Security FAQ

Updated June 2024

What Is Convertr?

Convertr is an API-first data routing and optimization platform. We capture marketing lead data from multiple sources (landing page forms, imports, API requests and webhooks) and verify, validate and enrich it before routing it into the client's marketing system, usually a CRM.

Convertr is a SaaS platform licensed directly to our clients. It provides the tooling to improve data security by automating manual processes and reducing the risk of data being mishandled.

How is data stored and secured in the Convertr platform?

The security of our clients' data is our number one priority. Convertr is fully hosted on AWS (Amazon Web Services), which lets us build on AWS's physical and virtual security controls; AWS publishes details of these in its own security documentation.

All data in transit is encrypted with TLS 1.2.



Location

Our default data storage location is Ireland, but data can be hosted in any AWS region if required (additional costs may apply). The cluster is confined to the chosen region and no data leaves that region without the client's explicit consent.

Encryption

All personal data at rest in the database is encrypted with AES-256 using keys that are rotated. In addition, each client has its own private database with its own application credentials. Disk encryption is also enabled for all the AWS services we use.

How is your internal network secured?

As above, Convertr runs on AWS. VPCs and security groups enforce strict firewall rules, and those rule sets are closely audited. AWS WAF provides the application-layer firewall in front of the platform.

What other protection methods does Convertr have in place?

  • Convertr commissions an independent third-party penetration test annually
  • Internal vulnerability tests are performed as part of each release, and third-party dependencies are continuously scanned for known vulnerabilities using GitHub Dependabot
  • The Convertr platform is built in line with the Secure by Design, Privacy by Design, Zero Trust and Least Privilege principles
  • All server access uses key-based authentication, is restricted to senior Convertr staff, and is audited
  • Convertr uses Amazon GuardDuty (an intelligent threat detection service) to monitor its infrastructure
  • Access to any infrastructure service requires multi-factor authentication
  • Every release of the Convertr platform follows the Convertr Secure Development Lifecycle, with rigorous manual and automated testing including:
    • Static Application Security Testing (SAST)
    • Software Composition Analysis (SCA)
  • All Convertr staff receive data protection and security training every year
  • All uploads to the platform are scanned for malware

Can you provide an audit trail?

Yes, including user access logs. Convertr keeps a thorough audit trail of activity in the application at both system and campaign level. Actions on AWS services are logged and monitored using a combination of CloudWatch and GuardDuty.

Does Convertr have any certifications?

Convertr is ISO-27001 certified with our internal control framework aligned to the Cloud Security Alliance Cloud Control Matrix.

What is the Convertr platform uptime?

The Convertr platform is always on and we aim for 100% uptime. Incidents, maintenance windows and scheduled downtime are published on our Status Page.

What assurance documentation can you provide?

We can provide a number of different documents (subject to Non Disclosure Agreement) including but not limited to:

  • ISO-27001 audit report
  • Penetration testing report
  • Internal Policy documents
  • Vulnerability scanning report

Does Convertr have a business continuity plan?

Convertr maintains a business continuity plan as part of its ISO-27001 certification. In summary, the following processes are in place:



Backups

Convertr takes twice-daily database backups (8am and 8pm GMT). Backups are retained for a period agreed with the client, typically 30 days, and are stored encrypted in a private Amazon S3 bucket.

Disk Storage

All Convertr data is stored in AWS on EBS volumes. All client-critical data is snapshotted twice daily, and snapshots are retained for 30 days.
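The backup and snapshot policy above (two runs a day, 30-day retention, encrypted objects in a private bucket) is the kind of claim a client can verify from the storage inventory rather than take on trust. The following is an added example, not Convertr's own code: it evaluates a constructed object listing, modelled on what S3 returns (key, last-modified time, server-side-encryption header), against a hypothetical 08:00/20:00 UTC schedule and 30-day window, and reports anything past retention, anything stored without server-side encryption, and any scheduled slot with no backup. The bucket layout, key naming and the fault-injected sample data are assumptions for illustration.

```python
"""Audit a backup inventory against a stated schedule and retention policy.

Added example (not Convertr's code). The listing is constructed inline to
resemble S3 object metadata; in practice it would come from
list_objects_v2 plus head_object for the ServerSideEncryption header.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RETENTION_DAYS = 30
EXPECTED_HOURS = (8, 20)                 # assumed: twice daily, UTC
SLOT_TOLERANCE = timedelta(minutes=30)   # how late a run may finish and still count
NOW = datetime(2024, 6, 15, 12, tzinfo=timezone.utc)   # fixed clock for the example


@dataclass(frozen=True)
class BackupObject:
    key: str
    last_modified: datetime      # tz-aware UTC
    sse: Optional[str]           # e.g. "aws:kms" or "AES256"; None means unencrypted


def expected_slots(now: datetime, days: int = RETENTION_DAYS) -> List[datetime]:
    """Every 08:00 and 20:00 UTC slot that falls inside the retention window."""
    start = (now - timedelta(days=days)).replace(minute=0, second=0, microsecond=0)
    slots = []
    day = start.replace(hour=0)
    while day <= now:
        for hour in EXPECTED_HOURS:
            slot = day.replace(hour=hour)
            if start <= slot <= now:
                slots.append(slot)
        day += timedelta(days=1)
    return slots


def audit_backups(objects: List[BackupObject], now: datetime
                  ) -> Tuple[List[str], List[str], List[datetime]]:
    """Return (keys past retention, keys without SSE, schedule slots with no backup)."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    expired = sorted(o.key for o in objects if o.last_modified < cutoff)
    unencrypted = sorted(o.key for o in objects if o.sse is None)
    live = [o for o in objects if o.last_modified >= cutoff]
    missing = [slot for slot in expected_slots(now)
               if not any(abs(o.last_modified - slot) <= SLOT_TOLERANCE for o in live)]
    return expired, unencrypted, missing


def sample_inventory(now: datetime) -> List[BackupObject]:
    """Constructed listing: full coverage plus three deliberately injected faults."""
    objs = []
    for slot in expected_slots(now):
        if slot == datetime(2024, 6, 10, 20, tzinfo=timezone.utc):
            continue                                            # fault 1: a missed 20:00 run
        sse = None if slot == datetime(2024, 6, 12, 8, tzinfo=timezone.utc) else "aws:kms"  # fault 2
        objs.append(BackupObject(f"db/{slot:%Y%m%dT%H%M}.sql.gz",
                                 slot + timedelta(minutes=4), sse))
    stale = now - timedelta(days=31)                            # fault 3: object past retention
    objs.append(BackupObject(f"db/{stale:%Y%m%dT%H%M}.sql.gz", stale, "aws:kms"))
    return objs


def run_audit() -> Tuple[List[str], List[str], List[datetime]]:
    """Entry point used both when run directly and by the accompanying test."""
    return audit_backups(sample_inventory(NOW), NOW)


if __name__ == "__main__":
    expired, unencrypted, missing = run_audit()
    print("past retention :", expired)
    print("unencrypted    :", unencrypted)
    print("missing slots  :", [m.isoformat() for m in missing])
```

Against a real bucket the same three checks are what a lifecycle rule, a bucket-level default encryption setting and a scheduler alarm are supposed to guarantee; running the audit independently catches the case where one of those controls was changed or never applied.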

Application and Infrastructure Monitoring

Convertr uses a combination of AWS CloudWatch, New Relic, Sentry, Pingdom and GuardDuty to monitor the application and infrastructure.

Uninterruptible Power Systems

From AWS: The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.

What does the Convertr infrastructure look like?

As above, Convertr is fully based on AWS and follows the best practices published by Amazon Web Services. We use RDS (MySQL) for persistent storage, deployed Multi-AZ for automatic failover.

The application runs across EC2 instances behind load balancers in auto-scaling groups, so it is resilient to spikes in traffic and data processing. We run a container platform across the cluster of servers to manage resources more efficiently.

Convertr Infrastructure

Controls Summary


Identity and Access Management

  • Multi-Factor Authentication (MFA) - MFA is enforced for all Convertr staff, and is available to clients as a feature of the Convertr platform
  • Role-Based Access Control (RBAC) - Access is provisioned based on user role
  • Least Privilege - Roles are designed to grant the least amount of privilege to perform the role
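Enforcing MFA for infrastructure access is usually done in AWS as an IAM policy condition rather than by trusting users to enable a device. The following is an added example of the standard AWS pattern, not a policy from Convertr: it denies every action except the handful needed to enrol an MFA device whenever the request carries no MFA context. The statement identifier is an assumption; the action names and condition key are the real IAM ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

The `BoolIfExists` operator matters: requests signed with long-lived access keys carry no `aws:MultiFactorAuthPresent` key at all, and a plain `Bool` condition would not match them, silently exempting exactly the credentials that most need the control. With `BoolIfExists` a missing key is treated as `false` and the deny applies.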

Application Security

  • Secure Development Lifecycle (SDLC) - All application changes follow the SDLC which includes secure code reviews and security testing (SCA and SAST)
  • Security by Design - Security is a core requirement for all changes
  • Penetration testing - An annual penetration test is completed against the Convertr platform by a CREST-certified third party
  • Vulnerability scanning - Vulnerability scanning is completed against the platform on a fixed schedule and after each release
  • Vulnerability Management - All identified vulnerabilities are remediated following risk based prioritisation

Security Monitoring and Logging

  • 24x7 monitoring - A 24x7 Security Operations Centre (SOC) is in place
  • Logging - All technology is designed with logging in mind, and logs are sent to the SOC for monitoring

Data Security

  • Encryption at rest - All data at rest is encrypted with AES-256
  • Encryption in transit - All data in transit is protected with TLS 1.2

Data Privacy

  • GDPR - Convertr are GDPR compliant. The Convertr platform has integrated Data Subject Access Request capability to enable clients to meet their compliance requirements
  • Data Masking - The Convertr platform has built in data masking capability to ensure confidentiality is maintained
  • Privacy by Design - Data privacy is a core requirement for all changes

Operational Resilience

  • Business Continuity and IT Disaster Recovery - Business continuity and Disaster Recovery plans are in place. Plans are reviewed and tested on a periodic basis
  • Data backups - Backups are automatically taken every 12 hours. Backup recovery is tested on a periodic basis
  • Incident Response Planning - Incident response plans are in place. Plans are reviewed and tested on a periodic basis
  • Internal Audit - An annual internal audit of controls is performed to ensure design and operational effectiveness. Corrective action plans are put in place where deficiencies are identified

Governance

  • Industry Standards - Convertr are ISO27001 certified
  • Security Awareness Training - All Convertr staff undertake mandatory Security Awareness and Data Privacy training. Technical staff receive additional, role specific security training
  • Risk Assessment - Risk Assessment and Management programme is in place across the organisation
  • Third Party Audit - An annual audit of ISO27001 controls is undertaken by a certified third party

Patch Management

  • Security Patching - All core system components are monitored for patch releases. Security patches are applied in line with risk based prioritisation
  • Technology Currency - Technology currency is monitored and kept within risk appetite

Infrastructure Security

  • Key Management - Encryption keys are managed in AWS Key Management Service (KMS). Keys are rotated on a periodic basis
  • Zero trust - Platform and infrastructure are configured following the zero trust principle
  • Firewalls - Network and Web Application Firewalls are in place. Firewall rules are reviewed periodically
  • Network segregation - Networks and environments are segmented in AWS
