This Security Policy was last modified on June 13, 2014.

1. Overview

At Convo, security is quintessential to a quality service and product. Providing best in class security requires taking a holistic approach. That is why our security initiative tackles all possible facets needed to provide a satisfying solution. Here is a list of those areas:

  • Data Security
  • Network Security
  • Physical Security
  • Activity Tracking and Monitoring
  • Product Development Life Cycle
  • Administrative Policies
  • Sharing Security Guidelines

2. Data Security

  • Encryption in transit is protected with 4096 bit RSA keys and 128/256 bit AES encryption.
  • Data at rest is protected with high-grade AES-256 encryption.
  • For encryption split knowledge and dual control is enforced within the key management procedures. Keys are rotated often.
  • Passwords and encryption keys are stored in encrypted manner.
  • All sensitive payment information data is at rest encrypted.
  • All user data and files belonging to Enterprise accounts are at rest encrypted.
  • Convo uses the latest technology and the industry best practices for data encryption of sensitive customer data. All Enterprise customer data and files are encrypted, in transit to and from Convo servers as well as while stored within Convo.

All sensitive data (including user specific data) is stored using Amazon Relational Database Service (RDS) and Amazon Simple Storage Server (S3) that use industry standards for security:

  • ISO 27001 certification for user data centers (Amazon S3).
  • Uninterruptible power and backup systems, plus fire and flood prevention at Amazon storage sites.
  • Convo employs multiple Amazon data centers to host customer data. All data centers employ physical security, strict access policies and secure vaults and cages.

For more details please see:

3. Network Security

Administrator access is restricted to the company’s owned static IPs through a firewall, and from allowed IPs, access is only possible if the administrator with special privileges has a key file.

There is a firewall for each of the connections to the internet or other untrusted networks.

  • No systems are directly connected to the internet.
  • Remote access is managed by secure Virtual Private Network (VPN). No other means are allowed for remote access to internal network.
  • Password based access is not allowed on production servers, and can only be accessed with SSH key file. Only authorized persons have access to this key.
  • There is a separate firewall for production servers which restricts administrator access to these servers from anywhere except from within the company’s secure internal network (with access strictly limited to only those with relevant job responsibility). Any change made in this firewall rules is logged with user identity, and time.

Access Control

  • Guidelines are in place for employees to change passwords frequently.
  • Each user is identified through a unique ID.
  • User identity is required at time of password reset.
  • Access to systems is established and approved according to business need and job responsibility. Employees are granted specific rights for access to resources like computer machines, code base, servers, office building etc.
  • Central computing systems are protected via firewalls, key files, access through SSH etc.

Keeping machines secure

  • Anti-virus products are required for all systems regardless of the purpose of the machine as long as it on the network.
  • All machines are kept up to date with latest security patches and updates from relevant vendors.

4. Physical Security

Company facilities that have access to software code, and authorized access to AWS data centers are strengthened with proper security measures in place to restrict any form of unauthorized physical access of the premises.

  • Doors require card readers for entry
  • Video surveillance is used to log and monitor premises
  • Employees are required to keep wear employee badges
  • Proper procedures are in place to distinguish full time employees from visitors
    • Visitors are required to sign-in
    • Visitors are escorted at all times
    • Visitors are given a token on check in which is returned on check out

5. Activity Tracking and Monitoring

  • Audit logs containing programmer activities (log ins, check ins etc.) are maintained.
  • Employees (including but not limited to engineers) are required to authenticate themselves before accessing any machine, network resource or source code (changes to which are tracked).
  • Logs are recorded and maintained for all access calls from authorized Convo personnel to Convo servers including the identity of the caller, the time of the call, the source IP address of the caller, the request parameters, and the response elements returned by the servers.

6. Product Development Life Cycle

All software code is developed based on strict and well defined industry standard software engineering product development life cycle principles.

  • No code is ever released without proper testing (including security testing). Tests include but are not limited to – Invalid user input, authentication issues, unauthorized access etc.
  • Security analysis and review is done for all new features especially for those where there is reasonable change to any existing system.
  • There are separate environments for test, development and production.
  • Production data is never used for testing.
  • All source code changes are peer reviewed.

7. Administrative Policies

  • Confidentiality and nondisclosure agreements are required from business partners.
  • All employees are required to sign a privacy and security acknowledgment document at time of hire.
  • Potential new hire candidates are screened to minimize chances of any internal breach.

8. Sharing Security Guidelines

Procedures are in place to ensure security documents, information and guidelines are broadly shared with all employees

  • Sharing security guidelines and procedures are part of onboarding a full time hire (FTE)
  • Initiatives for security specific knowledge sharing include publishing security related documents internally, conducting brown bags and related mandatory security meetings.

Updates to our Security Policy

This Security Policy may be updated periodically and without prior notice to you to reflect changes in our security practices. We will post a prominent notice on this Website to notify you of any significant changes to our Security Policy and indicate at the top of the statement when it was most recently updated.