Security
Introduction
Information security is of paramount importance to Inline Manual, and all of our staff. We respect the trust of our customers and trial users in sharing confidential information. We are constantly developing our security infrastructure and processes to ensure the safeguarding of our customers' sensitive data.
Purpose
Inline Manual processes personal data only for purposes that are objectively justified by Inline Manual’s services to its subscribing customers, or for those on a trial of Inline Manual’s services. All processing is performed in accordance with the privacy rights, expectations and in respect of customer and trialists’ human rights as aligned with the principles and intent of the EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Personal Data Directive). Inline Manual processes personal data both as a processor and as a controller, as defined in the Personal Data Directive.
Information Collection and Use
During a customer’s registration on Inline Manual’s sites, Inline Manual collects information such as company name, company, e-mail, location, telephone, IP address, browser and operating system version. This information is used to identify contact persons within the customer’s organisation in Inline Manual’s system, for billing and demonstration scheduling reasons and to be able to contact customers to provide necessary service and information. The information gathered will be used within the Inline Manual Group only.
Staff Practices
At Inline Manual, we treat matters concerning user data with the utmost importance.
Inline Manual implement ongoing, relevant and up-to-date security training with all of our employees. Access to all data is limited only to those necessary, as dictated by the principle of least privilege. We conduct background checks before employment, and all of our staff members are required to read and sign our security and confidentiality policy agreement.
All of our employees are restricted by mandatory company policy to maintain confidentiality concerning user data. Access to data is restricted, limiting availability to only those necessary. In order for staff to access data generated from the daily use of the service requisite employees will only do so after requesting permission from the customer.
Data Handling and Privacy
Inline Manual do not sell, share or otherwise willingly disseminate Personally Identifiable Information sent through People Tracking feature to any third parties. Information gathered in the EU/EEA area will not be transferred outside the EU/EEA area.
Inline Manual Analytics data stored (Note: this feature is optional)
- IP address
- Browser headers
- Timestamp
- URL location
Inline Manual related data
- Topic start/end
- Step shown
- Search keywords
- Events
Inline Manual Segmentation data stored (Note: this feature is optional)
- Uid - mandatory
- Username
- Name
- Roles
- Group
- Plan
- Created
- Updated
- Custom fields/data
It is entirely up to the customer to set the values of the segmentation fields. Customers with higher levels of sensitive user data who want to use segmentation can hash the values before sending them to Inline Manual portal.
User data will be permanently deleted upon request.
Data Encryption
Communications between our service, customers portals and Inline Manual products are all encrypted via SSL/TLS.
PCI Compliance
Inline Manual is fully PCI compliant. Inline Manual ensure the security of respective customer information by using a PCI compliant payment gateway (Stripe). No credit card information is stored on our servers. Read more about the Stripe payment gateway security services here.
Security Incident Management
Inline Manual is committed to informing all customers in the event of any security breach or unauthorized access to user data.
Service Levels (Uptime) and Monitoring
We have observed 99.99% uptime or higher across our services. You can check and subscribe to our stats and incident history from our pingdom page here.
Our in-house engineering team (based in Prague, Czech Republic) monitors and logs errors using world-class tools like Pingdom, NewRelic, Datadog, OpsGenie.
New Releases
Inline Manual employs a staged rollout deployment process when there is a new version of the Inline Manual player. This enables our customers are able to switch to the new release, test it and then deploy it to their users - you can read about it here.
Hosting Infrastructure
Inline Manual servers are hosted by Google Cloud Platform. The Inline Manual service hosting servers are physically located at St. Ghislain, Belgium and London, UK (London’s Cloud Region). Google Cloud Platform security can be found here.
ISO27001
Inline Manual is ISO 27001:2014 certified. The certificate is available for download upon request.
The ISO/IEC 27000 standards provide a series of frameworks to help organizations benchmark their treatment of data. The most common of these standards, “ISO/IEC 27001” provides requirements for an Information Security Management System (ISMS) and assurance that requirements are met for organizations that complete a successful audit.
In order to fulfil the stated policy, we are committed to continuously improve the efficiency of the information security management system.
To do this, we obtain the participation and efforts of all employees and vendors, we continually develop their skills and through our personal commitment and sustained activity we lead as an example.
We perceive the protection of our customers' information as well as our own information as a comprehensive and managed system of balanced measures designed to adequately protect all important assets. The protection of customers' personal and company data is our priority. The key task is to ensure data availability, integrity and confidentiality.
We are committed to compliance with laws, regulatory requirements, contractual safety requirements and other requirements, increase the level of security of protected data and reduce the level of risk resulting from risk analysis.
Number of Inline Manual staff that have physical access to the systems | 0 |
---|---|
Number of staff that would have logical access to data | 3 |
How do staff access the production system | SSH console |
Encrypted administrative network traffic | All administrative network traffic to the platform is encrypted. |
The org structure for security operations | CTO is the main person responsible for the security and looking after all the security updates to the infrastructure. |
Monitoring | Pingdom, NewRelic, Datadog, OpsGenie |
Critical events after hours process | We are monitoring our servers via the tools above. We are getting notifications about any suspicious activity (performance, downtime,...). We react to these as soon as possible, typically within few minutes. |
Passwords | Passwords are hashed using BCrypt. Passwords retrieval process: request forgotten password > a unique link is sent to the requestor email with a secret token, upon clicking the password will be reset. |