Insider Security
More than 1000 top enterprise brands trust Insider with their data. As a 100% GDPR compliant company, data privacy and security lie at the core of our technology and our culture. We build in top-notch security features and run in-depth audits on an ongoing basis to ensure all data and interactions of our customers are fully secure. Building data security is a continuous process that shapes the foundation of our development processes and the outstanding performance of our industry-leading technologies.
Authentication Security
Password Management
Insider strictly enforces a set of password requirements to ensure security standards are met:
- Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
- Multiple login attempts with the wrong username or password will result in a security notification. A temporary password reset link will be sent to the user’s pre-registered email address if the user clicks the forgot-password link. If need be, your account is disabled manually.
- End-user account passwords stored on Insider servers are hashed with a random salt.
Two-factor authentication (2FA)
You can activate two-factor authentication (2FA) for your account to secure it further. Please contact your account manager to activate 2FA. Once you enable 2FA, no one will be able to access your account without verifying the action through SMS, Google Authenticator or the Authy app, even if they have your password.
Secure Credential Storage
Credentials are stored in encrypted form and are not in a human-readable format. They are one-way hashed.
API Security & Authentication
By default, Insider’s services are served over SSL. Highly sensitive services which require authentication are only served over HTTPS. As this is enforced, you will not be allowed to use HTTP for these types of services.
Session Management
Session Timeout
Sessions are set to expire after 30 minutes of inactivity; continuous sessions will time out after 1 day.
Sign Out
When sign out occurs, all session cookies from the client are deleted and the session identifier is invalidated.
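The idle timeout, absolute timeout and sign-out invalidation described in this section, as an added example written for this page (not Insider’s own implementation; the `SessionStore` class and its method names are assumptions, and the timeout values are the ones stated above):

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60           # 30 minutes of inactivity (value stated on this page)
ABSOLUTE_TIMEOUT = 24 * 60 * 60  # 1 day regardless of activity (value stated on this page)


@dataclass
class Session:
    user: str
    created_at: float  # wall-clock seconds when the session was issued
    last_seen: float   # wall-clock seconds of the most recent validated request


class SessionStore:
    """Server-side session store enforcing both idle and absolute expiry."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        # Session identifiers must be unguessable: 32 random bytes, URL-safe encoded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, created_at=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the session's user if it is still valid; otherwise drop it and return None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        absolute_expired = now - s.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            # Remove server-side so a replayed cookie cannot revive an expired session.
            del self._sessions[sid]
            return None
        s.last_seen = now  # sliding idle window; the absolute limit never slides
        return s.user

    def sign_out(self, sid: str) -> None:
        # Server-side invalidation is what makes a lingering or leaked cookie useless;
        # the client additionally clears its cookies (e.g. Set-Cookie with Max-Age=0).
        self._sessions.pop(sid, None)
```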
Additional Product Security Features
Access Privileges & Roles
Insider provides granular access rights which can be configured to set permission levels for different users such as manage users, collaborate, edit and read.
IP Restrictions
Insider can be configured to restrict IP addresses to prevent or limit access to specific users or agents.
IP restrictions are only available for Enterprise Support accounts. Please contact your account manager to enable this feature.
Network and Transmission Controls
SSL/TLS
Insider utilizes industry-standard communication encryption technologies to ensure all communications are secured. Therefore, all end-user communications with Insider are secured with encryption. Insider uses Transport Layer Security (TLS) for regular updates and configurations.
Network Security
Protection
Insider updates its network architecture continuously. Redundant firewalls, secure HTTPS transport over public networks and the latest router technologies are in place to ensure maximum protection. Insider runs in-depth audits on an ongoing basis internally and via 3rd party security consultancies.
Architecture
A DMZ is used to add an additional layer of security to the architecture of our local area network. With the DMZ, services are placed in different subnets (databases, cache layer or application servers) according to their sensitivity levels. Each zone has specific monitoring and access controls.
DDoS Mitigation
Insider partners with Distributed Denial of Service (DDoS) scrubbing providers to mitigate DDoS attacks. Insider works with 3rd party security consultancies to simulate DDoS attacks. We also use Cloudflare to prevent DDoS and other security attacks.
Access Logs
Insider has a comprehensive activity monitoring system that stores logs at all account levels for sign-in/sign-out of user accounts, creating users, setting user permissions and password changes, and creating, deleting, updating, starting and/or pausing scenarios/personalizations.
You can get in touch with your account manager to access your detailed Insider log history to view all content changes on your scenarios/personalizations.
Data Confidentiality and Job Controls
Internal Access to Data
Your visitor and account data stored on Insider’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, e.g. providing customer support. Where such access is needed, employees must use very strong passwords or two-factor authentication to access Insider’s servers.
Job Controls
On top of having strict rules and regulations for accessing data on our servers, Insider employees are required to sign confidentiality agreements before they are allowed to access our servers. Once a year, all of our engineers are required to participate in secure coding training covering the OWASP Top 10 security flaws, common attack cases and Insider’s security controls.
Security Awareness
Policies
Insider has a comprehensive set of security policies which are made available to employees and contractors.
Training
Upon onboarding, all Insider employees have to complete a Security Awareness Training. The training is repeated once a year. Engineers also receive a secure coding training once a year.
Besides the in-depth security tests run by the third-party consultancies we partner with, the engineers responsible for our security measures regularly test our code base. The team is trained to detect potential security vulnerabilities.
Employee Vetting
Background Checks
Under our zero-trust policy, your visitor and account data stored on Insider’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, e.g. providing customer support. All employee access to our servers is logged and audited. In case of abuse, Insider employees are subject to disciplinary action, including but not limited to termination. Since April 2012, Insider employees have been required to complete a background check prior to employment.
Confidentiality Agreements
All new employees go through security screening during our hiring process and they are required to sign confidentiality and non-disclosure agreements.
Security in Engineering
Product Security Overview
We run in-depth third-party security vulnerability assessments using end-to-end, unit and integration tests, and have deployment controls in place (e.g. blue-green deployment, change management, etc.).
Code Assessments
Our engineers conduct peer coding and code reviews to ensure the highest quality. Our automated code tests are designed to detect common vulnerabilities so they can be fixed. We conduct manual tests on sensitive areas of our code base and run security scans semiannually.
Availability Controls
Disaster Recovery and Failover
Insider was built with disaster recovery in mind. We use Amazon Web Services (AWS), a well-known cloud service provider. To mitigate service interruption risks in case of a disaster, we replicate sensitive data and keep it in multiple data centers. Our infrastructure and data are stored across 3 AWS availability zones. In case of a disaster or failure, services will not be interrupted.
We perform daily, weekly and monthly backups of data. For highly sensitive data we run hourly backups. Headquartered in Singapore, we have 16 offices around the world, providing localized services and support in case of a disaster to ensure business continuity.
Incident Response
Insider has an Incident Response team to quickly and systematically respond in case of a security incident. You can write to us at security@useinsider.com.
Segregation Controls
Data Segregation
Each customer account has a unique code snippet (JavaScript client) for Insider. This way your data is logically separated from that of other customers. If you have multiple domains, you can use the same JS to provide services by enabling the multi-domain feature. However, you cannot use the same JS on other domains if you do not activate the multi-domain feature and integrate all domains with Insider.
Every customer’s data is solely used for that customer and only accessed to provide support to that customer. We never share or sell customer data to 3rd parties. Our policy around data protection is clearly outlined in the Service Agreement and Data Protection Agreement (DPA).
User Roles
Insider provides user permission levels for specified roles to help you manage users easily. User roles include manage users, collaborate, edit and read. If you invite multiple people to work on the same scenario/personalization, Insider gives you the flexibility to grant a different level of permission to each user.
Physical Security
Insider services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-1) in Ireland.
Access to data centers is strictly limited to authorized personnel with verified biometric identity. AWS data centers are physically protected by security guards, video monitoring and other on-premise security measures.
All Insider servers are within our virtual private cloud (VPC). We have network access control lists (ACLs) in place to prevent unauthorized requests.
We keep testing and staging environments physically separate from the production environment. Service Data is not used in the development or test environments.
Additional Terms
If you have any questions regarding Insider’s security measures, please write to us at security@useinsider.com or contact your account manager. Our security measures are subject to change, as building data security is a continuous process that shapes the foundation of our development processes and outstanding performance of our industry-leading technologies. We may update this page from time to time to reflect changes. Therefore, please check this page often. The use of Insider services is subject to the terms, conditions, and disclaimers in our Terms of Service.