vPromotion Security and PII
      Back to home
      1. vCreative Knowledge Base
      2. vPromotions
      3. vPromotion Security and PII

      vCreative System Security

      The following is a brief overview of security and other controls implemented by vCreative to protect the confidentiality, integrity, and availability of vCreative systems and data. While not an exhaustive listing, it provides the most relevant controls that are applicable to protecting our customers’ data within the vCreative suite of applications. 

      Logical Access / Access Administration 

      1. Users are required to use their unique username and password to gain access. ○ Help Desk monitors failed login attempts and intervenes when needed. 
      2. User permissions are role based. Role based permissions match user data access and system capabilities with position in the company.
        ○ vCreative Help Desk team and the customer’s local administrator assign user permissions. 
      3. All actions a user performs on the data in vCreative products are logged. Audit trails contain user, IP address, date and timestamp for each action. 
      4. Users can be removed from the system and denied access instantly via the Firm Admin tool available to local administrators. 
      5. vCreative personnel with administrative privileges utilize multi-factor authentication (MFA) when accessing the underlying infrastructure. MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism such as Google Authenticator. 
      6. vCreative employee access is removed promptly upon termination. 

      Customer Data Protections 

      1. Customer databases are protected within the AWS virtual private cloud. 
      2. Databases can only be accessed by customers through the vCreative product application interfaces. 
      3. Direct access to databases is limited to authorized vCreative users, who must have been authenticated and connected through our AWS Virtual Private cloud. 

      Network Protections 

      1. Access for customers to vCreative applications and API’s is encrypted via secure transport protocols. (HTTPS) 
      2. Network traffic internal to vCreative’s AWS VPC is further restricted through the use of AWS Security Groups and AWS Network ACLs (Access Control Lists)
        ○ This allows us to lock access to our database servers to not only use the correct key pair, but it will also require that the connection attempt is coming from within our VPC, within AWS. 

      System Resiliency and Data Backups 

      • The system performs hourly full-database backups. This is done using a Cron script running on the Task Server that utilizes the AWS RDS CLI to perform the backups. Once a day, an automated backup is copied over to another AWS region (US West). 
      • The system is currently designed to avoid a single point of failure by running two application servers and at least one database replica, in addition to the database master. The application servers are spun up in different Availability Zones in their Region, based on current application traffic and RDS is set up for Multi-AZ availability. 
      • AWS RDS is configured to automatically perform a full daily backup of the database servers. ● Full backups are kept for 14 days. Hourly backups are retained for 24 hours. ● A test restoration from backup is performed on a quarterly basis. 
      • Data is never physically deleted from the database. All the deletes are “soft deletes”. ● It is not currently possible for a customer to back up their own data. 

      Vulnerability Management 

      • Amazon Web Services patches the Systems and Applications on an as needed basis. For more information, refer to AMI security policies.