Funnel Information Security Overview
At Funnel we take information security very seriously. Protecting your data is one of our most important responsibilities. We strongly believe in being transparent about how we work, and this must also apply to our security practices, so that you as a customer understand our approach and commitment.
Funnel has designed a security program that we work according to. The program is based on the global ISO27001 standard and gives us the opportunity to work in a structured way to protect our organization and our customers' data. The program is led by our Chief Information Security Officer (CISO), who has the task of ensuring that we have appropriate security measures implemented and that these are continuously evaluated and improved.
Compliance certifications and regulations
Funnel meets some of the most widely recognized security standards and has implemented processes and technical solutions to help our customers to meet their compliance requirements.
Funnel certifications and regulations
Funnel is certified according to ISO27001. The certificate is published here.
Funnel supports customers’ compliance with GDPR.
Funnel uses external service providers for credit card processing and is therefore not subject to PCI DSS requirements.
Protection of our customers' data
The core of our security program is to prevent unauthorized access to our customers' data.
All data is handled carefully according to a defined model and throughout the entire information life cycle using an associated set of security controls.
All information assets are classified according to a developed classification matrix and have designated roles and ownership distributed across the organisation.
Type of data that we process
In general, the type of data handled is related to cost monitoring. The majority of the data is about costs, number of clicks, sign-ups and similar. The data originates from sources that our customers already use (Facebook, LinkedIn etc.) and is only imported into Funnel from the sources our customers actively choose to import from.
In rare cases, there may be a use case for importing fields that could contain a customer ID number or something else that could be categorized as personal data. However, PII is not the key type of data handled in the Funnel service; data for following up costs is.
Data in transit
All data transferred between the customer's service and the various services within Funnel is protected by strong Transport Layer Security (TLS 1.2) encryption.
Data at rest
All data is encrypted at rest using the Advanced Encryption Standard (AES256).
Our product operates in a Virtual Private Cloud and each customer's data is logically separated.
Risk management is a central activity within Funnel and it is of fundamental importance for our long-term stability to have a sound risk culture and effective risk management.
Risk life cycle
Funnel continuously identifies, assesses, manages and reports risks to which we may be exposed. Risk is assessed on the basis of its probability and impact according to an established model.
In the HR field, we work actively in a number of areas to ensure that our employees and consultants understand their responsibilities, are suitable for the roles and are continuously being trained.
Background checks are conducted prior to employment with Funnel.
Checks are made carefully and include credit history, criminal checks etc.
Funnel uses external services in order to execute these activities.
Everyone follows an established onboarding process that includes signing an Acceptable Use Policy, security introduction sessions etc.
Offboarding follows a strict process that includes predetermined steps that the nearest Manager needs to go through. It also includes communicating the ongoing liability that remains valid upon termination of employment with respect to the signed NDA or employment contract containing the confidentiality clauses.
There is an established awareness program that runs continuously throughout the year and which includes general training combined with more targeted training for current types of threats. In addition, Phishing simulation tests are conducted with general and targeted campaigns.
There is a disciplinary process that determines what actions will be taken when security has been breached and is intended to provide a fair, efficient and consistent method of handling disciplinary matters.
Access management controls are implemented to ensure that only authorised individuals can gain access. Users are granted access rights that are sufficient for their role and for them to perform their duties (following the principles of Need-to-Know and Least Privilege).
We use authentication controls such as Multi Factor Authentication, hardware tokens and Single Sign-On to secure the accounts used to manage our services.
Management of privileged access
The allocation and use of privileged rights is limited to authorized personnel only and all activities performed are closely monitored.
Review of accesses is performed according to an established process and is executed regularly.
Customer authentication options
We offer Single Sign-On and Multi Factor Authentication options for our customers through Okta, Google and Azure AD.
The Funnel SaaS operates on AWS. The physical infrastructure is therefore hosted by AWS and we rely on their data center security controls.
We continuously monitor the performance and compliance of these controls through independent reports.
Funnel office facilities have industry standard physical security protection with secure access, burglary alarm, CCTV, motion detectors etc. Further, all visitors are required to sign in upon arrival at the reception.
Funnel's development organization follows a robust development process where security is an integral part of the various development phases.
All changes to source code destined for production use are subject to code review by a qualified engineering peer that includes security and performance analysis.
Prior to updating production services, all contributors to the updated software version are required to confirm that their changes work as intended in the staging environment.
Use of 3rd party software
For the 3rd party software used as part of the development, there is an automated flow that ensures that potential vulnerabilities are identified and remediated.
Our SaaS is constantly monitored for different types of deviations and patterns. We monitor what happens to our customers' accounts as well as what activities are performed by Funnel users (including privileged accounts). We monitor different types of traffic and behavior patterns to be able to identify deviations as well as to be able to act quickly through automated alarms.
We continuously monitor the availability of our product using dedicated services.
Funnel has an established incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to service and security incidents.
In order to operate in an efficient and effective manner, Funnel relies on a series of supporting services from other 3rd party suppliers. Where those suppliers may be integrated with the Funnel service or in any other way have an impact on Funnel's security and risk tolerance, we perform a thorough risk assessment which involves different departments within our organization. This is performed prior to the trial period for all new services and as deemed necessary for our current suppliers.
All services are deployed redundantly in multiple physical data centers (availability zones). This setup protects the Funnel service from service disruptions in case of environmental risks such as seismic activity or flooding, power outage or connectivity issues.
Read more about data center controls at AWS here - https://aws.amazon.com/compliance/data-center/controls/
Backups of Funnel data are performed by AWS S3 versioning and lifecycle management. The backups are retained in multiple versions with a durability of 99.9999999999%. The versioning and restoration mechanisms are operated and tested by Amazon Web Services. Old versions can be accessed at an object-level on-demand without the need for a full restore of the complete data set. Funnel backs up all customer configuration and business data at least once every day. The data is stored for as long as the customer is a customer of Funnel, or until the customer chooses to delete the data.
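As an added illustration, not Funnel's own configuration, the Terraform fragment below shows how the mechanisms described above (S3 versioning, lifecycle management of old object versions, and AES256 default encryption at rest) are typically expressed for a bucket. The bucket name, the 365-day retention of non-current versions and the 7-day multipart cleanup are assumed example values.

```hcl
# Example bucket; the name is a placeholder, not a real Funnel bucket.
resource "aws_s3_bucket" "customer_data" {
  bucket = "example-customer-data-bucket"
}

# Versioning keeps every previous version of an object, so an
# overwrite or delete can be reverted at object level.
resource "aws_s3_bucket_versioning" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt all objects at rest with AES256 (SSE-S3) by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Lifecycle rule: keep non-current versions for an assumed 365 days,
# then expire them; also clean up abandoned multipart uploads.
resource "aws_s3_bucket_lifecycle_configuration" "customer_data" {
  bucket     = aws_s3_bucket.customer_data.id
  depends_on = [aws_s3_bucket_versioning.customer_data]

  rule {
    id     = "retain-previous-versions"
    status = "Enabled"
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 365 # assumed retention period
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# Block any public access to the bucket and its objects.
resource "aws_s3_bucket_public_access_block" "customer_data" {
  bucket                  = aws_s3_bucket.customer_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

With versioning enabled, a single object can be rolled back by copying a specific earlier version over the current one (for example with `aws s3api copy-object` and a `versionId` in the copy source), which is the object-level, on-demand restore the text refers to.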
For worst case scenarios and disaster recovery Funnel has an established Business Continuity Plan.
Independent Testing and Assurance
We see independent testing as important for continuous evaluation and we have established a formal process that includes various types of testing of our security posture. This is done through external partners who are accredited and certified in what they do.
Funnel conducts a yearly penetration test using an independent external 3rd party specialised in cyber security. The penetration test is conducted as a Whitebox test where the penetration testers have access to system documentation and the source code while conducting the tests. This provides the penetration testers with optimal conditions to identify and verify the existence of potential vulnerabilities. An executive summary of the latest penetration test can be shared on request.
Internal penetration tests are scheduled twice a year and conducted by the Security Team. Furthermore, continuous security reviews and tests are performed as an integrated part of the Secure Development method used in Funnel.
Funnel conducts annual external security audits performed by accredited Auditors.
We have an internal control framework that includes a large number of defined controls.
Controls are followed up and evaluated continuously.