Security Overview

At CustomerIQ, our objective is to blend cutting-edge technology with a profound regard for the data you provide us. During our application's development, we integrate a comprehensive security system, a standard we continually uphold through rigorous development practices. Our chief goal remains the provision of product upgrades that enhance the efficiency of your workplace, all the while maintaining the integrity of your data's safety.

We appreciate that your choice to entrust us with your corporate data is a momentous one. This awareness has motivated us to establish a robust security protocol to offer you the peace of mind you need. We guarantee the secure segregation of your data from that of other customers, and similar measures are implemented in regulating access within our team. At CustomerIQ, we value your privacy, ensuring your data is accessed only with your knowledge and never used to produce any metadata for future resale. Our exclusive focus is on delivering the promised value without any deviation.

Compliance

We host our services in Amazon Web Services, which is a state-of-the-art data center utilizing innovative architectural and modern engineering approaches. Amazon’s data centers have been validated for compliance against a number of strict standards, regulations and assorted frameworks. To learn more about Amazon’s compliance programs, see https://aws.amazon.com/compliance.

For inquiries regarding our information security practices, to provide feedback, suggestions to our team, or to report an identified security vulnerability in our application, please email us at hello@getcustomeriq.com.

Privacy

We may update this section as the global regulations emerge or are updated and if any additional information is required.

GDPR

The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law that took effect on May 25, 2018.

Under GDPR, CustomerIQ is a data processor; therefore, we provide support to data controllers in order to enable them to fulfill their obligations under GDPR, and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.

CustomerIQ has taken various steps to give customers assurance that the use of CustomerIQ’s products and services is consistent with the GDPR:

  • Data Protection Agreements are established with relevant customers and third parties to ensure appropriate processing and safeguards are in place for EU personal data.
  • We have standardized processes and technical capabilities in order to help our customers respond to data subject requests for access, rectification or erasure of personal data maintained by CustomerIQ.
  • We apply a risk-based approach in the selection and monitoring of all third-party vendor relationships.

Subprocessors: CustomerIQ uses third-party services for business and operational efficiency. These subprocessors have limited access to the customer data required to provide specific functionality within our service. We establish data protection agreements that require third-party services to adhere to the confidentiality and privacy commitments that we have made to our customers. For a list of current subprocessors, please contact us via email at hello@getcustomeriq.com.

CCPA

CustomerIQ is a service provider, as defined by the California Consumer Privacy Act of 2018 (“CCPA”), a California state law that went into effect on January 1, 2020. CCPA gives California consumers new privacy rights and creates new obligations for businesses that are covered by the law.

The rights for California consumers include:

  • The right to know what personal information a business is collecting and how that information is being used and shared;
  • The right to a copy of the personal information a business holds about a consumer;
  • The right to delete personal information a business holds about a consumer;
  • The right to stop the sale of personal information by a business; and
  • The right to have equal service and price, even if a consumer exercises their privacy rights.

Our business has processes in place in order to respond to consumer requests related to the CCPA.

Security Governance

Information Security Program

CustomerIQ maintains a formal information security program that is supported by written information security policies, approved by management, published and communicated to staff.

Security Leadership Committee

The security leadership committee provides executive-level oversight and approval for security and compliance initiatives and planning through various actions.

Application & Product Security

Authentication

  • User passwords are protected by the latest recommendations for strong encryption and hashing (i.e. AES-256 and bcrypt).
  • CustomerIQ APIs only communicate over encrypted channels and are only accessible to verified users.

Access Controls

  • Our system has a multitenant architecture that logically separates customer data through access control that is based on workspace, users, and roles. Our application has extensive access control lists, authentication, and authorization mechanisms that allow data access for authorized users only.
  • All customer accounts are assigned a unique GUID, which allows access only to the services and data consistent with the privileges assigned.
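As an added illustration (not CustomerIQ's code) of the workspace-, user- and role-based separation described above: every record carries the GUID of the workspace that owns it, the caller's workspace comes from the authenticated session rather than the request, and the tenant boundary is checked before any role permission is consulted. Role names, record layout and all sample GUIDs are assumptions constructed for this example.

```python
from dataclasses import dataclass
from uuid import UUID

# Role-to-permission mapping is an assumption for illustration.
ROLE_PERMISSIONS = {
    "owner": {"read", "write", "delete"},
    "member": {"read", "write"},
    "viewer": {"read"},
}

@dataclass(frozen=True)
class Principal:
    user_id: UUID
    workspace_id: UUID   # taken from the authenticated session, never from request input
    role: str

class AccessDenied(Exception):
    pass

# Constructed sample data: two workspaces, each record tagged with its owning workspace GUID.
WS_A = UUID("11111111-1111-1111-1111-111111111111")
WS_B = UUID("22222222-2222-2222-2222-222222222222")
REC_A1 = UUID("aaaaaaaa-0000-0000-0000-000000000001")
REC_A2 = UUID("aaaaaaaa-0000-0000-0000-000000000002")
REC_B1 = UUID("bbbbbbbb-0000-0000-0000-000000000001")
RECORDS = {
    REC_A1: {"workspace_id": WS_A, "body": "workspace A feedback"},
    REC_A2: {"workspace_id": WS_A, "body": "workspace A notes"},
    REC_B1: {"workspace_id": WS_B, "body": "workspace B feedback"},
}
ALICE = Principal(UUID(int=1), WS_A, "member")   # constructed sample users
BOB = Principal(UUID(int=2), WS_B, "viewer")

def is_allowed(principal: Principal, record: dict, action: str) -> bool:
    """Tenant boundary first; the role only matters inside the caller's own workspace."""
    if record["workspace_id"] != principal.workspace_id:
        return False
    return action in ROLE_PERMISSIONS.get(principal.role, set())

def fetch_record(principal: Principal, record_id: UUID, action: str = "read") -> dict:
    """Look up by GUID; a foreign-tenant record is reported exactly like a missing one."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(principal, record, action):
        raise AccessDenied(f"{action} denied for record {record_id}")
    return record

def list_records(principal: Principal) -> list:
    """Scope the query by workspace so other tenants' rows never enter the result set."""
    if "read" not in ROLE_PERMISSIONS.get(principal.role, set()):
        return []
    return [rid for rid, r in RECORDS.items() if r["workspace_id"] == principal.workspace_id]
```

The point of checking the workspace before the role is that a caller with a powerful role in one workspace still gets nothing from another; role escalation never crosses the tenant boundary.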

Resilient & Secure Architecture

Redundant and Scalable Infrastructure

  • CustomerIQ data and services are deployed across geographically distributed availability zones in the United States maintained by an industry-leading service provider (Amazon Web Services).
  • Scalable infrastructure is used to distribute application load across resources and support high availability.
  • Properly isolated network resources restrict inbound traffic from untrusted zones.
  • Capacity thresholds are defined to automatically provision additional resources to meet spikes in application demand.

Encryption

  • We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the TLS 1.2 protocol and SHA-2 signatures, for data traveling between clients and the CustomerIQ service and between CustomerIQ services over public networks.
  • AES-256 encryption is utilized to protect application and customer data at rest.
  • We observe a strict key management policy that includes a key rotation procedure and minimum entropy requirements with access restricted to delegated key custodians.

Threat Monitoring

  • Technology and tooling are in place to detect and alert on suspected network intrusion, command and control attempts or potential system compromise.
  • We have a documented security incident response process that includes appropriate escalation procedures, root cause analysis, impact assessment, and containment.
  • External communications can be made in a timely manner to impacted customers, third parties and authorities.

Recovery Capabilities

  • Data is replicated across multiple availability zones to support continuity in the event of a regional outage.
  • Complete data backups are performed daily, with proactive retention periods observed.
  • Backup restoration procedures are documented, and tested regularly to confirm the efficacy of our processes.
  • Our disaster recovery strategy is documented, with appointed responsible personnel and supported through regular review with our security team.

Secure Build

Design & Build Practices:

  • A Software Development Lifecycle (SDLC) policy is documented to guide engineers on appropriate development practices and change control.
  • Code is evaluated for design, functionality, and expected security exposures.
  • Changes to the source code are governed by a standardized change management process.
  • In addition to automated and manual testing, our code is peer-reviewed prior to being deployed to production.

Penetration Testing

  • We engage third-party security experts to perform comprehensive penetration tests on an annual basis.

Personnel Practices

Recruitment & Selection Practices:

  • We rely on comprehensive background verification and employment history when selecting candidates for employment opportunities with CustomerIQ.
  • Employees are required to sign non-disclosure and confidentiality agreements upon joining CustomerIQ.

Access Controls:

  • Only authorized employees are granted access to production systems for fulfilling their job responsibilities.
  • Access is regularly reviewed for business justification.

If you have questions about CustomerIQ’s security practices or you believe a security incident has occurred, please contact hello@getcustomeriq.com.