Funnel Information Security Overview

  1. 1. INTRODUCTION

    1. At Funnel we take information security very seriously.

      We are entrusted with large amounts of customer reporting data and constantly monitor the evolution of best practices and refine our processes and technology solutions in this area.

      It is part of our core business to provide accurate and timely reporting data, with high availability and security.

  2. 2. SCOPE OF FUNNEL SERVICES

    1. On behalf of our customers, Funnel collects and processes reporting data at an aggregated level from advertising platforms and other online marketing data sources such as Google AdWords, Google Analytics, Facebook, Bing, Twitter, etc.

      Funnel stores copies of the data (in Amazon AWS S3) to provide more efficient processing. The original data stays with the originating platform. The collected data does not contain personal data.

  3. 3. DATA OWNERSHIP

    1. Funnel customers always retain full ownership of the reporting data collected by Funnel on behalf of the customers.

      Collected data will be completely and permanently deleted from the Funnel systems on request, or after termination of a Funnel subscription.

  4. 4. DATA COLLECTION, TRANSFER AND ENCRYPTION

    1. Reporting data is collected by Funnel from online platforms like Google, Facebook, Bing and Twitter. The collected data does not contain personal data. The data sources are most commonly located in the USA, and do not provide guarantees of encryption at rest.

      All network connections used to collect, view, or transfer reporting data are encrypted using SSL. Data classified as sensitive is encrypted at rest. Non-sensitive data is stored in an unencrypted format.

  5. 5. BACKUP AND ARCHIVING

    1. Funnel will back up all customer configuration and business data every 24 hours. Backups are stored in AWS S3 and Glacier, in multiple versions with a durability of 99.999999999%.

      The reporting data collected by Funnel is stored only for processing purposes and the original data always stays with the original provider.

  6. 6. INFRASTRUCTURE AND SOFTWARE

    1. 6.1 PHYSICAL INFRASTRUCTURE
      1. The physical infrastructure for Funnel is provided by Amazon AWS and all services are hosted in the us-east-1 (Northern Virginia) region. All services are deployed redundantly in multiple physical data centers (availability zones).

        Configuration of all infrastructure services is fully automated and version controlled, and in case of a disaster the infrastructure can be rebuilt automatically in a different AWS region within 48 hours.

    2. 6.2 CHANGE MANAGEMENT
      1. All software changes go through a change management process including peer review and automated testing.

    3. 6.3 APPLICATION MONITORING
      1. The Funnel systems are continuously monitored for errors and unexpected events using centralized logging, alerts and anomaly detection within Amazon AWS.

        External uptime monitoring is provided by Pingdom.

        All configuration changes and important application events are logged and archived to AWS S3 to allow for monitoring and audits.

    4. 6.4 NETWORKING SERVICES
      1. Funnel operates in a Virtual Private Cloud, and network services are protected by AWS DDoS protection, firewalls and load balancers.

        Internally, Funnel operates a zero-trust network with no additional privileges allowed to Funnel office networks or computers.

  7. 7. INFORMATION HANDLING

    1. 7.1 INFORMATION CLASSIFICATION
      1. All Funnel information is classified and handled according to the Funnel classification and handling policy.

    2. 7.2 HUMAN RESOURCE SECURITY
      1. Processes for both on- and off-boarding are in place. All Funnel employees are subject to background checks and are required to sign a confidentiality agreement before starting employment.

        All Funnel employees receive training in information security during their employment.

        When employment ends, the off-boarding process is followed: all equipment and access tokens are returned, accounts are terminated, information is secured, etc.

    3. 7.3 PASSWORDS AND ACCESSES
      1. Access to Funnel systems is restricted to authorized users or processes only, based on the principle of strict need to know and least privilege.

        All Funnel employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers.

        All passwords are treated as sensitive, confidential Funnel information. 2-factor authentication is used whenever possible.

  8. 8. SECURITY AUDITS

    1. Funnel performs external security audits annually and commits to resolving any identified issues with the highest priority.

  9. 9. COMPLIANCE AND CERTIFICATIONS

    1. 9.1 ISO/IEC 27001 – INFORMATION SECURITY MANAGEMENT
      1. A project to get certified according to the international standard for information security management, ISO/IEC 27001, has been planned and started. The project is planned to be finished in Q3 2019.

    2. 9.2 GDPR – GENERAL DATA PROTECTION REGULATION
      1. Funnel is compliant with the requirements of the European Data Protection Regulation, GDPR.

    3. 9.3 PCI DSS – PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
      1. Funnel uses external services for all credit card processing and is not subject to PCI DSS requirements.