Conviva is a trusted source of measurement data for streaming multimedia and we strive to keep all data we access, store and process secure. We have divided our security measures into the following categories in order to best summarize the comprehensiveness of our security policies and practices: (1) Cloud Security & Third Parties, (2) Product Security, (3) Corporate Security, and (4) Privacy & Compliance.
Cloud Security & Third Parties
We carefully select our third-party vendors and sub-processors to ensure that we only work with parties who can securely handle the data we process. Specifically, as it relates to any personal data that we collect or that you as a customer provide to us for the purpose of providing you services (“Services”), we hold all our sub-processors to the same data management, security, and privacy practices and standards to which we hold ourselves. This means that we diligently review each party’s technical, administrative and physical security measures before contracting with them to ensure end-to-end consistency with respect to our customer data flows and processing. In addition, if any of our vendors or sub-processors transfer personal data outside the EU, we ensure that the necessary transfer mechanisms are in place to be GDPR compliant.
A key component to our handling of data revolves around hosting and data storage. We leverage Amazon Web Services (“AWS”), Google Cloud Platform and Equinix to host our Services. Our service statistics and metadata are processed and stored in the United States. Our customers can feel confident that our primary third-party vendors securely store our data and are SOC compliant. For example, AWS and Google Cloud Platform are SOC-1, SOC-2 and SOC-3 compliant1. Equinix is SOC-1 and SOC-2 compliant2.
When it comes to the processing of our Customers’ personal data, a list of our current sub-processors can be found at https://www.conviva.com/conviva-subprocessors/.
We maintain an information security program that extensively examines all aspects of Conviva’s platform and its connected devices and products. This section elaborates upon the measures we have developed for your secure access of our Services and how security is maintained from within the product.
We follow the secure software development lifecycle (“SDLC”) practices for the development of our Services. Our developers are trained in secure coding conventions and are kept apprised of the latest secure coding techniques. Code is regularly peer reviewed before being committed to the master code branch. We conduct application penetration testing against our Services on an annual basis using reputable third-party penetration testing service providers. We also perform vulnerability scanning and any needed remediation on a quarterly basis and during major software upgrades.
Network and Systems Security
We implement industry best practices in the design and configuration of our network, and we utilize industry leading network equipment to provide a secure and reliable network platform. Network access to Conviva’s SaaS Services are only made available using HTTPS to ensure data is transported securely.
The Conviva network is segmented to fully isolate production, staging, quality assurance, development and corporate networks. In addition, access to all Conviva network devices, firewalls and servers for administration require VPN access with multi-factor authentication.
Any new servers we deploy to production are hardened by disabling all unneeded and potentially insecure services, removing default passwords, and applying Conviva’s custom configuration settings to each server before production use. We also scan our network and systems for vulnerabilities, and perform any needed remediation, on a quarterly basis and during major software upgrades.
We monitor service availability for externally accessible Conviva platform services. In addition, Conviva employs a variety of open source and enterprise monitoring services and in-house developed monitoring solutions for monitoring Conviva’s end-to-end infrastructure and application services.
Logging and Alerting
Conviva’s Information Security team collects, processes and stores production logs in a centralized tamper-proof log management system. Logs are retained for at least twelve months. Log analysis is automated to the extent practical to detect security issues and anomalies and is configured to provide alerts for purposes of incident management.
Business Continuity and Disaster Recovery
Our third-party hosted servers use a combination of uninterruptible power supplies and generators to maintain power in the event of an outage.
We maintain distributed systems to avoid potential single points of failure. We maintain our equipment in accordance with industry standards and will remove any unreliable and/or outdated equipment. Single points of failure are avoided wherever possible in the Conviva architecture, and standby systems are maintained where needed to replace failed systems. Likewise, failed software components are debugged and replaced whenever failures occur.
Our compute platform is a distributed system with multiple copies of data in disparate regions. Thus, the system can tolerate multiple failures of nodes within a single region without losing data. Non-functioning nodes are assessed and replaced as needed to maintain system and data integrity. Should data be lost in a given region, it can be restored from other regions. This process is regularly tested and used as needed to maintain data integrity across the regions.
Disaster Recovery Plan
Our disaster recovery plan incorporates local failover of resources in our primary operating environment with geographic failover to other operating locations across multiple geographies in the world. Conviva retains a full backup copy of production data in a remote, distant location separate from the primary operating location where our Services are processed. Full backups are saved to this remote location and transactions are saved daily. We test our backups regularly to ensure they can be successfully restored.
Endpoint Security and Monitoring
Our user systems are configured to run a host of monitoring, configuration management and anti-virus tools that help detect suspicious code, unsafe configurations and user behavior. Our IT Team monitors workstation alerts and ensures these issues are resolved in a timely manner.
Customer data security and protection at Conviva involves data encryption, data access administrative controls, and data retention and destruction.
Data Encryption and Protection
Firewalls, routers and switches Access Control Lists are used to protect network ingress. Administrative access is performed over SSH using private keys, and/or SSL for web portals using passwords where required.
Encryption is used to transmit data from client devices to Conviva. Any sensitive client information stored in the database, including Conviva and external system passwords, is encrypted or hashed where possible.
Administrator accounts are granted only to those who need that level of access to manage that specific Customer’s account and revoked upon that employee’s departure or change of responsibilities.
Usernames, passwords, roles, and access-based permissions are used throughout Conviva’s systems to ensure only authorized individuals have access to the appropriate systems and data that is specific to that individual’s role. Private keys are used as required.
We maintain logs of access to all systems and data and we will assess any potential security breaches and notify customers appropriately. Post-mortems will be conducted to determine if any remediation is required post breach, and then such remediation will be carried out as expeditiously as possible.
System and application level logs are maintained for attempted, failed, and successful access to Conviva’s systems.
We maintain a set of information security policies, procedures and guidelines for all our Conviva employees and contractors to follow to ensure the security of Conviva’s Services, platform and data. These procedures, policies and guidelines are living documents that are regularly reviewed and updated as needed by Conviva’s Information Security and Legal teams to accommodate changes in technology and the law and new forms of intrusion. A key focus of our security policies also includes an Incident Response Plan to provide a well-defined, organized approach for handling any threat to computers and data, as well as taking appropriate action when the source of the intrusion or incident occurring at a third-party site is traced back to Conviva. This plan identifies and describes the roles and responsibilities of the Incident Response Team so that Conviva team members can act quickly upon learning of any threats.
Our Human Resources Department also conducts background checks which include criminal, education, and employment verification checks for all our employees and directly-hired contractors. Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, malware prevention, physical security, data privacy, account management, and incident reporting. Compliance training is administered annually to ensure that all staff remain up-to-date on the latest security protocols. Employees are also cross-trained to ensure that no employee is the single point of knowledge in the event of any system interruptions. Upon an employee’s or contractor’s termination with Conviva, that person’s access to Conviva’s systems is immediately disabled.
Privacy & Compliance
As a sub-processor, we understand the importance of protecting data while rendering Services. In terms of personal data or personally identifiable information, our customers may pass us or instruct us to collect and process IP addresses, Viewer ID numbers, device ID numbers, and geolocation information in order for us to provide our Services. We can hash or anonymize the personal information. For example, when it comes to IP addresses, we can hash it by anonymously converting it to an instance ID number which is randomly generated and cannot be related back to the IP address. Thereafter, we delete the IP address and any customer identifiable information processed from it will be further deleted per our Data Retention policy. With regards to our customer’s employees, we will collect website login credentials including name, email address and passwords to enable the customer personnel with access to Conviva’s Pulse system to view data metrics related to our Services.
Personal Data Retention Period
In the course of providing our Services, we collect and process certain data which may be considered personal data or personally identifiable information (“Personal Data”) under applicable data privacy laws. We retain such Personal Data for prescribed time periods as instructed by our customers and consistent with applicable data privacy laws.
Ability to Change or Delete Information and Exercise other Rights
Consistent with applicable data privacy laws, our customers may request access to, or that we amend, delete or stop collecting, the Personal Data of their employees and/or end users. These requests may be submitted by means of a support form found in the help drop-down menu of our customer web portal known as Pulse. We will respond to properly submitted requests within 30 days, unless we tell you that we need additional time to respond. We may require additional information to verify the requestor’s identity in order for us to respond to the request. In certain circumstances we may not be able to stop processing Personal Data, and, if that is the case, we will provide an explanation. In the event we are asked to delete and stop collecting Personal Data, certain capabilities of our Services may be impacted. Any questions or requests for assistance with the above should be directed to our customer support team at firstname.lastname@example.org.
If we hold an individual’s Personal Data and it was collected and/or processed in connection with our Services to a customer, then such individual will need to contact the customer directly to exercise his or her rights with respect to the Personal Data under applicable data privacy laws. In accordance with such laws, we will respond to such requests only at the direction of our customers.
If you have general questions about the security of Conviva’s Services or regarding anything discussed above, please contact us at:
989 East Hillsdale Boulevard, Suite 400
Foster City, CA 94404
If you are in the European Union, you may contact Conviva’s EU-based representative at:
2-7 Clerkenwell Green, London, EC1R 0DE, UK
United Kingdom Attention: General Manager
1Additional information on AWS’ security can be accessed at the following links:
Google Cloud Platform security: https://cloud.google.com/security/compliance/#/
2Additional information on Equinix’s security can be accessed at