
FAQ on Security & GDPR Policy

This article answers the Security & GDPR related questions we receive from customers and prospects.

List of all questions:

Question 1: Provide a brief overview of how CustomerSuccessBox interacts with third-party systems. Describe how your platform accesses data from our systems and how data is stored and/or used by the service.

Question 2: Do you have a privacy policy? If so, please provide a copy. If not, please describe your organization's policies and procedures with respect to protecting customer data in the collection, use, retention, disclosure and disposal of data.

Question 3: Are you compliant with any privacy frameworks (Safe Harbor, Privacy Shield, GDPR, etc.)? If so, please provide a copy of or link to your certification, participation status, etc.

Question 4: Is there a person or group in your company whose primary responsibility is information security? If so, please provide the name and title of an individual to serve as a point of contact for security-related questions.

Question 5: Do you have a SOC 2 report, ISO 27001 certification, or other compliance documents? If so, please provide a copy

Question 6: Do you use any third parties in providing this service? If so, please list them here and describe how each service interacts with customer data.

Question 7: What procedures does your organization have in place to determine whether a third party should have access to your customers' data?

Question 8: Please describe the physical location(s) of customer data processed and stored by your system.

Question 9: If your organization owns the data center facility housing your infrastructure, please describe your physical security controls.

Question 10: How does your platform connect to our systems (e.g., via service account, customer user connects platform via OAuth)? Please describe how authentication credentials or tokens are protected within the boundaries of your system (if encryption is used, please describe in detail)

Question 11: Is data that is collected by your platform encrypted at rest? In transit? Please describe the encryption algorithm/protocol used for each.

Question 12: What controls are in place to protect your production network?

Question 13: Please describe data access points (e.g., access to database tables, administrative permissions within the application, etc.) and how access to interfaces for these data access points is restricted.

Question 14: How is access to production infrastructure (databases, server operating systems, network devices, etc.) managed?

Question 15: Is there a process for your users to request and provision access to production infrastructure? Is there a process for your users to request and provision privileged access within the platform?

Question 16: Are access privileges reviewed on a periodic basis?

Question 17: What steps has your organization taken to prevent the introduction of malicious software to employee workstations and production servers?

Question 18: How often are employees required to complete security awareness training? Please describe the nature of the training.

Question 19: Please provide a brief overview of your security incident response process, including procedures for capturing, documenting, and remediating incidents, as well as communication strategies for breaches of customer data.

Question 20: Has your organization experienced a breach within the last year?

Question 21: Please describe your SDLC controls. Are duties between developers and server admins segregated? If a DevOps model is employed, how does your organization maintain accountability with respect to the change management process?

Question 22: Do platform changes require explicit approval? From whom? How is approval documented?

Question 23: Are platform changes tested prior to release? How is testing documented?


Question 1: Provide a brief overview of how CustomerSuccessBox interacts with third-party systems. Describe how your platform accesses data from our systems and how data is stored and/or used by the service.


Answer: Refer to the section "What are the different ways to get data into CustomerSuccessBox" in the support article "Sending and Managing data in CustomerSuccessBox".


To learn how our platform accesses and stores data, refer to clause 10, Systems Development and Maintenance, in our Information Security Policy document.


Our designated Information Security Manager can provide any specific internal security policy document on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 2: Do you have a privacy policy? If so, please provide a copy. If not, please describe your organization's policies and procedures with respect to protecting customer data in the collection, use, retention, disclosure and disposal of data.


Answer: Yes, you can access it through the Privacy Policy page on our website.

Question 3: Are you compliant with any privacy frameworks (Safe Harbor, Privacy Shield, GDPR, etc.)? If so, please provide a copy of or link to your certification, participation status, etc.


Answer: Yes, we are GDPR compliant. Our Data Processor Agreement and GDPR documentation are available for your review.

Question 4: Is there a person or group in your company whose primary responsibility is information security? If so, please provide the name and title of an individual to serve as a point of contact for security-related questions.

Answer: We have an Information Security Forum headed by our CEO and Founder and consisting of the Information Security Manager, the Product Head and the Chief Technology Officer.

Our designated Information Security Manager is Mr Sumit Malik, who can be contacted at sumit@customersuccessbox.com for any security-related queries or reports.


To learn more, you can request our Information Security Organization structure on a need-to-know basis against a Non-disclosure Agreement.

Question 5: Do you have a SOC 2 report, ISO 27001 certification, or other compliance documents? If so, please provide a copy

Answer: We hold an ISO 27001:2013 certification, recommended by the British Standards Institution (BSI).

Question 6: Do you use any third parties in providing this service? If so, please list them here and describe how each service interacts with customer data.

Answer: Our infrastructure is hosted on Amazon Web Services (AWS). Other than AWS as our hosting provider, we have no sub-processors and we do not outsource data processing to any third party.

Question 7: What procedures does your organization have in place to determine whether a third party should have access to your customers' data?

Answer: We have an internal Third-Party Policy that defines how we determine whether a third party may be granted access to our customers' data.


Our designated Information Security Manager can provide any specific internal security policy document on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 8: Please describe the physical location(s) of customer data processed and stored by your system.

Answer: We host on Amazon Web Services (AWS) in the US West (N. California) region (us-west-1), i.e. AWS data centres in Northern California.

Question 9: If your organization owns the data center facility housing your infrastructure, please describe your physical security controls.

Answer: We are 100% cloud-hosted on Amazon Web Services (AWS) and do not own or operate any data centre facility. Physical security of the facilities is provided by AWS; see AWS's published documentation on its data center controls.

Question 10: How does your platform connect to our systems (e.g., via service account, customer user connects platform via OAuth)? Please describe how authentication credentials or tokens are protected within the boundaries of your system (if encryption is used, please describe in detail)

Answer: We prefer OAuth wherever the third-party application provides that mechanism.

Other connection mechanisms are API keys and tokens, whose scope is controlled by the customer. Authentication credentials and tokens are taken only as customer input through the CustomerSuccessBox interface and are never exposed back to any user. Any such token or key is stored encrypted using the AES-256 cryptographic algorithm.
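As an added illustration of the storage pattern described in this answer (example code written for this article, not CustomerSuccessBox's own implementation), the Go program below seals a customer-supplied integration token with AES-256 before it is stored and returns only a masked hint for display, so the plaintext is never handed back to a user. GCM mode, the binding of the customer and integration identifiers as associated data, the in-memory master key, and the sample token are all assumptions of the example; the page states only that AES-256 is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Example code added for this article; not CustomerSuccessBox's implementation.
// The master key is generated in memory here (assumption); in a real deployment
// it would be held in a KMS or secrets manager and never stored beside the data.

// TokenVault wraps an AES-256-GCM AEAD built from a 32-byte master key.
type TokenVault struct {
	aead cipher.AEAD
}

// StoredToken is what lands in the database: nonce, ciphertext (with GCM tag),
// and a masked hint that is safe to show in the UI.
type StoredToken struct {
	Nonce      []byte
	Ciphertext []byte
	Hint       string
}

func NewTokenVault(masterKey []byte) (*TokenVault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Store encrypts a token entered by the customer. The customer and integration
// identifiers are bound as associated data so a stored record cannot be replayed
// under a different customer or integration.
func (v *TokenVault) Store(customerID, integration, token string) (StoredToken, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredToken{}, err
	}
	aad := []byte(customerID + "|" + integration)
	ct := v.aead.Seal(nil, nonce, []byte(token), aad)
	return StoredToken{Nonce: nonce, Ciphertext: ct, Hint: mask(token)}, nil
}

// Open is only ever called server-side, when the platform needs the token to
// call the third-party API. It is never exposed through the user interface.
func (v *TokenVault) Open(customerID, integration string, st StoredToken) (string, error) {
	aad := []byte(customerID + "|" + integration)
	pt, err := v.aead.Open(nil, st.Nonce, st.Ciphertext, aad)
	if err != nil {
		return "", errors.New("token record failed authentication")
	}
	return string(pt), nil
}

// mask keeps the first and last four characters so a user can recognise which
// key they entered without the key itself being disclosed.
func mask(token string) string {
	if len(token) <= 8 {
		return strings.Repeat("*", len(token))
	}
	return token[:4] + strings.Repeat("*", len(token)-8) + token[len(token)-4:]
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample token; not a real credential.
	st, err := v.Store("cust-123", "salesforce", "sk_live_EXAMPLE_0123456789abcdef")
	if err != nil {
		panic(err)
	}
	fmt.Println("value shown in UI:", st.Hint)
	if _, err := v.Open("cust-999", "salesforce", st); err != nil {
		fmt.Println("open under another customer:", err)
	}
	pt, _ := v.Open("cust-123", "salesforce", st)
	fmt.Println("server-side decrypt succeeds:", pt == "sk_live_EXAMPLE_0123456789abcdef")
}
```

The masked hint is the only token-derived value a UI should ever receive; everything else stays behind the server boundary, and the associated-data check makes a record copied between customers fail to decrypt rather than silently succeed.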

Question 11: Is data that is collected by your platform encrypted at rest? In transit? Please describe the encryption algorithm/protocol used for each.

Answer: We encrypt data at rest using the AES-256 cryptographic algorithm.

Data in transit is protected with HTTPS over TLS 1.2.

Question 12: What controls are in place to protect your production network?

Answer: We have a Network Security Policy in place. In a nutshell, a Web Application Firewall (WAF) sits in front of the private network that hosts our production systems.

The Network Diagram and Network Security Policy can be shared on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 13: Please describe data access points (e.g., access to database tables, administrative permissions within the application, etc.) and how access to interfaces for these data access points is restricted.

Answer: The data access points available to our customers are the HTTP Server API and the CustomerSuccessBox web interface. The interface is password-protected, and a customer's team access and privileges are self-managed through Team Management and Profiles. The HTTP Server API requires a Secret Key for authorization, which is available only to the customer's Administrators.

We have an internal Access Control Policy, which we can provide on a need-to-know basis once you have signed a Non-disclosure Agreement with us.
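As an added example of how a Secret Key check of the kind described above can be enforced at the API boundary (example code written for this article, not CustomerSuccessBox's own implementation), the Go program below wraps an API handler in middleware that rejects any request whose key does not match the account's stored digest. The header names X-CSB-Account and X-CSB-Secret-Key, the choice to store a SHA-256 digest of the key rather than the key itself, and the sample account are assumptions of the example; the page states only that the API requires a Secret Key.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Example code added for this article; not CustomerSuccessBox's implementation.
// Header names and the sample key are assumptions for illustration.

// keyStore maps an account to the SHA-256 digest of its Secret Key. Keeping a
// digest rather than the key means a read of this table alone yields nothing
// a caller could present. (constructed sample data)
var keyStore = map[string][32]byte{
	"acct-42": sha256.Sum256([]byte("secret-key-for-acct-42")),
}

// authorize reports whether the presented key matches the account's digest.
// The comparison is constant-time so response timing does not reveal how many
// bytes were correct, and unknown accounts still run a full comparison.
func authorize(accountID, presented string) bool {
	want, known := keyStore[accountID]
	got := sha256.Sum256([]byte(presented))
	match := subtle.ConstantTimeCompare(want[:], got[:]) == 1
	return known && match
}

// requireSecretKey rejects requests without a valid Secret Key before they reach
// the API handler, so unauthenticated callers never touch customer data.
func requireSecretKey(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorize(r.Header.Get("X-CSB-Account"), r.Header.Get("X-CSB-Secret-Key")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAPI builds a minimal API with one protected endpoint.
func newAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/accounts", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	return requireSecretKey(mux)
}

// call sends an in-memory request to the API and returns the HTTP status code.
func call(api http.Handler, account, key string) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/accounts", nil)
	req.Header.Set("X-CSB-Account", account)
	req.Header.Set("X-CSB-Secret-Key", key)
	rec := httptest.NewRecorder()
	api.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := newAPI()
	fmt.Println("valid key:      ", call(api, "acct-42", "secret-key-for-acct-42"))
	fmt.Println("wrong key:      ", call(api, "acct-42", "secret-key-for-acct-43"))
	fmt.Println("unknown account:", call(api, "acct-99", "secret-key-for-acct-42"))
	fmt.Println("missing headers:", call(api, "", ""))
}
```

Two details matter for a Secret Key scheme: the key should be compared in constant time rather than with `==`, and the server should hold a digest of the key so that a database read does not directly yield a usable credential.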

Question 14: How is access to production infrastructure (databases, server operating systems, network devices, etc.) managed?

Answer: Production access is held by the Chief Technology Officer and the Infrastructure Head. Access for any developer is authorized by the CEO/CTO on a need-to-access basis, with pre-defined privileges and an access expiry. All access is logged, and the logs are proactively monitored.

We have an internal Access Control Policy, which we can provide on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 15: Is there a process for your users to request and provision access to production infrastructure? Is there a process for your users to request and provision privileged access within the platform?

Answer: Yes. Production access is held by the Chief Technology Officer and the Infrastructure Head. A developer requesting access must be authorized by the CEO/CTO on a need-to-access basis, with pre-defined privileges and an access expiry. All access is logged, and the logs are proactively monitored.

We have an internal Access Control Policy, which we can provide on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 16: Are access privileges reviewed on a periodic basis?

Answer: Yes, bi-annually, by the CTO.

Question 17: What steps has your organization taken to prevent the introduction of malicious software to employee workstations and production servers?

Answer: Our controls against malware are laid down in our internal Acceptable Usage Policy, which we can provide on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

In a nutshell, the policy requires anti-malware and anti-virus software to be installed on all workstations with automatic scanning and updates enabled. In addition, we engage a third party to perform an annual VAPT (vulnerability assessment and penetration test) and malware testing against our environment.

Question 18: How often are employees required to complete security awareness training? Please describe the nature of the training.

Answer: We train all new employees on security as part of their onboarding.

We promote security self-awareness and maintain a list of recommended readings that is available to all employees. We conduct ad-hoc security quizzes to identify and resolve any gaps in security awareness.

Mandatory security awareness training is conducted annually for all employees.

Question 19: Please provide a brief overview of your security incident response process, including procedures for capturing, documenting, and remediating incidents, as well as communication strategies for breaches of customer data.

Answer: We have an internal Incident Management Policy and Procedure that sets the guidelines.

Our focus is to:

  1. Restore normal operations as early as possible

  2. Ensure minimal adverse impact on customers and users

  3. Ensure the best levels of service quality and availability

  4. Minimize loss of information

  5. Report each incident adequately, categorize and prioritize it, perform root cause analysis, and implement adequate controls to reduce recurrence

  6. Communicate proactively with our customers on a need-to-know basis

We can provide the internal Incident Management policy and procedure documents on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 20: Has your organization experienced a breach within the last year?

Answer: No.

Question 21: Please describe your SDLC controls. Are duties between developers and server admins segregated? If a DevOps model is employed, how does your organization maintain accountability with respect to the change management process?

Answer: Duties between Developers, System Admins and Infrastructure Admins are segregated.

Every change is logged and must pass the required approvals, with multiple checks and balances. A push to the production environment can only be performed by the Chief Technology Officer.

We can provide the internal SDLC policy and procedure documentation on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 22: Do platform changes require explicit approval? From whom? How is approval documented?

Answer: Yes. Every change is logged and must pass the required approvals, with multiple checks and balances.

A push to the production environment can only be performed by the Chief Technology Officer.

We can provide the internal SDLC policy and procedure documentation on a need-to-know basis once you have signed a Non-disclosure Agreement with us.

Question 23: Are platform changes tested prior to release? How is testing documented?

Answer: Yes. Our QA process is covered in our SDLC policy document.

We have dedicated QA who work closely with Product to define test cases at the outset.

Once development is finished, QA runs functional, integration and acceptance testing against the identified test cases. No production release can be prepared or pushed without explicit QA approval.


If you have any questions, please write to support@customersuccessbox.com

Author: Anu Dudhat