Funnel Information Security Overview


Introduction

At Funnel we take information security very seriously. Protecting your data is one of our most important responsibilities. We strongly believe in being transparent about how we work, and this must also apply to our security practices, so that you as a customer understand our approach and commitment.
 

Organizational Security

Funnel has designed a security program that we work according to. The program is based on the global ISO27001 standard and allows us to work in a structured way to protect our organization and our customers' data. The program is led by our Chief Information Security Officer (CISO), who is responsible for ensuring that appropriate security measures are implemented and that these are continuously evaluated and improved.

Compliance certifications and regulations

Funnel meets some of the most widely recognized security standards and has implemented processes and technical solutions to help our customers meet their own compliance requirements.
 

Funnel certifications and regulations


Funnel is certified according to ISO27001. The certificate is published here.


Funnel supports customers’ compliance with GDPR.

 
Funnel uses external service providers for credit card processing and is therefore not subject to PCI DSS requirements.

Funnel has undergone a SOC 2 Type 2 attestation.
 


 

Protection of our customers' data

The core of our security program is to prevent unauthorized access to our customers' data.
All data is handled carefully according to a defined model, throughout the entire information life cycle, using an associated set of security controls.

Information handling

All information assets are classified according to a developed classification matrix and have designated roles and ownership distributed across the organisation.

Type of data that we process

In general, the type of data handled is related to cost monitoring. The majority of the data concerns costs, number of clicks, sign-ups and similar metrics. The data originates from sources that our customers already use (Facebook, LinkedIn etc.) and is only imported into Funnel from sources that our customers actively choose to import.
In rare cases, there may be a use case for importing fields that could contain a customer ID number or something else that could be categorized as personal data. However, PII is not the key type of data handled in the Funnel service; data for follow-up of costs is.

Data in transit

All data transferred between the customer's services and the various services within Funnel is encrypted in transit using strong Transport Layer Security (TLS 1.2).

Data at rest

All data is encrypted at rest using the Advanced Encryption Standard (AES256).

Data segmentation

Our product operates in a Virtual Private Cloud and each customer's data is logically separated from that of other customers.

Risk Management

Risk management is a central activity within Funnel, and a sound risk culture and effective risk management are of fundamental importance for our long-term stability.

Risk life cycle

Funnel continuously identifies, assesses, manages and reports risks to which we may be exposed. Risk is assessed on the basis of its probability and impact according to an established model.

HR Security

In the HR field, we work actively in a number of areas to ensure that our employees and consultants understand their responsibilities, are suitable for the roles and are continuously being trained.

Background checks

Background checks are conducted prior to employment with Funnel.
Checks are made carefully and include credit history, criminal record checks etc.
Funnel uses external services to carry out these checks.

Onboarding

Everyone follows an established onboarding process that includes signing an Acceptable Use Policy, security introduction sessions etc.

Offboarding

Offboarding follows a strict process with predetermined steps that the nearest manager needs to go through. It also includes communicating the ongoing obligations that remain valid after termination of employment under the signed NDA or the confidentiality clauses of the employment contract.

Security Awareness

There is an established awareness program that runs continuously throughout the year and combines general training with more targeted training for current types of threats. In addition, phishing simulation tests are conducted as both general and targeted campaigns.

Disciplinary Process

There is a disciplinary process that determines what actions will be taken when security has been breached; it is intended to provide a fair, efficient and consistent method of handling disciplinary matters.

Access Management

Access management controls are implemented to ensure that only authorised individuals can gain access. Users are granted access rights that are sufficient for their role and for them to perform their duties, following the principles of Need-to-Know and Least Privilege.

Authentication

We use authentication controls such as Multi-Factor Authentication, hardware tokens and Single Sign-On to secure the accounts used to manage our services.

Management of privileged access

The allocation and use of privileged rights is limited to authorized personnel only and all activities performed are closely monitored.

Access Reviews

Access reviews are performed regularly according to an established process.

Customer authentication options

We offer Single Sign-On and Multi-Factor Authentication options for our customers through Okta, Google and Azure AD.

Physical security

The Funnel SaaS operates on AWS. The physical infrastructure is therefore hosted by AWS and we rely on their data center security controls.
We continuously monitor the performance and compliance of these controls through independent reports.
Funnel office facilities have industry-standard physical security protection with secure access, burglary alarm, CCTV, motion detectors etc. Furthermore, all visitors are required to sign in at the reception upon arrival.

Secure Development

Funnel's development organization follows a robust development process where security is an integral part of the various development phases.

Code Deployment

All changes to source code destined for production use are subject to code review by a qualified engineering peer, including security and performance analysis.
Prior to updating production services, all contributors to the updated software version are required to confirm that their changes work as intended in the staging environment.

Use of 3rd party software

For 3rd party software used as part of development, an automated flow ensures that potential vulnerabilities are identified and remediated.

Monitoring

Our SaaS is constantly monitored for different types of deviations and patterns. We monitor what happens in our customers' accounts as well as the activities performed by Funnel users (including privileged accounts). We monitor different types of traffic and behavior patterns so that we can identify deviations and act quickly through automated alarms.
We continuously monitor the availability of our product using dedicated services.

Incident Management

Funnel has an established incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for the detection, escalation, and response to service and security incidents.

Supplier management

In order to operate in an efficient and effective manner, Funnel relies on a series of supporting services from other 3rd party suppliers. Where those suppliers are integrated with the Funnel service or in any other way have an impact on Funnel's security and risk tolerance, we perform a thorough risk assessment involving different departments within our organization. This is performed prior to the trial period for all new services and as deemed necessary for our current suppliers.

Disaster recovery

All services are deployed redundantly in multiple physical data centers (availability zones). This setup protects the Funnel service from service disruptions caused by environmental risks such as seismic activity or flooding, power outages or connectivity issues.
Read more about data center controls at AWS here - https://aws.amazon.com/compliance/data-center/controls/
Backups of Funnel data are performed using AWS S3 versioning and lifecycle management. The backups are retained in multiple versions with a durability of 99.9999999999%. The versioning and restoration mechanisms are operated and tested by Amazon Web Services. Old versions can be accessed at object level on demand, without the need for a full restore of the complete data set. Funnel backs up all customer configuration and business data at least once every day. The data is stored for as long as the customer remains a customer of Funnel, or until the customer chooses to delete the data.
For worst-case scenarios and disaster recovery, Funnel has an established Business Continuity Plan.

Independent Testing and Assurance

We see independent testing as important for continuous evaluation and have established a formal process that includes various types of testing of our security posture. This is done through external partners who are accredited and certified in their field.

Penetration testing

Funnel conducts a yearly penetration test using an independent external 3rd party specialised in cyber security. The penetration test is conducted as a white-box test, where the penetration testers have access to system documentation and the source code while conducting the tests. This gives the penetration testers optimal conditions to identify and verify the existence of potential vulnerabilities. An executive summary of the latest penetration test can be shared on request.
 
Internal penetration tests are scheduled once a year and conducted by the Security Team. Furthermore, continuous security reviews and tests are performed as an integrated part of the Secure Development method used in Funnel.

External Audits

Funnel conducts annual external security audits performed by accredited auditors.

Internal Control

We have an internal control framework that includes a large number of defined controls.
Controls are followed up and evaluated continuously.