SoSuite Security Overview
1. OUR COMPANY AND PRODUCT
The SoSuite products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications, application programming interfaces (APIs), email plugins, and a cron-based task management plugin.
SoSuite is the world’s leading inbound marketing and sales platform. Since 2016, SoSuite has been on a mission to make the world more inbound. Today, tens of thousands of customers in more than 90 countries use SoSuite’s software, services, and support to transform the way they attract, engage, and delight customers. SoSuite’s inbound marketing and sales software includes social media publishing and monitoring, blogging, SEO, website content management, email marketing, and reporting and analytics, all in one integrated platform.
2. SoSuite SECURITY AND RISK GOVERNANCE
SoSuite’s primary security focus is to safeguard our customers’ and users’ data. This is the reason that SoSuite has invested in the appropriate resources and controls to protect and serve our customers. This investment includes the establishment of a dedicated Security Team. The Security Team is responsible for SoSuite’s comprehensive security and risk management program and its governance process. The Security Team is focused on defining new and refining existing controls, implementing and managing the SoSuite security framework, and providing a support structure to facilitate effective risk management. Our Chief Security Officer, who reports to the Chief Executive Officer, manages the Security Team.
3. OUR SECURITY AND RISK MANAGEMENT OBJECTIVES
We have developed our security framework using best practices in the SaaS industry. Our key objectives include:
- Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
- Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
- Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.
- Compliance with Standards – implement processes and controls to align with current international regulatory and industry best practice guidance. We have designed our security program around best-of-breed guidelines for cloud security. In particular, we leverage standards like the Cloud Security Alliance CCM, and align our practices with ISO 27001 and NIST SP 800-53.
4. SoSuite SECURITY CONTROLS
In order to ensure we protect data entrusted to us, we implemented an array of security controls. SoSuite’s security controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk. The following sections describe a subset of controls. For more information about the SoSuite security program, please check out all the details at SoSuite Security Overview.
4.1. SoSuite PRODUCT INFRASTRUCTURE
4.1.1. DATA CENTER SECURITY
SoSuite outsources hosting of its product infrastructure to leading cloud infrastructure providers. Principally, the SoSuite product leverages Amazon Web Services (AWS) for infrastructure hosting. These solutions provide high levels of physical and network security as well as hosting provider vendor diversity. At present, SoSuite’s AWS cloud server instances reside in US locations. Our provider maintains an audited security program, including SOC 2 and ISO 27001 compliance. SoSuite does not host any production software systems within its corporate offices.
These world-class infrastructure providers leverage the most advanced facilities infrastructure, such as power, networking, and security. Facilities uptime is guaranteed between 99.95% and 100%, and the facilities ensure a minimum of N+1 redundancy for all power, network, and HVAC services. Access to these provider sites is highly restricted, both physical access and electronic access through public (internet) and private (intranet) networks, in order to eliminate any unwanted interruptions in our service to our customers.
The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS compliance site.
4.1.2. NETWORK SECURITY & PERIMETER PROTECTION
The SoSuite product infrastructure is built with internet-scale security protections in mind. In particular, network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure. These security controls include enterprise-grade routing and network access control lists (firewalling).
Network-level access control lists are implemented as AWS Virtual Private Cloud (VPC) security groups, which apply port- and address-level protections to each of the server instances in the infrastructure. This allows fine-grained control of network traffic from the public network as well as between server instances in the interior of the infrastructure. Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring that only the appropriate types of devices can communicate with each other.
Changes to the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk, and captured appropriately.
4.1.3. CONFIGURATION MANAGEMENT
Automation drives SoSuite’s ability to scale with our customers’ needs. The product infrastructure is a highly automated environment that flexibly expands capacity and capability as needed. Server instances are fully puppetized, meaning that any server’s configuration is tightly controlled from birth through deprovisioning.
All server type configurations are embedded in images and Puppet configuration files. Server-level configuration management is handled using these images and configuration scripts when the server is built. Changes to the configuration and standard images are managed through a controlled change process. Patch management and configuration control are typically handled by removing server instances that are no longer compliant with the expected baseline and provisioning a replacement instance in their place. Rigorous and automated configuration management is baked into our day-to-day infrastructure processing.
4.1.4. ALERTING & MONITORING
Not only does SoSuite fully automate its build procedures, we invest heavily in automated monitoring, alerting and response technologies to continuously address potential issues. The SoSuite product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses and alerts to the appropriate teams for response, investigation, and correction. As unexpected or malicious activities occur, systems bring in the right people to ensure that the issue is rapidly addressed.
Many automated triggers are also designed into the system to immediately respond to foreseen situations. Traffic blocking, quarantine, process termination, and similar functions kick in at pre-defined thresholds to ensure that the SoSuite platform can protect itself against a wide variety of undesirable situations.
The power behind SoSuite’s ability to detect and respond to anomalies is our 24x7x365 monitoring program and extensive logging. Our systems capture and store logs that include all the technologies that comprise our products. At the application layer, all logins, page views, modifications, and other access to SoSuite portals are also logged. In the infrastructure back-end, we log authentication attempts, horizontal and vertical permission changes, infrastructure health, and requests performed among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
4.1.5. INFRASTRUCTURE ACCESS
Entire categories of potential security events are prevented with a stringent, consistent, and well-designed access control model. Along those lines, access to SoSuite’s systems is strictly controlled.
SoSuite employees are granted access to corporate services, SoSuite sales and marketing portals, and product infrastructure based on their jobs, using a role-based access control model. More information about SoSuite’s RBAC model across the company is available in section 4.3.
For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs require it. For emergency access and access to administrative functions, SoSuite’s system uses a Just-In-Time-Access (JITA) model in which users can request access to privileged functions.
Users are assigned the privileges to make JITA requests by business unit and team. When non-standard, emergency access is needed, like sudo access on a Linux server, the user makes a JITA request. The JITA request is logged, and logs are continuously monitored for anomalous requests. Access to the privileged function is granted, and the person can go about his or her work.
Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited, and engineers are required to authenticate first through a bastion host or “jump box” before accessing QA or production environments. Server-level authentication uses user-unique SSH keys and token-based two-factor authentication.
4.2. APPLICATION PROTECTION
4.2.1. WEB APPLICATION DEFENSES
As part of its commitment to protecting customer data and websites, SoSuite implemented an industry recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at the SoSuite products or customer sites hosted on the platform. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure those customers’ sites and other parts of the SoSuite products are available continuously.
The WAF is configured with a combination of industry-standard and custom rules that can automatically enable and disable the appropriate controls to best protect our customers. These tools actively monitor real-time traffic at the application layer, with the ability to alert on or deny malicious behavior based on behavior type and rate.
4.2.2. DEVELOPMENT & RELEASE MANAGEMENT
One of SoSuite’s greatest advantages is a rapidly-advancing feature set, and we provide constantly improving products through a modern continuous delivery approach to software development. New code is proposed, approved, merged and deployed hundreds of times daily. Code reviews and quality assurance are performed by specialized teams of engineers with intimate knowledge of the SoSuite platform as it is developed. Approval is controlled by designated repository owners. Once approved, code is automatically submitted to SoSuite’s continuous integration environment where compilation, packaging and unit testing occur. If all passes, the new code is deployed automatically across the application tier.
All code deployments create archives of the existing production-grade code in case failures are detected by post-deploy hooks. The deploying team manages notifications regarding the health of their applications. If a failure occurs, roll-back is immediately engaged.
As part of the continuous deployment model, we use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch). Major feature changes are communicated through in-app messages and/or the [Product Update Page at Our WebSite]. Customers and users can sign up via the [SignUP Page] to receive updates as soon as they are posted or at a frequency they choose.
4.2.3. VULNERABILITY SCANNING, PENETRATION TESTING, & BUG BOUNTIES
The SoSuite Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack. We perform hundreds of vulnerability scanning and penetration testing activities against ourselves on a continuous basis. We perform vulnerability scanning continually against our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run at least daily to ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws early in the development lifecycle.
Continually running scans, adaptive scanning inclusion lists, and continuously updating vulnerability signatures help SoSuite stay ahead of many security threats. To get a second opinion about our ability to identify and respond to security risks, we bring in industry-recognized third parties to perform four annual penetration tests. The goal of these programs is to iteratively identify flaws that present security risk and rapidly address any issues. Penetration tests are performed against the application layers and network layers of the SoSuite technology stack, and penetration testers are given internal access to the SoSuite product and/or corporate networks in order to maximize the kinds of potential vectors that should be evaluated.
In addition to internal vulnerability scanning and independent penetration testing, SoSuite manages a bug bounty program. Independent security researchers are invited to participate in identifying security flaws in the SoSuite products and are rewarded for their submissions. Security community members and SoSuite customers are welcome to perform security testing against trial portals. Information about SoSuite’s bounty program is available at
4.3. CUSTOMER DATA PROTECTION
4.3.1. CONFIDENTIAL INFORMATION IN THE SoSuite PRODUCTS
The SoSuite products are an integrated marketing and sales experience. The information collected in our products is sales and marketing data gathered through lead interaction, public directories, and/or reputable 3rd party sources. SoSuite’s online data-capture tools allow customers to define the type of information to be collected and stored on their behalf. Per the SoSuite [Terms of Service] and [Acceptable Use Policy], our customers ensure that they capture only appropriate information to support their marketing and sales processes. The SoSuite products are not used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.
4.3.2. CREDIT CARD INFORMATION PROTECTION
Many SoSuite customers pay for the service by credit card. SoSuite does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely and according to appropriate regulation.
4.3.3. ENCRYPTION IN-TRANSIT & AT-REST
All sensitive interactions with the SoSuite products (e.g., API calls, login, authenticated sessions to the customer’s portal, etc.) are encrypted in transit with TLS 1.0, 1.1, or 1.2 and 2,048-bit keys or better. Customers who host their sites on SoSuite may configure their sites to also use TLS. Please see our setup guide for more information about configuring TLS. Customers who would like to limit the encryption protocols used for HTTPS connections may start the process by contacting Customer Support or their Customer Success Manager.
SoSuite leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by SoSuite product server instances as well as long-term storage solutions use AES-256 encryption. Additionally, certain databases or field-level information is encrypted at rest, based on the sensitivity of the information. For instance, user passwords are hashed and certain email features work by providing an additional level of both at-rest and in-transit encryption.
4.3.4. USER AUTHENTICATION & AUTHORIZATION
The SoSuite products enforce a uniform password policy. The password policy requires a minimum of 8 characters that include a combination of lower and upper case letters, special characters, whitespace, and numbers. The minimum requirement cannot be changed on a per-portal basis. Users may also configure two-step verification using Google Authenticator and/or SMS to provide a second factor when logging in.
Application programming interface (API) access is enabled through either API key or OAuth (version 2) authentication and authorization. Customers have the ability to generate API keys for their portals. The keys are intended to be used to rapidly prototype custom integrations. SoSuite’s OAuth implementation is a stronger approach to authenticating and authorizing API requests. Additionally, OAuth is required of all featured integrations. Authorization for OAuth-enabled requests is established through defined scopes.
4.3.5. SoSuite EMPLOYEE ACCESS
SoSuite controls individual access to data within its production and corporate environment. A subset of SoSuite’s employees are granted access to production data based on their role in the company through role based access controls (RBAC) or on an as-needed basis referred to as JITA (just in time access).
Engineers and members of Operations teams may be granted access to various production systems as a function of their role. Common access needs include responding to alerts, troubleshooting, analyzing information for product investment decisions, and product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose jobs require that access, and access is reviewed on a continual basis.
Customer Support, Services, and other customer engagement staff with a need-to-know may request just-in-time access to customer portals on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer’s portal for a 24-hour period. All access requests, logins, queries, page views and similar information are logged.
All employee access to both corporate and product resources is subject to daily automated review and at least semi-annual manual recertification to ensure the granted authorization is appropriate for an employee’s role and job needs.
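The JITA workflow described in sections 4.1.5 and 4.3.5 (request logged, privilege granted for a bounded window, 24 hours for a customer portal, log swept for anomalous requests) modelled as a small Python module. This is an added illustration, not SoSuite’s code; the team-to-privilege entitlements, the two-hour window for emergency sudo and the burst threshold are assumptions.

```python
"""Model of a just-in-time access (JITA) workflow: every request is logged,
a grant is time-limited and checked on use, and the request log is swept for
anomalies. Constructed example; not SoSuite's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PORTAL_GRANT = timedelta(hours=24)   # customer-portal access, per section 4.3.5
SUDO_GRANT = timedelta(hours=2)      # assumed window for emergency sudo access

# Assumed mapping of team -> privileges that team may request at all.
TEAM_ENTITLEMENTS = {
    "support": {"portal:read"},
    "sre": {"portal:read", "sudo:linux"},
}


@dataclass
class Grant:
    user: str
    privilege: str
    target: str          # customer portal id or host name
    granted_at: datetime
    expires_at: datetime


@dataclass
class JitaService:
    teams: dict                                  # user -> team
    log: list = field(default_factory=list)      # every request, granted or not
    grants: list = field(default_factory=list)

    def request(self, user, privilege, target, reason, now):
        """Log the request; grant only privileges the user's team may ask for."""
        team = self.teams.get(user)
        allowed = privilege in TEAM_ENTITLEMENTS.get(team, set())
        self.log.append({"ts": now, "user": user, "team": team, "privilege": privilege,
                         "target": target, "reason": reason, "granted": allowed})
        if not allowed:
            return None
        ttl = PORTAL_GRANT if privilege.startswith("portal:") else SUDO_GRANT
        grant = Grant(user, privilege, target, now, now + ttl)
        self.grants.append(grant)
        return grant

    def is_authorized(self, user, privilege, target, now):
        """A grant is usable only for its target and only inside its window."""
        return any(g.user == user and g.privilege == privilege and g.target == target
                   and g.granted_at <= now < g.expires_at for g in self.grants)

    def anomalous_requests(self, window=timedelta(hours=1), max_per_window=3):
        """Flag denied requests (privilege outside the team's entitlements) and
        bursts of more than max_per_window requests by one user inside window."""
        flagged = [("denied", e) for e in self.log if not e["granted"]]
        by_user = {}
        for e in self.log:
            by_user.setdefault(e["user"], []).append(e["ts"])
        for user, stamps in by_user.items():
            stamps.sort()
            for i in range(len(stamps)):
                j = i
                while j < len(stamps) and stamps[j] - stamps[i] <= window:
                    j += 1
                if j - i > max_per_window:
                    flagged.append(("burst", {"user": user, "count": j - i, "from": stamps[i]}))
                    break
        return flagged


def run_scenario():
    """Constructed scenario: one normal support grant, one sudo grant, and a
    support user who asks for sudo and then hammers portal requests."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    svc = JitaService(teams={"alice": "support", "bob": "sre", "mallory": "support"})
    svc.request("alice", "portal:read", "portal-123", "ticket 42", t0)
    svc.request("bob", "sudo:linux", "web-01", "disk full alert", t0)
    denied = svc.request("mallory", "sudo:linux", "web-01", "curious", t0 + timedelta(minutes=5))
    for k in range(4):
        svc.request("mallory", "portal:read", f"portal-{k}", "bulk", t0 + timedelta(minutes=10 + k))
    return {
        "alice_valid_at_23h": svc.is_authorized("alice", "portal:read", "portal-123", t0 + timedelta(hours=23)),
        "alice_expired_at_24h": not svc.is_authorized("alice", "portal:read", "portal-123", t0 + timedelta(hours=24)),
        "alice_wrong_portal": not svc.is_authorized("alice", "portal:read", "portal-999", t0),
        "bob_sudo_expired_at_3h": not svc.is_authorized("bob", "sudo:linux", "web-01", t0 + timedelta(hours=3)),
        "mallory_sudo_denied": denied is None,
        "anomaly_kinds": sorted({kind for kind, _ in svc.anomalous_requests()}),
        "log_entries": len(svc.log),
    }


if __name__ == "__main__":
    print(run_scenario())
```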
4.4.1. DATA RETENTION POLICY
Customer data is retained for as long as you remain a customer and, unless that becomes impractical, remains in SoSuite’s system indefinitely. Former customers’ core data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. In general, former customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages out of the repositories as the data lifecycle occurs. SoSuite reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
4.4.2. PRIVACY PROGRAM MANAGEMENT
4.5. BUSINESS CONTINUITY & DISASTER RECOVERY
SoSuite maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, SoSuite’s goal is to quickly and transparently isolate and address the issue. Identified issues are published on SoSuite’s site and are subsequently updated until the issue is resolved.
4.5.1. SYSTEM RESILIENCY & RECOVERY
Business continuity testing is part of SoSuite’s normal processing. SoSuite recovery processes are validated continuously through normal maintenance and support processes. We follow continuous deployment principles, and create or destroy many server instances as part of our regular daily maintenance and growth. We also use those procedures to recover from impaired instances and other failures, allowing us to practice our recovery process every day.
SoSuite primarily relies on infrastructure redundancy, real-time replication and backups. All SoSuite product services are built with full redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and all web, application, and database components are deployed with a minimum of N+1 supporting server instances or containers.
4.5.2. BACKUP STRATEGY
SoSuite ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across availability zones and infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
- Customer (production) data is backed up leveraging multiple online replicas of data for immediate data protection. All production databases have no less than 1 primary (master) and 1 replica (slave) copy of the data live at any given point in time. Seven days’ worth of backups is kept for any database in a way that ensures restoration can occur easily. Snapshots are taken and stored to a secondary service no less often than daily and where practicable, real time replication is used. All production data sets are stored on a distributed file storage facility like
- Because we leverage private cloud services for hosting, backup and recovery, SoSuite does not implement physical infrastructure or physical storage media within its products. SoSuite also does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
- By default, all backups will be protected through access control restrictions on SoSuite product infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections.
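The backup policy above (a snapshot for every production database no less often than daily, seven days retained) is something an operator should be able to verify from the snapshot inventory rather than assume. The following Python audit is an added example, not SoSuite’s tooling; the inventory format (database name, snapshot timestamp) and the audit time are assumptions.

```python
"""Audit a snapshot inventory against the stated backup policy: daily
snapshots per database, seven days retained, older snapshots prunable.
Constructed example; the inventory format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 7   # "seven days' worth of backups"


def audit_snapshots(inventory, now, retention_days=RETENTION_DAYS):
    """inventory: list of (database, snapshot_timestamp) pairs.
    Returns {db: {"missing_days": [date, ...], "prunable": [timestamp, ...]}}.
    A calendar day inside the retention window with no snapshot violates the
    "no less often than daily" rule; snapshots older than the window are what
    a prune job would remove."""
    by_db = defaultdict(list)
    for db, ts in inventory:
        by_db[db].append(ts)
    today = now.date()
    window = [today - timedelta(days=i) for i in range(retention_days)]
    cutoff = now - timedelta(days=retention_days)
    report = {}
    for db, stamps in by_db.items():
        have = {ts.date() for ts in stamps}
        report[db] = {
            "missing_days": [d for d in window if d not in have],
            "prunable": sorted(ts for ts in stamps if ts < cutoff),
        }
    return report


def sample_inventory(now):
    """Constructed inventory: 'crm' is compliant; 'marketing' skipped the
    snapshot three days ago and still holds a nine-day-old snapshot."""
    inv = []
    for i in range(RETENTION_DAYS):
        inv.append(("crm", now - timedelta(days=i)))
        if i != 3:
            inv.append(("marketing", now - timedelta(days=i)))
    inv.append(("marketing", now - timedelta(days=9)))
    return inv


def run_audit():
    """Run the audit at an assumed fixed time so the result is reproducible."""
    now = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)
    report = audit_snapshots(sample_inventory(now), now)
    return {
        "crm_missing": len(report["crm"]["missing_days"]),
        "crm_prunable": len(report["crm"]["prunable"]),
        "marketing_missing": [d.isoformat() for d in report["marketing"]["missing_days"]],
        "marketing_prunable": len(report["marketing"]["prunable"]),
    }


if __name__ == "__main__":
    print(run_audit())
```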
4.6. SoSuite CORPORATE SECURITY
4.6.1. EMPLOYEE AUTHENTICATION & AUTHORIZATION
SoSuite enforces an industry-standard corporate password policy. That policy requires changing passwords at least every 90 days. It also requires a minimum password length of 8 characters and complexity requirements including special characters, upper and lower case characters, and numbers. SoSuite prohibits account and password sharing by multiple employees.
Employees generally authenticate to SoSuite product infrastructure using SSH keys. Where passwords are allowed, the password policy requires 12 character passwords. Additionally, many of the capabilities we use to build the SoSuite products leverage multi-factor authentication or are protected by single-sign on solutions that enforce multi-factor authentication.
4.6.2. ACCESS MANAGEMENT
SoSuite has regimented and automated authentication and authorization procedures for employee access to SoSuite systems, including the marketing and sales platforms. All access is logged. Most frequently, access is granted based on a role-based access control model. Just in time access is built into automated procedures around a set of rigorous authorization mechanisms.
We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage employee events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure on a 24-hour basis, validating that it meets approved configurations.
4.6.3. BACKGROUND CHECKS
All SoSuite employees undergo an extensive 3rd party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for all potential employees. Reference verification is performed at the hiring manager’s discretion. All employees receive security training within the first month of employment as part of the SoSuite security program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policy as part of access to corporate and production networks.
4.6.4. VENDOR MANAGEMENT
We leverage a small number of 3rd party service providers who augment the SoSuite products’ ability to meet your marketing and sales needs. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support SoSuite.
Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security team, General Counsel, and the business unit who owns each contract coordinate unique considerations for our providers as part of contract management.
4.6.5. SECURITY AWARENESS & SECURITY POLICIES
To help keep all our engineering, support, and other employees on the same page with regard to protecting your data, SoSuite developed and maintains a Written Information Security Policy. The policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics.
With this policy and the myriad protections and standards in place, we also ensure that SoSuite’s employees are well-trained for their roles. Multiple levels of security training are provided to SoSuite employees, based on their roles and resulting access. General security awareness training is offered to all new employees and covers SoSuite security requirements. After initial training, different training tracks are available based on an employee’s role. Developer-specific training is provided by and tailored to SoSuite’s engineering teams. In general, engineering training sessions are held weekly, a portion of which include security materials. Recurring training is provided through regular updates, notices, and internal wiki publications.
4.7. INCIDENT MANAGEMENT
SoSuite provides 24x7x365 coverage to respond quickly to all security and privacy events. SoSuite’s rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created in order to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others.
In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident.
Our Chief Security Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
5. PRODUCT SECURITY FEATURES
SoSuite’s security program is designed to protect all of the SoSuite products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations.
Whether our products are free or paid, feature-rich or lightweight, SoSuite works hard to maintain the privacy of data you entrust with us. Data you store in SoSuite products is yours. We put our security program in place to protect it, and use it only to provide the SoSuite service to you. We never share your data across customers and never sell it.
5.1. SoSuite MARKETING
About: The SoSuite marketing product is our industry-leading marketing automation solution. It provides easy-to-use and effective tools to manage your inbound marketing strategy.
Hosting: Primary Content Management System (CMS) infrastructure is hosted in Amazon Web Services and Google Cloud Platform. SoSuite’s hosting strategy enables additional redundancy capabilities, architecture flexibility, and infrastructure responsiveness. Our deployment processes leverage network security, server security, and availability features, described above.
Web Application Firewall: Customer sites hosted on the SoSuite products leverage the protections of our world-class Web Application Firewall (WAF). By default, your SoSuite-hosted website, blogs, landing pages, and other online presence is protected from state-of-the-art Distributed Denial of Service (DDoS) and other web application attacks. When security events occur, SoSuite’s Security Operations and Technical Operations teams take immediate action to ensure that your sites are protected continuously 24x7x365.
Transport Layer Security: SoSuite marketing customers have the ability to enable and configure TLS services for their sites, landing pages, and related visitor engagement. By default, TLS certificates use Subject Alternative Names and are managed through our content delivery provider, Akamai. If you are interested in taking advantage of other TLS options, please discuss our SSL offerings with your favorite SoSuite ter.
Encryption Options: By default, customer websites using HTTPS are configured to allow TLS 1.0, 1.1, and 1.2. It is possible to remove support for one or more of these protocol versions. Customers may also opt into enabling HTTP Strict Transport Security (HSTS) for their SoSuite-hosted domain. To make these changes, please contact SoSuite Support or your Customer Success Manager.
5.2. SoSuite CRM
About: The SoSuite CRM is one of the many products your sales team will love. Sales professionals can start using CRM for a low cost and with no headaches. Getting started with SoSuite CRM takes minutes.
Secure by default: CRM takes advantage of the same sophisticated security measures that help protect the other SoSuite products. We leverage the advanced secure software development processes, infrastructure management, and alerting methodologies that we have honed in our years of product development.
Privacy: SoSuite always maintains the privacy of data you entrust with us. Data you store in SoSuite products is yours. We use it only to provide the SoSuite service to you.
Hosting: CRM infrastructure is hosted in Amazon Web Services, taking advantage of the infrastructure redundancy and flexibility that exists throughout SoSuite’s infrastructure. Our hosting strategy also helps ensure world class infrastructure and network security and availability.
Access control: The SoSuite CRM provides easy to manage and intuitive roles that give the right access to the right sales team members.
6. THIRD PARTY AUDITS AND CERTIFICATIONS OF SoSuite SECURITY CONTROLS
SoSuite maintains compliance with the US Privacy Shield. Our services are housed in the US with the world-class cloud infrastructure provider Amazon Web Services. All SoSuite infrastructure providers are SOC 2 Type II and ISO 27001 certified and maintain facilities secured against electronic and physical intrusion.
7. DOCUMENT SCOPE AND USE
SoSuite values transparency in the ways we provide solutions to our customers. This document is designed with that transparency in mind. We are continuously improving the protections that have been implemented and, along those lines, the information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between SoSuite and any parties, or to amend, alter or revise any existing agreements between the parties.