Security Policy

2018-05-25T21:05:52+00:00

End-to-end Security

Nuvro is hosted entirely on Amazon Web Services (AWS), providing end-to-end security and privacy features built in. Our team takes additional proactive measures to ensure a secure infrastructure environment. For additional, more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.

Data Center Security

AWS maintains an impressive list of reports, certifications, and third-party assessments to ensure complete and ongoing state-of-the-art data center security. They have many years of experience in designing, constructing, and operating large-scale data centers.

AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

It is safe to say Amazon is much better at physical security than we are capable of being, so we leave it to them.

Application Security

All Nuvro web application communications are encrypted over 256-bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.

Nuvro maintains ongoing Level 1 PCI compliance, abiding by stringent industry standards for storing, processing and transmitting credit card information online.

Nuvro actively monitors ongoing security, performance and availability 24/7/365. We run automated security testing on an ongoing basis. We also contract a third party for penetration testing.

Regarding privacy, we are members of the Privacy Shield framework and you can view our full privacy policy here: https://nuvro.com/privacy

Infrastructure Security

Nuvro's infrastructure is hosted in a fully redundant, secured VPN environment, with access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses, and other security features.

Security Policy

Nuvro employs strict security standards and measures throughout the entire organization. Every team member is trained and kept up to date on the latest security protocols. We regularly undergo testing, training, and auditing of our practices and policies.

  1. Purpose, Scope, and Organization

This policy defines behavioral, process, technical, and governance controls pertaining to security at Nuvro that all personnel are required to implement to ensure the confidentiality, integrity, and availability of the Nuvro service and data (“Policy”). All personnel must review and be familiar with the rules and actions set forth below.

This Policy defines security requirements for:

  • all Nuvro employees, contractors, consultants and any other third parties providing services to Nuvro (“personnel”),
  • management of systems, both hardware and software and regardless of locale, used to create, maintain, store, access, process or transmit information on behalf of Nuvro, including all systems owned by Nuvro, connected to any network controlled by Nuvro, or used in service of Nuvro’s business, including systems owned by third-party service providers, and
  • circumstances in which Nuvro has a legal, contractual, or fiduciary duty to protect data or resources in its custody.

In the event of a conflict, the more restrictive measures apply.

1.1. Governance and Evolution

This Policy was created in close collaboration with and approved by Nuvro executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.

1.2. Security Team

The Nuvro security team oversees the implementation of this Policy, including

  • procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources,
  • all aspects of service development and operation related to security, privacy, access, reliability, and survivability,
  • ongoing risk assessment, vulnerability management, incident response, and
  • security-related human resources controls and personnel training.

1.3. Risk Management Framework

Our Risk Management Framework incorporates the following:

  • Identification of relevant, potential threats.
  • A scheme for assessing the strength of implemented controls.
  • A scheme for assessing current risks and evaluating their severity.
  • A scheme for responding to risks.

  2. Personnel and Office Environment

Nuvro is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly in the context of its established employment culture of openness, trust, maturity, and integrity.

This section outlines expected personnel behaviors affecting security and the acceptable use of computer systems at Nuvro. These rules are in place to protect our personnel and Nuvro itself, in that inappropriate use may expose customers and partners to risks including malware, viruses, compromise of networked systems and services, and legal issues.

2.1. Work Behaviors

The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.

Training

All employees and contractors must attend the Nuvro security training program, to inform all users of the requirements of this Policy.

Unrecognized Persons and Visitors

It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to Nuvro offices must be registered as such or accompanied by a Nuvro employee.

Clean Desk

Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.

Unattended Devices

Unattended devices must be locked. All devices will have an automatic screen lock function set to automatically activate upon no more than fifteen minutes of inactivity.

Use of Corporate Assets

Systems are to be used for business purposes in serving the interests of the company, and of our clients and partners during normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only Nuvro-managed hardware and software is permitted to be connected to or installed on corporate equipment or networks and used to access Nuvro data. Nuvro-managed hardware and software includes those either owned by Nuvro or owned by Nuvro personnel but enrolled in a Nuvro device management system. Only software that has been approved for corporate use by Nuvro may be installed on corporate equipment. All personnel must read and understand the list of prohibited activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit written consent by the Nuvro security team.

No Backups, Use of Cloud Storage

Personnel may not configure work devices to make backups of device data. Instead, personnel are expected to operate primarily “in the cloud” and treat local storage on computing devices as ephemeral. Making a practice of keeping important work artifacts replicated into company-approved secure cloud storage (e.g. Google Docs) ensures that even in the event of a corporate device being lost, stolen, or damaged, such work artifacts will be immediately recoverable on a replacement device.

Prohibited Activities

The following activities are prohibited. Under certain conditions and with the explicit written consent of the security team, personnel may be exempted from certain of these restrictions during their legitimate job responsibilities (e.g. planned penetration testing, or systems administration staff who need to disable the network access of a host that is disrupting production services).

The list below is by no means exhaustive but attempts to provide a framework for activities which fall into the category of unacceptable use.

  • Under no circumstances are personnel of Nuvro authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Nuvro-owned resources.
  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Nuvro.
  • Violating or attempting to violate the terms of use or license agreement of any software product used by Nuvro is strictly prohibited.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Nuvro or the end user does not have an active license is strictly prohibited.
  • Exporting software, technical information, encryption software or technology may result in a violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
  • Revealing your account password to others or allowing use of your account by others. This includes colleagues, as well as family and other household members when work is being done at home.
  • Making fraudulent offers of products, items, or services originating from any Nuvro account.
  • Making statements about warranty, express or implied, unless it is a part of normal job duties and then only to the extent the warranties are consistent with Nuvro’s authorized warranties.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious or unlawful purposes.
  • Except by or under the direct supervision of the security team, port scanning or security scanning, or other such software designed to exploit or find computer, software, or network vulnerabilities.
  • Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  • Circumventing user authentication or security of any host, network or account or attempting to break into an information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs and attempting to circumvent file or other resource permissions.
  • Attempting to interfere with or deny service to any other user.
  • Providing information about, or lists of, Nuvro personnel to parties outside Nuvro.
  • Installation of software which installs or includes any form of malware, spyware, or adware as defined by the security team.
  • Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of the action by that user may be viewed as a deliberate act.
  • Attempts to subvert technologies used to effect system configuration of company-managed devices (e.g. MDM) or personal devices voluntarily used for company purposes (e.g. mobile Work Profiles).

2.2. Personnel Systems Configuration, Ownership, and Privacy

Centralized System Configuration

Personnel devices and their software configuration may be managed remotely by members of the security team via configuration-enforcement technology. Such technology may be used for purposes including auditing/installing/removing software applications or system services, managing network configuration, enforcing password policy, encrypting disks, copying data files to/from employee devices, and any other allowed interaction to ensure that employee devices comply with this Policy.

Retention of Ownership

All software programs, data, and documentation generated or provided by personnel while providing services to Nuvro or for the benefit of Nuvro are the property of Nuvro unless otherwise covered by a contractual agreement.

Personnel Privacy

While Nuvro’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Nuvro. Due to the need to protect Nuvro’s network, management does not intend to guarantee the privacy of personnel’s personal information stored on any network device belonging to Nuvro. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use such as general web browsing or personal email. If there is any uncertainty, personnel should consult the security team or their manager.

Personnel should structure all electronic communication with recognition of the fact that the content could be monitored and that any electronic communication could be forwarded, intercepted, printed, or stored by others.

Nuvro reserves the right, at its discretion, to review personnel’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as corporate policies.

Nuvro reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. For security and network maintenance purposes, authorized individuals within Nuvro may monitor equipment, systems and network traffic at any time.

2.3. Human Resources Practices

Background Checks

Background checks are conducted on all employees prior to their start date. The consequences of problematic background check results may range from a limitation of security privileges, to revocation of employment offer, to termination.

Training

The security team maintains a company-wide security awareness program delivered to all personnel at least annually. The program covers security awareness, policies, processes, and training to ensure that personnel are sufficiently informed to meet their obligations. Those most responsible for maintaining security at Nuvro, including the security team itself as well as key engineering/operations staff, undergo more technical continuing education.

Separation

In the case of personnel termination or resignation, the security team coordinates with human resources to implement a standardized separation process to ensure that all accounts, credentials, and access of outgoing employees are reliably disabled.

2.4. Physical Office Environment

All doors shall remain locked at all times under normal business conditions. The security team may provide approval to unlock doors for short periods of time in order to accommodate extenuating physical access needs.

2.5. Office Network

Internet access shall be provided to devices via wired ethernet and WPA2 wifi. Networking switches and routers shall be placed in a locked networking closet with only the security team having access. Nuvro executives and the security team may grant access to the networking closet to individuals on a case-by-case and as-needed basis. A network firewall that blocks all WAN-sourced traffic shall be put in place. WAN-accessible network services shall not be hosted within the office environment.

  3. Personnel Identity and Access Management

3.1. User Accounts and Authentication

Each individual having access to any Nuvro-controlled system does so via a G Suite user account denoting their system identity. Such user accounts are required to have a unique username, a strong password of at least 8 characters, and a two-factor authentication (2FA) mechanism.

Logging into Nuvro Systems

Logins by personnel may originate only from Nuvro-managed devices. Authentication is performed by Google’s account management system, details of which can be found at https://gsuite.google.com/security. Nuvro leverages G Suite’s facilities for detecting malicious authentication attempts. Repeated failed attempts to authenticate may result in the offending user account being locked or revoked.

Logging into Third Party Systems

Whenever available, third-party systems must be configured to delegate authentication to Nuvro’s G Suite account authentication system (described above) thereby consolidating authentication controls into a single user account system that is centrally managed by the security team.

Revocation and Auditing of User Accounts

User accounts are revoked (that is, disabled but not deleted) immediately upon personnel separation. As a further precaution, all user accounts are audited at least quarterly, and any inactive user accounts are revoked.

3.2. Access Management

Nuvro adheres to the principle of least privilege, and every action attempted by a user account is subject to access control checks.

Web Browsers and Extensions

Nuvro may require use of a specified web browser(s) for normal business use and for access to corporate data such as email. For certain specified roles such as software development and web design, job activities beyond those mentioned above necessitate the use of a variety of browsers, and these roles may do so as needed for those activities.

Any browser that is allowed to access corporate data such as email is subject to a whitelist-based restriction on which browser extensions can be installed.

Administrative Access

Access to administrative operations is strictly limited to security team members and further restricted still as a function of tenure and the principle of least privilege.

Regular Review

Access control policies are reviewed regularly with the goal of reducing or refining access whenever possible. Changes in job function by personnel trigger an access review as well.

3.3. Termination

Upon termination of personnel, whether voluntary or involuntary, the security team will follow Nuvro’s personnel exit procedure, which includes revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other corporate equipment and property prior to the final day of employment.

  4. Provenance of Technology

4.1. Software Development

Nuvro stores source code and configuration files in private GitHub repositories. The security and development teams conduct code reviews and execute static code analysis tools on every code commit. Reviewers shall check for compliance with Nuvro’s conventions and style, potential bugs, potential performance issues, and that the commit is bounded to only its intended purpose.

Security reviews shall be conducted on every code commit to security-sensitive modules. Such modules include those that pertain directly to authentication, authorization, access control, auditing, and encryption.

All major pieces of incorporated open source software libraries and tools shall be reviewed for robustness, stability, performance, security, and maintainability.

The security and development teams shall establish and adhere to a formal software release process.

4.2. Configuration and Change Management

The Nuvro security and development teams shall document the configuration of all adopted systems and services, whether hosted by Nuvro or by a third party. Industry best practices and vendor-specific guidance shall be identified and incorporated into system configurations. All configurations shall be reviewed on at least an annual basis. Any changes to configurations must be approved by appointed individuals and documented in a timely fashion.

System configurations must address the following controls in a risk-based fashion and in accordance with the remainder of this policy:

  • data-at-rest protection via encryption
  • data-in-transit protection of confidentiality, authenticity, and integrity for incoming and outgoing data
  • data and file integrity
  • malware detection and resolution
  • capturing event logs
  • authentication of administrative users
  • access control enforcement
  • removal or disabling of unnecessary software and configurations
  • allocation of sufficient hardware resources to support loads that are expected at least twelve months into the future.

4.3. Third-Party Services

For every third-party service that Nuvro adopts, the security team shall review the service and vendor, on an annual basis, to gain assurance that their security posture is consistent with Nuvro’s for the type and sensitivity of data the service will store.

  5. Data Classification and Processing

5.1. Data Classification

Nuvro maintains the following classes and processing rules of customer data. For each data class, the Nuvro security and development teams must provision and dedicate specific information systems in AWS to store and process data of that class, and only data of that class, unless otherwise explicitly stated throughout Section 5. For all classes of customer data, the corresponding systems may store and process data items needed to keep each customer’s data properly segmented, such as Nuvro customer identifiers.

Customer User Account Data – This is data pertaining to login accounts for the Nuvro.com customer web interface, used by Nuvro customer agents. This data shall be encrypted-at-rest so as to protect the data in the event of unauthorized access attempts. User account credentials shall be hashed in such a manner that the plaintext passwords cannot be recovered.

Customer Contact Data – This is contact data about Nuvro customers and customer agents.

Customer Preferences Data – This is data pertaining to the customer-specific preferences and configurations of the Nuvro service made by customer agents.

Customer Recorded Data – This is data that the Nuvro service collects during session recording. The Nuvro security and development teams must provision specific systems within AWS to store and process this class of data. This data shall be encrypted-at-rest so as to protect the data in the event of unauthorized access attempts.

Customer Event Transaction Metadata – This is metadata about transactions conducted on all other classes of customer data. This includes customer organization and user identifiers, standard syslog data pertaining to customer users, and instances of Customer Contact Data and Customer Preferences Data. This class does not include Customer Recorded Data.

Customer Contact Data, Customer Preferences Data, and Customer Event Transaction Metadata may be stored and processed in systems hosted in environments other than AWS, as approved by the security team.

5.2. Nuvro Employee Access to Customer Data

Nuvro employees may access Customer Data only under the following conditions.

  • From managed devices.
  • For the purpose of incident response, customer support, or feature testing.
  • For no longer than is needed to fulfill the purpose of access.
  • In an auditable manner.

5.3. Customer Access

Nuvro provides web user interfaces (UIs), application programming interfaces (APIs), and data export facilities to provide customers access to their data.

5.4. Exceptional Cases

The security team in conjunction with executive management may approve emergency exceptions to any of the above rules, in response to security incidents, service outages, or significant changes to the Nuvro operating environment, when it is deemed that such exceptions will benefit and protect the security and mission of Nuvro, Nuvro customers, and visitors of Nuvro customers’ websites.

  6. Vulnerability and Incident Management

6.1. Vulnerability Detection and Response

The Nuvro security and development teams shall use all of the following measures to detect vulnerabilities that may arise in Nuvro’s information systems.

  • Cross-checking vulnerability databases with all systems and software packages that support critical Nuvro services.
  • Automated source code scanners on every code commit.
  • Code reviews on every security-sensitive code commit.
  • Vulnerability scanning on Nuvro services.

The Nuvro security team shall evaluate the severity of every detected vulnerability in terms of the likelihood and potential impact of an exploit and shall develop mitigation strategies and schedules accordingly. Suitable mitigations include complete remediation or implementing compensating controls.

6.2. Incident Detection and Response

The Nuvro security team shall use all of the following measures to detect security incidents.

  • Monitor logs to detect potentially malicious or unauthorized activity.
  • Conduct reviews on the causes of any service outages.
  • Respond to notices of potential incidents from employees, contractors, or external parties.

The Nuvro security team shall make a determination of whether every indicator is representative of an actual security incident. The severity, scope, and root cause of every incident shall be evaluated, and every incident shall be resolved in a manner and timeframe commensurate with the severity and scope.

In the event that a data breach affecting a customer has been detected, Nuvro will maintain communication with the customer about the severity, scope, root cause, and resolution of the breach.

  7. Business Continuity and Disaster Recovery

Nuvro services hosted in AWS shall be configured in such a manner so as to withstand long-term outages to an availability zone. Controls such as automated replication or automated data recovery processes may be used to achieve this desired level of availability.