Our security and privacy commitment
Learn more about the security and privacy efforts that Strivacity makes to ensure that we can deliver on our service commitment to our customers.
Strivacity is committed to earning and maintaining the trust of our customers through its products, services and relationships. This commitment is reinforced by the controls and policies that are put in place to protect customer data and privacy.
Strivacity's information security management program (ISMP) contains administrative, technical, and physical policies and procedures that are appropriate to a) the scope and nature of its business, b) the types of data that Strivacity may store and process on behalf of its customers, and c) the need for security and protection from any unauthorized access or disclosure of such customer data. The ISMP and its policies and procedures are updated based on changes in legal and regulatory requirements related to privacy standards, regulatory standards, and data and security best practices applicable to the Strivacity service.
Strivacity’s ISMP is intended to:
- Protect the availability and integrity of all Strivacity services
- Prevent the unauthorized disclosure by Strivacity of any customer data
- Protect against threats to the integrity and availability and disclosure of customer data
- Protect against unauthorized access, use, and destruction of customer data
- Protect against accidental damage, loss or destruction of any customer data
Strivacity ensures through design and policies that customer data is segregated and restricted based on business needs. Customer data is separated through architectural design environments, and access to that data is granted only by the customer administrator and Strivacity employees that are designated to work in the customer’s environment.
Strivacity maintains logical controls and self-implemented encryption standards, in addition to partner encryption standards, to properly segregate customer data amongst our customer base.
Data Backup and Archival:
- All Strivacity customer application and network log data will be retained for a period of 35 days.
- All production data in Kubernetes is backed up on an hourly basis and RDS data is backed up daily in accordance with procedures outlined in Strivacity’s Production Data Backup & Restoration procedures.
- Data restoration can only be performed by a designated engineering production resource as designated by Strivacity’s CTO or VP of Engineering.
Customer data is destroyed with the decommissioning of a customer's environment or upon their request. Customer data is subject to our retention policies.
Strivacity consists of a number of service components, user interfaces, APIs, and SDKs. All services are covered under our information security management program (ISMP) and our security and privacy commitment. A full description of these service components can be found here.
Strivacity architecture is based on the concept of microservices – small virtual machines – working together, with each service responsible for a distinct task or set of tasks. Microservices form a network of ‘mini computers’ inside a customer instance where they communicate with each other. In addition, Strivacity uses a Service Mesh, a microservice paradigm that's in charge of setting the stage for a secure, continuous service-to-service communication inside a customer instance. Service Meshes are responsible for controlling communication, routing traffic, and issuing certificates to microservices to fulfill the requirements of Transport Layer Security (TLS). Lastly, Strivacity uses serverless components to allow brands to add custom business logic to their workflows, via the Lifecycle Event Hooks feature.
Cloud has historically been a barrier to adoption for customer data, for many reasons, one of which is the safe isolation of said data. Strivacity deploys dedicated private clouds for each customer, a benefit of which is that there are no shared keys, databases or services between customers. This methodology lowers the blast radius of a breach: should one Strivacity customer be compromised, the risk of compromise to other Strivacity customers through Strivacity infrastructure is near zero.
We call this concept Isolation-by-Design.
As part of standard functionality, customers have full access and ownership of all of their own data, which can be extracted using the Strivacity API. However, in the event of a request prior to the effective date of termination of the customer's agreement, Strivacity will make available (at no cost to the customer) a download containing all customer data (excluding account passwords).
Strivacity will provide, upon request and free of charge, a copy of its latest audit report, including the details of each finding that was discovered.
The Strivacity platform and all of its hosted services include a variety of configurable security controls that allow Strivacity customers to tailor its security for their own use.
Strivacity strongly encourages all customers to enable the multi-factor authentication features made available by Strivacity, and to use Strivacity password policies to set policy per their own acceptable password policies.
Strivacity maintains policies, procedures, and logical controls that are designed:
a) To enforce access limits to its information systems and facilities in which they are housed to properly authorized persons.
b) To prevent personnel and others who should not have physical or logical access to compartments or systems from obtaining access.
c) To remove Strivacity employee physical and logical access on a timely basis when access is no longer required or upon a change in job status.
Strivacity maintains policies to prevent the admittance of unauthorized personnel to its premises and damage to office spaces, along with reporting procedures for the theft of property.
The Strivacity Information Security Management Program (ISMP) includes compliance, testing, and certification wherever possible with the following security standards:
- ISO 27001, 27002, and 27005 guidance
- NIST standards and guidance, such as FIPS-140 and NIST 800-63B
The Strivacity disaster recovery plan defines the policies and procedures that Strivacity uses to prevent and respond to any interruption to service or the unauthorized theft or destruction of data.
The plan includes processes for the following:
- Business continuity plan
The purpose of the Business Continuity Plan (BCP) is to establish procedures for execution and recovery of business activities for Strivacity to minimize disruption in an emergency or business impacting event.
- Backup & Data Retention Policy
The purpose of the Customer Backup & Retention Policy is to establish the requirements for maintaining and retaining customer data. This policy intends to stipulate the requirements to maintain our customer agreement with Strivacity customers.
- Alternate work location plan
Strivacity has policies and procedures in place for alternate work locations in the event of:
a) A natural disaster to physical Strivacity office locations
b) A total loss of power
c) Local travel impact to physical Strivacity office locations
- Recovery point objective (RPO) and Recovery time objective (RTO)
The recovery point objective varies from service to service, and targets an RPO of 2 hours with an RTO of 1 hour.
Strivacity will accommodate an impacted customer’s request for information regarding a security breach impacting their contracted services.
Strivacity’s Incident Response Process assigns roles and responsibilities to the following activities:
- Post-Incident Activities
Step-by-step procedures for responding to an incident are covered in Strivacity’s Incident Response Plan. The plan includes the following:
- Who to report the incident to
- What information to capture
- Incident assessment guidance to leadership
- Ticketing procedures
- Investigation guidance
- Remediation guidance
- After action procedures and lessons learned
Strivacity has a detailed Incident Response Policy that mandates the responsibilities and procedures to ensure a quick, effective, and orderly response to security and privacy incidents. Strivacity’s Incident Response Policy mandates:
- Security and privacy events should be reported through appropriate management channels as quickly as possible.
- Personnel and contractors using the organization’s information systems and services are required to note and report any observed or suspected security weakness or vulnerability in systems or services.
- Security and privacy events should be assessed, and it should be decided if they are to be classified as security or privacy incidents.
- Security and privacy incidents should be responded to in accordance with documented Incident Response procedures.
Strivacity requires that all employees and contractors undertake mandatory monthly security awareness training.
Strivacity conducts background checks for all employees and contractors using an accredited third-party service provider.
Strivacity maintains a disciplinary policy for all employees and contractors in the event that personnel violate any policy that forms part of the information security management program (ISMP).
Strivacity assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:
a) Designating a security official with overall responsibility for product security.
b) Defining security roles and responsibilities for individuals to carry out in accordance with prescribed Strivacity Security Policies and Guidelines.
Strivacity requires all personnel to acknowledge via electronic signature that they will comply with all prescribed ISMP policies, procedures, and guidance.
Strivacity maintains change management policies and procedures with the following mandates and guidance:
- All production changes must be approved by engineering and customer success leadership.
- When needed, production changes should be cleared with customer success leadership and fall within a pre-agreed upon customer change window.
- All production changes should follow established release and upgrade procedures.
Strivacity’s production environment is monitored by our Managed Detection and Response (MDR) provider, Expel. Alerts are generated in near real time and communicated directly to Strivacity personnel.
Strivacity, through third-party vendors, maintains anti-virus and anti-malware controls on company-maintained laptops and production devices.
Strivacity conducts penetration testing through a contracted third-party vendor at least twice per year, and typically with every major product release.