
Overview of Syndigo’s Technical and Organizational Security Measures

Syndigo’s relationship with its customers is built on trust. We believe that our early investment and commitment to privacy and security have built the foundation for becoming the largest global SaaS-based content and information management solution for digital product information.

1. Certifications and Assessments

Our systems are built on a solid foundation of data security and privacy and compliance to help all our customers meet their compliance requirements, including data protection requirements.

Syndigo has received SOC 2 Type II attestations for its Core Syndication, Enhanced Content Syndication, Analytics, Product Information Management (PIM), and Master Data Management (MDM) solutions. Riversand Technologies India Pvt Ltd has also received an ISO 27001 Certification. This demonstrates that both solutions maintain a high level of information security.

Syndigo platform has also been audited by the globally recognized security and privacy consulting and auditing firm VeraSafe against principles of the Data Privacy Framework. Syndigo has certified its adherence to the Data Privacy Framework Principles with respect to the personal data processing in the context of its product content management system, the PIM/MDM Platform, and its Sales and HR activities. You can view our certification here (search for Syndigo LLC).

Syndigo has engagements with multiple third parties to audit and ensure compliance of its systems via Security Operations Center (SOC) monitoring, SOC 2 Type II audits, and risk assessments.

Copies of the most recent SOC 2 Type II reports for our solutions and the ISO 27001 certification for Riversand Technologies India Pvt Ltd are available for Syndigo’s customers/prospects: just request them from your Customer Success Manager or Sales Representative. Please note that to receive this documentation we may require you to sign a Non-Disclosure Agreement.

2. Privacy by Design and by Default

Data Minimization: Syndigo’s products adhere to the data minimization principle. We strive to limit the scope of personal data used, requested, and processed to the minimum. For example, Syndigo’s product content management system is designed to only process its end-users’ names, usernames, IP addresses, email addresses, application role, job titles, and company information, as these are strictly necessary to enable login to the customer’s company platform. Users can also be added using only their names or nicknames without surnames. The customers’ account admins are responsible for all the content and users that are added and Syndigo does not actively monitor user events. Syndigo’s Enhanced Content also collects and aggregates a limited amount of information about the visitors of websites where Enhanced Content is used regarding their site behavior. With respect to the PIM/MDM Platform: we only process first and last name, application role, email address and company name. Learn more about the data collected by reading our product privacy notices available here.

Limited Data Retention: Syndigo’s policy is to only keep personal data associated with a customer account in the system for thirty calendar days from the cancellation of the customer account. After that period, Syndigo deletes such data.

There’s only one situation where we retain the personal data of our customers. Syndigo retains the contact information of one customer contact per customer account to assure compliance with regulatory, tax, and Intellectual Property-related obligations. In these cases, Syndigo only keeps the contact’s first name, last name, the company the contact works at, email address, and phone number.

3. Incident Management

We maintain adequate policies, procedures, and controls to prevent and detect the accidental, unauthorized or unlawful destruction, alteration, damage, loss, disclosure of, and access to data, or compromise to the availability or integrity of data, including personal data. Syndigo has implemented an incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to incidents internally and to customers.

4. Encryption

Syndigo has implemented security measures to protect data, including personal data, during storage and in transit. Customer data is encrypted in transit between our customer’s software application and our services using a minimum of Transport Layer Security (TLS) v1.2. The databases storing customer data are encrypted at rest using the Advanced Encryption Standard (AES). We use cryptographic controls and approved algorithms for information protection within our systems. Cryptographic keys are managed throughout their lifecycle (e.g., ownership, generation, storage, distribution, periodic rotation, and revocation) in accordance with established key management procedures.

Furthermore, our products are built on highly secured technology. We leverage the additional layers of security, encryption, protection, and compliance provided by our technology partners.

5. Software and System Patching

Syndigo has patching processes and procedures that address:

  • The timely application of ongoing patches and the testing of patches before implementation in a production system.
  • Evaluation of patches and their applicability to the environment of Syndigo products.
  • Evaluation of the risk to operations to determine whether (i) immediate implementation is needed (i.e., patching or implementing a workaround) or (ii) implementation may be delayed or deemed unnecessary at the time.
  • Application of emergency or critical patches in response to any ongoing security threats to quickly mitigate issues in affected systems.
  • Implementation of compensating controls to address vulnerabilities when patching is not feasible or poses a high risk.

6. Disaster Recovery and Backups

Syndigo takes appropriate measures to counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. Syndigo has implemented and regularly updates a written disaster recovery and emergency mode operations plan for the purpose of restoring or recovering any loss of data and systems necessary to make data available in a timely manner.

Syndigo performs regular backups of customer data, which are primarily hosted on Azure’s data center infrastructure. Customer data is backed up and is retained redundantly across multiple availability zones. Backups are encrypted in transit with TLS 1.2+ and at rest using the Advanced Encryption Standard (AES-256).

7. Regularly Testing, Assessing & Evaluating the Effectiveness of Technical & Organizational Measures

Syndigo maintains the security of its systems and information by adopting vulnerability management (including patch management) policies and procedures to reduce risks resulting from the exploitation of technical vulnerabilities.

Syndigo performs periodic vulnerability scans in the production environment.

Syndigo’s information security team performs manual penetration testing when the environment changes significantly, or yearly, whichever comes first. In addition to the penetration tests performed internally by Syndigo’s information security team, annual external third-party penetration tests are performed by VeraSafe. Syndigo partners with a top-tier security provider to manage a bug bounty program.

8. User Identification and Authorization

Syndigo maintains appropriate access control procedures to ensure authorized user access and to prevent unauthorized access to, theft of, or loss of personal data from information systems, including networks, applications, and operating systems. Our policies establish the access control requirements for requesting and provisioning user access for accounts and services. The policies require that access be denied by default, following the least privilege principle, and be granted only upon business need.

Each customer is assigned a unique identity. Appropriate password hashing algorithms are in place to ensure that the authentication credential data stored is protected and is unique to a customer.

Access to the Azure Console which contains the information resources supporting the Syndigo platform is restricted to authorized personnel via multi-factor authentication (MFA).

9. Physical Security

10. Event Logging

Logging solutions are enabled on production Syndigo platform systems. The methods and alerting procedures change depending on specific risks associated with different systems. Access to audit logs is restricted to defined system administrators and the Information Security (IS) personnel. Access to the audit logs is monitored and users are given a unique account.

Syndigo also employs tools from vendors including, but not limited to, antivirus, web application firewalls (WAF), switching, and cloud providers as well as system logs to maintain and procure all necessary logs.

11. System and Default Configuration

Syndigo’s policy is to conduct a risk analysis when there is a need to connect to a third-party location. The risk analysis considers the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Syndigo systems.

Antivirus software is installed on all Syndigo personal computers and servers. Virus update patterns are updated automatically and transparently on Syndigo servers and workstations. Virus update engines and data files are monitored by appropriate administrative staff who are responsible for keeping all virus patterns up to date.

Syndigo monitors and reviews the configurations of its own and third-party systems for security flaws.

12. Internal IT Security Governance and Management

Syndigo has established an Information Security Team made up of key personnel whose responsibility is to identify areas of concern within Syndigo and act as the first line of defense in enhancing the appropriate security posture.

13. Separation of Environments

We have implemented segregated environments for development, testing, and production, as a means to support segregation of duties and prevent unauthorized changes to production. Syndigo maintains logical and physical separation between the Development, QA, and Production networks.

14. Data Subject Rights

Some of our services include self-service deletion features, and Syndigo will provide assistance to our customers to ensure they can process data subject rights requests from data subjects, including requests for data rectification and erasure.

15. Vendor Management

Syndigo follows a strict vendor management policy and procedure whenever it engages a vendor that will be processing customer data. Prior to leveraging the services of a vendor we ensure that our relationship with a vendor processing personal data on our behalf is governed by a written contract that includes data protection obligations offering the required level of protection for personal data. We also ensure that the vendors have sufficient technical and organizational measures to ensure data processing will meet the requirements of the GDPR, CCPA and other data protection laws and regulations.

As part of the due diligence process, we perform a security audit of our vendors, which includes periodic review of relevant information security certifications such as SOC 2 audit reports, ISO 27001 certifications, completion of security questionnaires and review of supporting documentation to ensure that the data is secured.

16. Training

To continually strengthen our data privacy and security posture, we invest heavily in ongoing security and privacy awareness training for all our staff.

Syndigo maintains training programs, including the Information Security Training Program, to promote awareness of information security requirements. The Information Security Training is completed by all personnel upon hire and on a monthly basis thereafter. Training completion is documented through the signing of the Employee Handbook and Information Security Policy. It also guides employees and contingent staff on the processes and channels available to report possible violations or to ask questions. It ensures that all employees and contractors are knowledgeable about information security risks and understand their responsibilities and obligations with respect to the processing of personal data.

Additionally, at least once a year, Syndigo employees and contingent staff with access to personal data must complete additional security and privacy training on security best practices and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Syndigo’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Training completion is documented in a third-party Learning Management System (LMS).