Security as a Company Value
Last edited on 09-28-2022
Alight Analytics, LLC. DBA ChannelMix’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.
Secure Personnel
Alight Analytics, LLC. DBA ChannelMix takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to its resources.
- All Alight Analytics, LLC. DBA ChannelMix contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
- All development projects at Alight Analytics, LLC. DBA ChannelMix, including on-premises software products, support services, and our own Digital Identity Cloud offerings, follow secure development lifecycle principles.
- All development of new products, tools, and services, and all major changes to existing ones, undergoes a design review to ensure security requirements are incorporated into the proposed development.
- All team members regularly involved in system development undergo annual secure development training in the coding or scripting languages they work with, as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
Alight Analytics, LLC. DBA ChannelMix uses third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing, both by internal security engineers and by external penetration testing companies, on new systems and products and on major changes to existing systems, services, and products, to obtain a comprehensive, real-world view of our products and environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
Cloud Security
Alight Analytics, LLC. DBA ChannelMix Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.
Alight Analytics, LLC. DBA ChannelMix Cloud leverages the native physical and network security features of the cloud service, and relies on the provider to maintain the infrastructure, services, and physical access policies and procedures.
- All customer cloud environments and data are isolated using Alight Analytics, LLC. DBA ChannelMix’s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
- All data is also encrypted at rest and in transit to prevent unauthorized access and data breaches. Our entire platform is also continuously monitored by dedicated, highly trained Alight Analytics, LLC. DBA ChannelMix experts.
- We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
- Client data protection follows the SOC 2 criteria for encrypting data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
- We implement role-based access controls and the principle of least privilege, and review and revoke access as needed.
Compliance
Alight Analytics, LLC. DBA ChannelMix is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Alight Analytics, LLC. DBA ChannelMix’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Alight Analytics, LLC. DBA ChannelMix has in place.
SOC 2 Type 2
Alight Analytics, LLC. DBA ChannelMix successfully completed the AICPA Service Organization Control (SOC) 2 Type 2 audit. The audit confirms that Alight Analytics, LLC. DBA ChannelMix’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
Alight Analytics, LLC. DBA ChannelMix was audited by Prescient Assurance, a leader in security and compliance certifications for B2B SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada and provides risk management and assurance services, including but not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA and CSA STAR.
A SOC 2 Type 2 report (SOC 2 is an auditor attestation rather than a certification) demonstrates to Alight Analytics, LLC. DBA ChannelMix’s current and future customers that it manages their data to a high standard of security and compliance.
Frequently Asked Questions (FAQs)
How is the application designed and deployed?
ChannelMix is a web-based application deployed via cloud and built on AWS, following all AWS cloud security standards. The application is compatible with Chrome, Safari, Firefox and IE 8+ browsers. Reports can be built using Tableau or Power BI by connecting to the data in Redshift. Alight Analytics dba ChannelMix is responsible for managing the data warehouse structure.
Clients may choose to install optional 3rd-party applications for a more self-service solution. Tableau Desktop is optional when clients wish to manage or update marketing dashboard templates themselves. A database client install is optional for use of querying the cloud-hosted data warehouse.
What kind of data is stored in the application? How is it stored?
ChannelMix stores aggregated marketing data collected through authenticated connections to third-party marketing platforms, automated emails, secure FTP and direct file upload. Data is stored on an AWS Redshift cluster; in most cases, each client has a dedicated cluster. We require TLS 1.2 or higher for data in transit. ChannelMix does not store our clients' customer data or PII/PHI.
How are data and the application accessed?
Through the ChannelMix platform, Alight Analytics dba ChannelMix only has rights to access those data sources clients have granted permissions to. Clients have the right to revoke permissions for any reason.
ChannelMix users are set up upon request of the ChannelMix client, and an account manager at Alight Analytics dba ChannelMix configures the users on behalf of the client. ChannelMix uses a single sign-on framework to manage users and can de-provision users on behalf of the client. Shared account access is managed through an enterprise password manager.
Through the SSO service, the application can authenticate users, force password changes and lock accounts. ChannelMix enforces a session timeout after 120 minutes of inactivity.
Employees access the network through a VPN with multi-factor authentication. Physical access to the network and databases is managed via badged access to the office and within the office. The office building provides security during and after office hours.
No access to the client network is required.
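The inactivity timeout and account lockout described above are common session controls. The following is an added example, not ChannelMix's own code, of how such a control is typically enforced server-side: a sliding idle timeout (120 minutes, as the page states), an absolute session lifetime (an assumed value, not stated on the page), and lockout that invalidates every session for a user. All names and the timestamps are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# The page states a 120-minute inactivity timeout. The absolute lifetime cap
# is an assumption added here; a timeout that only slides can otherwise be
# kept alive indefinitely by periodic activity.
IDLE_TIMEOUT = timedelta(minutes=120)
ABSOLUTE_LIFETIME = timedelta(hours=12)


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    locked: bool = False


class SessionStore:
    """In-memory session table with sliding idle expiry, an absolute cap and lockout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, token: str, user: str, now: datetime) -> Session:
        session = Session(user=user, created_at=now, last_seen=now)
        self._sessions[token] = session
        return session

    def lock(self, user: str) -> int:
        """Lock the account: every live session for the user stops validating."""
        count = 0
        for session in self._sessions.values():
            if session.user == user:
                session.locked = True
                count += 1
        return count

    def validate(self, token: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Expired sessions are removed on sight."""
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown"
        if session.locked:
            return False, "locked"
        if now - session.created_at > self.absolute_lifetime:
            del self._sessions[token]
            return False, "expired-absolute"
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[token]
            return False, "expired-idle"
        session.last_seen = now  # activity refreshes the idle window
        return True, "ok"


def demo():
    """Constructed timeline: activity at +119 min keeps the session alive,
    a request exactly 120 min after that is still in-window, the next gap
    of 121 min expires it, and the expired token is then unknown."""
    t0 = datetime(2022, 9, 28, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    store.create("tok-1", "alice", t0)
    checks = [119, 239, 360, 361]
    return [store.validate("tok-1", t0 + timedelta(minutes=m))[1] for m in checks]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: lockout is tested before any expiry so a locked user never gets a "session expired" message that might suggest logging in again, and the sliding refresh happens only after every check has passed.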
What types of security testing are performed on the application? Is an incident response plan in place?
A penetration test is completed every two years in accordance with industry standards. An Advanced Web Application Security Assessment was completed on January 15th, 2020 by Depth Security. The ChannelMix application demonstrated a strong security posture, defending itself well during testing. No critical, high or medium-severity issues were discovered; twenty low-severity and one informational-severity issue were discovered. Assets are regularly scanned and patched by our IT service provider.
A documented and tested incident response plan is in place. Our response capability includes the use of legally admissible forensic data collection and analysis techniques and enables us to isolate a security event or incident to a specific client environment.
A disaster recovery and business continuity plan is in place and includes data and application restore and recovery capabilities.
What policies are in place to ensure standards are enforced?
- We have formal disciplinary measures and sanctions in place for employees who have violated security policies and procedures.
- We perform background checks on all temporary and permanent employees, including SSN Trace, Sex Offender Search, Global Watchlist Search, National Search and County Searches.
- We revoke all access for terminated employees on the last day of work or upon termination.
- We carry cybersecurity insurance.
- An asset management program is in place to track, maintain and retire software and hardware assets.