Measures taken by Proxyclick to ensure security of our clients’ data
Facilities
Proxyclick servers are hosted in facilities that comply with the ISO 27001 standard. The data center facilities are powered by redundant power feeds, each with UPS and backup generators. The application, database, and supporting services are deployed on dedicated bare-metal servers, so Proxyclick has exclusive use of its hardware, which allows for enhanced performance and security. Hosting providers have no access to customer data.
On-site security
Our data center facilities are secured with a perimeter of multi-level security zones, 24/7 manned security, and CCTV video surveillance. Entry is controlled by multi-factor identification, including biometric access control, physical locks, and security breach alarms.
Monitoring
An automatic monitoring system is in place to continuously check the state of the services, sending alerts to the appropriate personnel at Proxyclick when necessary. Physical security, power, and internet connectivity are monitored by the facilities providers.
Protection
Our network is protected by redundant firewalls, secure HTTPS transport over public networks, regular audits, and Intrusion Detection Systems (IDS) which monitor and/or block malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, such as database servers, are placed in our most trusted zones, which are not reachable from the internet. Data transferred between Proxyclick servers travels over a private network.
Network vulnerability scanning
Regular network security scanning gives us quick identification of out-of-compliance or potentially vulnerable systems so that they can be remediated.
Third-party penetration tests
In addition to our extensive internal scanning and testing program, penetration tests are performed by selected clients on an ad hoc basis. Proxyclick also employs third-party security experts to perform a broad penetration test across the Proxyclick service offering, annually.
Logical access
Access to the Proxyclick production network is restricted on an explicit need-to-know basis, following the principle of least privilege. Access is audited and monitored frequently and is controlled by our Management Team. Employees accessing Proxyclick production servers are required to use multi-factor authentication.
Security incident response
In case of a system alert, events are escalated to our 24/7 teams. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in transit
Communications between you and Proxyclick servers are encrypted following industry best practices: HTTPS with Transport Layer Security (TLS) over public networks. Qualys SSL Labs has given our servers an A rating.
Encryption at rest
The hard disks of all servers are encrypted. Databases on the client iPads are also encrypted.
Uptime
Proxyclick maintains a publicly available system status webpage which includes real-time information on system performance, scheduled maintenance, service incidents history, and relevant security events.
Redundancy
Proxyclick employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime ensures customer data is actively replicated across geographically distinct data centers.
Disaster recovery
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment and creating disaster recovery plans that are continuously updated and tested.
Security training
Engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Proxyclick security controls.
QA
Our dedicated QA engineers test all software developments using automated and manual tests before roll-out to production.
Separate environments
Testing and staging environments are separated both physically and logically from the production environment.
Patches
Systems are updated and patched with every release, and releases are pushed every 4 weeks at Proxyclick.
Security penetration testing
Application security is also part of the annual penetration tests conducted by third-party experts.
Bug bounty program
Proxyclick receives year-round, continuous penetration testing & vulnerability management through a managed private bug bounty program with Intigriti.
Responsible disclosure
Proxyclick invites security researchers and ethical hackers to test our applications in line with our vulnerability disclosure policy. We will credit contributors in our Hall of Fame!
Authentication options
Proxyclick offers two authentication options: username and password, or single sign-on (SSO) via SAML. Proxyclick is compatible with most SSO portals.
Secure credential storage
Proxyclick follows best practices for credential storage: passwords are never stored in a human-readable format; only a secure, salted, one-way hash of each password is stored.
API security & authentication
The Proxyclick API is TLS-only (HTTPS), and you must be a verified user to make API requests. Clients authenticate to the API using OAuth.
Access rights & roles
Access to data within Proxyclick is governed by access rights and can be configured to define granular access privileges. Proxyclick has various permission levels for users (e.g. Admin, Reception, Security, Assistants, etc.).
Transmission security
All communications with Proxyclick servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and Proxyclick remains secure during transit.
Email signing (DKIM)
Proxyclick offers DomainKeys Identified Mail (DKIM) signing of outbound emails, so receiving mail servers can verify that a message was sent on behalf of your domain and was not altered in transit.
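To make concrete what a receiving server checks, here is an added Python example (not Proxyclick's code; the sample message body and the DKIM-Signature tags are constructed for the illustration) of the body-hash step of DKIM verification from RFC 6376: canonicalise the body with the method named in the c= tag, hash it with the algorithm from the a= tag, and compare the result with the bh= tag. The remaining step, verifying the b= signature over the selected headers with the public key published in DNS at selector._domainkey.domain, needs that key and is not shown.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Canonicalise a message body per RFC 6376 section 3.4.3 (simple) or 3.4.4 (relaxed)."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unsupported body canonicalization: " + method)
    # Normalise bare LF to CRLF; a real MTA hands us CRLF-terminated lines already.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of SP/TAB to one SP and drop whitespace before the line end.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(dkim_signature: str) -> dict:
    """Split a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict; folding whitespace is dropped."""
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Verifier step 6.1.3: recompute the body hash and compare with bh=. False means PERMFAIL."""
    tags = parse_tags(dkim_signature)
    expected = tags.get("bh")
    algo_parts = tags.get("a", "rsa-sha256").split("-", 1)   # e.g. rsa-sha256 -> sha256
    if expected is None or len(algo_parts) != 2:
        return False
    canon = tags.get("c", "simple/simple").split("/")         # header/body; body defaults to simple
    body_method = canon[1] if len(canon) > 1 else "simple"
    try:
        actual = body_hash(body, body_method, algo_parts[1])
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def build_signature_header(body: bytes, domain: str = "example.com", selector: str = "mail") -> str:
    """The tags a signer emits before computing b=. b= is left empty here because
    producing it needs the domain's private key; only the body hash is exercised."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=" % (domain, selector, body_hash(body)))


# Constructed sample body (not a real Proxyclick email).
SAMPLE_BODY = b"Hello   Visitor,\r\nYour host is ready.  \r\n\r\n\r\n"

if __name__ == "__main__":
    sig = build_signature_header(SAMPLE_BODY)
    print(sig)
    print(body_hash_matches(sig, SAMPLE_BODY))                                   # True
    print(body_hash_matches(sig, b"Hello Visitor,\r\nYour host is ready.\r\n"))  # True (whitespace only)
    print(body_hash_matches(sig, SAMPLE_BODY.replace(b"ready", b"late")))       # False (content changed)
```

Relaxed canonicalisation is what lets a signature survive the whitespace rewriting that mailing lists and some gateways perform, while any change to the actual text still breaks the bh= comparison.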
File scanning
Files uploaded to Proxyclick (e.g. an attachment to an invitation email) are automatically scanned for malicious content. The underlying scanning application is updated multiple times daily with the latest virus database updates.
Data segregation
Logical segregation of customer data is enforced at the code level.
Data retention
Visits can be deleted automatically after a configurable retention period, which makes it easier to comply with privacy regulations such as the GDPR.
Audit trail
Audit trails record the time of each change made to a visit, the user who performed the change, and the content of the change.
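The three controls above (segregation enforced in code, retention-driven deletion, and an audit trail recording time, user and content of each change) all live in the data-access layer. The following added Python example, using an in-memory SQLite database, shows one way to implement them together; it is not Proxyclick's code, and the schema, the sample companies and visits, and the retention values are constructed for the illustration. Every read and write carries the caller's company id from the authenticated context rather than from the request, so a visit id belonging to another customer is simply not found; updates write an audit row; and a purge job applies each company's own retention period.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowlist of columns a user may change: column names never come from request input.
UPDATABLE_FIELDS = {"visitor_name", "host"}


@dataclass(frozen=True)
class Actor:
    """The authenticated caller. company_id comes from the session, never from the URL or body."""
    user: str
    company_id: int


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT, retention_days INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
                             visitor_name TEXT, host TEXT, arrived_at TEXT NOT NULL);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
                                visit_id INTEGER NOT NULL, changed_at TEXT NOT NULL,
                                changed_by TEXT NOT NULL, field TEXT NOT NULL,
                                old_value TEXT, new_value TEXT);
    """)
    return conn


def seed(conn: sqlite3.Connection, now: datetime) -> None:
    """Constructed sample data: two tenants with different retention periods."""
    conn.executemany("INSERT INTO companies VALUES (?, ?, ?)", [(1, "Acme", 30), (2, "Globex", 7)])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (100, 1, "Ada", "Bob", (now - timedelta(days=40)).isoformat()),
        (101, 1, "Grace", "Bob", (now - timedelta(days=1)).isoformat()),
        (200, 2, "Linus", "Eve", (now - timedelta(days=10)).isoformat()),
    ])
    conn.commit()


def get_visit(conn, actor: Actor, visit_id: int):
    """Tenant-scoped read: the company filter is part of every query, not an afterthought."""
    row = conn.execute("SELECT id, company_id, visitor_name, host, arrived_at FROM visits "
                       "WHERE id = ? AND company_id = ?", (visit_id, actor.company_id)).fetchone()
    return dict(row) if row else None


def update_visit(conn, actor: Actor, visit_id: int, field: str, new_value: str, now: datetime) -> bool:
    """Scoped update that records who changed what, and when, in the audit trail."""
    if field not in UPDATABLE_FIELDS:
        raise ValueError("field not updatable: " + field)
    current = get_visit(conn, actor, visit_id)
    if current is None:
        return False   # "not found" and "not yours" look identical: no cross-tenant oracle
    conn.execute("UPDATE visits SET %s = ? WHERE id = ? AND company_id = ?" % field,
                 (new_value, visit_id, actor.company_id))
    conn.execute("INSERT INTO audit_log (company_id, visit_id, changed_at, changed_by, field, "
                 "old_value, new_value) VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (actor.company_id, visit_id, now.isoformat(), actor.user, field,
                  current[field], new_value))
    conn.commit()
    return True


def audit_trail(conn, actor: Actor, visit_id: int) -> list:
    rows = conn.execute("SELECT changed_at, changed_by, field, old_value, new_value FROM audit_log "
                        "WHERE visit_id = ? AND company_id = ? ORDER BY id",
                        (visit_id, actor.company_id)).fetchall()
    return [dict(r) for r in rows]


def purge_expired_visits(conn, now: datetime) -> dict:
    """Retention job: delete visits older than each company's own retention period.
    Returns {company_id: rows deleted}. ISO-8601 timestamps compare correctly as text."""
    deleted = {}
    policies = conn.execute("SELECT id, retention_days FROM companies "
                            "WHERE retention_days IS NOT NULL").fetchall()
    for company_id, retention_days in policies:
        cutoff = (now - timedelta(days=retention_days)).isoformat()
        cur = conn.execute("DELETE FROM visits WHERE company_id = ? AND arrived_at < ?",
                           (company_id, cutoff))
        deleted[company_id] = cur.rowcount
    conn.commit()
    return deleted


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 9, 0, 0)
    db = open_db()
    seed(db, now)
    acme, globex = Actor("alice@acme.example", 1), Actor("gil@globex.example", 2)
    print(get_visit(db, globex, 100))                        # None: Acme's visit is invisible to Globex
    print(update_visit(db, acme, 101, "host", "Carol", now))  # True
    print(audit_trail(db, acme, 101))                        # one row: Bob -> Carol by alice@acme.example
    print(purge_expired_visits(db, now))                     # {1: 1, 2: 1}
```

Two details carry the security weight: the company filter is bound in every statement from the authenticated actor, so there is no code path that can be called without it, and a request for another tenant's record returns the same "not found" result as a nonexistent one, so the visit id space cannot be probed to learn which ids exist.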
ISAE 3000 Type I
Proxyclick is the first visitor management system to receive an ISAE 3000 Type I data privacy attestation (an independent assurance report), which confirms complete documentation of our internal processes and 100+ privacy controls based on an international privacy framework. For more information, contact support@proxyclick.com.
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. CSA launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Proxyclick has completed a Consensus Assessments Initiative Questionnaire (CAIQ), based on the results of our due diligence self-assessment. The completed questionnaire is available upon request and under NDA. For more information, contact support@proxyclick.com.
GDPR
Proxyclick is in full GDPR compliance.
SecurityScorecard
SecurityScorecard is an information security company that collects, attributes, and scores the overall health of enterprise cybersecurity through the identification of exposed vulnerabilities on corporate digital assets discovered on the public internet. Proxyclick's score is 97/100.
Level A
Our API and application endpoints are TLS-only and score an A rating in Qualys SSL Labs tests. This means communications between you and Proxyclick servers are encrypted following industry best practices: HTTPS with Transport Layer Security (TLS) over public networks.
Policies
Proxyclick has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to Proxyclick information assets. Furthermore, these policies are reviewed as part of our SOC 2 audit.
Background checks
Proxyclick performs background checks on all new employees in accordance with local laws.
Confidentiality Agreements
All newly hired employees are screened during the hiring process and are required to sign non-disclosure and confidentiality agreements.