Enterprise Grade Security

Security Overview

SOC2 Compliance - Type I & Type II

SOC2 Compliance - Type I & Type II

Service Organization Control 2 (SOC 2) is a component of the Service Organization Control reporting platform of the American Institute of CPAs (AICPA). SOC 2 is a technical auditing process and certification that measures security and availability. It serves as an assurance to customers that their data is being managed in a controlled and audited environment.

When a business is SOC 2 compliant, it signifies the implementation of proper security systems to ensure security, availability, processing integrity, confidentiality, and privacy of customer data.

SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.

There are two types of SOC 2 audits:

Type I: The report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.

Type II: The report details the operational effectiveness of a vendor’s systems, and includes a historical element that shows how controls were managed by a business over a minimum of six months.

Instapage became SOC 2 Type I compliant in November 2019, and as of May 2020 we are now Type II compliant as well.

Risk Management

Instapage has a documented Information Security Risk Management Policy ensuring a systematic approach for measuring, managing, and reporting information security related risks within our environment. Any identified risks to our environment will be inventoried, managed in a central location, and remediated appropriately based on severity level. Additionally, Instapage has implemented a process to perform third-party risk assessments on our vendors who store and/or transport our data.

Privacy

Instapage takes the privacy of our clients and our clients’ visitors seriously in order to build and maintain trust with all our customers. In light of the European Court of Justice ruling of July 16th 2020, which no longer recognizes the Privacy Shield Framework as a valid mechanism for complying with EU data protection requirements when transferring personal data from the EU to the US, please note:

Instapage is still following the ISO 27001 and NIST 800-53 best practices and is SOC 2 Type II certified. We remain CCPA and GDPR compliant and are committed to following best data privacy practices according to these regulations' principles. In doing so, we have implemented an Information Security Program to ensure the confidentiality, integrity, and availability of data — all to ensure we increase our efforts to continually affirm our compliance with both the GDPR and CCPA laws.

Moreover, Instapage has a Data Privacy and Protection Program as well as a formal Data Handling Training guide. Our employees and contractors undergo training during employee onboarding and awareness training is performed annually.

Additionally, as mentioned here, we have adequate safeguards to transfer personal data in non-EEA countries and we have reasonable security controls in place to secure the data.

Information Security Program

Instapage has implemented a formal Information Security Program which includes Architecture, Charter, Policies, and Processes. Our Information Security Policy and Processes are aligned to ISO 27001/2 and NIST 800-53 frameworks and are reviewed and updated annually – or in the instance of a major business change. The policies include the following: Information Security Program Governance Policy; Security Architecture Policy; Security Operations Policy; People Security; Third Parties Policy; Physical Security Policy; Business Continuity Policy; and Compliance Security. Processes are performed within our environment to support the policies listed above.

Asset & Information Management

Our Compliance Security Policies identify several levels of data sensitivity and classification that are safeguarded by our best-of-industry infrastructure and security controls. Amazon Web Services (AWS) and Google Cloud Platform (GCP) hold the most critical and relevant industry, compliance and regulatory certifications, which are integrated across our cloud hosted infrastructure. Instapage has implemented an asset inventory process that is managed within each location/office using a formal, documented management process. Each asset has an assigned owner who is responsible for that asset, and the asset is maintained in accordance with the restrictions of its classification. Additionally, all assets are returned to Instapage once the assigned owner leaves the company or no longer has a use for the asset.

U.S./EU and U.S./CH Privacy Shield

Instapage is Privacy Shield certified within both the U.S./EU Privacy Shield Framework and the U.S./Swiss Privacy Shield Framework.

You can check on our active participation through Privacy Shield Framework’s website here: https://www.privacyshield.gov/participant?id=a2zt0000000PKpfAAG&status=Active

These Privacy Shield certifications are critical to protecting data that is shared between the U.S., European Union, and Swiss networks. With these frameworks in place, Instapage shows that it is committed to protecting personal data. These protections were developed by the U.S. Department of Commerce in consultation with the European Commission and Swiss Government, as well as with industry stakeholders, to provide companies a way to legally comply with data protection requirements that are developed by participating governments.

For more details, please read our privacy policy: https://instapage.com/privacy-policy

Security Operations

Human Resources Security

Personal data is systematically destroyed, erased and/or anonymized at the end of the contract where personal data is no longer needed or upon client request. Instapage performs onboarding and offboarding processes of employees and contractors. The offboarding of employees and contractors is enacted within 24 hours followed by the return of provisioned materials. This mitigates the risk of privileged and sensitive information being disclosed.

People Security

Employees receive information security training and awareness during onboarding as well as annually. This training maps to our functional human resources and information security policies and is incorporated into our employees’ work habits and routines. Two-factor authentication is required of employees where applicable. Employees and contractors are bound to maintain the confidentiality of all data pursuant to non-disclosure agreements (NDAs) as well as our code of ethics.

Physical & Environmental Security

Employees are issued electronic key cards or access codes for entry into our facilities. Additionally, our facilities include a security guard as well as CCTV monitoring; access and CCTV logs are retained for 90 days and regularly reviewed. A process has been established for logging visitors who enter and exit our facility, and visitors are escorted by an Instapage employee. Our cloud hosted facilities have perimeter fencing, vehicle access barriers and security alarms, which act as both preventative and detective security measures.

Access Control

Instapage has a documented Identity Management Policy and Processes to identify, authenticate, and authorize identities to Instapage’s systems and applications. Access is provided on a need-to-know basis and conforms to the principle of least privilege. Access logs are reviewed quarterly and individuals are removed where needed. VPN is required for all remote employees.

Security Architecture

Application Security

We currently use configuration change management for Operating System (OS) patching and updating, together with endpoint antivirus protection. We are currently working to enhance, improve and scale out our application security across all endpoints to prevent, deter and mitigate application layer threats. Our current SDLC uses a framework that is based on Agile methodologies. The framework is comprised of a set of well-known, mature processes, tools, and technologies. This allows us to create high quality and secure code by following a consistent, repeatable, and automated process. Our SDLC is currently undergoing a thorough review as part of an ongoing effort to continuously improve the quality and security of our software.

Incident Event & Communication Management

Instapage has a documented Information Security Incident Management Program that identifies, manages, responds, and resolves incidents in a timely manner. The Information Security Incident Management Program includes identified roles and responsibilities, and proactive capabilities within its processes, which has been integrated within our Vulnerability Management Program to identify potential incidents caused by vulnerabilities.

Business Resiliency

Instapage has a management approved Business Continuity Policy and Processes to ensure the availability of business services and processes at Instapage. A formal Business Continuity and Disaster Recovery Program has been developed.

End User Device Security

Instapage has a formal Security Operations Workstation Management Program which implements formal and secure processes to manage the operational activities associated with workstations within the environment. This is done by ensuring that only approved and authorized workstations are allowed to connect to Instapage’s network and that all access to workstations conforms to the Identity Management Program. Additionally, our Mobile Device Management Policy implements formal and secure processes to manage the operational activities associated with mobile devices within the environment. Identity and access management is enforced with password complexity, encrypted session management, and two-factor authentication where applicable.

Network Security

Instapage has a Security Architecture Management Policy which ensures appropriate preventative and detective network safeguards are in place. This includes, but is not limited to, the following: encryption in transit as well as at rest, using TLS 1.2; network intrusion detection and prevention; browser session encryption and validation; host-based anti-virus with real-time signature updates; and full disk encryption. We also perform quarterly vulnerability assessments and annual penetration tests. Identified vulnerabilities are appropriately remediated based on their criticality (i.e., critical, high, medium, or low).

Threat Management

Instapage has implemented a Vulnerability Management Program to identify, prioritize, manage, and report on the threats and vulnerabilities of Instapage using a risk-based approach. All employees and contractors are responsible for reporting all discovered security vulnerabilities, which are appropriately remediated based on their criticality.
