Funnel Information Security Overview
Introduction
At Funnel we take information security very seriously. Protecting your data is one of our most important responsibilities. We believe in being transparent about how we work, and that includes our security practices, so that you as a customer understand our approach and commitment.
Organizational Security
Funnel operates a security program based on the international ISO/IEC 27001 standard, which lets us work in a structured way to protect our organization and our customers' data. The program is led by our Chief Information Security Officer (CISO), who is responsible for ensuring that appropriate security measures are implemented and that they are continuously evaluated and improved.
Our approach to security compliance
To have our ongoing security work independently verified, we have adopted the most widely accepted global security standards applicable to the SaaS industry: SOC 2 Type II and ISO 27001. Both require annual security audits by external, independent auditors.
To support our customers in their internal compliance processes, customers can request access to Funnel's security compliance profile*, where we share audit reports and other associated compliance content.
With this transparent approach to our security compliance work, we believe our customers get a stronger assurance process, one better suited to security due diligence of SaaS products.
For the same reason, we do not fill out traditional vendor security questionnaires: their questions rarely map well onto a SaaS context, and the security domains they cover are already addressed in the audit reports available to customers.
*Existing customers who would like to get access to our security compliance profile can contact their sales representative
Protection of our customers data
The core of our security program is to prevent unauthorized access to our customers' data.
All data is handled according to a defined model, with an associated set of security controls applied throughout the entire information life cycle.
Information handling
All information assets are classified according to a defined classification matrix and have designated owners and roles across the organisation.
Type of data that we process
In general, the data we handle relates to cost monitoring. The majority of it concerns costs, number of clicks, sign-ups and similar metrics. The data originates from sources our customers already use (Facebook, LinkedIn, etc.) and is imported into Funnel only from the sources our customers actively choose to connect.
In rare cases a customer may choose to import fields that contain a customer ID or other values that could be categorized as personal data. However, PII is not the key type of data handled in the Funnel service; cost follow-up data is.
Data in transit
All data transferred between customer systems and the various services within Funnel is encrypted in transit using strong Transport Layer Security (TLS 1.2).
Data at rest
All data is encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256).
Data segmentation
Our product operates in a Virtual Private Cloud, and each customer's data is logically separated from that of other customers.
Risk Management
Risk management is a central activity within Funnel, and a sound risk culture and effective risk management are fundamental to our long-term stability.
Risk life cycle
Funnel continuously identifies, assesses, manages and reports risks to which we may be exposed. Risk is assessed on the basis of its probability and impact according to an established model.
HR Security
In the HR field we work actively in a number of areas to ensure that our employees and consultants understand their responsibilities, are suitable for their roles and receive continuous training.
Background checks
Background checks are conducted prior to employment with Funnel.
Checks include credit history and criminal record checks, among others.
Funnel uses external screening services to perform these checks.
Onboarding
Everyone follows an established onboarding process that includes signing an Acceptable Use Policy, attending security introduction sessions, and similar steps.
Offboarding
Offboarding follows a strict process with predetermined steps that the employee's line manager must complete. It also includes communicating the obligations that remain in force after employment ends under the signed NDA or the confidentiality clauses of the employment contract.
Security Awareness
An established awareness program runs continuously throughout the year and combines general training with targeted training on current types of threats. In addition, phishing simulations are conducted as both general and targeted campaigns.
Disciplinary Process
A disciplinary process determines what actions are taken when security policy has been breached and is intended to provide a fair, efficient and consistent method of handling disciplinary matters.
Access Management
Access management controls are implemented to ensure that only authorised individuals can gain access. Users are granted only the access rights their role requires to perform their duties, following the principles of need-to-know and least privilege.
Authentication
We use authentication controls such as Multi Factor Authentication, hardware tokens and Single Sign-On to secure the accounts used to manage our services.
Management of privileged access
The allocation and use of privileged rights is limited to authorized personnel only, and all activities performed with privileged access are closely monitored.
Access Reviews
Access rights are reviewed regularly according to an established process.
Customer authentication options
We offer Single Sign-On and Multi Factor Authentication options for our customers through Okta, Google and Azure AD.
Physical security
The Funnel SaaS operates on AWS. The physical infrastructure is therefore hosted by AWS and we rely on their data center security controls.
We continuously monitor the performance and compliance of these controls through independent reports.
Funnel office facilities have industry-standard physical security protection with access control, burglar alarm, CCTV, motion detectors and similar measures. Furthermore, all visitors are required to sign in at reception on arrival.
Secure Development
Funnel's development organization follows a robust development process where security is an integral part of the various development phases.
Code Deployment
All changes to source code destined for production are subject to code review by a qualified engineering peer, including security and performance analysis.
Before production services are updated, every contributor to the new software version is required to confirm that their changes work as intended in the staging environment.
Use of 3rd party software
Third-party software used in development is covered by an automated flow that identifies potential vulnerabilities so that they can be remediated.
Monitoring
Our SaaS is constantly monitored for different types of deviations and patterns. We monitor what happens in our customers' accounts as well as the activities performed by Funnel users (including privileged accounts). We monitor different types of traffic and behaviour patterns so that deviations can be identified and acted on quickly through automated alerts.
We continuously monitor the availability of our product using dedicated services.
Incident Management
Funnel has an established incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to service and security incidents.
Supplier management
In order to operate efficiently and effectively, Funnel relies on a number of supporting services from third-party suppliers. Where such a supplier is integrated with the Funnel service or otherwise affects Funnel's security or risk tolerance, we perform a thorough risk assessment involving several departments within our organization. This is done before the trial period for all new services, and for existing suppliers whenever deemed necessary.
Disaster recovery
All services are deployed redundantly in multiple physical data centers (availability zones). This setup protects the Funnel service from service disruptions in case of environmental risks such as seismic activity or flooding, power outage or connectivity issues.
Backups of Funnel data are performed using AWS S3 versioning and lifecycle management. Backups are retained in multiple versions with a designed durability of 99.999999999% (eleven nines). The versioning and restoration mechanisms are operated and tested by Amazon Web Services. Old versions can be accessed at the object level on demand, without a full restore of the complete data set. Funnel backs up all customer configuration and business data at least once a day. The data is retained for as long as the customer remains a customer of Funnel, or until the customer chooses to delete it.
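The backup model above (a versioned S3 bucket, a lifecycle rule that governs how long superseded versions are kept, and object-level restore of an earlier version) is illustrated below in an added example. This is not Funnel's own code; the bucket name, key names, retention period and timestamps are assumptions, and the version listing is constructed to mimic what `list_object_versions()` returns. The point-in-time logic also handles the edge case the paragraph implies but does not spell out: if the newest entry before the chosen instant is a delete marker, the object did not exist then and there is nothing to restore.

```python
"""Object-level, point-in-time restore from an S3 versioned bucket.

Added example, not Funnel's code. Bucket, keys, retention and timestamps
below are placeholders chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

BUCKET = "example-funnel-data"          # assumed bucket name
NONCURRENT_RETENTION_DAYS = 35          # assumed retention for old versions


def lifecycle_rules(noncurrent_days=NONCURRENT_RETENTION_DAYS):
    """Lifecycle configuration for put_bucket_lifecycle_configuration().

    Every overwritten or deleted version stays readable for
    `noncurrent_days` after it stops being current, then expires. Delete
    markers whose versions have all expired are removed as well, so keys
    deleted long ago do not linger in listings forever.
    """
    return {
        "Rules": [
            {
                "ID": "retain-noncurrent-versions",
                "Status": "Enabled",
                "Filter": {"Prefix": ""},
                "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_days},
                "Expiration": {"ExpiredObjectDeleteMarker": True},
            }
        ]
    }


def version_at(listing, key, point_in_time):
    """Version id of `key` as it existed at `point_in_time`, or None.

    `listing` has the shape of an s3.list_object_versions() response:
    a 'Versions' list and a 'DeleteMarkers' list. Both are consulted,
    because the newest entry at or before the instant may be a delete
    marker, meaning the key did not exist at that time.
    """
    candidates = []
    for v in listing.get("Versions", []):
        if v["Key"] == key and v["LastModified"] <= point_in_time:
            candidates.append((v["LastModified"], False, v["VersionId"]))
    for m in listing.get("DeleteMarkers", []):
        if m["Key"] == key and m["LastModified"] <= point_in_time:
            candidates.append((m["LastModified"], True, m["VersionId"]))
    if not candidates:
        return None                      # key had not been written yet
    _, is_delete_marker, version_id = max(candidates, key=lambda c: c[0])
    return None if is_delete_marker else version_id


def restore_version(s3, bucket, key, version_id):
    """Make `version_id` current again by copying it on top of `key`.

    The copy becomes a new version, so history is preserved and the
    restore itself can be undone the same way.
    """
    return s3.copy_object(
        Bucket=bucket,
        Key=key,
        CopySource={"Bucket": bucket, "Key": key, "VersionId": version_id},
    )


def restore_to_point_in_time(s3, bucket, key, point_in_time):
    """Restore a single key to its state at `point_in_time`."""
    listing = s3.list_object_versions(Bucket=bucket, Prefix=key)
    version_id = version_at(listing, key, point_in_time)
    if version_id is None:
        raise LookupError(f"{key} did not exist at {point_in_time.isoformat()}")
    return restore_version(s3, bucket, key, version_id)


# Constructed listing (not real data): v1 written at T0, overwritten by v2
# a day later, deleted twelve hours after that, then re-created as v3.
T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
KEY = "acct-42/config.json"
SAMPLE_LISTING = {
    "Versions": [
        {"Key": KEY, "VersionId": "v3", "IsLatest": True, "LastModified": T0 + timedelta(days=2)},
        {"Key": KEY, "VersionId": "v2", "IsLatest": False, "LastModified": T0 + timedelta(days=1)},
        {"Key": KEY, "VersionId": "v1", "IsLatest": False, "LastModified": T0},
    ],
    "DeleteMarkers": [
        {"Key": KEY, "VersionId": "dm1", "IsLatest": False, "LastModified": T0 + timedelta(days=1, hours=12)},
    ],
}


if __name__ == "__main__":
    import boto3  # imported here so the offline helpers above need no AWS SDK
    s3 = boto3.client("s3")
    s3.put_bucket_versioning(Bucket=BUCKET, VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_lifecycle_configuration(Bucket=BUCKET, LifecycleConfiguration=lifecycle_rules())
    restore_to_point_in_time(s3, BUCKET, KEY, datetime.now(timezone.utc) - timedelta(days=1))
```

Two design points worth noting: the restore is a `copy_object` of the chosen version rather than a deletion of newer ones, so nothing is destroyed and the history remains auditable; and retention is enforced by `NoncurrentDays`, which counts from the moment a version stops being current, so the window a team can recover from is exactly the retention period regardless of how often a key is overwritten.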
For worst-case scenarios and disaster recovery, Funnel has an established Business Continuity Plan.
Independent Testing and Assurance
We see independent testing as essential for continuous evaluation and have established a formal process covering several types of testing of our security posture. This testing is performed by external partners who are accredited and certified for the work they do.
Penetration testing
Funnel conducts a yearly penetration test using an independent external third party specialised in cyber security. The penetration test is conducted as a white-box test: the testers have access to system documentation and the source code while testing, which gives them the best possible conditions for identifying and verifying potential vulnerabilities. An executive summary of the latest penetration test can be shared on request.
Internal penetration tests are scheduled once a year and conducted by the Security Team. In addition, continuous security reviews and tests are performed as an integrated part of Funnel's secure development method.
External Audits
Funnel conducts annual external security audits performed by accredited Auditors.
Internal Control
We have an internal control framework that defines a large number of controls.
Controls are followed up and evaluated continuously.