As a potential Business or Enterprise customer, your organization may be seeking answers to questions pertaining to best practices and procedures Venngage adheres to. Below is a list of FAQs related to standard vendor assessments.
Question | Answer |
Are background checks conducted on all employees? | Yes, Venngage performs complete background checks on all employees prior to their start date with Venngage. |
Do you have a documented set of information security policies and procedures? | Yes, Venngage internally documents and follows best practices regarding the documentation and revision of security policies and standard operating procedures. |
Are there any user account credentials or login information required for this purpose/user authentication information? | Users of the application will only need to know their own email and password for their account, in addition to the code that is sent as part of any MFA challenge. |
Is there a difference between the Business and Enterprise plans in terms of security? | While our normal authentication system stipulates a single length and complexity of password for all other user types, Enterprise teams are able to customize these settings for only their Enterprise team, including:
|
Are there any pre-requisites required in order to launch the application (i.e., server or database login information, redistributable package files, or other dependencies)? | No, we are a cloud SaaS solution; there are no dependencies to run the software. |
The only personal information Venngage asks for is your role and organization. These are used solely for product research purposes. | |
Where is Venngage data stored? | All Venngage data and infrastructure is US-based, hosted on AWS US-East-1 servers. |
Are any external cloud solutions used? | Yes, Venngage utilizes Amazon Web Services (AWS). The data is stored in the US (US-East-1 servers). |
Does Venngage offer SaaS solution architecture diagrams? | Yes, solution architecture diagrams are available upon request. Please contact info@venngage.com to request them. |
Is Venngage data backed up? | Yes, backups occur on AWS servers in North Virginia. |
Is backup media stored offsite? | Yes, on AWS servers. |
Are backups encrypted? | Yes |
Is all of our data encrypted in storage / at rest? | Yes |
How do you handle data destruction for our data, old disk drives, and removable media? | We don't store/own any physical data copies. Any data stored on AWS servers can be deleted if requested; we abide by the "right to forget". |
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data? | Secure deletion is handled by AWS; we don't own any onsite/private servers. |
How long is data retained until it is deleted? | In accordance with our Terms of Service, we will keep user data for up to eight years after their last activity. However, if a user requests that we delete their data, we abide by the "right to forget". |
Do non-employees use or have access to Venngage's computers or networks? | No |
Is there a security monitoring system in place? | Yes |
Describe how you will access our data. | The only personal information Venngage asks for is your role and organization; this is used solely for product research purposes. |
Will Venngage employees use their devices to access our systems or process our data? | No |
Will you need to access any tools within our environment to perform the proposed services? | No |
Is access on applications, operating systems, databases, and network devices provisioned according to the principle of least privilege? | Yes |
Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? | Yes |
Do you restrict, log, and monitor access to your information security management systems? | Yes |
Is there a policy in place that restricts employees from connecting via a public WiFi (e.g., Starbucks)? | Connection to our servers can only be established via a secure VPN. |
Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data? | Yes |
Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement? | Only for Enterprise account plans |
Do you have a SIEM tool for log aggregation and network monitoring? | Yes, Venngage utilizes Amazon CloudWatch. |
Are Venngage mobile devices able to access T2 data? | No |
Do external parties have access to our systems or data? | The only personal information Venngage asks for is your role and organization; this is used solely for product research purposes. |
Is a formal risk assessment performed on third parties? What is the difference between Business and Enterprise plans in terms of security? | Yes. Enterprise has password controls and 2FA. |
How is data transferred between your company and us? | All data is stored on our AWS servers. Data is transferred via best-practice protocols (TLS 1.2). |
Is all data transfer outside of your network encrypted in transit? | Yes |
Do you prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of our information? | We follow best practices and protocols to prevent any unauthorized access or exfiltration of data. |
Does our data reside in a datacenter? | Yes |
Do you implement network access control? | Yes |
Does Venngage follow procedures to manage threat and vulnerability assessment tools, and the data they collect? | Yes |
Do you have Cyber Insurance Policies? | Yes |
Do you have a documented set of information security policies and procedures? | Yes |