. The plan includes the following:

  • Who to report the incident to
  • What information to capture
  • Incident assessment guidance to leadership
  • Ticketing procedures
  • Investigation guidance
  • Remediation guidance
  • After action procedures and lessons learned

18) Incident management

Strivacity has a detailed Incident Response Policy that sets out the responsibilities and procedures to ensure a quick, effective, and orderly response to security and privacy incidents. Strivacity’s Incident Response Policy mandates:

  • Security and privacy events should be reported through appropriate management channels as quickly as possible.
  • Personnel and contractors using the organization’s information systems and services are required to note and report any observed or suspected security weakness or vulnerability in systems or services.
  • Security and privacy events should be assessed, and it should be decided if they are to be classified as security or privacy incidents.
  • Security and privacy incidents should be responded to in accordance with documented Incident Response procedures.

19) Security awareness training

Strivacity requires that all employees and contractors undertake mandatory monthly security awareness training.

20) Background checks

Strivacity conducts background checks for all employees and contractors using an accredited third party service provider.

21) Disciplinary policies for employees and contractors

Strivacity maintains a disciplinary policy for all employees and contractors in the event that personnel violate any policy that forms part of the information security management program (ISMP).

22) Assigned security responsibilities

Strivacity assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:

a) Designating a security official with overall responsibility for product security.

b) Defining security roles and responsibilities for individuals to carry out in accordance with prescribed Strivacity Security Policies and Guidelines.

23) Confidentiality and security policies

Strivacity requires all personnel to acknowledge via electronic signature that they will comply with all prescribed ISMP policies, procedures, and guidance.

24) Change and configuration management

Strivacity maintains change management policies and procedures with the following mandates and guidance:

  • All production changes must be approved by engineering and customer success leadership.
  • When needed, production changes should be cleared with customer success leadership and fall within a pre-agreed customer change window.
  • All production changes should follow established release and upgrade procedures.

25) Intrusion detection

Strivacity’s production environment is monitored by our Managed Detection and Response (MDR) provider, Expel. Alerts are generated in near real time and communicated directly to Strivacity personnel.

26) Anti-virus and anti-malware control

Strivacity, through third party vendors, maintains anti-virus and anti-malware controls on company maintained laptops and production devices.

27) Penetration testing

Strivacity conducts penetration testing through a contracted third party vendor at least twice per year, and typically with every major product release.