Information security policy

ContentStudio implements comprehensive organizational and technical measures, referred to as "Security Practices," to safeguard the information that you provide, known as "Customer Information." These measures are designed to prevent loss, misuse, unauthorized access, or disclosure of your data. The effectiveness of these security measures is continually assessed, taking into consideration the sensitivity of the data we collect, process, and store, the evolving state of technology, the costs involved in implementation, and the nature, scope, context, and specific purposes of the data processing activities undertaken by ContentStudio.

In this context, "ContentStudio Services" encompasses both Self-Serve Services and Enterprise Services, as detailed in the terms of the agreement that governs your use of ContentStudio Services. Any capitalized terms not defined in this Security Practices document are as defined in the agreement.

Our security policy and practices include:

1. Assigned Security Responsibility:

ContentStudio has appointed a designated security official and a dedicated security team. This team is tasked with the development, implementation, and ongoing maintenance of ContentStudio's Security Practices.

2. Personnel Practices:

  • All employees of ContentStudio are required to adhere strictly to internal policies concerning the confidential treatment of Customer Content.
  • They undergo security and privacy training as part of their initial onboarding process and continue to receive this training on an annual basis. This training is tailored to be relevant and substantial enough to match their specific roles within the company.
  • Additionally, all employees must read and sign off on information security policies that emphasize the confidentiality, integrity, availability, and resilience of the systems and services utilized in delivering ContentStudio Services.
  • ContentStudio enforces strict controls to limit employee access to Customer Content, ensuring such access is granted only to authorized users, thereby preventing any unauthorized access to sensitive information.
  • The company also performs appropriate pre-employment screenings that align with the sensitivity of the roles, which may include criminal background checks for particularly sensitive positions, where permitted by law.

3. Compliance and Testing:

  • ContentStudio is committed to undergoing annual Service Organization Control (SOC) 2 Type II and Type III audits, which are conducted by an independent third-party auditor. The latest audit report is available upon request to existing Enterprise customers or prospective Enterprise customers under a confidentiality agreement specific to ContentStudio.
  • In terms of payment processing, ContentStudio utilizes third-party vendors that comply with the Payment Card Industry Data Security Standard (PCI DSS). Importantly, ContentStudio does not store, transmit, or directly process your credit card information; instead, it maintains anonymous tokens that represent the processed transactions.
  • The company also secures a Cloud App Security Assessment (CASA) from Google annually to ensure the application manages data securely and can adequately delete user data upon request.
  • Moreover, both the web and mobile platforms of ContentStudio undergo rigorous annual penetration testing conducted by independent third parties to identify and rectify potential vulnerabilities.

4. Access Controls:

  • ContentStudio maintains robust access control policies that encompass procedures for onboarding, offboarding, and transitions between different roles within the company.
  • These policies include regular access reviews, the limitation and control of administrator privileges, and mechanisms to prevent inactive sessions from posing a security risk.
  • The organization also practices segregation of duties to minimize conflicts of interest and potential security risks.
  • An accurate and current inventory of all computer and user accounts is maintained to support effective access management.
  • The principle of "least privilege" and the "need to know" basis are enforced to minimize the risk of data exposure.
  • ContentStudio also implements controls to restrict the number of concurrent login sessions and login attempts to mitigate the risk of unauthorized access.
  • Comprehensive password policies are in place, requiring a defined minimum complexity for passwords, mandatory password changes following the initial login, and routine changes at predetermined intervals with limitations on password reuse.

5. Multi-Factor Authentication (MFA):

  • Access to systems used by ContentStudio employees and contract personnel is secured through multi-factor authentication, requiring not just a password but also a second form of verification to confirm their identity.
  • This heightened security measure is also made available to ContentStudio's customers and their authorized users to enhance the security of their accounts.

6. Single Sign-On (SSO):

  • To streamline and secure access to its systems, ContentStudio has implemented single sign-on technology across the company.
  • This capability is also extended to Enterprise customers, enabling them to benefit from enhanced and centralized access control for their accounts.

7. Data Encryption:

  • ContentStudio supports the latest secure cipher suites and protocols to encrypt all data in transit. Currently, ContentStudio supports TLS 1.2 and TLS 1.3 for its main website and all pages that handle credit card information.
  • Data encryption at rest is applied where appropriate, taking into account the nature of the content and the associated risks. While much of the information processed by ContentStudio is accessible from social networks or other sources, certain data, such as scheduled and approval-pending messages, is encrypted for additional protection.
  • The organization closely monitors the evolving cryptographic landscape to ensure that ContentStudio Services adapt to new cryptographic weaknesses as they are identified, while maintaining compatibility with older client systems.

8. Logging and Intrusion Detection:

  • ContentStudio's systems, including firewalls, routers, network switches, and operating systems, are configured to log information to secure servers that facilitate security reviews and analyses.
  • The company maintains a centralized logging environment within its production facilities, which gathers data related to security, monitoring, availability, and access, along with other metrics pertinent to the ContentStudio Services. These logs are scrutinized for security-related events using automated monitoring software, overseen by the security team.
  • Proactive monitoring for unauthorized intrusions is performed using both network-based and host-based intrusion detection systems, supplemented by Web Application Firewalls.

9. Network Protection:

  • As part of its network security measures, ContentStudio has deployed firewalls and has configured its data center provider to block ports that are not required for the delivery of the ContentStudio Services.

10. Host Management:

  • ContentStudio conducts automated vulnerability scans on its production hosts and applies commercially reasonable efforts to remediate any identified risks that pose a material threat to its operating environment.
  • Additionally, the organization enforces screen lockouts and utilizes full disk encryption on company laptops to safeguard against unauthorized access.

11. Availability:

  • The infrastructure of ContentStudio is designed to be fault-tolerant, ensuring high availability and reliability in line with the Service Level Agreement (SLA) commitments.

12. Disaster Recovery:

  • To guarantee the availability of Customer Content, it is redundantly stored across multiple locations within ContentStudio’s hosting provider's data centers.
  • ContentStudio implements robust backup and restoration procedures that are capable of facilitating recovery from significant disasters.
  • The operations team is promptly alerted to any system failures; backups are conducted regularly and tested every 90 days to confirm their effectiveness.

13. Physical Security:

  • ContentStudio utilizes Google Cloud and Hetzner as its primary data centers to host the ContentStudio Services, selected for their robust physical and technological security measures.
  • These facilities comply with international standards such as ISO 27017 for cloud security and ISO 27018 for cloud privacy, and hold SOC 1, SOC 2, SOC 3 and PCI DSS Level 1 certifications, among others.

14. Security Policies and Procedures:

  • ContentStudio's security policies and procedures are crafted in alignment with the National Institute of Standards and Technology (NIST) cybersecurity framework.
  • These policies govern the operation of the ContentStudio Services, ensuring that customer passwords are securely managed through one-way salted hashing, access logs are meticulously maintained, and that no customer passwords are logged.

15. Product Design Security Practices:

  • All new features, functionalities, and design changes undergo a thorough security review process facilitated by the ContentStudio security team.
  • The software code is rigorously tested and manually peer-reviewed before deployment to production environments.
  • The security team collaborates closely with product and engineering teams to address any security or privacy concerns that might arise during the development phase.

16. Incident Management & Response:

  • ContentStudio maintains comprehensive policies and procedures for managing security incidents.
  • The company commits to notifying affected customers promptly and without undue delay about any unauthorized disclosure of their Customer Content by ContentStudio or its agents, in compliance with legal requirements.

By implementing these robust security measures, ContentStudio ensures that your data is protected against unauthorized access, loss, or disclosure, maintaining a high standard of data security and compliance with regulatory requirements.

© 2024 ContentStudio. All rights reserved.
