Instapage has a documented Information Security Risk Management Policy ensuring a systematic approach for measuring, managing, and reporting information security related risks within our environment. Any identified risks to our environment will be inventoried, managed in a central location, and remediated appropriately based on severity level. Additionally, Instapage has implemented a process to perform third-party risk assessments on our vendors who store and/or transport our data.
Instapage takes the privacy of our clients and clients’ visitors seriously to build and maintain trust with all our customers. As a result, we are committed to aligning our data privacy practices with GDPR and Privacy Shield principles. In doing so, Instapage has implemented an Information Security Program to ensure the confidentiality, integrity, and availability of data. Moreover, Instapage has a Data Privacy and Protection Program as well as a formal Data Handling Training guide. Our employees and contractors undergo training during employee onboarding and awareness is performed annually.
Information Security Program
Instapage has implemented a formal Information Security Program which includes Architecture, Charter, Policies, and Processes. Our Information Security Policy and Processes are aligned to ISO 27001/2 and NIST 800-53 frameworks and are reviewed and updated annually – or in the instance of a major business change. The policies include the following: Information Security Program Governance Policy; Security Architecture Policy; Security Operations Policy; People Security; Third Parties Policy; Physical Security Policy; Business Continuity Policy; and Compliance Security. Processes are performed within our environment to support the policies listed above.
Asset & Information Management
Our Compliance Security Policies identify several levels of data sensitivity and classification that are safeguarded by our best-of-industry infrastructure and security controls. Amazon Web Services (AWS) and Google Cloud Platform (GCP) hold the most critical and relevant industry, compliance and regulatory certifications, which are integrated across our cloud-hosted infrastructure. Instapage has implemented an asset inventory process that is managed within each location/office using a formal, documented management process. Each asset has an assigned owner who is responsible for that asset, and each asset is maintained in accordance with its classification restrictions. Additionally, all assets are returned to Instapage once the assigned owner leaves the company or no longer has a use for the asset.
Human Resources Security
Personal data is systematically destroyed, erased and/or anonymized at the end of the contract where personal data is no longer needed or upon client request. Instapage performs onboarding and offboarding processes of employees and contractors. The offboarding of employees and contractors is enacted within 24 hours followed by the return of provisioned materials. This mitigates the risk of privileged and sensitive information being disclosed.
Employees receive information security training and awareness during onboarding as well as annually. This training maps to our functional human resources and information security policies and is incorporated into our employees’ work habits and routines. Two-factor authentication is required of employees where applicable. Employees and contractors are bound to maintain the confidentiality of all data pursuant to non-disclosure agreements (NDA) as well as our code of ethics.
Physical & Environmental Security
Employees are issued electronic key cards or access codes for entry into our facilities. Additionally, our facilities include a security guard as well as CCTV monitoring; recordings are retained for 90 days and regularly reviewed. A process has been established for logging visitors who enter and exit our facility. Additionally, visitors are escorted by an Instapage employee. Our cloud-hosted facilities have perimeter fencing, vehicle access barriers and security alarms, which act as preventative and detective security measures.
Instapage has documented Identity Management Policy and Processes to identify, authenticate, and authorize identities to Instapage’s systems and applications. Access is provided on a need-to-know basis and conforms to the principle of least privilege. Access logs are reviewed quarterly and individuals are removed when their access is no longer needed. VPN is required for all remote employees.
We currently use configuration change management for Operating System (OS) patching and updating, together with endpoint antivirus protection. We are currently working to enhance, improve and scale out our application security across all endpoints to prevent, deter and mitigate application layer threats. Our current SDLC uses a framework that is based on Agile methodologies. The framework is composed of a set of well-known, mature processes, tools, and technologies. This allows us to create high-quality and secure code by following a consistent, repeatable, and automated process. Our SDLC is currently undergoing a thorough review as part of an ongoing effort to continuously improve the quality and security of our software.
Incident Event & Communication Management
Instapage has a documented Information Security Incident Management Program that identifies, manages, responds to, and resolves incidents in a timely manner. The Information Security Incident Management Program includes identified roles and responsibilities and proactive capabilities within its processes, and it has been integrated with our Vulnerability Management Program to identify potential incidents caused by vulnerabilities.
Instapage has a management approved Business Continuity Policy and Processes to ensure the availability of business services and processes at Instapage. A formal Business Continuity and Disaster Recovery Program has been developed.
End User Device Security
Instapage has a formal Security Operations Workstation Management Program which implements formal and secure processes to manage the operational activities associated with workstations within the environment. This is done by ensuring that only approved and authorized workstations are allowed to connect to Instapage’s network and that all access to workstations conforms to the Identity Management Program. Additionally, our Mobile Device Management Policy implements formal and secure processes to manage the operational activities associated with mobile devices within the environment. Identity and Access Management is enforced with password complexity, encrypted session management, and two-factor authentication where applicable.
Instapage has a Security Architecture Management Policy which ensures appropriate preventative and detective network safeguards are in place. This includes, but is not limited to, the following: encryption in transit as well as at rest using TLS 1.2 encryption type, network intrusion detection and prevention, browser session encryption and validation, host-based anti-virus with real-time signature updates, and full disk encryption. We also perform quarterly vulnerability assessments and annual penetration tests. Identified vulnerabilities are appropriately remediated based on their criticality (i.e., critical, high, medium, or low).
Instapage has implemented a Vulnerability Management Program to identify, prioritize, manage, and report on the threats and vulnerabilities of Instapage using a risk-based approach. All employees and contractors are responsible for reporting all discovered security vulnerabilities, and reported vulnerabilities are appropriately remediated based on their criticality.