Security measures

Measures taken by Proxyclick to ensure security of our clients’ data

1. Data center and network security

Physical security

Facilities

Proxyclick servers are hosted at SOC 2 Type II- and ISO 27001-compliant facilities. In addition, the data center facilities are powered by redundant power—each with UPS and backup generators. Application, database, and services are deployed on dedicated bare-metal servers. Proxyclick has, therefore, exclusive use of its servers which allows for enhanced performance and security. Furthermore, hosting providers have no access to customer data.

On-site security

Our data center facilities are secured with a perimeter of multi-level security zones, 24/7 manned security, and CCTV video surveillance. In addition, they're secured via multifactor identification with biometric access control, physical locks, and security breach alarms.

Monitoring

An automatic monitoring system is in place to continuously check the state of the services, sending alerts to the appropriate personnel at Proxyclick when necessary. Physical security, power, and internet connectivity are monitored by the facilities providers.

Network security

Protection

Our network is protected by redundant firewalls, secure HTTPS transport over public networks, regular audits, and Intrusion Detection Systems (IDS) which monitor and/or block malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones that are not accessible from the internet. Data transferred between Proxyclick servers use a private network.

Network vulnerability scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-party penetration tests

In addition to our extensive internal scanning and testing program, penetration tests are performed by selected clients on an ad hoc basis. Proxyclick also employs third-party security experts to perform a broad penetration test across the Proxyclick service offering, annually.

Logical access

Access to the Proxyclick production network is restricted by an explicit need-to-know basis, utilizing least privilege. It is audited and monitored frequently, and controlled by our Management Team. Employees accessing the Proxyclick production servers are required to use multiple factors of authentication.

Security incident response

In case of a system alert, events are escalated to our 24/7 teams. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in transit

Communications between you and Proxyclick servers are encrypted via industry best practices: HTTPS and Transport Layer Security (TLS) over public networks. Qualys SSL labs have given our servers an A rating.

Encryption at rest

The hard disks of all servers are encrypted. Databases on the client iPads are also encrypted.

Availability & continuity

Uptime

Proxyclick maintains a publicly available system status webpage which includes real-time information on system performance, scheduled maintenance, service incidents history, and relevant security events.

Redundancy

Proxyclick employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime ensures customer data is actively replicated across geographically distinct data centers.

Disaster recovery

Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment and creating disaster recovery plans that are continuously updated and tested.

2. Application security

Secure development (SDLC)

Security training

Engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Proxyclick security controls.

QA

Our dedicated QA engineers test all software developments using automated and manual tests before roll-out to production.

Separate environments

Testing and staging environments are separated both physically and logically from the production environment.

Patches

Systems are updated and patched on every release. Releases are pushed every 4 weeks at Proxyclick.

Application vulnerabilities

Static code analysis

The source code repositories are continuously scanned for security issues via our integrated static analysis tool.

Security penetration testing

Application security is also part of the annual penetration tests conducted by third-party experts.

Bug bounty program

Proxyclick receives year-round, continuous penetration testing & vulnerability management through a managed private bug bounty program with Intigriti.

Responsible disclosure 

Proxyclick invites security researchers and ethical hackers to test our applications in line with our vulnerability disclosure policy. We will credit contributors in our Hall of Fame! 

3. Product security features

Authentication security

Authentication options

Proxyclick offers two authentication options: username-password or SSO via SAML. Proxyclick is compatible with most SSO portals.

Secure credential storage

When it comes to secure credential storage, Proxyclick follows best practices: Never storing passwords in a human-readable format, and only after a secure, salted, one-way hash.

API security & authentication

The Proxyclick API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using OAuth authentication.

Additional product security features

Access rights & roles

Access to data within Proxyclick is governed by access rights and can be configured to define granular access privileges. Proxyclick has various permission levels for users (e.g. Admin, Reception, Security, Assistants, etc.). Learn more about access rights

Transmission security

All communications with Proxyclick servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and Proxyclick remains secure during transit.

Email signing (DKIM)

Proxyclick offers Domain Keys Identified Email (DKIM) for signing outbound emails.

File scanning

Files uploaded in Proxyclick (e.g. attachment to an invitation email) are automatically scanned for malicious content. The underlying scanning application is updated multiples times, daily, for the latest virus database updates.

Data segregation

Logical segmentation of customer data is enforced at code level.

Data retention

You can automatically delete visits after a given retention period, which allows you to comply more easily with privacy regulations such as the GDPR.

Audit trail

Audit trails include the time of change made to a visit, the user that performed the change, and the content of the change. 

Subprocessors

Proxyclick carefully selects its third-party data subprocessors and reviews them regularly. All such processors are contractually bound by Proxyclick to keep customer data confidential.

4. Compliance certifications, memberships, and external assessments

SOC 2 Type II

Proxyclick is SOC2 Type II Privacy and Security Certified. This certification confirms and showcases the effectiveness of our privacy-related designs and controls. The industry-leading control criteria are based on the AICPA's ISAE 3000 standard and its effectiveness is measured through the NOREA Privacy Control Framework. The full report is available upon request, under NDA. For more information contact support@proxyclick.com.

ISAE 3000 Type I 

Proxyclick is the first visitor management system to receive the ISAE 3000 Type I data privacy certification, which confirms complete documentation of our internal processes and 100+ privacy controls based on an international privacy framework. For more information, contact support@proxyclick.com.

Cloud Security Alliance

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CSA launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Proxyclick has completed a Consensus Assessment Initiative (CAI) Questionnaire, based on the results of our due diligence self-assessment. The completed questionnaire is available upon request and under NDA. For more information contact support@proxyclick.com.

GDPR

Proxyclick is in full GDPR compliance. Learn more about Proxyclick's commitment to GDPR.

SecurityScorecard

SecurityScorecard is an information security company that collects, attributes, and scores the overall health of enterprise cybersecurity through the identification of exposed vulnerabilities on corporate digital assets discovered on the public internet. Proxyclick's score is 97/100.

Level A

Our API and application endpoints are TLS/SSL-only and score an A rating in Qualys SSL Labs tests. This means communications between you and Proxyclick servers are encrypted via industry best practices: HTTPS and Transport Layer Security (TLS) over public networks.

5. Additional security methodologies

Policies

Proxyclick has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to Proxyclick information assets. Furthermore, such policies are audited as part of the SOC 2 certification process.

Background checks

Proxyclick performs background checks on all new employees in accordance with local laws.

Confidentiality Agreements

All newly-hired employees are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements.