Keeping your organization’s data private and secure is extremely important to us. That’s why we are committed to end-to-end security and privacy compliance throughout our operations and architecture.
Security Features and Benefits
FunnelEnvy is built on a robust cloud security infrastructure and adheres to industry best practices and standards. When you send your organization’s data to us, you can rest assured that your data, and your customers’ data, is protected. We’re compliant with and regularly audited against multiple regulations and standards, including SOC2, ISO 27001, the E.U. General Data Protection Regulation (GDPR), and the Privacy Shield Framework. All of this trickles down to you – no matter how much data you send to us, it’s always protected.
Security Planning & Operations
FunnelEnvy maintains an Information Security and Privacy program with a dedicated budget and staff that covers the entire scope of its operations. The security program ensures that:
- An information security strategy, including goals and objectives, is adhered to and updated on a regular basis.
- All security documentation, including policies and procedures, is kept up to date.
- Regular risk assessments are conducted, and results inform the security controls that we implement.
- FunnelEnvy team members go through security awareness training on a regular basis.
- Regular checks and measurements are made to gauge and improve performance.
Infrastructure Security
FunnelEnvy is built within the Amazon Web Services (AWS) Cloud, and inherits security capabilities and services that increase privacy and security. These benefits are passed on to our customers. The AWS infrastructure provides:
- A robust security and compliance program that spans multiple domains, each with its own set of requirements and best practices.
- Network and web application firewall capabilities used to tightly control access to our networks, servers and applications.
- High levels of availability and resilience.
- Reliability and protection against threats such as Distributed Denial-of-Service (DDoS) attacks.
Encryption
To prevent unauthorized access to data, FunnelEnvy uses encryption for data in transit and at rest. Our encryption protocols ensure that:
- All traffic between your web browser, our servers, and third party integrations is encrypted with at least 256-bit AES encryption.
- All data stored in our data warehouse is fully encrypted at all times.
All encryption keys are managed via a strict key management process that leverages AWS Key Management technology.
Monitoring & Access Logs
FunnelEnvy maintains deep visibility into all transactions performed on its system. All events are fully logged to include the who, what, where and when of the transaction. Our monitoring program ensures that:
- Our administrators are automatically alerted when suspicious activities occur.
- All logs are aggregated and monitored for trends in real time.
- All logs are streamlined to support compliance reporting and investigations, if necessary.
- Logs are manually reviewed on a recurring basis to spot anomalies.
- All system activity is correlated against the latest threat intelligence data to pinpoint potential system reconnaissance or attacks.
Accounts and Access Control
FunnelEnvy maintains strong account management and access control procedures for our staff as well as for users on our platform. To ensure access remains secure:
- We require strong passwords for all users on the system.
- From the administration console, we provide subscribers with the ability to restrict data access to only those who need it.
- Privileged and development accounts are strictly managed based on the AWS Single-Sign On and AWS Identity and Access Management (IAM) services.
- We require our employees to use Multi-Factor Authentication (MFA).
Secure Development Practices
To ensure the highest quality of performance and security within the FunnelEnvy software, we adhere to the following development and operations practices:
- All code changes and application updates are tracked and reviewed for quality and security.
- Development, testing, staging and production are maintained as separate environments.
- Software libraries and subcomponents are fully vetted before use, thereby ensuring code-level reliability and security.
- Testing and deployment of application features are done through automated Continuous Integration and Continuous Delivery (CI/CD) pipelines.
Vulnerability Management
To protect the FunnelEnvy system and data from breaches as a result of software and system vulnerabilities, we conduct:
- Vulnerability scanning on a frequent basis, to include internal and external scanning for system and software vulnerabilities.
- Remediation and patching of vulnerabilities based on severity.
- Web application scanning of the FunnelEnvy application.
Disaster and Data Recovery
To protect the FunnelEnvy system and data, and ensure quick recovery in the event of an outage or incident:
- The FunnelEnvy application is deployed in multiple physical locations.
- The platform is configured with automatic self-healing, failover, rollback, backup and scaling capabilities.
- We regularly test our internal processes by holding simulated Business Continuity Exercises.
Privacy
FunnelEnvy ensures that the data it collects and retains is kept private by maintaining:
- Internal processes that govern removal and/or export of any subject’s personal data upon request.
- Its company-wide Information Security and Privacy Program.
- Strict incident response and data breach processes that ensure immediate response. These processes are tested regularly.
- Full compliance with all applicable laws and regulations, to include the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Privacy Shield, and others. For more information on legal compliance, please see our Compliance and Certifications section detailed below.
- Ability to anonymize visitors’ IP addresses by removing the last octet of their IP address before storing event data.
- Ability to enable non-consent mode, whereby website visitors who have not given consent will not be associated with personal data.
Compliance and Certifications
In order to maintain the highest levels of trust in our security and privacy policies, procedures and implementation, FunnelEnvy conducts internal and external audits on a regular basis to ensure continuous compliance with multiple legal, regulatory and contractual obligations, as well as industry standards.
ISO 27001
Since 2018, FunnelEnvy has maintained an active, ISO 27001-certified Information Security Management System (ISMS) for its operations. We follow the specified security management best practices and security controls, and maintain a rigorous information security program. ISO 27001 is a widely-recognized international security standard which specifies that we:
- Systematically evaluate our information security risks, evaluating the potential impact of threats and vulnerabilities.
- Maintain a comprehensive suite of information security controls and other forms of risk management.
- Operate an overarching management process to ensure that our information security controls are effective.
FunnelEnvy’s ISO 27001 auditor and registrar is Sensiba. A certificate of registration is available upon request.
SOC 2
FunnelEnvy meets the criteria for security in the American Institute of Certified Public Accountants (AICPA) TSP Section 100A, Trust Services Principles and Criteria. We complete SOC 2 Type II audits on an annual basis. A copy of FunnelEnvy’s most recent SOC2 report can be provided upon request.
California Consumer Privacy Act (CCPA)
On January 1, 2020, the California Consumer Privacy Act (CCPA) changed how businesses must handle the personal information of California residents. CCPA was designed to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement for residents in the state of California. FunnelEnvy implements and honors all aspects of CCPA, which includes the following key protections for California residents:
- Each visitor has the right to know what personal information is being collected and whether that information is sold, transferred or disclosed and to whom. We maintain a clear privacy policy to ensure it’s easy to understand what data we collect and the third parties we work with to process data.
- The right to opt-out of the sale of personal information. Opt-out requests should be emailed to [email protected].
- The right to access or delete personal information collected by FunnelEnvy. Requests to delete personal information should be emailed to [email protected]. We maintain internal processes to safely delete personal information upon request.
- The right to equal FunnelEnvy services and prices, regardless of privacy choices. Residents that choose to exercise their rights may still become FunnelEnvy customers without penalty or retribution. We are committed to a policy of non-discrimination.
General Data Protection Regulation (GDPR)
The E.U. General Data Protection Regulation (GDPR) strengthens and standardizes data protection laws for all individuals within and traveling inside the European Union (E.U.). FunnelEnvy implements and honors all aspects of the GDPR, which include:
- Expanded privacy rights for individuals: data subjects within the E.U. have the right to be forgotten and the right to request a copy of any stored personal data.
- Responsibility to implement appropriate security: organizations subject to the GDPR must implement appropriate security controls and policies, to include the completion of privacy impact assessments, records on data processed and held, and strict management of vendors.
- Data breach response and notification: data breaches must be reported to data protection authorities, customers, and under certain circumstances, affected data subjects.
- Profiling and monitoring requirements: the GDPR stipulates strict security and privacy rules on organizations engaged in profiling or monitoring of E.U. individuals.
Data Processing Addendum (DPA)
This addendum includes all required terms for GDPR compliance, plus Standard Contractual Clauses which serve as a safeguard to govern transfers of personal data out of the EU/EEA/Switzerland.
Sign Data Processing Addendum (via HelloSign)
Download Data Processing Addendum (PDF)
Privacy Shield
FunnelEnvy is a member of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce, the European Commission and Swiss Administration to provide organizations on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the U.S. in support of transatlantic commerce.
Our current Privacy Shield status can be found on the Privacy Shield website.
Reporting Vulnerabilities
FunnelEnvy’s steadfast commitment to security necessitates that it investigates all reported vulnerabilities. If you would like to report a vulnerability or have a security concern regarding our services, please contact our team at [email protected]. Along with your email, please provide any supporting material (code, system or tool output, etc.) that will help us to understand the nature and severity of the vulnerability. Our team will review the submission and will respond with next steps.
The information that you share with FunnelEnvy as part of this process is always kept confidential. It is not shared with third parties without your permission.
Contact the Security Team
Want more information about FunnelEnvy’s privacy and security? Contact our team at [email protected].