SupportLogic Security Overview

Access

Access to your data is strictly limited to SupportLogic employees that require access to perform role-specific duties. No data is shared, nor any documents or data derived from your data, with anyone except the SupportLogic employees specifically assigned to your projects. 

Employees can only store your data in approved locations, and cannot use your data for anything except troubleshooting or approved projects.  Employees are strictly prohibited from copying or storing any data that contains legally sensitive or personally identifiable information, including medical or financial data.

Data is securely deleted when your contract expires or is canceled. Any screenshots or other similar data is edited to redact/black-out any identifying information before storing in other systems. 

In case of off-boarding, SupportLogic stores only metadata and/or minimal, anonymized data as directly relevant to making ML predictions. In these cases, we do not store complete copies of your CRM data for ML purposes. Upon request, data can be deleted within 3 business days.

Usage

The data used by SupportLogic to train ML models is primarily composed of metadata and/or data created within the SupportLogic data platform. Metadata created within the SupportLogic data platform includes anonymized product usage and telemetry data. We do not use native CRM data to train machine learning models across environments.  

This created data is used to improve the product for end users (for example, improving pages that are most frequently used based on usage data; speeding up the slowest API requests based on telemetry data) and also for ML purposes. This data is not shared with third parties except in the case of highly aggregated data shared with limited audiences (namely, for example, the number of unique users that log into all SupportLogic instances on a month-by-month basis).

Data is only created within the SupportLogic data platform as a result of direct user action by SupportLogic users. Examples include additional support case comments (which may optionally be written back to the CRM) or actions taken through the SupportLogic UI that result in changes that are written back to the system of record. 

Regarding ML modeling, metadata and anonymized data used to train ML models outside of your specific data environment from which they originate consists of user-originated feedback about the accuracy and/or validity of ML model predictions and derived input and output data of the ML model used for prediction.

All data in the VPC is encrypted both At Rest and In Transit using HTTPS (TLS 1.2) and 2048-bit RSA SSL certificates signed with SHA256.

In transit, your data is encrypted before transmission. The system endpoints are then authenticated and the data is decrypted and verified on arrival. This protocol protects data in the event communications are intercepted while data moves between two systems.

At rest, your data is encrypted to protect from a system compromise or data ex-filtration.

Each VPC instance handles the encryption protocols and is fully FIPS 140-2 compliant. KMS is used to manage encryption keys for cryptographic functions and bulk data encryption. Specifically, the service encrypts third-party tokens that grant employee access to your data. This service enables a provable and monitorable root of trust (RoT) over all data in the system.

Penetration tests are used periodically to proactively address security gaps. These tests are the backbone of the information security audit. Both the SOC 2 audit and annual penetration test are renewed on an annual basis.

Audit vendors run two types of penetration tests: Network and Web Application. Each test has three risk ratings (Low, Medium, and High) with a risk score from 0 (lowest) to 40 (highest). The lower the risk score the better. The most recent tests received a risk score of 0 (the lowest possible) for the Network Penetration Test and a score of 1 for the Web App Penetration Test.

SupportLogic uses a combination of custom developed and commercial applications. These run on enterprise-grade server platforms supported by commercial databases. Redundancy is maintained for all components of the infrastructure, including firewalls and servers. This setup was developed to quickly enable the addition of bandwidth and server capacity to support your requirements. External services and internal applications constantly monitor communications, job logs, system performance, and security.

Data is collected from a variety of sources. This information is combined to help tailor communications and to develop and improve solutions. Refer to the Information Classification Policy for full policy details.

All information—including machines, data, code, documents, and intellectual property—are treated and managed as valuable resources. The compliance and
effectiveness of the following information security policies are measured using periodic reporting.

Access

• Any security weaknesses in SupportLogic software or technical infrastructure is logged as an issue.
• Any violation of SupportLogic security policies is reported to the EVP of Engineering.
• Attempted access to any data, document, email correspondence, or program contained on
  SupportLogic systems without authorization are prohibited.
• Access to your data is limited to employees that require access to the data to perform approved duties.
• The sharing of your data, or any documents or data derived from your data, with anyone except your employees and the SupportLogic employees
  specifically assigned to your projects is prohibited.

Credentials

• Sharing accounts, passwords, or any information or devices used for identification and authorization purposes is prohibited.
• Any remote access must be secure, and encryption and strong passphrases are mandatory.
• All corporate passwords must be strong (at least 8 characters and at least one numeric and one special character).

Storage

• SupportLogic avoids copying or storing any data that contains legally sensitive or personally identifiable
  information, including medical or financial data. Identifiable data never leaves the VPC.
• Your data is only stored in approved locations, and only used for troubleshooting or approved projects.
• Your data is securely deleted when your contract expires.
• All data on laptops is encrypted at either a file or file-system level. SupportLogic laptops are kept up to date with all relevant security patches.
• All BYOD systems (mobile phones) that contain
  SupportLogic information are configured with a secure password and kept up to date with software patches.

Management

• Unauthorized copies of copyrighted or SupportLogic-owned software are prohibited.
• The loss of any device containing SupportLogic data is immediately reported to the EVP of Engineering.
• Any open-source software used for the development of SupportLogic products must obtain the approval of the EVP of Engineering and must adhere to the terms of the open-source license.
• Any changes to information resources are managed and executed in accordance with a formal change control process.
• Any activity that may harass, threaten, or abuse others or intentionally access, create, store or transmit material which SupportLogic may deem to be offensive, indecent or obscene, or that is illegal according to local, state or federal law is prohibited.

Process is at the core of SupportLogic security. A continuous monitoring program is used to ensure the security compliance of the systems processing your data. The SupportLogic Continuous Monitoring Program is comprised of the following elements:

• Code Security Coverage: Identifies potential software vulnerabilities. Code vulnerabilities are reported upon check-in.
• Container Monitoring Service (CMS): Tracks the network throughput of applications hosted on each VPC instance.
• VM CVE Updates: Addresses security vulnerabilities with critical patch updates.
• Intrusion Detection System: Continuously monitors all networks and systems for malicious activity or policy violations.
• Web Application Firewall (WAF): Ensures security protocols on application network traffic, protecting APIs against common threats that may attempt to affect applications.
• Log Monitoring and Post-mortem: Used to understand all root causes and thoroughly document incidents for future reference and pattern discovery. 

Risk Assessment

Risk assessment is regularly performed as part of an overall risk management process. The goal is to uncover any vulnerabilities, both technical and non-technical, and develop practical strategies to minimize these risks. These assessments are conducted through an internal review process in conjunction with clearly defined objectives. To ensure it becomes part of the fabric of a risk management program, these assessments are performed annually and reviewed for modifications.

Service Resiliency

All internal business data​ (including, code, bug/feature databases, documentation, and configurations) is hosted online through cloud-based service providers. The data hosted on cloud-based service providers is protected against outages through best practices. Our technical operations team is responsible for updating the SupportLogic application, applying OS updates, performing backups, and performing restores in the event of an outage. Technical operations maintain a 24-hour recovery point objective (RPO) and 30-minute recovery time objective (RTO) for production systems.

SupportLogic uses best-of-breed third-party vendors. Vendor SOC reports and business recovery plans are regularly reviewed to ensure these tools meet all requirements.