Constant Contact® Information Security Policy
Updated: June 2019
Constant Contact takes the security of customer data seriously. Constant Contact has implemented internal policies and controls to try to ensure that customer data is not lost, accidentally destroyed, misused or disclosed, and is only accessed by Constant Contact employees in the performance of their duties. Where Constant Contact engages third parties to process customer data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are required to implement appropriate technical and administrative measures to ensure the data is secure.
Constant Contact will maintain data security by protecting the confidentiality, integrity and availability of the customer data as follows:
- Confidentiality means that only people who are authorized to use the data can access it.
- Integrity means that data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorized users should be able to access and use the data if they need it for authorized purposes in a timely and reliable manner. Customer data should therefore be stored in approved data stores and made available to authorized users only.
How is data security managed?
The security of Constant Contact is modelled on a ‘defense in depth’ approach on multiple levels, including Physical, Network, Host, Software, and User Account Security. Constant Contact maintains internal security policies and standards in support of its ongoing operations. Access to resources is granted only to those who reasonably require access, based on their responsibilities. Security processes include:
Physical access to the Constant Contact hosting environment is restricted to specific individuals and uses multiple levels of security, including:
- Constant Contact servers and infrastructure are located in a physically secure data center. Access to the data center is limited to authorized personnel. Badge access or biometric authentication (hand scanners and fingerprint IDs) are required in order to access the facilities.
- Constant Contact servers are isolated and secured within the data center in areas dedicated to Constant Contact equipment only. These areas are not shared with third parties.
- Access to the data center and systems is regularly reviewed to ensure authorization.
- 24x7 security guards perform random checks of the data center to ensure physical security controls have not been compromised.
- Access to Constant Contact services is via standard HTTP and HTTPS connections.
- The Constant Contact hosting environment is protected from the public Internet via multiple next generation firewalls, monitored with an intrusion prevention/detection system, including a strategically placed distributed denial of service mitigation system.
- All of your account, credit card, and subscriber information and content is encrypted via industry-standard Secure Sockets Layer (SSL) connections over HTTPS.
- Constant Contact performs industry-standard security hardening efforts on all systems. In accordance with our security and change management policies, unused services are disabled and software updates are applied on a regular basis.
- Constant Contact regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Constant Contact environment, they are thoroughly tested and deployed in a timely manner.
- All Constant Contact hosts and services are routinely monitored for integrity and availability. Operations staff review all alerts generated by monitoring systems and respond promptly.
- Constant Contact servers are monitored 24x7 for malicious activity.
- Administrative access to Constant Contact infrastructure is limited strictly to authorized users with multi-factor authentication. Individual usernames and passwords are required for all machine and data access.
- Strong password guidelines are in place, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.
- All internally developed code is subject to a strict Quality Assurance program, including extensive testing of functionality and business logic. Strong change control processes are in place to ensure that all code deployed to the production environment has been appropriately reviewed.
- We train our engineers in secure coding and architectural design patterns like the ones outlined in the OWASP Top 10, SANS critical security controls, and the NIST frameworks.
- As part of Constant Contact’s ongoing PCI compliance, Constant Contact regularly undergoes security reviews, including external and internal scanning for vulnerabilities on an ongoing basis by a third party vendor. All vulnerabilities discovered are reviewed by internal security and addressed according to severity.
- Constant Contact has a documented Cybersecurity Incident Response Plan, a 24x7 Command Monitoring Center, a Cybersecurity Incident Commander and an industry leading incident response third party on retainer.
- The Plan undergoes annual tabletop testing and is updated as necessary.
- The Chief Privacy Officer / Data Protection Officer will be informed of any reasonably suspected Customer Data breach and will act as required by the GDPR and other laws as necessary.
- Constant Contact employment offers are contingent upon successful completion of criminal background and reference checks where allowed by law.
- Upon commencing employment, all Constant Contact employees receive information security training and are contractually obligated to confidentiality clauses to ensure that they adhere to Constant Contact’s commitment to security and confidentiality.
- Constant Contact’s information security awareness and training program requires employees complete annual security refresher training.
- Constant Contact patch installation is prioritized based on the severity of the patch with respect to the impact on the hosting services.
- Constant Contact systems are routinely updated per vendor recommendations and industry standards.
- Patch levels on managed systems are monitored and enforced by third party software.
- Constant Contact uses up to date virus scanning software for detecting currently known malware.
- Malware definitions are updated daily and installed as required.
- Operations teams monitor the Constant Contact hosting environment 24x7 for malware infections.