Security Overview

Last Updated: December 6, 2023

Vectari makes bank-grade AI tools to optimize client service and manage regulatory risk. Our focus is building software that is powered by the latest AI technology and that incorporates proprietary insights derived from regulatory, compliance, and operational expertise to tackle some of the riskiest, most expensive client-centric challenges. A critical component of our business is our approach to security. We have summarized our security program below.

Security Governance

Vectari's risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices.

Vectari maintains a comprehensive suite of information security policies that is regularly reviewed, updated, and approved on a predefined schedule. Risk management serves as the foundation of Vectari’s Information Security Program with a Defense-in-Depth (DiD) approach. We conduct industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk. Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments, penetration testing, and other forms of security reviews to capture the holistic state of our security posture.

Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration is integral for the effective review and management of information security risk.

People Security

Employee Background Checks

Before onboarding new staff, Vectari verifies an individual’s education and previous employment, and performs internal and external reference checks. Where local labor law or statutory regulations permit, Vectari may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.

Mandatory Security Training

All Vectari employees and contractors undergo security training as part of the onboarding process and receive ongoing security training throughout their tenure. As part of onboarding, new employees must read and agree to the Vectari Acceptable Use Policy (AUP) and Code of Conduct, which highlight our commitment to keeping customer information safe and secure.

Depending on their job role, additional training on specific aspects of security may be required. For instance, engineers periodically receive training on topics such as secure coding practices, product design, and automated vulnerability testing tools. Training also covers topics such as phishing, ransomware, and social engineering.

Operational Security

Access Management

For Vectari employees, access rights and levels are based on their job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. All our personnel are required to use multi-factor authentication and strong passwords. Interactive access to production infrastructure is strictly controlled using a bastion host with user-unique SSH keys and token-based two-factor authentication for server-level authentication. Read access to logs and configuration is limited to "just-in-time" access based on business need. Employee access to both corporate and production resources is subject to recertification performed, at a minimum, on a quarterly basis.

For our customers, Vectari supports login via single sign-on (SSO) with multi-factor authentication through Microsoft Entra, and programmatic access via API access keys. Access attempts are logged for review.

Vulnerability Management

We administer a vulnerability management process that involves periodic third-party scans for security threats using a combination of commercially available tools, third-party automated and manual penetration efforts, quality assurance processes, software security reviews and external audits.

Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The owner then tracks the issue and follows up until they can verify that the issue has been remediated.

Malware Prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Vectari takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware. We leverage anti-malware solutions on all corporate laptops and servers. Vectari's email system allows employees to report suspicious emails that may present risks of malware.

Monitoring and Alerting

Vectari invests in automated monitoring, alerting, and response capabilities so that potential issues are continually addressed, in addition to the complete automation of our build procedures. Administrators are alerted to anomalies, in particular application attacks, elevated error rates, and abuse scenarios. These and other anomalies trigger alerts to the appropriate teams so that investigation and correction can occur. Malicious or unexpected activity causes automated systems to bring in the right people to ensure issues are rapidly addressed. Numerous automated triggers are also designed into our systems so that unforeseen situations can be detected and immediately addressed.

Data Center Security

Vectari primarily uses Microsoft Azure in the USA region for our cloud infrastructure. We do not move customer data outside of the USA. The physical security of the Microsoft Azure data centers features a layered security model, including safeguards such as access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. Periodically, Microsoft conducts physical security reviews of the facilities to ensure the datacenters properly address Azure security requirements. Datacenter hosting provider personnel do not provide Azure service management. Such personnel cannot sign in to Azure systems and do not have physical access to the Azure colocation rooms and cages. Azure infrastructure is designed to meet a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2.

Data Encryption

Vectari customer data, and Vectari's own sensitive data, is encrypted at rest on disk using AES-256 encryption. Data in transit over the Internet, or traveling between data centers, is encrypted using TLS 1.2 or higher. Only standardized encryption protocols and algorithms are used. Passwords are stored securely using a one-way hash. Vectari uses Azure Key Vault for encryption key management.

Recovery and High Availability Approach

Vectari designs the components of our platform to be highly redundant. Our production servers run stripped-down, hardened operating systems. Server resources are dynamically allocated, allowing for flexibility in growth and the ability to adapt quickly and efficiently, adding or reallocating resources based on customer demand. Additionally, backup strategies are in place and run on a regular basis using established frequencies and schedules. Seven days' worth of backups are kept for every database, in a way that ensures restoration can be easily performed. Backups are encrypted and monitored so that successful execution is assured. In the event of any exceptions, alerts are generated. Any failure alerts are escalated, investigated, and resolved. Data is backed up daily to its local region. Periodic testing is carried out to confirm successful recoverability.

Data Security

Data Segregation

Customer data is logically separated in our databases. We maintain separate production, staging and development environments and no production data is used in lower environments.

Employee Access to Customer Data

We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, access is logged and monitored. Upon termination of work at Vectari, all access to systems is immediately revoked.

Audit Logs

All actions taken to make changes to the infrastructure or to access customer data for specific business needs are logged for auditing purposes. In order to protect customer privacy and security, only a small number of senior staff have direct access to production servers and databases. In addition, segregation of duty principles are applied so that the same individual does not have access to production and non-production environments.

Employee Authentication

Every Vectari employee is provided with a secure password manager account and is required to use it to generate, store, and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviors that reduce security. All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, SSH keys, bastion hosts and/or Virtual Private Network (VPN), and two-factor authentication is used to shield mission critical systems.

Data Retention and Destruction

Data retention policies are in place to make sure we observe all applicable legal and contractual requirements regarding the retention and destruction of customer data.

Application Security

Secure Software Development Lifecycle

Standard best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Vectari source code repositories requires strong credentials and two-factor authentication.

Secure By Design

All features are reviewed by a team of senior engineers as part of the product prioritization process. Members of the Vectari team have substantial experience working with and building secure technology systems. We believe in secure by design, hence we plan all functionality with security in mind to protect the platform against security threats and privacy abuses. We leverage modern browser protections, such as Content Security Policy (CSP) and security HTTP headers, to prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks that result from the execution of malicious content in the trusted web page context.

Security Testing

Once features are implemented, we perform automated security scanning to verify correctness and resilience against known attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.

Network Security

Firewalls and Network Segregation

A combination of Web Application Firewalls (WAF) and traditional layer 3 to layer 7 firewalls is used, depending on the network topology and the threat assessment of the area of the network. Additionally, production networks are segregated based on the nature of the infrastructure and the business purpose of the functionality hosted in a given network subnet.

Intrusion Detection and Prevention

Intrusion Detection and Prevention Systems (IDPS) are used in the production environment to detect attacks, alert staff, and where practical, automatically prevent activity.

Third Party Vendor Management

We rely on several third-party vendors to deliver our service. Prior to onboarding third-party suppliers, Vectari conducts an assessment of their security and privacy practices to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Vectari has assessed the risks presented by a third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms. A list of sub-processors is maintained within our data processing agreement (DPA). Prospective vendors are also checked against US sanctions lists. Vectari has risk controls in place to ensure ongoing compliance with suppliers' security responsibilities.

Additional Information

For additional information, please contact security@vectari.ai.