Last updated: December 07, 2022
At Impro.ai, security and privacy are at the core of our business
- We understand that our continued business success depends on the trust our customers and each individual participant place in our ability to safeguard their data.
- We are committed to providing a robust and secure service that protects your data, and to continually improve our practices to keep on top of evolving security threats.
- All customer and participant data is always handled according to strict confidentiality and privacy principles.
- Your data is protected by industry-leading security technology, continually evolving operational practices, ongoing investments in security training, independent audits and security testing and expert consulting.
Multi-layered security architecture
- Participant interactions are stored in our cloud-based platform only, with strict access controls limiting access
- Administrative access to the platform is limited to very few individuals with a job-requirement for such access
- Network access is restricted to ports and protocols required for the platform functions and operations
- We use serverless technology to minimize the threat surface of our platform
- All endpoints used internally to access the platform are protected via next-gen Endpoint Detection and Response(EDR) technology
- We follow strict operational practices to maintain security and privacy
Our service is hosted by Microsoft Azure
- We take full advantage of the security infrastructure and benefits provided by MS Azure.
- Azure manages the underlying infrastructure while we focus on securing and operating the application environment.
We are ISO 27001 Certified
Our privacy practices are aligned with key regulations such as GDPR and CCPA
- We have implemented privacy management practices designed to address privacy regulations in the jurisdictions our clients operate
- A Data Protection Addendum (DPA) is included in all our customers contracts, and we honor all Data Subject Requests (DSR) required by local privacy regulations.
Policies and Procedures
Built upon the ISO 27001 standard, our operational and security policies, standards, and procedures address the requirements, roles and responsibilities across all areas of security and privacy, including:
- Access management
- Data Protection
- Business Continuity and Disaster Recovery
- Secure Development
- Change Management
- Personnel Security
- Security Operations
- Vendor Management
- Technology and operational risks are analyzed formally at least once a year, and informally on an ongoing basis as part of our daily security operations
- Identified risks are ranked and monitored, and response plans developed to address them according to severity
- A penetration test is conducted at least annually by a professional 3rd party to help identify and resolve security issues
- We also conduct vulnerability scanning on our platform on a regular basis as part of our continuous monitoring efforts
All personnel are required to attend annual security and privacy awareness training, which includes acknowledgment of our policies and reinforcement of the importance of security and privacy to our organization
- We follow the principle of least privilege.
- Internal access to the platform is granted to personnel based on their job responsibilities. Access to the platform is removed immediately upon employee or contractor termination.
- We regularly review the access rights of all personnel and adjust access permissions as required to maintain least privilege.
- Databases are on Azure Relational Database System (RDS). RDS does not allow access to the database servers beyond the standard database protocol interface.
- Access to participant data is logically separated to ensure only the coach(es) assigned to a given participant have access to that participant’s data.
- We use MFA to provide additional security when logging into key systems and applications
- Secure coding best practices are strictly followed. Common application layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC.
- All code changes are controlled and approved and undergo strict Quality Assurance (QA) testing prior to production deployment.
- We have an Incident Response Plan to help manage incidents in an effective manner.
- The plan aims to minimize potential damages that could result from a security or privacy compromise, as well as ensuring relevant notifications to affected parties are well managed.
Where can I find details regarding the platform's use of personal data?
- In addition, all our contracts include a Data Processing Addendum to address GDPR and CCPA requirements.
What type of data is stored by the platform?
Where is personal data stored? Can we choose the storage location of data?
Currently, participant data is stored only in the United States. Although it is currently in our roadmap, at present time we do not have the ability to restrict data residency to specific regions or countries.C
Do you notify customers in case of a data breach?
Per our Data Protection Addendum, Impro.ai will, to the extent required under applicable Data Protection Laws, notify Customers without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed on behalf of the Customer.
How long is personal data stored?
Our internal data retention policy provides specific maximum retention periods that vary according to the specific data sensitivity and the legal, regulatory and/or business requirements that apply to each data category. Once records of personal data are no longer necessary or relevant for business or legal purposes, Impro.ai will anonymize/de-identify or securely destroy any such records.