Security at Contentsquare
Contentsquare leverages third-parties as cloud providers benefiting from state-of-the-art facilities and strict security controls in place. The cloud provider manages the physical and environmental security of facilities and the logical security of high level services that Contentsquare relies on.
Annual penetration test targeting our infrastructure and public facing services is conducted by external security specialists. Monthly scans and cloud compliance assessments are also performed. As well, we have a bug bounty program in place.
We do not process nor store confidential data. However, strong cryptographic mechanisms are in place to ensure data in-transit and at-rest security:
– Data in transit is encrypted and secured from the user's browser to the application via TLS (ranked A by Qualys SSL labs)
– VPN and SSH for technical administratives accesses
Backup & Disaster Recovery
Contentsquare provides disaster recovery and business continuity through multiple means:
– Use of several Availability Zones in the region
– Use of an "infrastructure as code" paradigm which allows rebuilding a full platform from scratch
– Replication of data in a backup region
🔒 Technical Security Measures
Read our full Technical Security Measures for a deep dive into our our Cloud Security Infrastructure and Architecture.Read More
Before deployment, new developments are qualified, reviewed and automatically tested through our code quality pipeline which validates that the version conforms with our standards in terms of functionality, code coverage, performance and security.
Strong password policy is in place. Single Sign-On is available. The supported protocol is SAML 2.0.
We support two types of authentication: - Standard authentication (8 characters minimum length, complexity options and CAPTCHA), - SAML SSO v2.0 (complexity rules are imposed by the customer's IDP).
Contentsquare leverages a web-application firewall to detect and block application-level attacks, vulnerability and for incident response automation.
Contentsquare provides a multi-tenants service that means that customers share the same infrastructure. The segmentation of customer data is logical: all data collected is linked to a customer ID that is required by the application to fetch back the data.
Following CNIL’s regulation, acquired data is stored for 13 months and then erased from our servers for all clients. There is an auto-deletion policy after 13 months for each object kept in storage (S3 bucket rule). This requirement is implemented as a global lifecycle rule on all of our S3 buckets.
To protect against that we have the following layers of controls:
- SDLC process with peer-review, static code analysis and dynamic analysis of every change, this process is audited by external party is it is in the scope of our ISO 27001 certification
- External penetration tests of our tag (report can be provided on demand)
- Compatible CSP
While we acknowledge that SRI (sub-resources integrity) is a way to protect against these types of attacks, we have chosen another implementation for our default deployment.
- We change the Tag very often. SRI are not supported by all browsers and need to be activated by customers.
- In case of Tag hijacking, we would have to wait for customers to give us feedback about SRI errors and would thus lose a lot of time.
Security Organization & Governance
Contentsquare has an established function responsible for security and data compliance across the organization. Contentsquare security governance and ISMS closely follows ISO 27001 standard:
– Annual risk analysis
– Key Performance Indicators are issued quarterly to ensure that the ISMS is running efficiently
– Dedicated security policies and procedures that cover all of the 133 controls of the ISO 27001 (reviewed annually)
At Contentsquare, security starts with its people. Contentsquare invests in properly vetting and training staff to ensure that there is an organization-wide appreciation for security. Before hire, limited background checks (identity, education) are performed.
Confidentiality agreements signature and security training completion are deployed and required upon employees’ onboarding.
Corporate IT Security
Contentsquare commits to the highest standards of security. As such, IT corporate resources require an appropriate level of safeguards:
– Corporate networks are fully segregated from production networks
– Corporate networks are monitored by an Intrusion Detection System
– Corporate networks and devices are analysed monthly with a vulnerability scanner
– Laptops are pre-configured with an endpoint protection and antivirus software
– Laptops hard-drives are encrypted at-rest
– Clean desk policy