Overview of Syndigo’s Technical and Organizational Security Measures
Syndigo’s relationship with its customers is built on trust. We believe that our early investment and commitment to privacy and security have built the foundation for becoming the largest global SaaS-based content management solution for digital product information.
1. Certifications and Assessments
Our systems are built on a solid foundation of data security, privacy, and compliance to help all our customers meet their own compliance requirements, including data protection requirements. Syndigo has received a SOC 2 Type II attestation for its web-based Content Experience Hub (CXH) application and for its Riversand Product Information Management (PIM)/Master Data Management (MDM) Platform. Riversand has also received a SOC 2 Type I attestation and an ISO 27001 certification. These independent attestations confirm that both solutions maintain a high level of information security.
CXH has also been audited by VeraSafe, a globally recognized security and privacy consulting and auditing firm, against the guidelines of the NIST Cybersecurity Framework and the standards of the Privacy Shield Framework, and Syndigo holds a Privacy Shield certification. Syndigo engages multiple third parties to audit its systems and verify their compliance, through Security Operations Center (SOC) monitoring, SOC 2 Type II audits, and risk assessments.
Copies of the most recent SOC 2 Type II reports for Syndigo and Riversand, the ISO 27001 certificate for Riversand, and the final report of VeraSafe’s Privacy Program Assessment for the CXH application are available to Syndigo customers upon request at firstname.lastname@example.org (please copy your Customer Success or Sales contacts on the email). Note that a signed Non-Disclosure Agreement is required before this documentation is released.
2. Privacy by Design and By Default
Our products are designed to enable our customers to comply with the privacy by design and by default principles and derived obligations.
Syndigo’s products adhere to the data minimization principle: we limit the personal data used, requested, and processed to the minimum necessary. For example, CXH is designed to process only its users’ names, email addresses, job titles, and company information, as these are strictly necessary to enable login to the customer’s company platform. Users can also be added using only a first name or nickname, without a surname. The customer’s account admins are responsible for all content and users they add; Syndigo does not actively monitor user events.
Limited Data Retention
Syndigo’s policy is to keep personal data associated with a customer account in the system for only twenty-one calendar days after the customer account is cancelled. After that period, Syndigo deletes the data.
There is one exception. Syndigo retains the contact information of one customer contact per customer account in order to comply with regulatory, tax, and intellectual-property obligations. In that case, Syndigo keeps only the contact’s first name, last name, employer, email address, and phone number.
3. Incident Management
We maintain policies, procedures, and controls to prevent and detect the accidental, unauthorized, or unlawful destruction, alteration, damage, loss, or disclosure of, and access to, data, including personal data, and any compromise of its availability or integrity. Syndigo has implemented an incident management framework with defined processes, roles, responsibilities, communication channels, and procedures for detecting, escalating, and responding to incidents, both internally and towards customers.
4. Encryption and Key Management
Syndigo has implemented security measures to protect data, including personal data, in storage and in transit. Customer data is encrypted in transit between the customer’s software application and our services using Transport Layer Security (TLS) v1.2 or later. The databases storing customer data are encrypted at rest using the Advanced Encryption Standard (AES). Only approved cryptographic algorithms are used to protect information within our systems. Cryptographic keys are managed throughout their lifecycle (ownership, generation, storage, distribution, periodic rotation, and revocation) in accordance with established key management procedures.
Furthermore, our products are built on platform technology that is itself highly secured: we leverage the additional layers of security, encryption, protection, and compliance provided by our technology partners.
5. Software and System Patching
Syndigo has patching processes and procedures that address:
- timely application of ongoing patches, with testing of each patch before it is deployed to a production system;
- evaluation of patches and their applicability to the environments of Syndigo’s products;
- evaluation of the risk to operations to determine whether (i) immediate implementation is needed (by patching or applying a workaround) or (ii) implementation may be delayed or deemed unnecessary at the time; and
- application of emergency or critical patches in response to active security threats, to quickly mitigate issues in affected systems.
6. Disaster Recovery and Backups
Syndigo takes appropriate measures to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. Syndigo maintains and regularly updates a written disaster recovery and emergency mode operations plan for restoring or recovering lost data and the systems necessary to make data available in a timely manner.
Syndigo performs regular backups of customer data, which are hosted on Azure’s data center infrastructure. Backups are retained redundantly across multiple availability zones and are encrypted in transit with TLS 1.2 or later and at rest with AES-256.
7. Regularly Testing, Assessing and Evaluating the Effectiveness of Technical and Organizational Measures
Syndigo maintains the security of its systems and information by adopting vulnerability management (including patch management) policies and procedures to reduce risks resulting from the exploitation of technical vulnerabilities.
Syndigo performs periodic vulnerability scans in the production environment.
Syndigo’s information security team performs manual penetration testing when the environment changes significantly, or yearly, whichever comes first. In addition to the penetration tests performed internally by Syndigo’s information security team, annual external third-party penetration tests are performed by VeraSafe.
8. User Identification and Authorization
We maintain appropriate access control procedures to ensure authorized user access and to prevent unauthorized access to, or theft or loss of, personal data from information systems, including networks, applications, and operating systems. Our policies establish the access control requirements for requesting and provisioning user access to accounts and services. Access is denied by default, follows the least privilege principle, and is granted only on business need.
Each customer is assigned a unique identity. Appropriate password hashing algorithms are in place so that stored authentication credential data is protected and unique to each customer.
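As an added illustration of the per-credential hashing this section describes (this is not Syndigo’s own code; the page does not name the algorithm, so PBKDF2-HMAC-SHA256 with a random per-user salt and the `alg$iterations$salt$hash` record format are assumptions), the following Python shows why two tenants who choose the same password never share a stored value, how verification compares in constant time, and how a record that predates a raised work factor is flagged for rehash:

```python
"""Per-user salted password hashing with PBKDF2-HMAC-SHA256.

Added illustration, not Syndigo code: the page says stored credentials are
hashed and unique per customer but does not name the algorithm; PBKDF2, the
work factor and the record format below are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed or foreign records are rejected rather than raising, so a
    corrupted row cannot turn into an exception path an attacker can probe.
    """
    try:
        alg, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if alg != ALGORITHM or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record uses a weaker algorithm or work factor than policy."""
    try:
        alg, iters, _, _ = record.split("$")
        return alg != ALGORITHM or int(iters) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: admins of two tenants who pick the same password.
    users = {"alice@tenant-a.example": "CorrectHorse!42",
             "bob@tenant-b.example": "CorrectHorse!42"}
    store = {u: hash_password(p) for u, p in users.items()}
    assert store["alice@tenant-a.example"] != store["bob@tenant-b.example"]
    assert verify_password("CorrectHorse!42", store["alice@tenant-a.example"])
    assert not verify_password("correcthorse!42", store["alice@tenant-a.example"])
    for u, r in store.items():
        print(u, r[:48] + "...")
```

Because the salt, algorithm and iteration count travel with each record, the work factor can be raised later: on a successful login, `needs_rehash` tells the application to re-hash the freshly supplied password under the current policy.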
Access to the Azure Console which contains the information resources supporting the CXH Platform is restricted to authorized personnel via multi-factor authentication (MFA).
9. Physical Security
Syndigo relies on the Microsoft Azure shared responsibility model for physical and environmental security in the cloud. In general, security of the cloud (the data centers and physical access to the cloud provider’s facilities) is Azure’s responsibility, whereas security in the cloud (our software and applications) is Syndigo’s. Syndigo has also implemented policies requiring all Syndigo personnel to take an active part in physical security.
10. Event Logging
Logging is enabled on all CXH production systems. Logging methods and alerting procedures vary according to the specific risks associated with each system: a general baseline applies to all systems and is extended according to system usage. Access to audit logs is restricted to defined system administrators and Information Security (IS) personnel. Access to the audit logs is itself monitored, and every user has a unique account.
Syndigo also collects logs from vendor tooling, including but not limited to antivirus, web application firewalls (WAF), network switching, and cloud provider services, in addition to system logs, so that all necessary log data is obtained and retained.
11. System and Default Configuration
Syndigo’s policy is to conduct a risk analysis whenever a connection to a third-party location is needed. The risk analysis considers the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Syndigo systems.
Antivirus software is installed on all Syndigo personal computers and servers. Virus signature patterns are updated daily on Syndigo servers and workstations. Scan engines and signature files are monitored by the administrative staff responsible for keeping all virus patterns up to date.
Syndigo monitors and reviews the configurations of its own and third-party systems for security flaws.
12. Internal IT Security Governance and Management
Syndigo has established an Information Security Team made up of key personnel whose responsibility is to identify areas of concern within Syndigo and to act as the first line of defense in maintaining and enhancing the appropriate security posture.
13. Separation of Environments
We have implemented segregated environments for development, testing, and production to support segregation of duties and prevent unauthorized changes to production. Syndigo maintains logical and physical separation between the Development, QA, and Production networks.
14. Data Subject Rights
Some of our services include self-service deletion features, and Syndigo will assist our customers in fulfilling their obligations to data subjects, including requests for data portability and erasure.
15. Vendor Management
Syndigo follows a strict vendor management policy and procedure whenever it engages a vendor that will process customer data. Before using a vendor’s services, we ensure that our relationship with any vendor processing personal data on our behalf is governed by a written contract containing data protection obligations that provide the required level of protection for personal data. We also ensure that the vendor has sufficient technical and organizational measures in place for its data processing to meet the requirements of the GDPR, the CCPA, and other data protection laws and regulations.
As part of the due diligence process, we perform a security audit of our vendors, which includes periodic review of relevant information security certifications such as SOC 2 audit reports and ISO 27001 certifications, completion of security questionnaires, and review of supporting documentation to ensure that the data is secured.
16. Security and Privacy Awareness Training
To continually strengthen our data privacy and security posture, we invest heavily in ongoing security and privacy awareness training for all our staff.
Syndigo maintains training programs, including the Information Security Training Program, to promote awareness of information security requirements. Information Security Training is completed by all personnel upon hire and monthly thereafter. Completion is documented by signing the Employee Handbook and the Information Security Policy. The training also guides employees and contingent staff on the processes and channels available to report possible violations or to ask questions, and ensures that all employees and contractors understand information security risks and their responsibilities and obligations with respect to the processing of personal data.
Additionally, at least once a year, Syndigo employees and contingent staff with access to personal data must complete additional training on security best practices and privacy principles. Employees on a leave of absence may be given additional time to complete this annual training. Syndigo’s dedicated security team also runs phishing awareness campaigns and communicates emerging threats to employees. Completion of this training is documented in a third-party Learning Management System (LMS).