FunnelEnvy Privacy, Security and Compliance 2020-07-13T00:12:52-07:00

Keeping your organization’s data private and secure is extremely important. That’s why FunnelEnvy is committed to end-to-end security and privacy compliance throughout its architecture.

Security Features and Benefits

FunnelEnvy is built on a robust cloud security infrastructure and leverages industry best practices and standards. When you send your organization’s data to us, you can rest assured that your data, and your customers’ data, is protected. We’re compliant with and regularly audited against multiple regulations and standards, including SOC2, ISO 27001, the E.U. General Data Protection Regulation (GDPR), and the Privacy Shield Framework. Best of all, our security scales with you – no matter how much data you send to our cloud infrastructure, it’s always protected.

Security Planning & Operations

FunnelEnvy maintains an Information Security and Privacy program that covers the entire scope of its operations. The security program maintains a strict set of objectives with dedicated budget and staff. The security program ensures that:

  • An information security strategy, including goals and objectives, is adhered to and updated on a regular basis.
  • All security documentation, including policies and procedures, is kept up to date.
  • Regular risk assessments are conducted, with results actively informing the security controls that the organization implements.
  • Training and awareness of FunnelEnvy team members is conducted on a regular basis.
  • Regular checks and measurements occur to gauge and improve performance.

Infrastructure Security

FunnelEnvy is entirely built within the Amazon Web Services (AWS) Cloud, which provides several security capabilities and services that increase privacy and security.

  • AWS operates an extremely robust compliance program that spans multiple domains, each with its own set of requirements and best practices. For more information, we recommend referencing their compliance documents.
  • We leverage AWS’ network and web application firewall capabilities to tightly control access to our networks, servers and applications.
  • As an AWS user, FunnelEnvy and its customers benefit from high levels of availability and resilience, as well as specialized services, thereby ensuring reliability and protection against threats such as Distributed Denial-of-Service (DDoS) attacks.

      Encryption

      FunnelEnvy performs regular reviews of its architecture and infrastructure to ensure that your data is kept confidential using the best encryption available. To prevent unauthorized access to data, FunnelEnvy uses full end-to-end encryption, which includes encryption for data in transit and at rest.

        • All traffic between your web browser, FunnelEnvy’s servers, and third party integrations is encrypted with at least 256-bit AES encryption.
        • All data stored in FunnelEnvy’s data warehouse is fully encrypted at all times.
        • To ensure the highest levels of security, all encryption keys are managed via a strict key management process that leverages AWS Key Management technology.

        Monitoring & Access Logs

        FunnelEnvy maintains deep visibility into all transactions performed on its system. All events are fully logged, to include the who, what, where and when of the transaction.

        • FunnelEnvy’s administrators are automatically alerted when suspicious activities occur.
        • All logs are aggregated and monitored in real time for trends.
        • All logs are streamlined to inform compliance reporting and investigations, if necessary.
        • Logs are manually reviewed on a recurring basis to spot anomalies.
        • All system activity is correlated against the latest threat intelligence data to pinpoint potential system reconnaissance or attacks.

          Accounts and Access Control

            FunnelEnvy maintains strong account management and access control procedures for its own staff as well as for users on its platform.

            • FunnelEnvy requires strong passwords for all users on the system.
            • Subscribers have the ability to restrict data access to only those who need it. User accounts and permissions are fully customizable within the subscriber’s administration console.
            • Privileged and development accounts are strictly managed based on the AWS Identity and Access Management (IAM) service.
            • Internally, FunnelEnvy leverages best practices such as Single-Sign On (SSO) with Multi-Factor Authentication (MFA) requirements.

            Secure Development Practices

            In order to ensure the highest quality of performance and security within its software, FunnelEnvy follows strict development and operations policies.

            • All code changes and application updates are tracked and reviewed for quality and security before release.
            • FunnelEnvy maintains separate development, testing, staging and production environments.
            • Software libraries and subcomponents are fully vetted before use, thereby ensuring code-level reliability and security.

            Disaster and Data Recovery

              • FunnelEnvy is deployed in multiple physical locations by leveraging multiple availability zones in the AWS US-East (N. Virginia) region. The FunnelEnvy platform is configured with automatic self-healing, failover, rollback, backup and scaling capabilities.
              • To ensure business continuity, FunnelEnvy maintains internal processes with strict Recovery Time Objectives (RTOs). We test our internal processes on a regular basis by holding simulated Business Continuity Exercises.

              Compliance and Certifications

              In order to maintain the highest levels of trust in our security and privacy policies, procedures and implementation, FunnelEnvy conducts internal and external audits on a regular basis to ensure continuous compliance with multiple legal, regulatory and contractual obligations, as well as industry standards.

              ISO 27001

              Since 2018, FunnelEnvy has maintained an active, ISO 27001-certified Information Security Management System (ISMS) for its operations. The ISO 27001 standard specifies security management best practices and comprehensive security controls, and requires the development and implementation of a rigorous information security program. ISO 27001 is a widely-recognized international security standard which specifies that FunnelEnvy:

                • Systematically evaluates its information security risks, taking into account the impact of threats and vulnerabilities.
                • Designs and implements a comprehensive suite of information security controls and other forms of risk management to address security risks.
                • Operates an overarching management process to ensure that FunnelEnvy’s information security controls are effective.

                FunnelEnvy’s ISO 27001 auditor and registrar is A-LIGN. A certificate of registration is available upon request.

                AICPA SOC

                 

                 

                AICPA SOC

                FunnelEnvy meets the criteria for security in the American Institute of Certified Public Accountants (AICPA) TSP Section 100A, Trust Services Principles and Criteria. FunnelEnvy completed a SOC2 Type 1 audit in February 2019 and completed its SOC2 Type 2 audit in February 2020. Type 2 audits are performed each year. A copy of FunnelEnvy’s most recent SOC2 report can be provided upon request.

                Privacy Shield

                FunnelEnvy is a member of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce, the European Commission and Swiss Administration to provide organizations on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the U.S. in support of transatlantic commerce.

                Our current Privacy Shield status can be found on the Privacy Shield website.

                General Data Protection Regulation (GDPR)

                The E.U. General Data Protection Regulation (GDPR) strengthens and standardizes data protection laws for all individuals within and traveling inside the European Union (E.U.). FunnelEnvy implements and honors all aspects of the GDPR, which includes:

                  • Expanded privacy rights for individuals: data subjects within the E.U. have the right to be forgotten and the right to request a copy of any personal data stored in their regard. FunnelEnvy maintains internal processes to ensure that it can remove and/or export any customer or data subject’s personal data upon request.
                  • Responsibility to implement appropriate security: organizations subject to the GDPR must implement appropriate security controls and policies, to include the completion of privacy impact assessments, records on data processed and held, and strict management of vendors. FunnelEnvy completes all of these activities under its company-wide Information Security and Privacy Program.
                  • Data breach response and notification: data breaches must be reported to data protection authorities, customers, and under certain circumstances, affected data subjects. In the unlikely event of a data breach, FunnelEnvy maintains strict incident response and data breach processes that ensure immediate response.
                  • Profiling and monitoring requirements: the GDPR stipulates strict security and privacy rules on organizations engaged in profiling or monitoring of E.U. individuals. FunnelEnvy is fully compliant with all GDPR profiling and monitoring requirements.

                  IP Anonymization

                  As IP addresses could be considered personal data, FunnelEnvy allows you to easily anonymize IP addresses by removing the last octet of your visitors’ IP address before storing event data.

                  Non-Consent Mode

                  FunnelEnvy allows for a non-consent mode of operation whereby website visitors who have not given consent will not be associated with personal data.

                  Data Processing Addendum (DPA)

                  This addendum includes all required terms for GDPR compliance, plus Standard Contractual Clauses which serve as a safeguard to govern transfers of personal data out of the EU/EEA/Switzerland.

                  Sign Data Processing Addendum (via HelloSign)
                  Download Data Processing Addendum (PDF)

                  California Consumer Privacy Act (CCPA)

                  On January 1, 2020, the California Consumer Privacy Act (“CCPA”) changes how businesses handle the personal information of California residents. CCPA was designed to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement for residents in the state of California. FunnelEnvy implements and honors all aspects of CCPA, which includes the following key changes for California residents:

                  • The right to know what personal information is being collected and whether that information is sold, transferred or disclosed and to whom. FunnelEnvy maintains a clear privacy policy to ensure you understand the data we collect about and which third parties we work with to process data.
                  • The right to opt-out of the sale of personal information. Opt-out requests should be emailed to [email protected].
                  • The right to access or delete personal information collected by FunnelEnvy. Requests to delete personal information should be emailed to [email protected]. FunnelEnvy maintains internal processes to safely delete personal information upon request.
                  • The right to equal FunnelEnvy services and prices, regardless of privacy. Residents that choose to exercise their rights may still become FunnelEnvy customers without penalty or retribution. FunnelEnvy is committed to a policy of non-discrimination.

                  Vulnerability Disclosures

                  California Consumer Privacy Act (CCPA)

                  FunnelEnvy’s steadfast commitment to security necessitates that it investigates all reported vulnerabilities. If you would like to report a vulnerability or have a security concern regarding FunnelEnvy’s services, please contact our team at [email protected]. Along with your email, please provide any supporting material (code, system or tool output, etc.) that will help us to understand the nature and severity of the vulnerability. Our team will review the submission and will respond with next steps.

                  The information that you share with FunnelEnvy as part of this process is always kept confidential. It is not shared with third parties without your permission.

                  Contact the Security Team

                  Want more information about FunnelEnvy’s privacy and security? Contact our team at [email protected].