Security

Our Customer Commitment

At Clarabridge, we are obsessed with the success of our customers.  It is this core value that drives us to maintain robust security and privacy measures that are designed to ensure the confidentiality, integrity, and availability of the data that is submitted to our Subscription Services by our customers or their agents or that is collected by us on behalf of our customers (collectively, the “Customer Data”).  This document provides an overview of the security and privacy program and infrastructure that are utilized by Clarabridge to support our Customer Experience (CX) Management software as a service (SaaS) solutions (the “Subscription Services”).

Clarabridge System Architecture

Clarabridge Subscription Services are implemented in a cloud environment utilizing industry established practices and commercially reasonable security countermeasures (e.g., network and host-based firewalls, antivirus/antispyware software, NIDS/NIPS, HIPS, SIEM, DLP):

Application tier:

The Application tier connects to the internet and is protected as described above using HTTPS.

Data tier:

The Data tier resides on a private-only network with no internet access; no system in this tier is provisioned with a public interface. This tier is designed to be accessible only from the Application tier.

Clarabridge utilizes a network-within-a-network topology that is designed to be highly secure. The network is made up of a private network, a public network, and an out-of-band management network. A system can be a part of all three networks.

Only servers in the DMZ, like the load balancers, reverse proxies and data ingest servers, are in a public network. All other servers are part of private and management networks. The application tier and data tier servers are separated into zones and have explicit firewall rules governing their communication.

Assessments and Compliance

Clarabridge follows the OWASP standard for developing and testing our Subscription Services.  Application security assessments are performed internally, including static code analysis, with each major release of the Company’s Subscription Services.  We undergo annual independent third party assessments that include: the security program, web application assessment, vulnerability scans and penetration testing.  Our infrastructure provider also undergoes industry recognized annual third party assessments (SSAE-16 SOC 1, SOC 2, SOC 3, ISO, etc.).

We perform manual and automated testing of each Subscription Service code release. The environment applicable to the Subscription Services is further subject to weekly web vulnerability scanning, both internal (non-credentialed) and external (credentialed).

Privacy Shield Framework:

Clarabridge self-certifies its compliance with the EU/Swiss-U.S. Privacy Shield framework in relation to all Customer Data that is received by Clarabridge and uses TRUSTe for any dispute resolution in connection with such program. We also offer our customers that are based in the EU or that source data from the EU a Data Processing Annex to our Subscription Services Agreement, which sets forth terms and conditions (including the incorporation of the European Commission’s Model Contractual Clauses) regarding the processing of personal data that is transferred from an EU to a non-EU jurisdiction, in accordance with the requirements of EU GDPR. Further, Clarabridge is compliant with all other GDPR requirements.

Compliance:

Clarabridge is ISO 27001:2013 compliant which covers the information security management system (ISMS) supporting the Clarabridge CX Suite and associated services, systems, and technologies. Further, we are HITRUST and PCI DSS compliant with in-scope environments.  Customers can request a copy of these reports and these reports will be provided annually. We also provide our ISMS documentation and our statement of applicability that details the ISO 27001:2013 controls that are in scope.

Best Practices:

Clarabridge can provide Customers with a completed, detailed Cloud Security Alliance (CSA) questionnaire, as well as Standardized Information Gathering Questionnaire (SIG) outlining its security program and countermeasures.

Infrastructure Provider:

Clarabridge uses major Tier 3 data center providers. Clarabridge customers can request the latest SOC 1, SOC 2, and SOC 3 and/or ISO 27001:2013 reporting on the infrastructure and data centers from Clarabridge.  Our data center providers’ compliance documents (e.g., ISO 27001:2013, HIPAA, PCI) are also available upon request.

System Security

In addition to the architectural security measures described above, our data centers are operated so that while the data center provider manages the software, hardware and network, it has no access to the hardware once it has been provisioned by Clarabridge for its Subscription Services. Clarabridge manages the operating system and applications and disables physical access (e.g., removable media). All system administration access is available only over the VPN network (the out-of-band management network). All system administration access to customer-hosted production systems requires two-factor authentication. All servers are provisioned with a standard security configuration, and Group Policy is used to lock down that configuration. Active Directory based central authentication is separate from Clarabridge headquarters.

Data Center Physical Security

Clarabridge maintains industry standard physical and operational security measures, such as utilizing data centers that are located only in facilities with controlled access and 24-hour security, having no public-facing server room doors, server rooms that are staffed 24/7, unmarked entry and exit doors, digital security video surveillance, access that is strictly limited to data center employees using two-factor authentication (i.e., biometric system and keycard), prohibiting data center tours and barcode-only identification on hardware (i.e., no customer markings of any type on the servers themselves).

Data Center Locational and Environmental Redundancy

All core systems are configured to provide geographic redundancy for disaster recovery and business continuity purposes in the locations described below. This use of geographically separated data centers is designed to provide superior reliability and data integrity.

Country          Company                 Location
United States    IBM Cloud               900 Quality Way & 907 Security Row, Richardson, Texas 75081
United States    IBM Cloud               4849 Alpha Road, Dallas, Texas 75244
United States    IBM Cloud               6431 Longhorn Dr., Irving, Texas 75063
United States    IBM Cloud               907 Security Row, Richardson, Texas 75081
United States    IBM Cloud               44610 Guilford Drive, Suites 4 & 7, Ashburn, Virginia 20147
United States    IBM Cloud               1100 Space Park Drive, Santa Clara, California 95054
United States    IBM Cloud               2001 Fortune Drive, San Jose, California 95131
European Union   IBM Cloud               Paul van Vlissingenstraat 16, 1096 BK Amsterdam, The Netherlands
European Union   IBM Cloud               Weismüllerstr 40, Frankfurt am Main, Germany 60314
European Union   IBM Cloud               Eschborner Landstraße 100, Frankfurt am Main, Germany 60489
United Kingdom   IBM Cloud               Fountain Crt, Cox Ln, London, KT9 1SJ, United Kingdom
European Union   Unix Solutions BVBA     Hoge Wei 37A, B-1930 Zaventem, Belgium
United States    Amazon Web Services     Region: US Standard (AWS publishes data center locations by region on its website)
European Union   Amazon Web Services     Region: EU Ireland (AWS publishes data center locations by region on its website)
United States    Google LLC              Google Compute Engine, Region: us-central1-a (Google publishes data center locations on its website)
European Union   Google LLC              Google Compute Engine, Region: europe-west1-b (Google publishes data center locations on its website)

Our data centers' environmental redundancy measures include thousands of amps of input power with multiple high-voltage 480V power feeds, multiple UPS battery backup units, multiple diesel generators with on-site fuel storage, redundant HVAC units, and pre-action dry-pipe fire suppression.

Data Security, Data Transfer, and VPN Access

In addition to the security measures described above, our data security, data transfer and VPN access measures include the following. Access to customer data is controlled using access control lists, permissions, separation of duties, and role-based groups, and all customer data is segmented into dedicated database schemas and is not intermingled with other customers' data.

Data transfer: A secure REST/SOAP API and an SFTP-based solution provide a secure channel for data transfer. Our secure environment supports these three protocols: FTP over SSH, FTP over TLS, and HTTPS. Unencrypted FTP connections and physical media transfer are not allowed. Clarabridge also utilizes REST APIs for data transfer over HTTPS.

VPN: A robust VPN network is in place for all system administration access. This access is available only over a VPN connection, which requires two-factor authentication for access to Subscription Services systems.

Incident Management and Notification

Clarabridge has implemented and maintains security incident management policies and procedures.  Clarabridge will promptly notify any impacted customer of verified or believed security incidents, such as any unauthorized disclosure of Customer Data, to the extent not prohibited by law, regulation or the order of any court or legal authority.

Security Policy Overview

Clarabridge maintains a security program and policy suite based on ISO 27001:2013, PCI, HITRUST, and NIST standards. Policies are available to customers under non-disclosure agreement. Policy highlights include:

All systems are deployed utilizing an industry standard security configuration. Access to systems is granted after documented approval, enforcing the 'need to know' and 'least privilege' principles. All access to the data center is managed over VPN or SSH and requires 2FA. All application tier servers expose only port 443 (HTTPS).

The base password strength policy is customizable by the customer in the Subscription Services platform, provided that it conforms to the following minimums: "strong" passwords that are a minimum of 10 characters in length and have a maximum age of 90 days. All applications are required to implement username and password authentication. Account lockout for 15 minutes occurs after 3 failed login attempts. Default application and system usernames and passwords are changed or disabled. This policy applies to all Clarabridge systems in addition to our Subscription Services.
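The password and lockout minimums stated above (10-character minimum, 90-day maximum age, 15-minute lockout after 3 failed attempts) expressed as a small, testable policy check. This is an added illustration and not Clarabridge's code; the three-of-four character-class test for "strong" and the reference clock T0 are assumptions, since the page defines neither.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimums stated in the policy: 10+ characters, 90-day maximum age,
# 15-minute lockout after 3 failed login attempts.
MIN_LENGTH = 10
MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(minutes=15)
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference clock
MINUTE = timedelta(minutes=1)

def password_meets_policy(password: str) -> bool:
    # Length floor is from the policy; requiring 3 of 4 character classes is
    # an assumed reading of "strong", which the policy does not define.
    if len(password) < MIN_LENGTH:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def password_expired(set_at: datetime, now: datetime) -> bool:
    return now - set_at > MAX_AGE  # older than the 90-day maximum age

@dataclass
class AccountLockout:
    """Per-account failed-login counter; the clock is passed in explicitly."""
    failures: dict = field(default_factory=dict)      # account -> count
    locked_until: dict = field(default_factory=dict)  # account -> datetime

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account: str, now: datetime) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        count = self.failures.get(account, 0) + 1
        if count >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_DURATION
            count = 0  # counting restarts once the window expires
        self.failures[account] = count
        return count == 0

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)  # a good login clears the history
        self.locked_until.pop(account, None)
```

The lockout state is kept per account and checked with an injected clock, so the 15-minute window can be verified without sleeping.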

Further, to provide greater assurance that our security program is followed, all Clarabridge employees undergo security training within 30 days of hire and must go through annual security refresher training.

Customer Assessments

Clarabridge supports one annual customer assessment. Customers may submit reasonable requests for information after the Customer has reviewed the third party attestations and reports provided by Clarabridge (ISO, HITRUST, PCI, etc.), provided such requests do not seek information that duplicates what is already provided in those attestations and reports. Clarabridge provides a detailed third-party penetration test report to its customers upon request, not more than once annually, and may allow an annual penetration test to be performed by the Customer against a test environment that mirrors our production Subscription Services systems if Clarabridge either fails to remediate any high or medium risk findings in the provided report or has not had a third party penetration test completed within the past year. All Customer assessments and tests, if approved, will be conducted on no less than twenty days' advance written notice and so as to minimize disruption to Clarabridge personnel and operations; all production systems and networks are out of scope for testing.

Encryption Standards

Clarabridge implements, monitors, and upgrades encryption based on current NIST guidelines as well as industry recognized practices and standards. We support TLS 1.2 for HTTPS and the HTTPS API, and industry recognized encryption standards for file transfer. For customers who purchase an enhanced security environment, we provide encryption at rest (AES-256), encrypted backups (RSA 4096 or AES-256), and data erasure following National Institute of Standards and Technology (NIST) 800-88 upon customer termination. We do not use SSL, TLS 1.0 or TLS 1.1. Clarabridge uses a key management solution with limited access, enforcing the least privilege and separation of duties principles.

Media Sanitization and Data Deletion

At the termination of Subscription Services, Clarabridge deletes all Customer Data. Further, all data is removed from re-provisioned and decommissioned machines and from enhanced security environments using secure data erasure following National Institute of Standards and Technology (NIST) 800-88. The Customer may receive a Certificate of Sanitization upon request following termination of services.

Logging and Monitoring

Data Center Monitoring:

The data center provider uses advanced monitoring solutions to monitor hardware and network and notifies Clarabridge as soon as any issues are identified. Automated tickets are immediately opened to address any issues. A Network Operations Center (NOC), with a redundant NOC, provides 24-hour monitoring of the infrastructure. The data center provider also monitors host ping and IPMI statistics.

Clarabridge Monitoring:

Clarabridge uses a robust monitoring solution to proactively monitor the Clarabridge hosted Subscription Services around the clock in order to maintain uptime and resolve issues before they affect customers. Automated notifications alert the team to issues or outages.

Clarabridge Logging:

All logs from the Subscription Services, the Application and Database tiers, firewalls, and the SFTP server are pulled into a centralized SIEM for 24/7 monitoring and alerting. We retain SIEM logs for 7 years.

Backups and Disaster Recovery

Clarabridge has implemented a high-speed disk based backup solution. All applications, databases and configurations are backed up daily. Backups are located in a geographically separate location from the source data (Application and Database servers). Access to the backup system is controlled and only authorized users can access the backup system. Backups are never stored on removable or physical media.

Clarabridge performs quarterly disaster recovery exercises. They include a variety of tests to validate recovery time objectives (RTO), as well as recovering in a separate data center in the event the primary data center becomes unrecoverable. A copy of our RTO/RPO is available upon request.

Privacy

Please refer to the following online resources regarding privacy:
For our website users: Privacy Policy: https://clarabridge.com/privacy-policy/
For our customers: Data Processing Annex: https://clarabridge.com/eu-dpa/
For both: GDPR Compliance and Awareness: https://clarabridge.com/GDPR/
For both: California Consumer Protection Act: https://www.clarabridge.com/ccpa/