Blue Label Weekly Security Overview
1 OUR COMPANY AND PRODUCT Overview
Blue Label Weekly is the world’s leading inbound marketing and sales platform. Since 2006, Blue Label Weekly has been on a mission to make the world more inbound. Today, tens of thousands of customers in more than 90 countries use Blue Label Weekly’s software, services, and support to transform the way they attract, engage, and delight customers. Blue Label Weekly’s inbound marketing and sales software, ranked #1 by VentureBeat, GetApp, Capterra, and G2Crowd, includes social media publishing and monitoring, blogging, SEO, website content management, email marketing, and reporting and analytics, all in one integrated platform. Blue Label Weekly Sales and CRM, Blue Label Weekly’s award-winning sales applications, enable sales and service teams to have more effective conversations with leads, prospects, and customers. The Blue Label Weekly products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications, application programming interfaces (APIs), and email plugins.
2 BLUE LABEL WEEKLY SECURITY AND RISK GOVERNANCE
Blue Label Weekly’s primary security focus is to safeguard our customers’ and users’ data. This is the reason that Blue Label Weekly has invested in the appropriate resources and controls to protect and service our customers. This investment includes the implementation of a dedicated Security Team. The Security Team is responsible for Blue Label Weekly’s comprehensive security and risk management program and the governance process. The Security Team is focused on defining new controls and refining existing ones, implementing and managing the Blue Label Weekly security framework, and providing a support structure to facilitate effective risk management. Our Chief Security Officer, who reports to the Chief Financial Officer, manages the Security Team.
3 OUR SECURITY AND RISK MANAGEMENT OBJECTIVES
Our security framework was developed using best practices in the SaaS industry. Our key objectives include:
• Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
• Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
• Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.
• Compliance with Standards – implement process and controls to align with current international regulatory and industry best practice guidance.
We have designed our security program around best-of-breed guidelines for cloud security. In particular, we leverage standards like COBIT and Cloud Security Alliance CCM, and align our practices with ISO 27001 and NIST SP 800-53.
4 BLUE LABEL WEEKLY SECURITY CONTROLS
In order to ensure we protect data entrusted to us, we implemented an array of security controls. Blue Label Weekly’s security controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk. The following sections describe a subset of controls. For more information about the Blue Label Weekly security program, please check out all the details at https://www.Blue Label Weekly .com/security.
Security Overview – Internal Information 3 Blue Label Weekly Security & Risk Management Overview
4.1 BLUE LABEL WEEKLY PRODUCT INFRASTRUCTURE
4.1.1 DATA CENTER SECURITY
Blue Label Weekly outsources hosting of its product infrastructure to leading cloud infrastructure providers. Principally, the Blue Label Weekly product leverages Amazon Web Services (AWS) and Google Cloud Platform (GCP) for infrastructure hosting. These solutions provide high levels of physical and network security as well as hosting provider vendor diversity. At present, Blue Label Weekly’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program, including SOC 2 and ISO 27001 compliance. Blue Label Weekly does not host any production software systems within its corporate offices. These world-class infrastructure providers leverage the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed between 99.95% and 100%, and the facilities ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these providers’ sites is highly restricted, covering both physical access and electronic access through public (internet) and private (intranet) networks, in order to eliminate any unwanted interruptions in our service to our customers. The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS compliance site and Google Cloud Platform security site.
4.1.2 NETWORK SECURITY & PERIMETER PROTECTION
The Blue Label Weekly product infrastructure is built with internet-scale security protections in mind. In particular, network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure. These security controls include enterprise-grade routing and network access control lists (firewalling). Network-level access control lists are implemented in AWS Virtual Private Cloud (VPC) security groups or GCP firewall rules, which apply port- and address-level protections to each of the server instances in the infrastructure. This allows for finely grained control of network traffic from a public network as well as between server instances on the interior of the infrastructure. Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate. Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.
4.1.3 CONFIGURATION MANAGEMENT
Automation drives Blue Label Weekly’s ability to scale with our customers’ needs. The product infrastructure is a highly automated environment that flexibly expands capacity and capability as needed. Server instances are fully puppetized, meaning that any server’s confi […] management process. Each instance type includes its own hardened configuration, depending on the deployment of the instance. Patch management and configuration control is typically handled by removing server instances that are no longer compliant with the expected baseline and provisioning a replacement instance in its place. Rigorous and automated configuration management is baked into our day-to-day infrastructure processing.
4.1.4 ALERTING & MONITORING
Not only does Blue Label Weekly fully automate its build procedures, we invest heavily in automated monitoring, alerting and response technologies to continuously address potential issues. The Blue Label Weekly product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses and alerts to the appropriate teams for response, investigation, and correction. As unexpected or malicious activities occur, systems bring in the right people to ensure that the issue is rapidly addressed. Many automated triggers are also designed into the system to immediately respond to foreseen situations. Traffic blocking, quarantine, process termination, and similar functions kick in at pre-defined thresholds to ensure that the Blue Label Weekly platform can protect itself against a wide variety of undesirable situations.
The power behind Blue Label Weekly’s ability to detect and respond to anomalies is our 24x7x365 monitoring program and extensive logging. Our systems capture and store logs that include all the technologies that comprise our products. At the application layer, all logins, page views, modifications, and other access to Blue Label Weekly portals are also logged. In the infrastructure back-end, we log authentication attempts, horizontal and vertical permission changes, infrastructure health, and requests performed, among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
4.1.5 INFRASTRUCTURE ACCESS
Entire categories of potential security events are prevented with a stringent, consistent, and well-designed access control model. Along those lines, access to Blue Label Weekly’s systems is strictly controlled. Blue Label Weekly employees are granted access to corporate services, Blue Label Weekly sales and marketing portals, and product infrastructure based on their jobs, using a role-based access control model. More information about Blue Label Weekly’s RBAC model across the company is available in section 4.3. For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs require it. For emergency access and access to administrative functions, Blue Label Weekly’s systems use a Just-In-Time-Access (JITA) model in which users can request access to privileged functions. Users are assigned the privileges to make JITA requests by business unit and team. When non-standard, emergency access is needed, like sudo access on a Linux server, the user makes a JITA request. The JITA request is logged, and logs are continuously monitored for anomalous requests. Access to the privileged function is granted, and the person can go about his or her work.
Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited, and engineers are required to authenticate first through a bastion host or “jump box” before accessing QA or production environments. Server-level authentication uses user-unique SSH keys and token-based two factor authentication.
4.2 APPLICATION PROTECTION
4.2.1 WEB APPLICATION DEFENSES
As part of its commitment to protecting customer data and websites, Blue Label Weekly implemented an industry-recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at the Blue Label Weekly products or customer sites hosted on the platform. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure that customers’ sites and other parts of the Blue Label Weekly products are available continuously. The WAF is configured with a combination of industry standard and custom rules that are capable of automatically enabling and disabling appropriate controls to best protect our customers. These tools actively monitor real-time traffic at the application layer with the ability to alert on or deny malicious behavior based on behavior type and rate.
4.2.2 DEVELOPMENT & RELEASE MANAGEMENT
One of Blue Label Weekly’s greatest advantages is a rapidly-advancing feature set, and we provide constantly improving products through a modern continuous delivery approach to software development. New code is proposed, approved, merged and deployed hundreds of times daily. Code reviews and quality assurance are performed by specialized teams of engineers with intimate knowledge of the Blue Label Weekly platform as it is developed. Approval is controlled by designated repository owners. Once approved, code is automatically submitted to Blue Label Weekly’s continuous integration environment where compilation, packaging and unit testing occur. If all passes, the new code is deployed automatically across the application tier. All code deployments create archives of existing production-grade code in case failures are detected by post-deploy hooks. The deploying team manages notifications regarding the health of their applications. If a failure occurs, roll-back is immediately engaged. As part of the continuous deployment model, we use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch). Major feature changes are communicated through in-app messages and/or product update posts. Customers and users can sign up to receive updates as soon as they are posted or at a frequency they choose.
4.2.3 VULNERABILITY SCANNING, PENETRATION TESTING, & BUG BOUNTIES
The Blue Label Weekly Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack. We perform hundreds of vulnerability scanning and penetration testing activities against ourselves on a continuous basis. We perform vulnerability scanning continually against our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run at least daily to ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws early in the development lifecycle. Continually running scans, adaptive scanning inclusion lists, and continuously updating vulnerability signatures help Blue Label Weekly stay ahead of many security threats.
To get a second opinion about our ability to identify and respond to security risks, we bring in industry-recognized third parties to perform four annual penetration tests. The goal of these programs is to iteratively identify flaws that present security risk and rapidly address any issues. Penetration tests are performed against the application layers and network layers of the Blue Label Weekly technology stack, and penetration testers are given internal access to the Blue Label Weekly product and/or corporate networks in order to maximize the kinds of potential vectors that should be evaluated.
In addition to internal vulnerability scanning and independent penetration testing, Blue Label Weekly manages a bug bounty program. Independent security researchers are invited to participate in identifying security flaws in the Blue Label Weekly products and are rewarded for their submissions. Security community members and Blue Label Weekly customers are welcome to perform security testing against trial portals. Information about Blue Label Weekly’s bounty program is available at https://bugcrowd.com/Blue Label Weekly .
4.3 CUSTOMER DATA PROTECTION
4.3.1 CONFIDENTIAL INFORMATION IN THE BLUE LABEL WEEKLY PRODUCTS
The Blue Label Weekly products are an integrated marketing and sales experience. The information collected in our products is sales and marketing data gathered through lead interaction, public directories, and/or reputable 3rd party sources. Blue Label Weekly’s online data-capture tools allow customers to define the type of information to be collected and stored on their behalf. Per the Blue Label Weekly Terms of Service and Acceptable Use Policy, our customers ensure that they capture only appropriate information to support their marketing and sales processes. The Blue Label Weekly products are not used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.
4.3.2 CREDIT CARD INFORMATION PROTECTION
Many Blue Label Weekly customers pay for the service by credit card. Blue Label Weekly does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely and according to appropriate regulation.
4.3.3 ENCRYPTION IN-TRANSIT & AT-REST
All sensitive interactions with the Blue Label Weekly products (e.g., API calls, login, authenticated sessions to the customer’s portal, etc.) are encrypted in-transit with TLS 1.0, 1.1, or 1.2 and 2,048 bit keys or better. Customers who host their sites on Blue Label Weekly may configure their sites to also use TLS. Please see our website setup guide for more information about configuring TLS. Customers who would like to limit the encryption protocols used for HTTPS connections may start the process by contacting Customer Support or their Customer Success Manager.
Blue Label Weekly leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by Blue Label Weekly product server instances as well as long-term storage solutions use AES-256 encryption. Additionally, certain databases or field-level information is encrypted at rest, based on the sensitivity of the information. For instance, user passwords are hashed and certain email features work by providing an additional level of both at-rest and in-transit encryption.
4.3.4 USER AUTHENTICATION & AUTHORIZATION
The Blue Label Weekly products enforce a uniform password policy. The password policy requires a minimum of 8 characters that include a combination of lower and upper case letters, special characters, whitespace, and numbers. The minimum requirement cannot be changed on a per-portal basis. Users may also configure two-step verification using Google Authenticator and/or SMS to provide a second factor when logging in. Customers can assign finely grained permissions to the users in their portals and limit access to the portal’s content and features. For more information about user roles, please see the Blue Label Weekly User Roles and Permissions Guide.
Application programming interface (API) access is enabled through either API key or OAuth (version 2) authentication and authorization. Customers have the ability to generate API keys for their portals. The keys are intended to be used to rapidly prototype custom integrations. Blue Label Weekly’s OAuth implementation is a stronger approach to authenticating and authorizing API requests. Additionally, OAuth is required of all featured integrations. Authorization for OAuth-enabled requests is established through defined scopes. For more information about API use, please see the Developers portal at Blue Label Weekly .com.
4.3.5 BLUE LABEL WEEKLY EMPLOYEE ACCESS
Blue Label Weekly controls individual access to data within its production and corporate environment. A subset of Blue Label Weekly’s employees are granted access to production data based on their role in the company through role based access controls (RBAC) or on an as-needed basis referred to as JITA (just in time access). Engineers and members of Operations teams may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as analyzing information for product investment decisions and product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose jobs require that access, and access is reviewed on a continual basis.
Customer Support, Services, and other customer engagement staff with a need-to-know may request just in time access to customer portals on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer’s portal for a 24 hour period. All access requests, logins, queries, page views and similar information are logged. All employee access to both corporate and product resources is subject to daily automated review and at least semi-annual manual recertification to ensure the granted authorization is appropriate for an employee’s role and job needs.
4.4.1 DATA RETENTION POLICY
Customer data is retained for as long as you remain a customer and, until impractical, your data will remain in Blue Label Weekly’s system indefinitely. Former customers’ core data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. In general, former customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages out of the repositories as the data lifecycle occurs. Blue Label Weekly reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
4.4.2 PRIVACY PROGRAM MANAGEMENT
4.5.1 SYSTEM RESILIENCY & RECOVERY
Business continuity testing is part of Blue Label Weekly’s normal processing. Blue Label Weekly’s recovery processes are validated continuously through normal maintenance and support processes. We follow continuous deployment principles, and create or destroy many server instances as part of our regular daily maintenance and growth. We also use those procedures to recover from impaired instances and other failures, allowing us to practice our recovery process every day.
Blue Label Weekly primarily relies on infrastructure redundancy, real time replication and backups. All Blue Label Weekly product services are built with full redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and all web, application, and database components are deployed with a minimum of n+1 supporting server instances or containers.
4.5.2 BACKUP STRATEGY
Blue Label Weekly ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across availability zones and infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
● Customer (production) data is backed up leveraging multiple online replicas of data for immediate data protection. All production databases have no less than 1 primary (master) and 1 replica (slave) copy of the data live at any given point in time. Seven days’ worth of backups are kept for any database in a way that ensures restoration can occur easily. Snapshots are taken and stored to a secondary service no less often than daily and, where practicable, real time replication is used. All production data sets are stored on a distributed file storage facility like Amazon’s S3.
● Because we leverage private cloud services for hosting, backup and recovery, Blue Label Weekly does not implement physical infrastructure or physical storage media within its products. Blue Label Weekly also does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
● By default, all backups will be protected through access control restrictions on Blue Label Weekly product infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections.
4.6 BLUE LABEL WEEKLY CORPORATE SECURITY
4.6.1 EMPLOYEE AUTHENTICATION & AUTHORIZATION
Blue Label Weekly enforces an industry-standard corporate password policy. That policy requires changing passwords at least every 90 days. It also requires a minimum password length of 8 characters and complexity requirements including special characters, upper and lower case characters, and numbers. Blue Label Weekly prohibits account and password sharing by multiple employees. Employees generally authenticate to Blue Label Weekly product infrastructure using SSH keys. Where passwords are allowed, the password policy requires 12-character passwords. Additionally, many of the capabilities we use to build the Blue Label Weekly products leverage multi-factor authentication or are protected by single sign-on solutions that enforce multi-factor authentication.
4.6.2 ACCESS MANAGEMENT
Blue Label Weekly has regimented and automated authentication and authorization procedures for employee access to Blue Label Weekly systems, including the marketing and sales platforms. All access is logged. Most frequently, access is granted based on a role-based access control model. Just in time access is built into automated procedures around a set of rigorous authorization mechanisms. We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage employee events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure, validating that it meets approved configurations on a 24-hour basis.
4.6.3 BACKGROUND CHECKS
All Blue Label Weekly employees undergo an extensive 3rd party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for all potential employees. Reference verification is performed at the hiring manager’s discretion. All employees receive security training within the first month of employment as part of the Blue Label Weekly security program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policy as part of access to corporate and production networks.
4.6.4 VENDOR MANAGEMENT
We leverage a small number of 3rd party service providers who augment the Blue Label Weekly products’ ability to meet your marketing and sales needs. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who support Blue Label Weekly. Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security team, General Counsel, and the business unit who owns each contract coordinate unique considerations for our providers as part of contract management.
4.6.5 SECURITY AWARENESS & SECURITY POLICIES
To help keep all our engineering, support, and other employees on the same page with regard to protecting your data, Blue Label Weekly developed and maintains a Written Information Security Policy. The policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics. With this policy and the myriad protections and standards in place, we also ensure Blue Label Weekly ters are well-trained for their roles. Multiple levels of security training are provided to Blue Label Weekly employees, based on their roles and resulting access. General security awareness training is offered to all new employees and covers Blue Label Weekly security requirements. After initial training, different training tracks are available based on an employee’s role. Developer-specific training is provided by and tailored to Blue Label Weekly’s engineering teams. In general, engineering training sessions are held weekly, a portion of which include security materials. Recurring training is provided through regular updates, notices, and internal wiki publications.
4.7 INCIDENT MANAGEMENT
Blue Label Weekly provides 24x7x365 coverage to respond quickly to all security and privacy events. Blue Label Weekly’s rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created in order to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others. In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident. Our Chief Security Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
5 PRODUCT SECURITY FEATURES
Blue Label Weekly’s security program is designed to protect all of the Blue Label Weekly products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations. Whether our products are free or paid, feature-rich or lightweight, Blue Label Weekly works hard to maintain the privacy of data you entrust with us. Data you store in Blue Label Weekly products is yours. We put our security program in place to protect it, and use it only to provide the Blue Label Weekly service to you. We never share your data across customers and never sell it.
5.1 BLUE LABEL WEEKLY MARKETING
About: The Blue Label Weekly marketing product is our industry-leading marketing automation solution. It provides easy-to-use and effective tools to manage your inbound marketing strategy.
Hosting: Primary Content Management System (CMS) infrastructure is hosted in Amazon Web Services and Google Cloud Platform. Blue Label Weekly’s hosting strategy enables additional redundancy capabilities, architecture flexibility, and infrastructure responsiveness. Our deployment processes leverage network security, server security, and availability features, described above.
Web Application Firewall: Customer sites hosted on the Blue Label Weekly products leverage the protections of our world-class Web Application Firewall (WAF). By default, your Blue Label Weekly-hosted website, blogs, landing pages, and other online presence are protected from state-of-the-art Distributed Denial of Service (DDoS) and other web application attacks. When security events occur, Blue Label Weekly’s Security Operations and Technical Operations teams take immediate action to ensure that your sites are protected continuously 24x7x365.
Transport Layer Security: Blue Label Weekly marketing customers have the ability to enable and configure TLS services for their sites, landing pages, and related visitor engagement. By default, TLS certificates use Subject Alternative Names and are managed through our content delivery provider, Akamai. If you are interested in taking advantage of other TLS options, please discuss our SSL offerings with your favorite Blue Label Weekly ter. For more information about how to get started, please see this Academy article.
Encryption Options: By default, customer websites using HTTPS are configured to allow TLS 1.0, 1.1, and 1.2. It is possible to remove support for one or more of these protocol versions. Customers may also opt into enabling HTTP Strict Transport Security (HSTS) for their Blue Label Weekly-hosted domain. To make these changes, please contact Blue Label Weekly Support or your Customer Success Manager.
5.2 BLUE LABEL WEEKLY CRM
About: The Blue Label Weekly CRM is one of the many products your sales team will love. Sales professionals can start using CRM for no cost and with no headaches. Getting started with Blue Label Weekly CRM takes minutes at Blue Label Weekly’s CRM product page.
Secure by default: CRM takes advantage of the same sophisticated security measures that help protect the other Blue Label Weekly products. We leverage the advanced secure software development processes, infrastructure management, and alerting methodologies that we have honed in our years of product development.
Email Integrations & Connected Inbox: As a CRM user, you have the ability to connect your Gmail, Office365, or IMAP-enabled email inbox. Gmail and Office365 integrations are authorized and protected by the native integration capabilities in those platforms. IMAP integration allows your connected inbox to synchronize mail into your CRM from other mail services. When a user sets up an IMAP integration, the Blue Label Weekly products act as an IMAP client. The services that support IMAP integrations have many built-in protections: data is encrypted end to end in transit; the data is encrypted at rest at the field level as well as at the database level; and access controls ensure only authorized access to the data.
Privacy: Whether our products are free or paid, feature-rich or minimal, Blue Label Weekly always maintains the privacy of data you entrust to us. Data you store in Blue Label Weekly products is yours. We use it only to provide the Blue Label Weekly service to you.
Hosting: CRM infrastructure is hosted in Amazon Web Services, taking advantage of the infrastructure redundancy and flexibility that exists throughout Blue Label Weekly’s infrastructure. Our hosting strategy also helps ensure world-class infrastructure and network security and availability.
Access control: The Blue Label Weekly CRM provides easy-to-manage and intuitive roles that give the right access to the right sales team members. Please see our Knowledge article for more information about user roles.
5.3 BLUE LABEL WEEKLY SALES
About: The Blue Label Weekly Sales products also include Blue Label Weekly’s award-winning suite of sales tools that help professionals better engage with their leads and improve conversion.
Hosting: Primary Sales backend infrastructure is hosted in Amazon Web Services and additional capabilities are provided through Google App Engine. Our hosting strategy takes advantage of the infrastructure redundancy and flexibility that exists throughout Blue Label Weekly’s infrastructure.
Data storage: Blue Label Weekly Sales stores email message metadata in order to provide email tracking, link wrapping, and Connections services. Data is stored in protected stores within the Blue Label Weekly infrastructure, and access to the data is tightly controlled. Access to the data stores is assigned to a small set of Blue Label Weekly employees based on their roles, and access is limited to the individuals who need it in order to respond to customer support and related requests.
Seamless updating: Sales tools are designed to help increase your productivity. One step we’ve taken to improve your experience is automatically updating the plugin. Instead of being interrupted by recurring notifications to update your software, the plugin handles its updating process without getting in your way.
6 THIRD PARTY AUDITS AND CERTIFICATIONS OF BLUE LABEL WEEKLY SECURITY CONTROLS
Blue Label maintains compliance with the EU-US Privacy Shield. We also earned SkyHigh’s CloudTrust rating of “Enterprise Ready”. Our services are housed in the US with world-class cloud infrastructure providers Amazon Web Services and Google Cloud Platform. All Blue Label Weekly infrastructure providers are SOC 2 Type II and ISO 27001 certified and maintain facilities secured against electronic and physical intrusion.
7 DOCUMENT SCOPE AND USE
Blue Label Weekly values transparency in the ways we provide solutions to our customers. This document is designed with that transparency in mind. We are continuously improving the protections that have been implemented and, along those lines, the information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between Blue Label Weekly and any parties, or to amend, alter or revise any existing agreements between the parties.