Security

Sailthru provides cross-channel experience management and campaign coordination across email, web, mobile, and social for hundreds of clients, spanning thousands of domains. Our customers include both public entities and private organizations, many with global operations and hundreds of millions of customers. That’s why trust is the foundation of our privacy and data security promise to our customers.

Operational security

Our adaptive, forward-looking measures are our promise to you.

Certifications and Compliance

As part of our privacy and security practices, Marigold Engage by Sailthru undergoes a SOC 2 Type II examination on an annual basis for the Security, Availability and Confidentiality ‘Trust Service Principles’. We regularly report to our Board of Directors on security and data privacy readiness and we baseline our program’s maturity against the National Institute of Standards and Technology (NIST) Cybersecurity Framework annually.

Dedicated security team

We have a dedicated information security team, responsible for the design and adoption of a mature security program as well as securing our platform, identifying vulnerabilities and responding to security events.

Data storage and processing locations

We store data in US-based data centers. In addition, we use AWS's CloudFront Content Delivery Network (CDN) for faster content caching. More on Amazon's CloudFront can be found here: https://aws.amazon.com/cloudfront/features/

Security policies

We have a suite of security guidelines with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement. Our Security Incident Response policy has been specifically designed to include standards on customer notification which aligns with the EU’s GDPR.

We use the NIST Cybersecurity Framework to measure our ability to identify, protect against, detect, respond to and recover from security events.

Awareness and training

All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.

We provide an ongoing program of security awareness training designed to keep all members of staff informed and vigilant of security risks. This includes regular assessments of comprehension to measure the program’s effectiveness.

Disaster Recovery and Business Continuity

The Marigold Engage by Sailthru Disaster Recovery Plan focuses on the recovery of technology facilities and platforms, such as critical applications, databases, servers or other required technology infrastructure. This also includes the security and compliance requirements, impact ratings and the communication and notification process.

In the event of a disaster which interferes with our ability to conduct business from one of our offices, our Business Continuity Plan will be used by the responsible individuals to coordinate the business recovery of their respective areas and/or departments. The plan is designed to contain, or provide reference to, all of the information that might be needed at the time of a business recovery.

Physical security

We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.

Data center controls

We only use state of the art data centers and cloud providers. Our data centers are monitored 24×7 for all aspects of operational security and performance. They are also equipped with modern security controls such as biometrics, sensors for intrusion detection, keycards, and around-the-clock interior and exterior surveillance.

In addition, access is limited to authorized data center personnel; no one can enter the production area without prior clearance and an appropriate escort. Every data center employee undergoes background security checks.

Data center compliance

Our data center provider is certified to the following compliance standards: HIPAA, PCI-DSS, SOC 1 Type 2, SOC 2 Type 2. https://www.365datacenters.com/new-jersey/ 

Our cloud provider has the following certifications: PCI-DSS, ISO 27001, SOC 1 / 2 / 3, IRAP, ISO 27018 and ISO 9001. https://aws.amazon.com/compliance/

Application security

Our application has been designed with a focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.

Security testing

Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also run regularly scheduled scans of our application that simulate a malicious user, while maintaining the integrity, security and availability of the application's data.

We also leverage the services of an external third party to perform a yearly penetration testing exercise against our platform to make sure we’ve got every angle covered.

Security controls

We protect our application using a number of security controls including a managed IDS/IPS solution. We never give, rent, or sell access to your data to anyone else, nor do we make use of it ourselves for any purpose other than to provide our services. See our full privacy policy for more information.

Each account's data is keyed by a unique identifier, which is used to retrieve that data via the application or the API. Each request is authenticated and logged.

Secure code development

We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development. We do not use production data in our test and development environments.

Data encryption

To protect data in transit we encrypt connections using TLS, supporting TLS 1.0 or better. Note that TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), so clients should negotiate TLS 1.2 or later wherever possible. Data at rest is encrypted using AES-256.

User access

We put considerable effort into ensuring the integrity of sessions and authentication credentials, and we offer our customers the ability to protect their accounts using multi-factor authentication. Password storage and verification are based on a one-way function: passwords are stored only as a strong salted hash and are never kept in a form from which the original password can be recovered. Email addresses are likewise validated against a strong salted hash, stored alongside the email.

The databases are further protected by access restrictions, and sensitive fields (including your password, which is held only as a salted hash) are protected when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API, both of which use secure transfer protocols.
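The following is an added illustration of the one-way salted password storage described under "User access"; it is not Sailthru's code and the page does not name the hash function it uses, so PBKDF2-HMAC-SHA256 with a 16-byte random salt is an assumed choice here. It shows why the stored value is called one-way rather than encrypted: verification recomputes the hash from the stored salt and compares in constant time, nothing is ever decrypted, and the unsalted form is included only to show the collision a salt prevents.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions, not Sailthru's): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and a 32-byte derived key. ITERATIONS is the cost knob.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a storable record; the password cannot be recovered from it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt: same password -> different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if record.get("alg") != "pbkdf2-sha256":
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    record["iterations"], dklen=KEY_BYTES)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def unsalted_hash(password: str) -> str:
    """The weak form, for contrast only: no salt, one fast hash. Two users with
    the same password get identical values, and a precomputed table breaks it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users happen to choose the same password.
    alice = hash_password("Tr0ub4dor&3")
    bob = hash_password("Tr0ub4dor&3")
    print("salted hashes differ:", alice["hash"] != bob["hash"])      # True
    print("unsalted hashes collide:",
          unsalted_hash("Tr0ub4dor&3") == unsalted_hash("Tr0ub4dor&3"))  # True
    print("login ok:", verify_password("Tr0ub4dor&3", alice))          # True
    print("login bad:", verify_password("tr0ub4dor&3", alice))         # False
```

The record stores the algorithm name and iteration count beside the salt and hash so that the cost can be raised later and old records re-hashed on next successful login without breaking verification of existing ones.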

Logging and cookie management

We use both session ID cookies and persistent cookies for user authentication and tracking purposes.

All key actions on the application are centrally logged, audited and monitored. For instance, whenever our staff access an account for maintenance or support functions, such activities are logged so we can refer to them later.

Safe Harbor Policy

    1. The purpose of this Safe Harbor Policy is to create a process that enables security research into our systems while preserving a regularized method of compensating security researchers for their efforts to improve our systems.
    2. We want you to responsibly disclose through our Vulnerability Disclosure Program, and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
    3. Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties, as further described below.
    4. If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.

1. Safe Harbor Terms

We consider vulnerability research conducted according to this policy to be:

  1. Exempt as authorized under any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  2. Exempt as authorized under any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  3. Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis;
    1. Except: Where the use of services puts an excessive burden on the bandwidth of our services or compromises their performance;
  4. Lawful, helpful to the overall security of the internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

2. Third Party Safe Harbor

If you submit a report through our bug bounty program which affects a third party service, we will limit what we share with any affected third party. We may share non-identifying content from your report with an affected third party, but only after notifying you that we intend to do so and getting the third party’s written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report.

Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of our policy. Refer to that third party’s bug bounty policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party’s systems or services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party claim based on your actions.

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this bug bounty program, and you have complied with this Safe Harbor Policy and have not acted in bad faith, upon your written request, we will inform the third party that your actions were conducted in compliance with this Safe Harbor Policy.

3. Limited Waiver of Other Site Policies

If at any time you have concerns or are uncertain whether your security research is consistent with this Safe Harbor Policy, please submit a report in advance as set forth in the security text file located here.

Note that the Safe Harbor applies only to legal claims under our control; it does not bind independent third parties.