Information Security Policy
Our business relies on your ability to use Instapage safely and securely. We take your security and privacy seriously. That is why we have put in place processes to ensure that the code running on our service is stable and that security gaps are found and closed. Ensuring that the data you exchange with Instapage is secure is a top priority.
The Instapage Information Security Policy is based on the ISO/IEC 27001 standard and is focused on the following areas:
- Risk Assessment
- Human Resources Security
- Organizing Information Security
- Asset Management
- Physical Security
- Communications and Operations Management
  - Cloud security
  - Sign in
  - Encrypted communication
  - Session management
  - Sign out
  - Network security
  - Host security
- Access Control
  - User permissions
- System Development and Maintenance
  - Security program
  - Code assessments
- Information Security Incident Management
- Business Continuity Management
Risk Assessment
The Instapage approach to security is based on the CRAMM risk assessment methodology, applied to the confidentiality, integrity and availability of information, together with continuous evaluation of the need for protective measures. An overall risk assessment of all information systems is performed annually.
Human Resources Security
To maintain a high level of security, Instapage checks every new employee's references and verifies their education and employment history. All personal data used in the hiring process is protected in accordance with US and EU law.
Instapage expects its employees to protect all data. Every month the Instapage Chief Security Officer provides security awareness training. Topics range from social engineering, physical, desktop and mobile security, and how to spot and stop phishing scams, hoaxes and malware, to copyright law with regard to file sharing. These sessions give our employees a clear understanding of why security is vital, how to prevent incidents and what to do if one occurs.
Organizing Information Security
Instapage hosts an internal Information Security Forum once a month at its offices in Poland. Required attendees include department directors, lead architects and our information security officer, who is a certified ISO/IEC 27001 lead auditor and a member of ISSA and ISACA with more than ten years of experience. During the forum a thorough risk analysis is performed, its results are discussed, and appropriate security measures are decided on and implemented.
Physical Security
Instapage offices are protected by on-site security guards, alarm systems and video surveillance. Offices are accessible only to staff with personalized proximity cards.
Communications and Operations Management
Instapage is a cloud-based solution built on Google and Amazon cloud services. Both providers maintain a secure environment and allow us to scale and innovate, and our system is highly available, scalable and secure as a result. Access to the cloud accounts requires two-factor authentication, all stored data is encrypted at rest, all data transferred into the cloud is encrypted in transit, and access management and monitoring tooling is in place. Relying on these providers also means Instapage does not need to maintain costly infrastructure such as its own data center.
Instapage requires authentication for all application pages and resources, except those specifically intended to be public. All authentication controls are enforced server-side on a trusted system and fail securely: an error in the authentication path denies access rather than granting it. Credentials are transmitted only in TLS-encrypted POST requests.
We enforce the following password requirements and security standards:
- Passwords must be a minimum of 8 characters in length.
- Passwords are hashed with Argon2, the winner of the Password Hashing Competition. Argon2 is a memory-hard password hashing algorithm, not an encryption algorithm: the stored value is designed so that it cannot be reversed to recover the password.
- No plaintext passwords are stored.
Repeated login attempts with the wrong username or password lock the account. The account is disabled for a period of time: long enough to slow down a brute-force login attack, but not so long that legitimate users are effectively locked out of the application.
Password reset links are sent only to the user's pre-registered email address, and each link is temporary.
All communication with instapage.com is encrypted using Transport Layer Security (TLS), and the TLS configuration is regularly reviewed and updated to use the strongest available cryptography.
The Instapage website and the entire application are covered by an EV certificate issued by DigiCert. Connections are protected by TLS 1.2 with an ECDHE_RSA key exchange using X25519, which provides forward secrecy, and the AES_128_GCM authenticated cipher. The negotiated protocol, key exchange and cipher can be checked from any client with openssl s_client -connect instapage.com:443.
Each time a user signs into instapage.com, they receive a new, unique session identifier. Each identifier consists of 64 bytes of cryptographically random data, which makes guessing a valid session identifier infeasible.
When signing out, the session cookie is deleted and the session identifier is invalidated on all Instapage servers.
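As an added example (this is not Instapage's code, and the page does not describe its implementation), the following Python sketches the controls described in the sign-in, password, session and sign-out passages above: a salted, memory-hard password hash behind a minimum-length check, an account lockout that expires automatically after a cooldown, and 64-byte random session identifiers that are kept in a server-side store and invalidated there on sign-out. hashlib.scrypt stands in for Argon2 because the Python standard library has no Argon2; the attempt threshold, lockout duration, user names and passwords are assumptions made for the example.

```python
"""Authentication controls sketched from the policy text: a slow, salted password
hash with a minimum-length check, account lockout with an automatic cooldown,
and 64-byte random session identifiers kept in a server-side store."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MIN_PASSWORD_LEN = 8          # stated by the policy
MAX_FAILED_ATTEMPTS = 5       # assumption: the policy does not give the threshold
LOCKOUT_SECONDS = 15 * 60     # assumption: the policy only says "a period of time"
SESSION_ID_BYTES = 64         # stated by the policy
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash


def hash_password(password: str) -> str:
    """Salted, memory-hard password hash. hashlib.scrypt stands in for Argon2
    (with argon2-cffi the equivalent is PasswordHasher().hash(password))."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: the parameters travel with the hash so they can be raised later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Account:
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked


class AuthService:
    """In-memory stand-in for the account and session stores."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}      # session id -> username
        # Verified against when the username does not exist, so that a missing
        # account costs the same time as a wrong password.
        self.dummy_hash = hash_password("not-a-real-password")

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_password(password))

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session id on success, None on any failure (fail closed)."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is not None and now < account.locked_until:
            return None                          # still inside the lockout window
        stored = account.password_hash if account is not None else self.dummy_hash
        if not (verify_password(stored, password) and account is not None):
            if account is not None:
                account.failed_attempts += 1
                if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                    account.locked_until = now + LOCKOUT_SECONDS
                    account.failed_attempts = 0  # the counter restarts after the cooldown
            return None
        account.failed_attempts = 0
        # A new identifier on every sign-in: 64 random bytes, base64url-encoded
        # so it can be carried in a cookie value.
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.sessions[session_id] = username
        return session_id

    def user_for_session(self, session_id: str) -> Optional[str]:
        return self.sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        """Invalidate server-side; deleting the cookie alone would leave the id usable."""
        self.sessions.pop(session_id, None)


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed sample user
    sid = svc.login("alice", "correct horse battery staple")
    print(svc.user_for_session(sid))                         # alice
    svc.logout(sid)
    print(svc.user_for_session(sid))                         # None
```

Two design points are worth noting. The lockout is enforced by a timestamp rather than a flag that someone must clear, so the account comes back on its own once the cooldown passes, which is what the policy's "for a period of time" requires. And an unknown username is still run through a hash verification against a dummy record, so an attacker cannot use response time to tell a wrong password from a non-existent account.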
Instapage maintains a schema of its network architecture and of the data flows between its systems, and updates it regularly.
Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
All hosts run centrally managed endpoint protection software, which includes:
- Antivirus (with signatures and security patches updated regularly)
- Full disk encryption
- Browser check
- A host intrusion prevention system that blocks unknown or suspicious network flows
- Device control, which allows data to be written only to whitelisted devices
Access Control
Access to a customer's information is restricted within Instapage and is authorized only for providing direct customer support or for product enhancements (e.g., to understand how an engineering change affects a group of customers). Instapage subcontractors may have access to customer data when analyzing or maintaining infrastructure. Under no circumstances is sensitive customer data shared with anyone outside Instapage and its subcontractors.
Instapage has made it a priority to ensure the safety and security of all information. We have in place strict employee access controls that protect all information from unauthorized use:
- Account data is used only to provide services to you.
- Instapage does not sell, rent, or otherwise disclose the information users provided when setting up their accounts.
- We limit access to user content and information to Instapage employees who require such information to perform their jobs, or as required to provide support.
- Access to systems containing sensitive information is logged and audited.
- Instapage requires the use of single sign-on, strong passwords and 2-factor authentication (where available).
- Instapage employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer information.
For easier teamwork, Instapage offers a feature called Team Members.
Team Members makes collaboration easy: instead of sharing your private login details with everyone who needs access to your account, you can add multiple users with different roles and choose which of your client accounts each of them can access.
The following permission roles are available:
- View is the most limited access: the team member can only view your pages.
- Edit allows the team member to edit your pages.
- Manage gives full access to your account except the billing information.
System Development and Maintenance
The Instapage software development lifecycle (SDLC) requires the following ongoing activities to build security into Instapage products:
- Defining Security Requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments)
- Deployment controls (security, confidentiality, integrity, and availability code reviews)
Instapage clients (web, desktop, mobile, and API) are designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications), which set the minimum security bar, and adhere to applicable legal, statutory, or regulatory compliance obligations.
Automated source code analysis is utilized to find common defects.
Manual source code analysis is performed on security-sensitive areas of code and new features and components.
Third-party reviews are performed annually by security consultants.
Information Security Incident Management
Instapage has a Security Incident Response Plan designed to respond quickly and systematically to security incidents that may arise. The plan is tested and refined on a regular basis.
Business Continuity Management
Our infrastructure is designed to provide stability and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes.
We use established cloud providers, namely Google App Engine and Amazon Web Services, which are trusted by thousands of businesses, to store and serve our data and services.
To help ensure availability in the event of a disaster, we replicate data across multiple data centers. We also keep encrypted backups of all important data on site.