As a potential Business or Enterprise customer, your organization may be seeking answers to questions pertaining to best practices and procedures Venngage adheres to. Below is a list of FAQs related to standard vendor assessments.

Question

Answer

Are background checks conducted on all employees?

Yes, Venngage performs complete background checks on all employees prior to their start date with Venngage.

Do you have a documented set of information security policies and procedures?

Yes, Venngage internally documents and follows best practices regarding the documentation and revision of security policies and standard operating procedures.

Are any user account credentials, login details, or other user authentication information required?

Users of the application will only need to know their own email and password for their account, in addition to the code that is sent as part of any MFA challenge.


Is there a difference between the Business and Enterprise plans in terms of security?

While our normal authentication system stipulates a single length and complexity of password for all other user types, Enterprise teams are able to customize these settings for only their Enterprise team, including:

  • Adding Multi-Factor Authentication using emailed and/or SMS codes. The length and complexity of these codes can be set.

  • Setting different minimum/maximum password lengths.

  • Setting different required characters for passwords - upper and lowercase, special characters, and numbers.

  • Choice of cryptographic hash, including SHA-256, MD5, HMAC SHA-256, PBKDF2 with SHA-256, and Bcrypt. All options are salted.

  • Ability to reject reuse of any of the last N passwords, where N is customizable.

  • Locking of accounts after failed authentication (the number of failed attempts and the time period to check are both customizable).

  • Ad-hoc locking of accounts, as needed (e.g., if an account is suspected to be compromised, we can lock that user for the tenant).
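
How password-history rejection and windowed lockout from the list above can be enforced when stored hashes are salted, as an added example that is not Venngage's code. It uses PBKDF2 with SHA-256 (one of the listed options); `TeamPolicy`, `Account`, every field name and all default values are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class TeamPolicy:                      # hypothetical per-team settings
    min_length: int = 12
    max_length: int = 128
    history_depth: int = 5             # reject reuse of the last N passwords
    max_failures: int = 5              # lock after this many failures...
    failure_window_s: int = 300        # ...within this many seconds
    pbkdf2_iterations: int = 600_000   # assumed work factor, not from the page

@dataclass
class Account:
    history: list = field(default_factory=list)   # [(salt, digest)], newest last
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked: bool = False

def _derive(password, salt, policy):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               policy.pbkdf2_iterations)

def set_password(acct, password, policy):
    if not policy.min_length <= len(password) <= policy.max_length:
        return "length"
    # Salted digests cannot be compared to each other: the candidate must be
    # re-derived under each stored salt to detect reuse.
    recent = acct.history[-policy.history_depth:] if policy.history_depth else []
    for salt, digest in recent:
        if hmac.compare_digest(_derive(password, salt, policy), digest):
            return "reused"
    salt = os.urandom(16)
    acct.history.append((salt, _derive(password, salt, policy)))
    acct.history = acct.history[-max(policy.history_depth, 1):]
    return "ok"

def login(acct, password, policy, now):
    if acct.locked:
        return "locked"                # stays locked until an admin clears it
    if not acct.history:
        return "denied"
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_derive(password, salt, policy), digest):
        acct.failures.clear()
        return "ok"
    # Only failures inside the sliding window count toward the threshold.
    window = policy.failure_window_s
    acct.failures = [t for t in acct.failures if now - t < window] + [now]
    acct.locked = len(acct.failures) >= policy.max_failures
    return "locked" if acct.locked else "denied"
```
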

Are there any pre-requisites required in order to launch the application (i.e., server or database login information, redistributable package files, or other dependencies)?

No. We are a cloud SaaS solution, so there are no dependencies to run the software.

What data does Venngage collect and how?

The only personal information Venngage asks for is your role and organization. These are used solely for product research purposes.

All financial information is collected and stored by Stripe, and Venngage is PCI compliant in our handling of this data.

Venngage tracks user actions on our site (Mixpanel/Intercom) in order to better inform us when it comes to making product decisions, and for marketing communications purposes.

Any other information collected is provided by the user (whatever they include in their designs, etc.). Any sensitive/private information in their designs is put there at their own risk.

Venngage IS able to access user-created designs (and therefore the data in them). However, we only ever access these designs when support is requested from our support team.

Venngage does not sell data to any third parties. The data is only accessible by Venngage, and not even everyone at Venngage has administrative access.

Where is Venngage data stored?

All Venngage data and infrastructure are US-based, hosted on AWS US-East-1 servers.

Are any external cloud solutions used?

Yes, Venngage utilizes Amazon Web Services (AWS); the data is stored in the US (US-East-1 servers).

Venngage also utilizes Stripe as our payment gateway, which stores users' financial information.

No other third-party service has access to user data.

Does Venngage offer SaaS solution architecture diagrams?

Yes, solution architecture diagrams are available upon request. Please contact info@venngage.com to request them.

Is Venngage data backed up?

Yes, backups occur on AWS servers in Northern Virginia.

Is backup media stored offsite?

Yes, on AWS servers.

Are backups encrypted?

Yes

Is all of our data encrypted in storage / at rest?

Yes

How do you handle data destruction for our data, old disk drives, and removable media?

We don't store/own any physical data copies. Any data stored on AWS servers can be deleted if requested; we abide by the "right to be forgotten".

Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?

Secure deletion is handled by AWS; we don't own any onsite/private servers.

How long is data retained until it is deleted?

In accordance with our Terms of Service, we will keep user data for up to eight years after their last activity. However, if a user requests that we delete their data, we abide by the "right to be forgotten".

Do non-employees use or have access to Venngage's computers or networks?

No

Is there a security monitoring system in place?

Yes

Describe how you will access our data.

The only personal information Venngage asks for is your role and organization. These are used solely for product research purposes.

All financial information is collected and stored by Stripe, and Venngage is PCI compliant in our handling of this data.

Venngage tracks user actions on our site (Mixpanel/Intercom) in order to better inform us when it comes to making product decisions, and for marketing communications purposes.

Any other information collected is provided by the user (whatever they include in their designs, etc.). Any sensitive/private information in their designs is put there at their own risk.

Venngage IS able to access user-created designs (and therefore the data in them). However, we only ever access these designs when support is requested from our support team.

Venngage does not sell data to any third parties. The data is only accessible by Venngage, and not even everyone at Venngage has administrative access.

Will Venngage employees use their devices to access our systems or process our data?

No

Will you need to access any tools within our environment to perform the proposed services?

No

Is access on applications, operating systems, databases, and network devices provisioned according to the principle of least privilege?

Yes

Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?

Yes

Do you restrict, log, and monitor access to your information security management systems?

Yes

Is there a policy in place that restricts employees from connecting via a public WiFi (e.g., Starbucks)?

Connection to our servers can only be established via secure VPN.

Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?

Yes

Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?

Only for Enterprise account plans

Do you have a SIEM tool for log aggregation and network monitoring?

Yes, Venngage utilizes Amazon CloudWatch.

Are Venngage mobile devices able to access T2 data?

No

Do external parties have access to our systems or data?

The only personal information Venngage asks for is your role and organization. These are used solely for product research purposes.

All financial information is collected and stored by Stripe, and Venngage is PCI compliant in our handling of this data.

Venngage tracks user actions on our site (Mixpanel/Intercom) in order to better inform us when it comes to making product decisions, and for marketing communications purposes.

Any other information collected is provided by the user (whatever they include in their designs, etc.). Any sensitive/private information in their designs is put there at their own risk.

Venngage IS able to access user-created designs (and therefore the data in them). However, we only ever access these designs when support is requested from our support team.

Venngage does not sell data to any third parties. The data is only accessible by Venngage, and not even everyone at Venngage has administrative access.

Is a formal risk assessment performed on third parties? What is the difference between Business and Enterprise plans in terms of security?

Yes. Enterprise has password controls and 2FA.

How is data transferred between your company and us?

All data is stored on our AWS servers. Data is transferred via best-practice protocols (TLS 1.2).

Is all data transfer outside of your network encrypted in transit?

Yes

Do you prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of our information?

We follow best practices and protocols to prevent any unauthorized access or exfiltration of data.

Does our data reside in a datacenter?

Yes

Do you implement network access control?

Yes

Does Venngage follow procedures to manage threat and vulnerability assessment tools, and the data they collect?

Yes

Do you have Cyber Insurance Policies?

Yes
