This article provides an overview of security information pertaining to the internal controls at Constant Contact and the services that Lead Gen & CRM provides to customers. This article is meant for Lead Gen & CRM direct customers, agency partners, and potential prospects. Agency partners should use the information contained in this document to answer basic security questions their customers may have.
- Information Obsolescence
- Standards, Regulatory Measures, and Compliance
- General Data Protection Regulation Compliance
- Data Protection
- Information Security Management System
- Lead Gen & CRM Information Security Policy
- Internal Organization
- Human Resources
- Physical and Environmental Security
- Data Backup and Monitoring
- Access Control
- Systems Development and Maintenance
- Business Continuity and Disaster Recovery
- Vulnerability Assessment and Management
Constant Contact gives the information contained in this article in good faith only and without any warranties or representations as to the accuracy or completeness of the information.
Constant Contact expressly excludes all warranties, conditions, and other terms implied by law; and all liability for losses arising from customer, partner, or third-party reliance on the information contained in this article. This does not affect Constant Contact's liability for fraud or fraudulent misrepresentation, or any other liability, which cannot be excluded or limited under applicable law.
The information in this article is subject to change at any time, and Constant Contact will use reasonable endeavors to update this information on a regular basis.
The following table contains terms used with data protection at Constant Contact.
Approved Scanning Vendors.
This data includes the Primary Account Number, Cardholder Name, Service Code, and Expiration Date.
Information received from clients in any form for processing in production by Constant Contact. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Information collected and used by Constant Contact in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
The Health Insurance Portability and Accountability Act. As Lead Gen & CRM does not store or process health records, Constant Contact is not required to be HIPAA-compliant. Constant Contact does not have plans to be compliant with HIPAA.
Payment Card Industry—Data Security Standard.
Any information relating to an identified or identifiable natural person (otherwise known as a data subject). Natural persons are those who can be identified—directly or indirectly—in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
Personally Identifiable Information.
Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence Constant Contact's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.
A compliance framework around the transfer of data from the EU to US. The EU-US Privacy Shield is a replacement for the Safe Harbor.
Qualified Security Assessor.
The International Safe Harbor Privacy Principles or Safe Harbor Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information.
This data includes the Full Magnetic Strip Data, CAV2/CVC2/CVV2/CID, and PIN/PIN Block.
Site reliability engineering (SRE) is a discipline that incorporates aspects of software engineering and applies them to IT operations problems. The main goals are to create ultra-scalable and highly reliable software systems.
Information is not confidential and can be made public without any implications for Constant Contact. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.
Standards, Regulatory Measures, and Compliance
Constant Contact is regulated by the United States Securities and Exchange Commission and goes through yearly audits by a registered third-party auditor to ensure compliance.
With regard to the Payment Card Industry Data Security Standard (PCI-DSS), Constant Contact utilizes Authorize.net's own PCI-compliant payment processing services to accept, store, and process all Cardholder Data and all Sensitive Authentication Data. The only portions of Cardholder Data or Sensitive Authentication Data stored on Constant Contact's servers are as follows:
- Expiration dates
- Address information
- Cardholder names
Once Constant Contact's pending qualified security assessor (QSA)-issued audit of PCI-compliant security controls is complete, Constant Contact will provide the attestation of compliance, the scope, and the PCI Responsibility Matrix from the in-house QSA and Compliance Team. However, Constant Contact will not release the full PCI-DSS Report on Compliance, as it contains proprietary and commercially sensitive details of Constant Contact security processes. Proof of Constant Contact's payment processing service provider's own PCI compliance is described in detail in Authorize.net's Security Compliance documentation.
Constant Contact is not Health Insurance Portability and Accountability Act (HIPAA)-compliant. This standard is required when processing personally identifiable information relating to consumer health information. As a rule, Lead Gen & CRM does not store this type of data. As Constant Contact is not in an industry regulated by HIPAA standards, Constant Contact does not need HIPAA compliance to operate.
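The storage scope described above (the processor handles the card; only expiration date, address information and cardholder name are retained locally) can be enforced in code before anything is persisted. The following is an added example, not Constant Contact's or Authorize.net's own code; the field names and the sample record are constructed, and the Luhn check is used only to catch a PAN typed into a free-text field:

```python
"""Data-minimisation filter for card records at rest.

Added example (not Constant Contact's own code). It enforces the storage scope
the page describes: the processor handles the card itself, and only the
expiration date, address information and cardholder name are retained locally.
Field names and the sample record below are constructed for illustration.
"""
import re

# Fields the page says may be stored locally (key names are assumptions).
ALLOWED_FIELDS = {"expiration_date", "cardholder_name", "billing_address"}

# Matches a run of 13-19 digits, optionally separated by spaces or dashes,
# i.e. the shape of a Primary Account Number typed into a free-text field.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if the text holds a Luhn-valid 13-19 digit run (a probable PAN).

    Luhn alone yields some false positives (about one in ten random digit
    runs), so treat a hit as "block and investigate", not proof of a card.
    """
    for match in _DIGIT_RUN.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return True
    return False


def minimize_card_record(record: dict) -> tuple:
    """Keep only the allowed fields; refuse the record if a PAN leaked into them.

    Returns (fields_to_store, names_of_dropped_fields). Everything not in
    ALLOWED_FIELDS (PAN, service code, track data, CVV2/CID, PIN block, ...)
    is dropped rather than stored, whatever key the caller used for it.
    """
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    dropped = set(record) - ALLOWED_FIELDS
    for key, value in kept.items():
        if isinstance(value, str) and contains_pan(value):
            raise ValueError(f"PAN-like value in retained field {key!r}; not storing")
    return kept, dropped


# Constructed sample: what a checkout form might post before the processor call.
SAMPLE_RECORD = {
    "cardholder_name": "Pat Example",
    "expiration_date": "12/29",
    "billing_address": "1 Example Street, Exampleton",
    "card_number": "4111 1111 1111 1111",   # well-known test PAN, never a real card
    "cvv2": "123",
}

if __name__ == "__main__":
    stored, dropped = minimize_card_record(SAMPLE_RECORD)
    print("stored:", stored)
    print("dropped before persistence:", sorted(dropped))
```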
General Data Protection Regulation Compliance
The European Union General Data Protection Regulation (GDPR) is a law that expands on the earlier European Union data protection law (the Data Protection Directive of 1995). The law was enacted on 27 April 2016 and took effect on 25 May 2018. Constant Contact has updated its terms, privacy policies, and infrastructure to be in full compliance with the GDPR.
Constant Contact's policy on the classification and safe handling of data is a defined Information Classification Policy that identifies all customer data as confidential. It also addresses the marking and handling requirements of documentation.
All sensitive data shared between the application, extranet, tracking endpoints, and servers is transferred using Transport Layer Security (TLS) protocols with up-to-date ciphers utilizing (a minimum of) 256-bit RSA encryption keys. Credentials are stored in an encrypted on-disk format so that the data is not compromised in the event of a data theft or data breach incident.
The duty to observe all policies and procedures is described in Constant Contact's employment offer letters, and is a mandatory condition of employment at Constant Contact. Constant Contact clients' Personally Identifiable Information (PII) is labelled accordingly as Client Confidential Data, and these confidentiality obligations are explicitly set out in Constant Contact employee offer letters. These confidentiality obligations are a mandatory condition of employment and are also enforceable post-termination.
Procedures are in place to ensure the reliability of employed staff. The competence of Constant Contact employees is a key element of the controlled environment. Constant Contact is committed to the continual training and development of its employees. This commitment to competence is expressed in Constant Contact's personnel policies and related human resource programs. Specific indicators of the commitment to employee development include recruiting and hiring policies, investment in training and development, and performance monitoring.
Constant Contact's commitment to competence begins with recruiting, which is the joint responsibility of the Human Resources Department and the business unit or department managers. Hiring decisions are based on various factors: educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior. As with all Constant Contact policies, a breach of data protection is a disciplinary offense that can result in termination. Constant Contact employees are kept up to date on security issues in the industry, as well as on specific threats to the company.
Constant Contact's information technology (IT) team manages and tracks all company-issued devices and equipment. Upon employment, workstations are issued. Constant Contact has a documented asset management policy, which is strictly followed.
Information Security Management System
Constant Contact conducts risk assessments with regards to confidentiality, integrity, and availability. As part of the Constant Contact Security Framework, the impact resulting from loss of confidentiality, integrity, and availability of assets is assessed as part of the organization’s Risk Management procedures.
Constant Contact considers the availability of the customer solution from the perspective of network and hardware uptime and the availability of services to be of the highest importance. Constant Contact's hosting providers—Google Cloud Platform (GCP) and Amazon Web Services (AWS)—each provide particularly strong controls, processes, and configurations aimed to ensure maximum possible uptime.
Constant Contact's Information Security Management System (ISMS) uses a risk-based approach to implementing and monitoring security controls where requirements are deemed necessary. The framework is continually extended and improved upon via policies, controls, and user education. It follows the repeated cycle of PLAN, DO, CHECK, ACT.
Constant Contact is not certified under the ISO 27001 framework and thus cannot provide proof of certification. That said, Constant Contact places the utmost importance on ensuring the security of its own data and extending the same protection as a service to customers. Every aspect of Constant Contact's web application architecture, product design, security mechanisms, and internal processes has been established in accordance with ISO/IEC 27001 specifications.
Lead Gen & CRM is hosted almost entirely within the Google Cloud Platform and utilizes their Virtual Private Cloud network. The only interfacing networks are Constant Contact offices over a secure virtual private network (VPN), which is strictly controlled. Constant Contact hosts the entirety of its server architecture within Google Cloud Platform data centers and utilizes additional services with Amazon Web Services:
- Google has earned ISO 27001 certifications for the systems, applications, people, technology, processes, and data centers serving Google Cloud Platform.
- Amazon Web Services' ISO 27001 certification increases the total number of in-scope services to 33.
Lead Gen & CRM Information Security Policy
Constant Contact has a documented Security Policy, and related policies, to keep its infrastructure secure. These policies typically are not available to customers, since the documents are classified as proprietary according to the Constant Contact Information Classification Policy. The Constant Contact Information Security Policy is reviewed at least annually (or sooner, when significant changes occur) to ensure its continuing accuracy, adequacy, and effectiveness. To ensure that customer data remains secure, Constant Contact addresses the following critical security areas: physical security, network infrastructure, and security operations.
Constant Contact prohibits sharing of policies and procedural documentation with current or potential customers. All Constant Contact policies are considered to be proprietary information according to Constant Contact's Information Classification Policy. As such, information contained in these documents is considered proprietary. Sharing them could jeopardize the security of customers and infrastructure.
Security for network infrastructure is ensured through proper implementation of industry security standards (authentication, authorization, high-grade encryption, multiple security controls, firewalls, packet filters, intrusion detection/prevention systems, continuous monitoring and auditing). Constant Contact's operational security consists of business processes and policies which follow security best practices in order to limit access to confidential information and maintain strong security over time.
Constant Contact's site reliability engineering (SRE) and system security teams actively support information security within Constant Contact through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of their own, and everyone else's, information security responsibilities.
Constant Contact has assigned responsibility for information security to the Information Security Team. The Information Security Team has collectively reviewed and approved the ISMS, which demonstrates the commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. The Information Security Team coordinates with Constant Contact's Legal Team to ensure compliance with all local, state, and federal laws and regulations that affect Constant Contact. The Security and Legal teams regularly meet to discuss new regulations that could impact information security either on a customer or an enterprise-wide level. Additionally, Constant Contact performs regular internal audits upon operations and security controls, processes, and policies. The results of these audits are not available to external parties.
With regard to independent review, Constant Contact's approach to managing information security and its implementation (such as control objectives, controls, policies, rules, processes, and procedures for information security) is independently reviewed at planned intervals and whenever significant changes to the security implementation occur. The Constant Contact ISMS is audited internally every year, and a dedicated team is responsible for risk assessments pertaining to information security.
Constant Contact performs risk assessments on its suppliers and third parties. Third-party suppliers who are identified as having an impact on the security of Constant Contact's service delivery are assessed. Those vendors or suppliers that are deemed to have a sufficiently high level of risk have formal risk assessments performed on an annual basis to help lower the risk level of the vendor. These assessments are considered as confidential according to the Information Classification Policy and cannot be shared with customers.
New hire security processes—such as background screening, user account creation, and initial security awareness training—are controlled by formal processes established by the Constant Contact ISMS. In the same fashion, formal off-boarding processes are documented and followed. Termination activities, including exit interviews, revocation of system privileges, disabling of accounts, and recovery of corporate-owned assets are controlled by formal processes established by the ISMS. Access lists for internal critical systems are reviewed periodically.
Constant Contact has implemented security awareness processes and procedures, which include at least a biannual security awareness bulletin and mandatory security awareness training. Constant Contact understands how a single employee can be targeted in an attack, and that message resonates across the company.
Changes and updates to security policy are communicated to all employees through company-wide emails, intranet bulletins, and through biannual security training. New employees are briefed on the Constant Contact Security Policy during employee orientation, and each employee signs a security acknowledgement form. Each employee is also bound by strict confidentiality obligations, which are embodied within a confidentiality agreement.
Constant Contact information technology (IT) technicians are available on a 24/7 basis to handle any critical system failures that may arise within its IT infrastructure. In order to meet its business needs and ensure the continuity of services, Constant Contact IT technicians are certified in various areas of expertise.
Physical and Environmental Security
Physical security measures are in place at Constant Contact data centers and offices. The physical security of Constant Contact's architecture is ensured via its ISO 27001-compliant hosting providers, Google and Amazon. As Constant Contact is hosted entirely within Google, Constant Contact does not deal with external storage. Constant Contact does follow best practices for data integrity and safety, including a robust backup schedule, tested restores, and off-site backups to an entirely different platform. The off-site backups are encrypted and stored within.
Constant Contact does not use a mainframe. Constant Contact uses several distributions of Linux within the application infrastructure. Constant Contact uses several types of datastores, depending on purpose. These include a mix of MariaDB, MySQL, MongoDB, Redis, and some one-off datastores for internal projects, the majority being dedicated instances of each. Constant Contact does not host its own nameservers. Constant Contact's domain name system (DNS) is hosted by the Google Cloud Platform. For internal DNS, Constant Contact does have some BIND servers used by non-production traffic. Most email is sent via various third-party services.
Data Backup and Monitoring
The backup policy at Constant Contact requires full backups of customer data daily, with incremental backups performed each hour. Constant Contact's data retention period for backups of customer data is seven days. Constant Contact replicates these backups to an off-site location in compliance with its own disaster recovery policy. Constant Contact cares about its customers' data and has put high availability (HA) mechanisms in place to reduce the need for recovery. Constant Contact makes a best-effort attempt to retain customer data. However, Constant Contact does not provide any direct guarantee against loss of customer data.
Constant Contact's backup procedures follow the basic rules of the CIA triad: confidentiality, integrity, and availability. Backups are verified for integrity, encrypted, securely transferred, and stored at both on-site and off-site locations. These backups are then verified through restore testing.
Constant Contact utilizes open source technologies, such as Zabbix and OpenVAS, to monitor the availability of its services, obtain web application performance metrics, and perform regular vulnerability scans against its critical infrastructure. Constant Contact also reinforces these processes by regularly performing penetration tests against its own architecture. Constant Contact's monitoring and associated alerting processes are regularly tested to ensure that Constant Contact Network Operations Center (NOC) staff is notified immediately upon the occurrence of any operations anomaly or service interruption.
Constant Contact maintains an internal access control policy. The access control policy defines procedures for the creation of new Lead Gen & CRM user accounts and addition of initial privileges and rights, as well as the change and removal of Lead Gen & CRM user privileges and termination of Lead Gen & CRM user accounts. Constant Contact access control policies are based on the principles of least privilege and the segregation of duties. Segregation is enforced through role-based access control policies and technical controls. Virtual local area networks (VLANs) are also used to provide logical segregation of servers, laptops, and departments.
In addition, Constant Contact has clearly defined information security responsibilities, which are documented in the Constant Contact Information Security Policy. These responsibilities for specific information security procedures are clearly defined and documented in the ISMS.
As to remote access, Constant Contact permits employees to work remotely in order to facilitate the work-life balance of its employees. Constant Contact allows remote employee access through virtual private network (VPN) authentication, which is secured via Internet Protocol Security (IPSec). A policy is in place to maintain security throughout the remote access provisioning process and to manage security concerns while interfacing with the Constant Contact demilitarized network (DMZ).
Systems Development and Maintenance
Constant Contact infrastructure and development deployments, including source code changes, are peer-reviewed, tested by the Quality Assurance (QA) team, and audited before every testing and production release. This is done for consistency and, using a series of automated and manual tests, to check for known vulnerabilities and threats and to ensure product stability.
Constant Contact thoroughly tests the content it releases. Using behavior and test-driven development, Constant Contact's dedicated QA team runs simulations on isolated instances of the application to ensure no customer data is accidentally corrupted or contaminated. Once testing has been completed and passed, the QA Manager allows the deployment to be merged into the master build, which gets released as the current live instance which clients will see.
Business Continuity and Disaster Recovery
Constant Contact's business continuity management process for recovery in case of incidents or system failures involves ensuring that supporting network infrastructure and customer services quickly resume normal operations after any service interruption event. Constant Contact's business continuity efforts are consistent and reflect industry best practices.
Additionally, a documented disaster recovery policy is in place for all facets of the business. These policies and plans will be incorporated into the employee security and training programs for 2018.
Elements of the Constant Contact Business Continuity and Disaster Recovery Plan are tested in a staggered fashion in order to minimize the potential of impact on customer service delivery. Testing is performed according to a formal schedule.
Vulnerability Assessment and Management
Constant Contact's Vulnerability Assessment team performs internal audits using a combination of open source and proprietary industry-standard tools, such as OpenVAS and Nessus, to assess the Constant Contact platform's external network footprint. Constant Contact prohibits unauthorized vulnerability assessments or penetration tests against Constant Contact services, whether performed internally or externally.