LEGAL DOCS
Terms of Service
Privacy Policy
Information Security & Compliance
GDPR & CCPA
Data Subject Rights
Data Processing Addendum
Data Subject Access Request Form
Cookie Policy
List of Sub-processors

Information Security & Compliance

Here at Sessionboard, we strive to have an industry-leading information security & compliance program. In order to achieve that, along with the technical controls, we are also committed to ensuring that our employees have the required knowledge and training.

Compliance

General Data Protection Regulation (GDPR)

European Economic Area-origin personal data is processed and stored on the basis of the Standard Contractual Clauses, as amended by the Commission of the European Union, and we employ appropriate, and industry standard, technical, contractual, and organizational supplementary measures. Please visit our Privacy Policy for more information.

California Consumer Privacy Act (CCPA)

Sessionboard has updated the necessary internal procedures and processes to comply with CCPA. Please visit our Privacy Policy for more information.

Third-Party Sub-Processors
Sessionboard uses a variety of third-party sub-processors to provide various features of our platform. All third parties are subject to a thorough security, compliance, and privacy assessment prior to contracting and approval. If approved, an annual assessment is required to ensure compliance.

Cookies Page
When you visit Sessionboard's website, we and our service providers collect certain data using tracking technologies like cookies and web beacons. Please visit our Cookie Page for more information.

Infrastructure & Development

Data Centers
The Sessionboard product is based on logical architectures, with primary data centers run by Amazon Web Services (AWS) located in the continental United States and Ireland (EU).

Sessionboard does not own the hardware located in these data centers. Instead, both AWS and GCP are responsible for the security of the underlying cloud infrastructure (IaaS / PaaS), while Sessionboard is responsible for controls and configurations beginning at the operating system layer.

Platform
A multi-tenant, cloud-based application, the Sessionboard platform is engineered for high
scalability, reliability, security, and performance. All elements of the platform are tested regularly.

Encryption
Data in transit is encrypted using TLS 1.2, while data at rest is encrypted using AES-256. Access to databases is also encrypted asymmetrically.

Each Sessionboard customer’s data is hosted within a multi-tenant environment and logically segregated using a unique key.

Network Security
Sessionboard divides its platform into separate network groups to better protect data. Network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure.

Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate with each other. Intrusion Detection / Intrusion Prevention (IDS/IPS) solutions are deployed, with near real-time alerts in place that indicate and alert for any suspicious or uncommon activity.

Secure Development & Change Management
Sessionboard has a formalized development and change management process in place, which requires identification and recording of significant changes, assessment of risk and the potential effect of such modifications, approval of proposed changes, and testing of changes to verify operational functionality. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, including employee and user entity notifications must be performed.

The Sessionboard secure development methodology includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning. Changes to infrastructure and software are developed and tested in a separate development or test environment before release to production. Additionally, to ensure reviews and approvals are required, controls are in place before code is pushed to the production environment.

Access to the source code management tool is restricted to those with a business need for access. On a quarterly basis, access to the source code management tool is reviewed to ensure accuracy.

As part of the development process, static code analysis is also performed.

Organizational

➔ Data classification and business impact assessment
➔ Selection, documentation, and implementation of security controls
➔ Assessment of security controls
➔ User access authorization and provisioning
➔ Removal of user access
➔ Monitoring of security controls
➔ Security management

Personnel
As part of the onboarding process, where applicable, all new Sessionboard personnel (e.g., employees, contractors, interns, etc.) are required to sign an NDA and pass a background check.

An information security & compliance onboarding presentation is reviewed with all personnel upon hire to explain processes, controls, and expectations. Web-based information security & compliance training is also assigned as part of onboarding, and on an annual basis. Every quarter, phishing campaigns are conducted using a third-party solution to ensure that personnel are aware of social engineering risks and how to identify them.

Additionally, at least annually and upon hire, all personnel are required to review and acknowledge applicable policies and procedures based on job role and function, as well as complete information security and privacy web-based training modules.

Access Management
To minimize the risk of data exposure, Sessionboard adheres to the principle of role-based least privilege access. Privileged access requests must be submitted using our internal ticketing system and include a business justification and manager’s approval.

Every quarter, privileged access is reviewed to ensure accuracy. When personnel are moved between roles or terminate their relationship with Sessionboard, a formal offboarding process is initiated, with physical and logical access removed within 24-hours.

Incident Management
Sessionboard established policies and procedures for responding quickly to all security and privacy events. Our approach is we first determine the exposure of the information and determine the source of the security or privacy issue. We will communicate promptly by using in-product messaging, email, and our status page to affected customers. We will also provide periodic updates as needed to ensure the appropriate resolution of any incident.

Any concerns or incidents can be reported to:
support@sessionboard.com

Monitoring, Logging & Alerting
Sessionboard invests in automated monitoring, alerting, and response systems to address potential issues continuously. Our systems will alert applicable internal stakeholders regarding error rates, unexpected activity, memory issues, etc.

Our system captures and stores logs from the application level, such as logins (success and failed), page visits, actions, modifications, and more. Logs are protected from changes.

Endpoint Protection
Our endpoint workstations are protected using commercial enterprise-grade antivirus/malware protection with centralized logging and monitoring. All assets are subject to full-disk encryption using Filevault, are password-protected, and auto-lock when idle, requiring re-authentication to unlock.

Endpoints are managed using agent-based services, which allow the ability to add/remove applications, deploy/change configurations, web-filtering, removable storage restrictions, as well as to remotely wipe/lock the asset.

Risk Assessment
Sessionboard regularly reviews the risks that may threaten the achievement of its service commitments and system requirements. This is done through regular meetings with appropriate personnel responsible for the processes, procedures, and controls.

Additionally, reviewing and acting upon any security event logs, performing vulnerability assessments, and conducting a formal annual information security risk assessment in conjunction with the company-wide risk assessment.

Independent third parties are engaged annually to conduct application-level (to mobile, web, and APIs) and infrastructure-level penetration tests (black, grey, and white-box). Results of these assessments are shared with the applicable internal staff, and if needed, an actionable plan of remediation is discussed and executed according to requirements outlined in policy.

Last Modified: July 1, 2023