This Security Statement applies to the Engage, ion Interactive and Visually platforms and services offered by Scribble Technologies, Incorporated, (“Scribble”). The protection and security of our customer data is a core tenant of how we operate our business. To provide transparency into our security processes with our customers, a detailed summary of our security posture is provided below.
- All of Scribble’s platforms are hosted in AWS. Any access to AWS is protected by federated SSO with multi-factor authentication, with whitelisted and authenticated VPN access to servers and databases. Access to AWS to restricted by role-based access control, based on least privilege access permissions.
Access Control Reviews
- Access permissions are reviewed at least quarterly by Information Systems owners and the Security Working Group, with access revoked immediately upon employee termination.
- Password policies are implemented for strong password complexity, rotation and re-use. All password fields hide user input.
- Scribble platforms are logically isolated at the network level in AWS into an Amazon Virtual Private Cloud (VPC) where we launch AWS resources in a virtual network that defined by Scribble. Scribble has complete control over our virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
- AWS has identified critical system components required to maintain the availability of the system and recover service in the event of outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones (AZ). Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Availability Zones are connected to each other with fast, private fiber-optic networking, enabling you to easily architect applications that automatically fail-over between Availability Zones without interruption.
- AWS Elastic Load Balancers are used to automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. This allows us to achieve greater levels of fault tolerance in the Scribble platforms, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
- Firewalls, routers, switches and internet backbone connections are all maintained with redundancy and high availability on a 24/7/52 basis by AWS.
- AWS manages redundant power to all infrastructure routers and switches, as well as the data centers themselves; redundant fiber connections to Internet backbone connectivity providers; and advanced route optimization technology to provide efficient routing among the multiple backbone carriers connected to the data centers.
- Scribble utilizes AWS firewall-equivalent Security Groups and Route Tables to restrict traffic to servers and subnets based on source, destination, port and protocol.
- Databases are encrypted and deployed in private subnet tiers protected by AWS firewall-equivalent Security Groups.
- Access to platform servers, when required, is only available over whitelisted and authenticated VPN access.
Server & Database Security
- Scribble uses AWS auto-scaling groups to automatically scale on-demand, replace failed instances, and seamlessly rollout new deployments.
- Hardware failures are replaced expeditiously using AWS native capabilities to spin up new servers or volumes in AWS on demand.
- Databases deployed on AWS RDS Managed Services helps to reduce operational overhead and risk by automating common activities such as change requests, monitoring, patch management, security, and backup/restoration services, and provides full-lifecycle services to provision, run, and support the infrastructure.
Monitoring & Logging
- Scribble platforms are constantly monitoring with New Relic for application & infrastructure monitoring; SumoLogic for centralized log aggregation (with logs encrypted using AES-256 during transport and at rest); AWS CloudWatch for alarms; PagerDuty for incident alerting and triage; host-based intrusion detection systems and file integrity monitoring; AWS Shield and AWS Web Application Firewall (WAF) for threat remediation; AWS CloudWatch and CloudTrail for auditing; and various other systems for real-time monitoring, alerting, forensics, and security.
- AWS Config and AWS Tag Manager maintain a real-time inventory for all the cloud platform assets.
- A central IT management system is used to track and maintain all corporate IT assets.
- Paid vendor licenses go through a formal assessment and review process. Open source licenses must comply with internal policies for acceptable and non-restrictive licensing.
Business Continuity & Disaster Recovery
- Business continuity and disaster recovery tests are reviewed and performed annually by the cross-departmental Security Working Group.
Storage & Backups
- Database backups are performed at least daily, and stored for at least 7 days. All backups are encrypted during storage and transfer.
- Hard disks are stored on AWS SSD EBS volumes that are replicated across multiple servers in an Availability Zone to prevent loss of data.
- Data storage in AWS S3 buckets are replicated across multiple devices across at least Availability Zones, providing 99.999999999% durability over a given year. AWS S3 is designed to sustain concurrent device failures by quickly detecting and repairing any lost redundancy, and also regularly verifies data integrity using checksums.
- Customer data is encrypted in transit using HTTPS/TLS and encrypted at rest.
- Customer databases are located in data tiers in private subnets, and encrypted at rest.
- All database backups are encrypted in transit and at rest.
- Passwords are transmitted over TLS encrypted channels. Where appropriate, passwords are hashed in advance of transmission, and stored with individually salted hashes in the database.
- Scribble maintains a data classification system for public, internal, confidential, personally identifiable information (PII) and sensitive PII data.
- Collection or storage of sensitive PII, including (but not limited to) financial, social security, health, sexual orientation, or any information that if exposed to be sensitive to the individual or permit discrimination is strictly prohibited.
- Employee laptops have hard disk encryption applied via a central IT management system.
Hardware & Media Disposal
- Scribble office equipment and AWS data centers policies and procedures implement the proper erasure and disposal of data on laptops, hard disks and other hardware & media, including techniques such as overwriting, degaussing and 2-pass wipes.
- Encrypted keys are managed via AWS Key Management Service (KMS), with separate keys for development and production environments. As this is a managed AWS service, no human users have access to any of the keys.
Information System (IS) Policies
Clean Desk, Screen Lock, Removable Media Policies
- Information System policies include a clean desk policy, screen lock policy applied to all employee laptops via a central IT management system, and a ban on all removal media.
- Scribble performs internal and major 3rd party vendor risk assessments at least annually.
Security Working Group
- Scribble has a formal Security Working Group composed of management and technical leadership representatives from Engineering, Customer Success, IT & Support, Legal and HR. This group meets at least quarterly to review overall security posture; major events, trends and escalations; procedure and policy review; and various procedure testing, including disaster recovery, business continuity and breach response.
HR & Organizational Security
Background Checks & Confidentiality
- All employees are undergo background checks covering 7+ years as part of the hiring process, including criminal, credit bureau inquiry, employment, education, reference and credential verification. The specific scope of any background checks shall always be subject to the applicable local laws and regulations.
- All employees are subject to confidentiality agreements as part their employment agreement.
- Employees that violate Scribble policies will be subject to disciplinary reviews and actions.
Employee Onboarding & Offboarding
- Employee onboarding and offboarding procedures utilize automated notifications, reminders and auditing by our HR management system.
- These processes include background checks, security & privacy training, access control enablement and revocation, and equipment removal and data destruction.
Security & Privacy Training
- All employees participate in security & privacy training as part of their onboarding process, as well as annually. This process is administered via Scribble’s learning management system (LMS), including automated notifications, reminders and audit records.
- Scribble’s major corporate offices have physical access control via mobile apps authenticated to each individual, with video monitoring of entrances.
- Offices are alarmed outside of regular business hours. Alarms that are not deactivated within a set time window will notify the authorities.
- Visitor handling policies apply for non-employee access, sign-in and management.
AWS Data Centers: Physical Access
- All Scribble platforms are fully hosted in AWS data centers in the United States.
- AWS security personnel are on duty 24/7/52.
- Physical access to AWS data centers is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
AWS Data Centers: Alarms, CCTV, Inspection
- Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response.
- Electronic intrusion detection systems are installed within the data layer to monitor, detect and automatically alert the 24/7 AWS Security Operations Centers and teams.
- Closed circuit video surveillance (CCTV) at all entrance points on the interior and exterior of the building housing the data center facilities.
- AWS data centers security alarms are tested monthly, consistent with requirements for ISO 27001 and SOC.
AWS Data Centers: Access Cards, Badges, Visitors
- All AWS personnel and visitors are required to display their identity badges at all times when onsite at AWS facilities.
- Two factor authentication is used to gain access to server rooms and sensitive areas of the datacenter.
- Only authorized AWS personnel have access to data center facilities.
- Visitor access control applies to all areas of the data centers, including business justification to access, least privilege, time-bound access, badges worn at all times, authorized staff escorts, and access limited only to justified areas.
AWS Data Center Infrastructure & Redundancy
Climate and Temperature
- AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages.
- Personnel and systems monitor and control temperature and humidity at appropriate levels.
Fire Detection and Suppression
- AWS data centers are equipped with automatic fire detection and suppression equipment.
- Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces.
- In order to detect the presence of water leaks, AWS equips data centers with functionality to detect the presence of water.
- If water is detected, mechanisms are in place to remove water in order to prevent any additional water damage.
- AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day.
- AWS ensures data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
Software Development Process
Agile SDLC Process
- Scribble R&D teams operate in an Agile environment with continuous delivery capabilities. Tasks go through our standard SDLC process, including sprint planning, task documentation, development, code reviews, QA, build server testing, multiple deployment environments, automated production deployment and rollback capabilities.
- These process include version control, coding standards and security best practices.
- Scribble has fully separated AWS accounts for each platform’s production and development environments. Customer data in production is fully isolated at a network, logical, and access control level from local and development environments.
Segregation of Duties
- Scribble has segregation of duties across the various departments and stages of the software development cycle. This includes onboarding processes triggered by HR, laptop and corporate IT access by IT administrators, engineering access by Engineering management, software testing by QA, platform support by Support teams, and shared security responsibility by Engineering, IT and the Security Working Group.
Patching and Anti-malware
- Scribble has patch management processes and anti-malware systems in place to proactively manage security updates.
Vulnerability & Penetration Testing
- Monthly vulnerability testing and quarterly independent, manual penetration testing are performed to check for OWASP Top 10 security risks, amongst other security considerations. Critical and high-level fixes are deployed on a priority basis.
Breach & Incident Response
DDOS & Attack Prevention
- DDoS prevention is managed by Scribble and AWS. Scribble has premier enterprise support with AWS for immediate escalation and support of critical issues, including DDoS attacks. Scribble will also work with 3rd party cyber breach response teams in the event of a major incident.
- Scribble platforms use a combination of threat management and monitoring including AWS Shield, AWS Web Application Firewall (WAF), CloudWatch alarms, SumoLogic centralized logging and IP threat database (powered via CrowdStrike), New Relic application & infrastructure monitoring, host-based intrusion detection & file integrity monitoring, and other tools to help monitor and prevent attacks.
- In the event of a major or reportable breach, affected customers will be notified within 72 hours, or earlier as required by law. Customers may be notified directly by Support or Customer Success teams, and the Scribble status page (https://status.scribblelive.com) will be updated. All subscribers to the status page will receive automated notifications of any updates to the incident.
- Incident response procedures involve clear identification of roles and responsibilities. The incident is first classified by impact to the system and whether breach has occurred, followed by escalation procedures and regular reporting intervals to affected customers. In the event of a major or reportable breach, Scribble may appoint a 3rd party independent auditor to assess the scope and impact of a breach, assist in remediation, and write a full report of its findings. This report can be confidentially provided to affected customers upon request.
- Scribble maintains a global support team for 24/7 support. Dedicated support teams work on regular North American and European business hours via email access, and have an on-call rotation for after-hour emergency ticket and PagerDuty alerts.
Keeping your data secure is a shared responsibility that also involves you maintaining appropriate security on your accounts. This includes ensuring sufficiently complex credentials & password rotation policies, safe storage and rotation of API access keys, embedding Scribble content into your own websites with HTTPS/TLS, and hosting of white-label sites with HTTPS certificates.
SOC 2 Audits
- System and Organization Controls (SOC) Reports are independent, 3rd party examination reports that demonstrate how Scribble achieves key compliance controls and objectives. Scribble has completed a SOC 2 security review in January 2019 for Scribble’s organization controls and Visually, ion and Engage platforms with no control deviations or disclosures identified. Scribble intends to perform these annually on an ongoing basis.
AWS Data Centers
- All Scribble platforms are fully hosted in AWS data centers in US regions. AWS maintains annual certifications and 3rd party audit reports including PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 & SOC 2.
GDPR & Privacy Shield
- Scribble and its platforms are designed to comply with the GDPR frameworks, EU-U.S. & Swiss-U.S. Privacy Shield Frameworks.
- The Standardized Information Gathering (SIG) Lite is an industry standard questionnaire for risk management of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. Scribble documents and maintains its security policies and procedures in an extensive and comprehensive internal SIG Lite document.
The information contained herein is for general information purposes only. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, products, services, processes, activities or related materials referred to herein for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will Scribble be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising, including from loss of data or profits arising out of, or in connection with, reliance upon this information.