Introduction
Completely eliminating the need for the manual instrumentation (tagging/coding) of website events, Convizit delivers a data stream of every user action in every webpage, already named and enriched with rich event properties, into any destination system (e.g., analytics, CDP and marketing platforms).
As a company focused on processing data on behalf of others, Convizit has made security a top priority. From end to end, Convizit handles data with the utmost dedication and integrity. This document presents many of the specifics of how your data is comprehensively protected and secured.
Securing Data at Every Phase
Convizit collects, processes, stores and delivers user activity data from websites and web applications. This data transverses three distinct phases:
- Raw data is collected on the client side (within web browsers).
- Data is routed and transformed within Convizit’s infrastructure.
- Final processed data is sent to your enabled integrations (destination systems).
Data Collection
Upon page load, Convizit’s small code snippet asynchronously downloads Convizit’s complete tracking script into the visitor’s browser via Amazon Web Services’ Content Distribution Network (CDN).
Once running, the tracking script intelligently captures raw visitor interaction data, using standard browser API event listeners and DOM analysis. The tracking script sends this raw data to Convizit’s back-end servers for processing, enrichment, structuring and delivery into enabled integrations (destinations).
The tracking script creates first-party cookies in the visitor’s browser and/or uses the web storage API (local storage) in order to identify anonymous visitors across sessions (there is a seamless automatic fallback between these options according to their availability). There is an option to disable the use of cookies.
Securing Data in Transit
All data in transit is always secured with TLS 1.2+ (using the HTTPS protocol). This occurs at three stages in Convizit’s solution:
- Convizit’s client-side tracking script sends data captured in the browser to Convizit’s back-end servers for processing.
- Convizit’s back-end servers send processed user behavior data into your choice of integrations (e.g., analytics platform, customer data platform, data warehouse) over secure TLS connections using each integration’s own SDK or secure API.
- Convizit provides a web-based application to view and/or modify certain customer data stored on its servers. During the use of this application, customer data is transmitted bidirectionally between the user’s browser and Convizit’s servers.
Securing Data within Convizit’s Infrastructure
Convizit’s public-facing servers receive all traffic through public load balancers managed by Amazon Web Services (AWS) and are protected by Amazon Web Application Firewall and Amazon GuardDuty.
Data routed within Convizit’s infrastructure occurs within an Amazon Virtual Private Cloud (VPC). All data is transferred within private subnets that are inaccessible from the public Internet. The data is routed through several back-end services and data stores.
Access for administrators is performed through Convizit’s secure VPN servers. Aside from administrator access, only instances inside the VPC are able to access one another. Administrator access is protected by multi-factor authentication, strong password policies and a complete audit trail for all administrator actions.
Convizit provides a web-based application that allows users (authorized by Convizit and/or its customers) to view and manage customer projects (a customer project consists of the settings that define how Convizit captures the website’s data, along with a small sample of captured data). The functionality of this application requires that data is transmitted bidirectionally between the user’s browser and Convizit’s servers. These data transmissions are secured with TLS 1.2+ (using the HTTPS protocol).
User access to the Convizit web application is granted via individual accounts protected by a username and password. Each such user account is assigned one of five access levels to each specific project to which the account has access. These are the five different levels of user permissions in the system:
- Master Admin – Convizit administrators and other authorized Convizit employees with admin access to all projects
- Owner – Admin-level access to one or more projects, plus the ability to change the Owner of a project to a new Owner
- Admin – Access to one or more projects, including the ability to view sample customer data, edit data capture settings, and change project settings (except to change the Owner of a project)
- Editor – Access to one or more projects, including the ability to edit data capture settings, without access to project settings
- Viewer – View-only access to one or more projects
Securing Data at Rest
Customer data is securely stored in one or more of Convizit’s data stores (within the secure VPC) and is not accessible from the public Internet. All data at rest is encrypted using 256-bit Advanced Encryption Standard (AES-256-GCM) keys that are not exportable. Keys are managed for strict access control and lifetime policies by Amazon KMS.
Convizit is a multi-tenant system. All data is logically partitioned by customer identifiers of the data source, while access to it is controlled using least-privilege principles through IAM roles and permissions.
Customer data is retained for a default of 60 days (may be changed upon customer request). You can elect to have your entire dataset deleted at any time upon request (although this will limit the functionality of Convizit’s services). You may also elect to have data related to a specific user deleted at any time, upon request.
Convizit’s data is hosted in the AWS Ireland region and all data and services are replicated across multiple availability zones to avoid outages and prevent data loss. All customer data is backed up on a daily basis, in order to minimize the possibility of data loss or service disruption.
Customer metadata, such as login information to Convizit’s administration tools, is encrypted and hashed using industry standards.
Secure SDLC and Continuous Monitoring
Convizit’s system is designed according to Amazon’s well-architected framework and is reviewed on an ongoing basis by AWS Solution Architects in order to meet industry standards and security best practices.
Convizit develops and deploys software according to the Secure Software Development Lifecycle (Secure SDLC). The company performs risk assessments and thread modeling during the design phase, static code analysis of Convizit’s code and open-source dependencies during the development, security testing and code review prior to deployment and automatic security assessment, configuration management, monitoring and post-deployment auditing.
Convizit validates configuration management and compliance through AWS Config, auditing through AWS Cloudtrail, thread prevention through AWS Guard Duty and security monitoring and alerting through AWS Security Hub. Any security incident is automatically alerted, reviewed and resolved by Convizit’s security response team.
Data Privacy
Convizit is dedicated to ensuring compliance with all applicable company policies and regulatory requirements as regards the capture of private customer data.
To ensure that no personally identifiable information (PII) or other regulated data is collected, Convizit combines automatic exclusion of certain types of website content with manual mechanisms that allows customers (website/application owners) to exclude portions of their website/application from being captured by Convizit:
- Automatic PII capture prevention – By default, Convizit does not capture the content of text boxes or address fields. Captured texts are analyzed to detect patterns indicative of PII and they are excluded automatically.
- Simple UI exclusion methods – Convizit provides two UI-based methods to prevent the capture of specific on-page elements. One is based on CSS selectors, while the other relies on Convizit’s heuristic identification of element groups. Both of these options are accessible in Convizit’s web-based application.
- Manual exclusion method – You can add a
convizit-ignore="true"
parameter to the HTML tag of any element, or group of nested elements. Convizit will not capture any visitor activity data related to ignore-tagged elements.
Commitment to Privacy and Security Compliance
Convizit’s Privacy Notice reflects the company’s data collection and processing practices, onward transfer, data subject rights, data security measures and retention.
The company institutes DPAs with its processors to ensure compliance with GDPR by such processors, and is in the process of designating a representative in the European Union.
The company has implemented internal policies relating to various privacy and data protection matters, such as information security, data breach, access requests, business continuity, data retention, employee privacy awareness training and access control, and is making ongoing efforts to implement and maintain appropriate technical and organizational measures to keep personal data secure. The company has “records of processing” as required under GDPR.
Convizit complies with CIS AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices v1.0.0 through AWS Security Hub, and performs compliance management through AWS Config.
Questions?
When it comes to security, Convizit’s focus never wavers, and the company’s entire team is dedicated to comprehensive data security and privacy, while delivering its best-in-class solution. Please address any security-related questions to info@convizit.com.