Enterprise grade security

Security Overview

SOC2 Compliance - Type I & Type II

Service Organization Control 2 (SOC 2) is a component of the Service Organization Control reporting platform of the American Institute of CPAs (AICPA). SOC 2 is a technical auditing process and certification that measures security and availability. It serves as an assurance to customers that their data is being managed in a controlled and audited environment.

When a business is SOC 2 compliant, it signifies the implementation of proper security systems to ensure security, availability, processing integrity, confidentiality, and privacy of customer data.

SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.

There are two types of SOC 2 audits:

Type I: The report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.

Type II: The report details the operational effectiveness of a vendor’s systems, and includes a historical element that shows how controls were managed by a business over a minimum of six months.

Instapage became SOC 2 Type I compliant in November 2019, and as of May 2020 we are now Type II compliant as well.
Risk Management

Instapage has a documented Information Security Risk Management Policy ensuring a systematic approach for measuring, managing, and reporting information security related risks within our environment. Any identified risks to our environment will be inventoried, managed in a central location, and remediated appropriately based on severity level. Additionally, Instapage has implemented a process to perform third-party risk assessments on our vendors who store and/or transport our data.
Privacy

Instapage takes the privacy of our clients and clients’ visitors seriously to build and maintain trust with all our customers. Instapage participates in the EU-U.S. Data Privacy Framework program to comply with EU data protection requirements for personal data transferred from the EU to the US.

Instapage follows the ISO 27001 and NIST 800-53 best practices and is SOC 2 Type II certified. We are CCPA and GDPR compliant and are committed to following best data privacy practices according to these regulations' principles. In doing so, we have implemented an Information Security Program to ensure the confidentiality, integrity, and availability of data, all to ensure we increase our efforts to continually affirm our compliance with both the GDPR and CCPA laws.

Moreover, Instapage has a Data Privacy and Protection Program as well as a formal Data Handling Training guide. Our employees and contractors undergo training during employee onboarding. The awareness training is performed annually.
Information Security Program

Instapage has implemented a formal Information Security Program which includes Architecture, Charter, Policies, and Processes. Our Information Security Policy and Processes are aligned to ISO 27001/2 and NIST 800-53 frameworks and are reviewed and updated annually – or in the instance of a major business change. The policies include the following: Information Security Program Governance Policy; Security Architecture Policy; Security Operations Policy; People Security; Third Parties Policy; Physical Security Policy; Business Continuity Policy; and Compliance Security. Processes are performed within our environment to support the policies listed above.
Asset & Information Management

Our Compliance Security Policies identify several levels of data sensitivity and classification that are safeguarded by our best-in-industry infrastructure and security controls. Amazon Web Services (AWS) and Google Cloud Platform (GCP) are certified with the most critical and relevant industry, compliance and regulatory certifications, which are integrated across our cloud-hosted infrastructure. Instapage has implemented an asset inventory process that is managed within each location/office using a formal documented management process. Each asset has an assigned owner who is responsible for that asset, and the asset is maintained in accordance with the classification restriction. Additionally, all assets are returned to Instapage once the assigned owner leaves the company or no longer has a use for the asset.

Security Operations

Human Resources Security

Personal data is systematically destroyed, erased and/or anonymized at the end of the contract where personal data is no longer needed or upon client request. Instapage performs onboarding and offboarding processes for employees and contractors. The offboarding of employees and contractors is structured to mitigate the risk of privileged and sensitive information being disclosed.
People Security

Employees receive information security training and awareness during onboarding as well as annually. This training maps to our functional human resources and information security policies and is incorporated into our employees’ work habits and routines. Two-factor authentication is required for employees where applicable. Employees and contractors are bound to maintain the confidentiality of all data pursuant to non-disclosure agreements (NDA) as well as our corporate Code of Conduct.
Physical & Environmental Security

Employees are issued electronic key cards or access codes for entry into our facilities. Additionally, our facilities include a security guard as well as CCTV monitoring. A process has been established for logging visitors who enter and exit our facility. Additionally, visitors are escorted by Instapage personnel. Our cloud-hosted facilities have perimeter fencing, vehicle access barriers, and security alarms, which act as preventative and detective security measures.
Access Control

Instapage has a documented Identity Management Policy and Processes to identify, authenticate, and authorize identities to Instapage’s systems and applications. Access is provided on a need-to-know basis and conforms to the concept of least privilege. Access logs are reviewed quarterly, and individuals are properly removed if needed. VPN is required for all remote employees.

Security Architecture

Application Security

We currently use configuration change management of Operating System (OS) patching and updating with end-point antivirus protection. We are currently working to enhance, improve and scale out our application security across all endpoints to prevent, deter and mitigate any application layer threats. Our current SDLC uses a framework that is based on Agile methodologies. The framework is comprised of a set of well-known mature processes, tools, and technologies. This allows us to create high-quality and secure code by following a consistent, repeatable, and automated process. Our SDLC is currently undergoing a thorough review as part of an ongoing effort to continuously improve the quality and security of our software.
Incident Event & Communication Management

Instapage has a documented Information Security Incident Management Program that identifies, manages, responds to, and resolves incidents in a timely manner. The Information Security Incident Management Program includes identified roles and responsibilities, and proactive capabilities within its processes, which have been integrated into our Vulnerability Management Program to identify potential incidents caused by vulnerabilities.
Business Resiliency

Instapage has a management-approved Business Continuity Policy and Processes to ensure the availability of business services and processes at Instapage. A formal Business Continuity and Disaster Recovery Program has been developed.
End User Device Security

Instapage has a formal device management program which implements formal and secure processes to manage the operational activities associated with devices within the environment. This is done by ensuring that only approved and authorized devices are allowed to connect to Instapage’s network and that all access to devices will conform to the Identity Management Program. Additionally, our Mobile Device Management Policy will implement formal and secure processes to manage the operational activities associated with mobile devices within the environment. Identity and access management is enforced with password complexity, encrypted session management, and two-factor authentication where applicable.
Network Security

Instapage has a Security Architecture Management Policy which ensures appropriate preventative and detective network safeguards are in place. This includes, but is not limited to the following: encryption in transit as well as at rest, network intrusion detection and prevention, browser session encryption and validation, host-based anti-virus with real-time signature updates, and full disk encryption. We also perform quarterly vulnerability assessments and annual penetration tests. Identified vulnerabilities are appropriately remediated based on their criticality (i.e., critical, high, medium, or low).
Threat Management

Instapage has implemented a Vulnerability Management Program to identify, prioritize, manage, and report on the threats and vulnerabilities of Instapage using a risk-based approach. All employees and contractors are responsible for reporting all discovered security vulnerabilities, which are appropriately remediated based on their criticality.
