Funnel Information Security Overview


1. Introduction

At Funnel we take information security very seriously.

We are entrusted with large amounts of customer reporting data and constantly monitor the evolution of best practices and refine our processes and technology solutions in this area.

It is part of our core business to provide accurate and timely reporting data, with high availability and security.

2. Scope of Funnel services

On behalf of our customers, Funnel collects and processes reporting data at an aggregated level from advertising platforms and other online marketing data sources such as Google AdWords, Google Analytics, Facebook, Bing, Twitter, etc.

Funnel stores copies of the data (in Amazon AWS S3) to provide more efficient processing. The original data stays with the originating platform.

3. Data ownership

Funnel customers always retain full ownership of the reporting data collected by Funnel on behalf of the customers.

Collected data will be completely and permanently deleted from the Funnel systems on request, or after termination of a Funnel subscription.

4. Data collection, transfer and encryption

Reporting data is collected by Funnel from online platforms like Google, Facebook, Bing and Twitter.

All network connections used to collect, view or transfer reporting data are encrypted using TLS. All data is encrypted at rest.

5. Backup and archiving

Funnel will back up all customer configuration and business data every 24 hours. Backups are stored in AWS S3 and Glacier, in multiple versions with a durability of 99.999999999%.

The reporting data collected by Funnel is stored only for processing purposes and the original data always stays with the original provider.

6. Infrastructure and software

6.1 Physical infrastructure

The physical infrastructure for Funnel is provided by Amazon AWS and all services are hosted in the us-east-1, Northern Virginia region. All services are deployed redundantly in multiple physical data centers (availability zones).

Configuration of all infrastructure services is fully automated and version controlled, and in case of a disaster the infrastructure can be rebuilt automatically in a different AWS region within 48 hours.

6.2 Change management

All software changes go through a change management process including peer review and automated testing.

6.3 Application monitoring

The Funnel systems are continuously monitored for errors and unexpected events using centralized logging, alerts and anomaly detection within Amazon AWS.

External uptime monitoring is provided by Pingdom.

All configuration changes and important application events are logged and archived to AWS S3 to allow for monitoring and audits.

6.4 Networking services

Funnel operates in a Virtual Private Cloud and network services are protected by AWS DDoS protection, firewalls and load balancers.

Internally Funnel operates a zero-trust network with no additional privileges allowed to Funnel office networks or computers.

7. Information handling

7.1 Information classification

All Funnel information is classified and handled according to the Funnel classification and handling policy.

7.2 Human resource security

Processes for both on- and off-boarding are in place. All Funnel employees are subject to background checks and are required to sign a confidentiality agreement before starting employment.

All Funnel employees get training in information security during their employment.

When an employment ends, the off-boarding process is followed: all equipment and access tokens are returned, accounts are terminated, information is secured, etc.

7.3 Passwords and accesses 

Access to Funnel systems is restricted to authorized users or processes only, based on the principle of strict need to know and least privilege.

All Funnel employees must use a separate, unique password for each of their work related accounts. Passwords must not be shared with anyone, including managers and coworkers.

All passwords are treated as sensitive, confidential Funnel information. 2-factor authentication is used whenever possible.

8. Security audits

Funnel performs external security audits annually and commits to resolving any identified issues with the highest priority.

9. Compliance and certifications

9.1 ISO/IEC 27001 - information security management

 

9.2 GDPR - General data protection regulation

Funnel is compliant with the requirements of the European Data Protection Regulation, GDPR.

9.3 PCI DSS - Payment card industry data security standard

Funnel is using external services for all credit card processing and is not subject to PCI DSS requirements.

updated 2021-05-31