Insider Security

More than 1000 top enterprise brands trust Insider with their data. As a 100% GDPR compliant company, data privacy and security lie at the core of our technology and our culture. We build in top notch security features and run in-depth audits on an ongoing basis to ensure all data and interactions of our customers are fully secure. Building data security is a continuous process that shapes the foundation of our development processes and outstanding performance of our industry-leading technologies.

Authentication Security

Password Management

Insider strictly enforces a set of password requirements to ensure security standards are met:

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
  • Multiple login attempts with the wrong username or password will result in a security notification. A temporary password reset link will be sent to the user’s pre-registered email address if the user clicks the forgot password link. If necessary, your account is disabled manually.
  • End-user account passwords stored on Insider servers are hashed with a random salt.

Two-factor authentication (2FA)

You can activate 2-factor authentication (2FA) for your account to secure it further. Please contact your account manager to activate 2FA. Once you enable 2FA, no one will be able to access your account without verifying the action through SMS, Google Authenticator or the Authy app, even if they have your password.

Secure Credential Storage

Credentials are stored in encrypted form and are not in human-readable format. They are one-way-hashed.
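The two statements above (the password policy and salted one-way hashing of stored passwords) can be made concrete with the following added example. It is illustrative code written for this page, not Insider’s implementation, and it assumes that "symbols" means any printable non-alphanumeric character and that PBKDF2-HMAC-SHA256 is an acceptable one-way hash; the iteration count is a constructed value.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy values taken from the page: minimum length 8, mixed case, digits and symbols.
MIN_LENGTH = 8
# Assumption: a "symbol" is anything that is not a letter or digit.
SYMBOL_RE = re.compile(r"[^A-Za-z0-9]")
# Constructed work factor for PBKDF2; raise it on real hardware.
PBKDF2_ITERATIONS = 200_000


def password_policy_violations(password: str) -> List[str]:
    """Return the list of policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not SYMBOL_RE.search(password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash with a random per-user salt.

    A fresh 16-byte salt is drawn from os.urandom unless one is supplied
    (verification re-uses the stored salt). Only (salt, digest) is stored;
    the plaintext is never kept.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3"  # constructed sample password
    print("violations:", password_policy_violations(candidate))
    salt, digest = hash_password(candidate)
    print("stored salt:", salt.hex(), "digest:", digest.hex())
    print("verify correct:", verify_password(candidate, salt, digest))
    print("verify wrong:", verify_password("wrong", salt, digest))
```

Because the salt is random per user, two users choosing the same password end up with different stored digests, which is the property the "random salt" statement is meant to guarantee.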

API Security & Authentication

By default, Insider’s services are served over SSL. Highly sensitive services which require authentication are only served over HTTPS. Because this is enforced, you will not be allowed to use HTTP for these types of services.

Session Management

Session Timeout

Sessions expire after 30 minutes of inactivity; continuously active sessions time out after 1 day.

Sign Out

When sign out occurs, all session cookies from the client are deleted and the session identifier is invalidated.
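The session rules stated above (a 30-minute idle timeout, a 1-day absolute lifetime, and server-side invalidation plus cookie deletion on sign out) are shown together in this added example. It is illustrative code for this page, not Insider’s session layer; the store, the cookie name `sid` and the timestamps are constructed, and the clock is passed in explicitly so the behaviour can be checked without waiting.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60        # 30 minutes of inactivity (value from the page)
ABSOLUTE_TIMEOUT = 24 * 3600  # 1 day regardless of activity (value from the page)


@dataclass
class Session:
    user: str
    created_at: float   # for the absolute lifetime
    last_seen: float    # for the idle timeout


class SessionStore:
    """Constructed in-memory server-side session store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        # Unpredictable identifier: 32 random bytes, URL-safe encoded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str, now: float) -> Optional[str]:
        """Validate a session on each request; returns the user, or None if it is invalid or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            # Drop it server-side so a replayed cookie cannot revive the session.
            del self._sessions[sid]
            return None
        session.last_seen = now   # activity resets the idle clock only
        return session.user

    def sign_out(self, sid: str) -> bool:
        """Invalidate the identifier server-side; returns False if it was already invalid."""
        return self._sessions.pop(sid, None) is not None


def clear_cookie_header(name: str = "sid") -> str:
    """Set-Cookie value that deletes the session cookie on the client at sign out."""
    return f"{name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0   # constructed epoch timestamp
    sid = store.create("alice", t0)
    print("after 29 min:", store.touch(sid, t0 + 29 * 60))
    print("after 31 more min (idle):", store.touch(sid, t0 + 60 * 60))
    print("sign out unknown id:", store.sign_out(sid))
    print("Set-Cookie:", clear_cookie_header())
```

Deleting the cookie alone is not enough: the identifier must also be removed from the server-side store, otherwise a copy of the cookie taken before sign out would still be accepted.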

Additional Product Security Features

Access Privileges & Roles

Insider provides granular access rights which can be configured to set permission levels for different users such as manage users, collaborate, edit and read.

IP Restrictions

Insider can be configured to restrict IP addresses to prevent or limit access to specific users or agents.

IP restrictions are only available for Enterprise Support accounts. Please contact your account manager to enable this feature.

Network and Transmission Controls

SSL/TLS

Insider utilizes industry-standard communication encryption technologies to ensure all communications are secured. Therefore, all end-user communications with Insider are secured with encryption. Insider uses Transport Layer Security (TLS) for regular updates and configurations.

Network Security

Protection

Insider updates its network architecture continuously. Redundant firewalls, secure HTTPS transport over public networks and the latest router technologies are in place to ensure maximum protection. Insider runs in-depth audits on an ongoing basis internally and via 3rd party security consultancies.

Architecture

A DMZ is used to add an additional layer of security to the architecture of our local area network. Within the DMZ, services are placed in separate subnets (databases, cache layer or application servers) according to their sensitivity level. Each zone has specific monitoring and access controls.

DDoS Mitigation

Insider partners with Distributed Denial of Service (DDoS) scrubbing providers to mitigate DDoS attacks. Insider works with 3rd party security consultancies to simulate DDoS attacks. We also use Cloudflare to prevent DDoS and other security attacks.

Access Logs

Insider has a comprehensive activity monitoring system that stores logs at all account levels for sign-in/sign-out of user accounts, creating users, setting user permissions and password changes, and creating, deleting, updating, starting and/or pausing scenarios/personalizations.

You can get in touch with your account manager to access your detailed Insider log history to view all content changes on your scenarios/personalizations.

Data Confidentiality and Job Controls

Internal Access to Data

Your visitor and account data stored on Insider’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, e.g. providing customer support. Employees who do need such access must use very strong passwords or two-factor authentication to access Insider’s servers.

Job Controls

On top of having strict rules and regulations for accessing data on our servers, Insider employees are required to sign confidentiality agreements before they are allowed to access our servers. Once a year, all of our engineers are required to participate in secure code trainings covering OWASP top 10 security flaws, common attack cases and Insider’s security controls.

Security Awareness

Policies

Insider has a comprehensive set of security policies which are made available to employees and contractors.

Training

Upon onboarding, all Insider employees have to complete a Security Awareness Training. The training is repeated once a year. Engineers also receive a secure coding training once a year.

Besides in-depth security tests run by third-party consultancies we partner with, our engineers who are responsible for our security measures regularly test our code base. The team is trained to detect potential security vulnerabilities that may occur.

Employee Vetting

Background Checks

Under our zero-trust policy, your visitor and account data stored on Insider’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, e.g. providing customer support. All employee access to our servers is logged and audited. In case of abuse, Insider employees are subject to disciplinary action, including but not limited to termination. Since April 2012, Insider employees are required to complete a background check prior to employment.

Confidentiality Agreements

All new employees go through security screening during our hiring process and they are required to sign confidentiality and non-disclosure agreements.

Security in Engineering

Product Security Overview

We run in-depth 3rd party security vulnerability assessments using end-to-end, unit and integration tests and have deployment controls in place (e.g. blue-green deployment and change management).

Code Assessments

Our engineers conduct peer code reviews to ensure the highest quality. Our automated code tests are designed to detect and fix common vulnerabilities. We conduct manual tests on sensitive areas of our code base and run security scans semiannually.

Availability Controls

Disaster Recovery, Failover and DR

Insider was built with disaster recovery in mind. We use Amazon Web Services (AWS), a well-known cloud service provider. To mitigate service interruption risks in case of a disaster, we replicate sensitive data and keep it in multiple data centers. Our infrastructure and data are stored across 3 AWS availability zones. In case of a disaster or failure, services will not be interrupted.

We perform daily, weekly and monthly backups of data. For highly sensitive data we run hourly backups. Headquartered in Singapore, we have 16 offices around the world, providing localized services and support in case of a disaster to ensure business continuity.

Incident Response

Insider has an Incident Response team to quickly and systematically respond in case of a security incident. You can write to us at security@useinsider.com.

Segregation Controls

Data Segregation

Each customer account has a unique code snippet (JavaScript client) for Insider. This way your data is logically separated from other customers. If you have multiple domains, by enabling the multi-domain feature, you can use the same JS to provide services. However, you cannot use the same JS on other domains if you do not activate the multi-domain feature and integrate all domains with Insider.

Every customer’s data is solely used for that customer and only accessed to provide support to that customer. We never share or sell customer data to 3rd parties. Our policy around data protection is clearly outlined in the Service Agreement and Data Protection Agreement (DPA).

User Roles

Insider provides user permission levels for specified roles to help you manage users easily. User roles include manage users, collaborate, edit and read. If you invite multiple people to work on the same scenario/personalization, Insider gives you the flexibility to grant a different level of permission to each user.

Physical Security

Insider services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-1) in Ireland.

Access to data centers is strictly limited to authorized personnel with verified biometric identity. AWS data centers are physically protected by security guards, video monitoring and other on-premise security measures.

All Insider servers are within our virtual private cloud (VPC). We have network access control lists (ACLs) in place to prevent unauthorized requests.

We keep testing and staging environments physically separate from the production environment. Service Data is not used in the development or test environments.

Additional Terms

If you have any questions regarding Insider’s security measures, please write to us at security@useinsider.com or contact your account manager. Our security measures are subject to change, as building data security is a continuous process that shapes the foundation of our development processes and outstanding performance of our industry-leading technologies. We may update this page from time to time to reflect changes. Therefore, please check this page often. The use of Insider services is subject to the terms, conditions, and disclaimers in our Terms of Service.
