Last updated: September 10th, 2019
VSight provides a cloud communications platform for a wide range of customer and business needs. Recognizing the importance of information security, we have invested considerable time and effort into ensuring our platform’s security.
This document summarizes various technical and organizational security measures we have implemented to protect our customers’ data from malicious or accidental destruction, alteration, loss, unauthorized access or disclosure.
VSight’s data processing environment is built on the Google Cloud platform, using data centers located in Frankfurt. The cloud platform complies with various security standards - including ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO 22301:2012, ISO 31000:2009, HITRUST CSF v8.1, SOC 2 and SOC 3 - and guarantees protection of the physical infrastructure and facilities.
VSight stores all production data in physically secure data centers, including Google Cloud and Microsoft Azure facilities. VSight’s cloud storage vendor (Google Cloud Datastore) is compliant with ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, SOC 2, SOC 3 and NIST 800-171.
Certificates can be reached from the links:
VSight’s office facilities are secured by 24/7 guards, interior and exterior video surveillance, alarm systems, security gates, and doors equipped with access card readers or locks.
VSight data processing systems are designed to ensure only authorized access and processing of customers’ data.
The granting or modification of access rights follows an established workflow with a mandatory approval from the line management. Workflow tools provide accountability through recordkeeping.
All account actions can be traced to the particular user taking action on the account. The time, date, and type of action are recorded for all privileged account actions.
Only properly authorized personnel are allowed to access and manage customer data. Team-wide security roles covering critical tools and applications are applied.
VSight’s onboarding process mandates that domain credentials for each employee are requested by the HR function in a formal, accountable manner. Employment termination triggers revocation of issued credentials.
VSight ensures that personnel are notified of significant requirements as well as personal and corporate consequences of engaging in improper activities. All employees complete a periodic mandatory security training and a Code of Conduct training covering business ethics and professional standards, each at least annually.
Customers can manage their accounts through the VSight Admin Panel - a dedicated web page that supports two-factor authentication and IP address verification. If enabled, the VSight Customer Dashboard requires, in addition to the customer’s password, a one-time verification code sent by SMS to the phone registered on the customer’s account whenever the customer’s IP address differs from the one used previously.
VSight Customer Dashboard password-based authentication utilizes secure hashing and salting to protect against impersonation and brute-force attacks.
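As an added illustration (not VSight’s code), a minimal Python login check that combines per-user salted password hashing with the step-up rule described above: a one-time code is required whenever the login IP differs from the previous one. The in-memory account store, the scrypt parameters and the stand-in for the SMS code check are assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store for illustration only (not VSight's
# real schema): username -> salt, password hash and last-seen login IP.
ACCOUNTS = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard KDF; the per-user salt defeats precomputed
    # (rainbow-table) attacks and makes equal passwords hash differently.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(username: str, password: str, ip: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "last_ip": ip,
    }

def login(username: str, password: str, ip: str) -> str:
    """Return 'denied', 'otp_required' (second factor needed) or 'ok'."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        # Hash anyway so an unknown user is not distinguishable by timing.
        _hash_password(password, b"\x00" * 16)
        return "denied"
    candidate = _hash_password(password, acct["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, acct["hash"]):
        return "denied"
    if ip != acct["last_ip"]:
        # IP differs from the previous login: step up to an SMS code before
        # granting the session; last_ip is updated only after the code passes.
        return "otp_required"
    return "ok"

def confirm_otp(username: str, ip: str, code_ok: bool) -> str:
    # code_ok stands in for the SMS code check, which is out of scope here.
    if code_ok:
        ACCOUNTS[username]["last_ip"] = ip
        return "ok"
    return "denied"
```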
VSight supports HTTPS and SMPP over TLSv1.2 as the main protocols for encrypted communication.
VSight’s data processing environment is separated from the outside world and from the test environment with firewalls. Fine-grained segmentation inside production and test environments is achieved with the help of VLANs.
VSight employs a three-fold vulnerability management strategy which includes proactive updates of third-party applications, internal monthly vulnerability scans, and external penetration tests. VSight keeps itself up to date with patches/upgrades and updates third-party applications promptly as new versions are released.
VSight's development process is built on the principle of segregation of duties and employs mandatory reviews and approvals. Each change to the production environment is submitted by Development, tested by Quality Assurance, and reviewed by Operations before deployment.
Apart from system-level logging to ensure traceability of account actions, VSight commits to logging all API requests in order to recognize, investigate, and protect customers from fraudulent activity. Among other information, logs contain the source IP, account ID, type of activity and timestamp. All successful and unsuccessful authentication attempts are logged and investigated, as appropriate.
Customers control and configure VSight services through a portal (VSight Admin Panel). To provide an audit trail, all changes and actions performed using the customer dashboard are recorded.
Internal administration activities are performed via tools accessible only by authorized VSight personnel. All activities including provisioning of VSight services are logged.
VSight’s business continuity planning incorporates procedures to sustain critical functions, backup and recover data, and protect company assets.
Single points of failure are eliminated for critical services with multi-node and multi-channel network design and load-balancing strategy.
VSight follows a Data Backup Policy which mandates regular backups of configuration and account data required for continuous service operation and usage of off-site storage, and daily data restoration tests where appropriate.
VSight recognizes a potential internal attack surface originating from compromised end-user machines used by VSight employees, and to mitigate this threat implements a set of security measures including hard drive encryption, secure data erasure upon laptop decommissioning, virus/malware protection with automated updates, browsing/traffic control, and centralized domain-based authentication.
VSight utilizes two main strategies to protect customers’ data: data encryption for long-term data and limited data retention for short-lived data.
VSight retains data processing logs for a minimum of three days.
VSight provides, upon a customer’s request and subject to applicable legal requirements, true data anonymization by means of data redaction. Data redaction is a one-way process that substitutes the original data with a predefined set of characters, revealing no information about the original data except that it was anonymized.
If you believe that you have found a VSight security vulnerability, please contact us at security@vsight.io for further investigation.