Our Customer Commitment
At Clarabridge, we are obsessed with the success of our customers. It is this core value that drives us to maintain robust security and privacy measures that are designed to ensure the confidentiality, integrity, and availability of the data that is submitted to our Subscription Services by our customers or their agents or that is collected by us on behalf of our customers (collectively, the “Customer Data”). This document provides an overview of the security and privacy program and infrastructure that are utilized by Clarabridge to support our Customer Experience (CX) Management software as a service (SaaS) solutions (the “Subscription Services”).
Clarabridge System Architecture
Clarabridge Subscription Services are implemented in a cloud environment utilizing industry established practices and commercially reasonable security countermeasures (e.g., network and host-based firewalls, antivirus/antispyware software, NIDS/NIPS, HIPS, SIEM, DLP):
The Application tier is internet-facing, accepts connections over HTTPS only, and is protected by the countermeasures described above.
The Database tier resides on a private-only network, with no internet access (all public NICs are disabled). This tier is designed to be accessible only from the Application tier.
Clarabridge utilizes a network-within-a-network topology that is designed to be highly secure (see the Hosted Deployment Model diagram below). The network is made up of a Private network, a Public network, and an Out-of-Band Management VPN network. A single system can be a member of all three networks.
Application servers are attached to the Public, Private and VPN networks and expose only HTTPS to the Public network. Database servers are attached to the Private and VPN networks only.
Assessments and Compliance
Clarabridge follows OWASP standards for developing and testing our Subscription Services. Application security assessments, including static code analysis, are performed internally with each major release of the Company’s Subscription Services. We undergo annual independent third-party assessments that cover the security program, web application assessment, vulnerability scans and penetration testing. Our infrastructure provider also undergoes industry-recognized annual third-party assessments (SSAE 16 SOC 1, SOC 2, SOC 3, ISO, etc.).
We perform manual and automated testing of each Subscription Service code release. The environment supporting the Subscription Services is further subject to weekly web vulnerability scanning, both internal and external, and both non-credentialed and credentialed.
Privacy Shield Framework:
Clarabridge self-certifies its compliance with the EU-U.S. Privacy Shield framework for all Customer Data received by Clarabridge and uses TRUSTe for dispute resolution under that program. We also offer customers that are based in the EU, or that source data from the EU, a Data Processing Annex to our Subscription Services Agreement. The Annex sets out the terms and conditions (including the European Commission’s Standard Contractual Clauses) governing the processing of personal data transferred from an EU to a non-EU jurisdiction, in accordance with the requirements of the EU GDPR. Clarabridge also maintains compliance with the other GDPR requirements that apply to it as a processor.
Clarabridge is ISO 27001:2013 certified; the certification covers the information security management system (ISMS) supporting the Clarabridge CX Suite and its associated services, systems, and technologies. We are also HITRUST and PCI DSS compliant for the in-scope environments. Customers can request copies of these reports, which are refreshed annually.
Clarabridge can provide customers with a completed, detailed Cloud Security Alliance (CSA) questionnaire, as well as the Standardized Information Gathering (SIG) and SIG Lite questionnaires, outlining its security program and countermeasures.
Clarabridge uses a major Tier 3 data center provider. Clarabridge customers can request the latest SOC 1, SOC 2, and SOC 3 reporting on the infrastructure and data centers from Clarabridge. Our data center providers’ compliance documents (e.g., ISO 27001:2013, HIPAA, PCI) are also available upon request.
In addition to the architectural security measures described above, our data centers are operated so that the data center provider manages the physical hardware and network but has no access to the systems once Clarabridge has provisioned them for the Subscription Services. Clarabridge manages the operating system and applications and disables physical-access vectors such as removable media. All system administration access is available only over the VPN (out-of-band management) network, and all administrative access to customer-hosted production systems requires two-factor authentication. All servers are provisioned with a standard security configuration, and Group Policy is used to enforce that configuration. Central authentication is Active Directory based and is kept separate from the Clarabridge corporate (headquarters) directory.
Data Center Physical Security
Clarabridge maintains industry-standard physical and operational security measures. We use only data centers in facilities with controlled access and 24-hour security; server rooms have no public-facing doors, are staffed 24/7 and have unmarked entry and exit doors; digital video surveillance is in place; access is strictly limited to data center employees using two-factor authentication (biometric plus keycard); data center tours are prohibited; and hardware carries barcode-only identification (no customer markings of any type on the servers themselves).
Data Center Locational and Environmental Redundancy
All core systems are configured for geographic redundancy, for disaster recovery and business continuity purposes, across the locations listed below. Using geographically separated data centers is designed to provide high availability and to protect the integrity of Customer Data.
USA: Dallas; Seattle; Washington, DC
EU: Amsterdam; London
Our data centers’ environmental redundancy measures include thousands of amps of input power over multiple high-voltage 480 V feeds, multiple UPS battery backup units, multiple diesel generators with on-site fuel storage, redundant HVAC units, and pre-action dry-pipe fire suppression.
Data Security, Data Transfer, and VPN Access
In addition to the security measures described above, our data security, data transfer and VPN access measures include the following. Access to Customer Data is controlled using access control lists, permissions, and role-based groups. Each customer’s data is segmented into dedicated database schemas (on separate systems) and is not intermingled with other customers’ data.
Data transfer: A secure file transfer service provides an encrypted channel for data transfer. It supports three protocols: SFTP (the SSH File Transfer Protocol), FTPS (FTP over TLS), and HTTPS. Unencrypted FTP connections and physical media transfer are not allowed.
VPN: All system administration access goes over a VPN connection that requires two-factor authentication before reaching Subscription Services systems.
Incident Management and Notification
Clarabridge has implemented and maintains security incident management policies and procedures. Clarabridge will promptly notify any impacted customer of confirmed or suspected security incidents, such as any unauthorized disclosure of Customer Data, to the extent not prohibited by law, regulation or the order of any court or legal authority.
Security Policy Overview
Clarabridge maintains a security program and policy suite based on ISO 27001:2013, PCI DSS, HITRUST, and NIST standards. Policies are available to customers under a non-disclosure agreement. Policy highlights include:
All systems are deployed with an industry-standard security configuration. Access to systems is granted on a ‘need to know’ and ‘least privilege’ basis after documented approval. All access to the data center is managed over VPN and requires 2FA. Application tier servers expose only port 443 (HTTPS).
The base password strength policy is customizable by each customer, provided it meets the following minimums: “strong” passwords of at least 10 characters with a maximum age of 90 days. All applications are required to implement username and password authentication. An account is locked for 15 minutes after 3 failed login attempts. Default application and system usernames and passwords are changed or disabled.
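To make the policy above concrete, here is an added illustration (not Clarabridge’s code) of how an application can enforce it: a 10-character minimum, a 90-day maximum age, and a 15-minute lockout after 3 consecutive failures. Everything beyond those four numbers is an assumption of the example: the “strong” rule is taken to mean at least three of four character classes, passwords are stored as salted PBKDF2-HMAC-SHA256 digests, and the clock is passed in so the lockout window can be exercised deterministically.

```python
"""Account policy enforcement: 10-char minimum, 90-day max age,
15-minute lockout after 3 failed logins.  Added example; the
3-of-4 character-class strength rule and the PBKDF2 storage are
assumptions, not the vendor's implementation."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 10
MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(minutes=15)

# Assumed definition of "strong": length plus 3 of these 4 classes.
_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
            re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def password_is_strong(pw: str) -> bool:
    if len(pw) < MIN_LENGTH:
        return False
    return sum(1 for cls in _CLASSES if cls.search(pw)) >= 3


def password_expired(set_at: datetime, now: datetime) -> bool:
    return now - set_at > MAX_AGE


@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash; constant-time comparison is done by the caller.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def create_account(pw: str, now: datetime) -> Account:
    if not password_is_strong(pw):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(pw, salt), password_set_at=now)


def attempt_login(acct: Account, pw: str, now: datetime) -> str:
    """Return 'ok', 'failed', 'locked' or 'expired' and update counters."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # Inside the lockout window nothing is evaluated, so a correct
            # password is rejected too and the window is not extended.
            return "locked"
        # Window elapsed: the failure counter starts over.
        acct.locked_until = None
        acct.failed_attempts = 0

    if not hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    acct.failed_attempts = 0          # success resets the counter
    if password_expired(acct.password_set_at, now):
        return "expired"              # authenticated, but rotation required
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2020, 1, 1)          # constructed timestamp
    acct = create_account("Correct-Horse9", t0)
    for _ in range(3):
        print(attempt_login(acct, "wrong-guess", t0))
    print(attempt_login(acct, "Correct-Horse9", t0 + timedelta(minutes=14)))
    print(attempt_login(acct, "Correct-Horse9", t0 + timedelta(minutes=15)))
```

The design choice worth noting is that the lockout is time-based rather than attempt-based: once `locked_until` is set, even the correct password is refused until the window closes, and failures inside the window do not push the window out, which prevents an attacker from keeping a legitimate user locked out indefinitely by hammering the account.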
Further, to provide greater assurance that our security program is followed, all Clarabridge employees undergo security training within 30 days of hire and must go through annual security refresher training.
Clarabridge supports one customer assessment per year. Customers may submit reasonable requests for information after reviewing the third-party attestations and reports that Clarabridge provides (HITRUST, PCI DSS, etc.), provided the requests do not duplicate information already contained in those attestations and reports. Clarabridge may allow an annual penetration test to be performed by the customer against a test environment that mirrors our production Subscription Services systems. All customer assessments and tests are conducted on no less than twenty days’ advance written notice and so as to minimize disruption to Clarabridge personnel and operations.
Clarabridge implements, monitors, and upgrades encryption based on current NIST guidelines and industry-recognized practices and standards. We support TLS 1.1 or higher for HTTPS, including the HTTPS API, and do not use SSL or TLS 1.0; file transfer uses industry-recognized encryption standards. For customers who purchase an enhanced security environment, we provide encryption at rest (AES-256), encrypted backups (RSA-4096), and data erasure per NIST Special Publication 800-88 upon customer termination.
Media Sanitization and Data Deletion
At the termination of Subscription Services, Clarabridge deletes all Customer Data. All data is also removed from re-provisioned and decommissioned machines, and from enhanced security environments, using secure data erasure that follows NIST Special Publication 800-88. Customers may receive a Certificate of Sanitization upon request following termination of services.
Logging and Monitoring
Data Center Monitoring:
The data center provider uses advanced monitoring of hardware and network and notifies Clarabridge as soon as any issue is identified; automated tickets are opened immediately. A Network Operations Center (NOC) and a redundant NOC provide 24-hour monitoring of the infrastructure. The data center provider also monitors host reachability (ping) and IPMI statistics.
Clarabridge uses a robust monitoring solution to proactively monitor the Clarabridge hosted Subscription Services around the clock in order to maintain uptime and proactively resolve issues. Automated notifications are in place to notify the team of issues or outages.
All logs from the Subscription Services, the Application and Database tiers, firewalls, and the SFTP server are forwarded to a centralized SIEM for 24/7 monitoring and alerting. SIEM logs are retained for 7 years.
Backups and Disaster Recovery
Clarabridge has implemented a high-speed, disk-based backup solution. All applications, databases and configurations are backed up daily. Backups are stored in a location geographically separate from the source data (the Application and Database servers). Access to the backup system is controlled and limited to authorized users. Backups are never stored on removable media.
Clarabridge performs quarterly disaster recovery exercises. These include a range of tests that validate recovery time objectives (RTO), including recovery in a separate data center in the event the primary data center becomes unrecoverable. Our RTO and RPO targets are available upon request.
Please refer to the following online resources regarding privacy:
For our customers: Data Processing Annex: https://clarabridge.com/eu-dpa/
For both: GDPR Compliance and Awareness: https://clarabridge.com/GDPR/