*We've since moved on from being hosted on AWS to GCP!
Every strong relationship is based on a foundation of trust, and when it comes to data, trust is knowing that anyone handling your data is keeping it secure. We sat down with two of our Copper security experts, Isaac (CISSP, Director of Operations) and Kelly (Chief Technology Officer), to get every detail on how we’re keeping data safe.
Read on, or watch the webinar recording:
What is data security?
Data security is a hot topic today, but what does it really mean and how do SaaS companies like Copper think about it?
Because security is a key priority for Copper, we take a top-down approach. This means that security initiatives are led and championed by our management team, then systematically percolated down to operations staff. Effectively managing security risk means putting in the right governance, the right technology as well as supporting processes and ongoing training.
We’re constantly evaluating our overall security using clear InfoSec policies, training, and third-party penetration and vulnerability scanning. Through the monitoring of critical systems and following up after service incidents, we’re always improving and strengthening our technological detection measures to identify attacks and observe system performance. We’ve also developed and documented a response and recovery plan that activates as soon as evidence of a possible incident occurs.
Copper has three main focuses when it comes to security. We’re going to walk you through each of these in detail in this blog post. We believe a good defensive posture is based on:
- Prevention - understanding the threat (for example, a hacker) relative to organizational vulnerability
- Detection - establishing mechanisms to detect an imminent or actual breach
- Response - establishing a capability that immediately deals with incidents to minimize the loss of any data
We’ve implemented measures to make certain Copper will be accessible and available when you need it.
Secure data centers
We only trust the best of the best to host your data, so all compute and data servers are hosted on Amazon Web Services (AWS) ISO 27001 certified data centers. These are US-based centers using multiple availability zones.
We designed our CRM to use scalable and reliable architecture models. This decreases the chance for a system failure that prevents customers from accessing their data. We use many identical servers that provide automatic failover to another healthy system and/or data center location.
If there is an unusual loss of data, some of our databases can be restored from a specific point in time in one minute increments. We and our vendors make regular backups to encryption-enabled AWS S3 buckets that are usually kept for 10 days.
In the unlikely event of extended service outages caused by factors beyond our control (e.g., natural disasters or third-party service interruptions), Copper has a plan in place with multiple backups to make sure your CRM access isn’t interrupted.
How we protect your data
Data protection is kept front and center for Copper at all times as we continue to innovate on our CRM software.
Data security training
Copper provides Security Awareness Training for all employees and requires that they review and sign the Employee Code of Conduct that outlines the guidelines for network security and data protection.
We participate in third-party vulnerability scanning and penetration tests to identify, track, and remediate any application vulnerabilities.
Encryption enhances the security of a message or file by scrambling the content. Copper encrypts your data both in transit and at rest, so it’s safe no matter what.
User access management
Employee and vendor access to all customer data is tightly regulated and restricted to a need-to-know basis using role-based access controls.
Copper’s internal instance requires two-factor authentication for any admin access to prevent the wrong person from accidentally accessing data.
Regular data access reviews
Our employee access to resources is regularly evaluated and terminated promptly to make sure we’re always up to date with role changes and employment termination.
Your internal security controls
We’ve built functionality into Copper that allows you to maintain data integrity internally. With team permissions and visibility, you determine which departments and teams see what data and correspondence inside your CRM.
With read-only fields, Copper admins are able to specify which fields can’t be edited by non-admin users, so your data is always consistent and reliable. Required fields also allow admins to capture critical data points for business operations.
Copper’s data policies and procedures are externally validated (so you can take more than just our word for it).
SOC 2-Attested Service Provider
System and Organization Controls (SOC) is a series of third-party audits and reports run on a service provider. As a SOC 2 Attested Service Provider, our policies and procedures have been validated by an independent CPA auditing firm that has reviewed our controls around security, availability, and confidentiality to ensure they match or exceed industry-best practices.
The General Data Protection Regulation (GDPR) is a new set of laws that regulate how you access and process the personal data of EU citizens. GDPR affects any company doing business with EU citizens, regardless of their physical location. Copper is GDPR-compliant and has established security controls and secured DPAs from all vendors who touch contact data. Learn more about how we got there.
Copper is TrustArc (formerly TRUSTe) Certified. These privacy certifications outline practices for companies to establish and maintain privacy. They are a Privacy Shield partner.
The EU-U.S. Privacy Shield Framework was designed to align companies on both sides of the Atlantic along common data protection requirements when transferring personal data. Copper worked with TrustArc to audit our policies and procedures, as well as certify our compliance with this framework.
And that’s all, folks! If you have any questions surrounding data security that weren’t addressed here, don’t hesitate to either reach out—or if you’ve been working with a partner, contact them directly.
Thanks for tuning in!