Overview of Syndigo’s Technical and Organizational Security Measures

Syndigo’s relationship with its customers is built on trust. We believe that our early investment and commitment to privacy and security has built the foundation of becoming the largest global SaaS-based content management solution of digital product information.

1. Certifications and Assessments

Our systems are built on a solid foundation of data security, privacy, and compliance to help all our customers meet their compliance requirements, including data protection requirements.

Syndigo has received a third-party SOC 2 Type II attestation for its web-based Content Experience Hub (CXH) application, which demonstrates that the application maintains a high level of information security. CXH has also been audited by the globally recognized security and privacy consulting and auditing firm VeraSafe against the guidelines of the NIST Cybersecurity Framework and the standards of the Privacy Shield Framework. Syndigo has also engaged Critical Insight, Mueller CPA, and Halock to audit and ensure compliance of its systems via SOC monitoring, SOC 2 Type II audits, and risk assessments respectively.

Copies of Syndigo’s most recent SOC 2 report for the CXH Platform and the final report of VeraSafe’s Privacy Program Assessment for the CXH application are available to Syndigo’s customers upon request at privacy@syndigo.com and execution of a Non-Disclosure Agreement.

2. Privacy by Design and By Default

Our products are designed to enable our customers to comply with the privacy by design and by default principles and the obligations derived from them.

Data Minimization

Syndigo’s products adhere to the data minimization principle. We strive to limit the scope of personal data used, requested, and processed to the minimum. For example, CXH is designed to process only its users’ names, email addresses, job titles, and company information, as these are strictly necessary to enable login to the customer’s company platform. Users can also be added using only their names or nicknames, without surnames. The customers’ account admins are responsible for all the content and users added, and Syndigo does not actively monitor user events.

Limited Data Retention

Syndigo’s policy is to keep personal data associated with a client account in the system for only twenty-one calendar days from the cancellation of the client account. After that period, Syndigo deletes such data.

There is only one situation in which we retain personal data of our customers. Syndigo retains the contact information of one client contact per client account to assure compliance with regulatory, tax, and Intellectual Property-related obligations. In these cases, Syndigo keeps only the contact’s first name, last name, the company the contact works at, email address, and phone number.

3. Incident Management

We maintain adequate policies, procedures, and controls to prevent and detect the accidental, unauthorized, or unlawful destruction, alteration, damage, loss, disclosure of, or access to data, or compromise of the availability or integrity of data, including personal data. Syndigo has implemented an incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for the detection, escalation, and response to incidents, both internally and towards customers.

4. Encryption

Syndigo has implemented security measures to protect data, including personal data, during storage and in transit. Customer data is encrypted in transit between our customers’ software applications and our services using a minimum of Transport Layer Security (TLS) v1.2. The databases storing customer data are encrypted at rest using the Advanced Encryption Standard (AES). Cryptographic controls and approved algorithms are used for information protection within our systems. Cryptographic keys are managed throughout their lifecycle (e.g., ownership, generation, storage, distribution, periodic rotation, and revocation) in accordance with established key management procedures.

Furthermore, our products are built on highly secure technology. We leverage the additional layers of security, encryption, protection, and compliance provided by our technology partners.

5. Software and System Patching

Syndigo has a patching process and procedures that address:

  1. the timely application of ongoing patching and the testing of patches before implementing them on a production system;
  2. evaluation of the patches and their applicability to the environment of the Syndigo products;
  3. evaluation of the risk to operations to determine whether (i) immediate implementation is needed (i.e., patching or implementing a workaround) or (ii) implementation may be delayed or deemed unnecessary at the time; and
  4. application of emergency or critical patches in response to any ongoing security threats to quickly mitigate issues in affected systems.

6. Disaster Recovery and Backups

Syndigo takes appropriate measures to counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. Syndigo has implemented and regularly updates a written disaster recovery and emergency mode operations plan for the purpose of restoring or recovering any loss of data and systems necessary to make data available in a timely manner.

Syndigo performs regular backups of customer data, which are hosted on Azure’s data center infrastructure. Backed-up customer data is retained redundantly across multiple availability zones. Backups are encrypted in transit and at rest using the Advanced Encryption Standard (AES-256).

7. Regularly Testing, Assessing and Evaluating the Effectiveness of Technical and Organizational Measures

Syndigo maintains the security of its systems and information by adopting vulnerability management (including patch management) policies and procedures to reduce risks resulting from exploitation of technical vulnerabilities.

Syndigo performs monthly vulnerability scans in the production environment.

Syndigo’s information security team performs manual penetration testing when the environment changes significantly, or yearly, whichever comes first. In addition to the penetration tests performed internally by Syndigo’s information security team, annual third-party penetration tests are performed by VeraSafe.

8. User Identification and Authorization

We maintain appropriate access control procedures to ensure authorized user access and to prevent unauthorized access to, or theft or loss of, personal data from information systems, including networks, applications, and operating systems. Our policies establish the access control requirements for requesting and provisioning user access to accounts and services. The policies require that access be denied by default, following the least privilege principle, and be granted only upon business need.

Each customer is assigned a unique identity. Appropriate password hashing algorithms are in place to ensure that the authentication credential data stored is protected and is unique to a customer.

Access to the Azure Console, which contains the information resources supporting the CXH Platform, is restricted to authorized personnel via multi-factor authentication (MFA).

9. Physical Security

Syndigo relies on the Microsoft Azure Shared Responsibility Model for physical and environmental security in the cloud. Generally speaking, security of the cloud (datacenters and access to the cloud provider) is Azure’s responsibility, whereas security in the cloud (our software and applications) is Syndigo’s responsibility. Syndigo has implemented policies requiring all Syndigo personnel to take positive action to provide physical security.

10. Event Logging

Logging solutions are enabled on all CXH production systems. The methods and alerting procedures vary depending on the specific risks associated with different systems. A general baseline is applied to all systems and built upon depending on system usage. Access to audit logs is restricted to defined system administrators and the IS personnel. Access to the audit logs is monitored, and each user is given a unique account.

Syndigo also employs tools from vendors, including but not limited to antivirus, web application firewall (WAF), switching, and cloud providers, as well as system logs, to collect and maintain all necessary logs.

11. System and Default Configuration

Syndigo’s policy is to conduct a risk analysis when there is a need to connect to a third-party location. The risk analysis considers the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Syndigo systems.

Antivirus software is installed on all Syndigo personal computers and servers. Virus patterns are updated daily on Syndigo servers and workstations. Antivirus engines and data files are monitored by appropriate administrative staff, who are responsible for keeping all virus patterns up to date.

Syndigo monitors and reviews the configurations of its own and third-party systems for security flaws.

12. Internal IT Security Governance and Management

Syndigo has established an Information Security Team made up of key personnel whose responsibility is to identify areas of concern within Syndigo and act as the first line of defense in enhancing the appropriate security posture.

13. Separation of Environments

We have implemented segregated environments for development, testing, and production, as a means to support segregation of duties and prevent unauthorized changes to production. Syndigo maintains logical and physical separation between the Development, QA, UAT, and Production networks.

14. Data Subject Rights

Some of our services include self-service deletion features, and Syndigo will provide assistance to our customers to ensure they can meet their data subject rights obligations, including requests for data portability and erasure.

15. Vendor Management

Syndigo follows a strict vendor management policy and procedure whenever it engages a vendor that will be processing customer data. Prior to leveraging the services of a vendor, we ensure that our relationship with a vendor processing personal data on our behalf is governed by a written contract that includes data protection obligations offering the required level of protection for personal data. We also ensure that the vendors have sufficient technical and organizational measures in place so that data processing will meet the requirements of the GDPR, CCPA, and other data protection laws and regulations.

As part of the due diligence process, we perform a security audit of our vendors, which includes periodic review of relevant information security certifications such as SOC 2 audit reports, ISO 27001 certifications, completion of security questionnaires and review of supporting documentation to ensure that the data is secured.

16. Training

To continually strengthen our data privacy and security posture, we invest heavily in ongoing security and privacy awareness training for all our staff.

Syndigo maintains training programs, including the Information Security Training Program, to promote awareness of information security requirements. The Information Security Training is completed by all personnel upon hire and continuously thereafter. Training completion is documented through signing of the Employee Handbook and Information Security Policy. It also guides employees and contingent staff on the processes and channels available to report possible violations or to ask questions. It ensures that all employees and contractors are knowledgeable about information security risks and understand their responsibilities and obligations with respect to the processing of personal data.

Additionally, at least once a year, Syndigo employees and contingent staff with access to personal data must complete additional training covering security and privacy, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Syndigo’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Training completion is documented in a third-party LMS.