SCHEDULE A DEMO
Search
Search

Security Controls

Overview

ARInsights’ secure hosting and management of its software platform is crucial to its success as an enterprise Software as a Service (SaaS) solution provider.  The following competencies and practices represent significant intellectual property assets of the company.  As such, this document will generally describe the back-end components, processes, and architecture, but only to the extent that important trade secrets are not revealed.

At ARInsights, the security of your data has always been a priority. We are committed to protecting and securing your data as you use each of the Services that comprise our platform.  We have completed a SOC 2 Audit that is available upon request.

This document should be reviewed together with our Privacy Policy.

Protecting your data

The aim of ARInsights security practices is to prevent any unauthorized access to customer data.

We are always looking at ways in which we can improve the security of our Services and continuously work to identify, monitor, and mitigate risks in our environment.

ARInsights is committed to constantly maintaining knowledge of the evolving application security landscape and implementing controls designed to ensure that security best practices are upheld across our organization.

Regular management security reviews are in place to address any areas that we believe should be improved upon and further secured. We implement security controls as described in this document and may modify them from time to time by pursuing new security certifications, evaluating our compliance posture, or through the use of third-party testing from time to time.

Contact us at security@arinsights.com if you have any security-related concerns about any of our Services. Please also refer to our Privacy Policy  and Terms of Service .

Security highlights

Least Privilege Access Yes
Full Daily Backups Yes
Data Encrypted in Transit and at Rest Yes
Two Factor Authentication* Yes
Vulnerability Scanning Yes
Mitigating Common Attacks Yes
Annual Penetration Testing Yes

Physical security

We have engaged Amazon Web Services, Inc. (“AWS”) to provide cloud hosting for the Services. A summary of the controls in place at AWS facilities and environments is set out below (as described by AWS). View the AWS security page for more details.

AWS operates ISO27001, PCI DSS Level 1 & SOC 2 Type II compliant data centers. Automated fire detection and suppression systems are installed in networking, mechanical, and infrastructure areas. All AWS data centers are constructed to N+1 redundancy standards.

AWS’s global security operation centers conduct 24/7 monitoring of data center access activities, with electronic intrusion detection systems installed in the data layer.

Each of AWS’ data centers have a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems and door alarming.

Network security

We employ AWS security groups and IAM controls to lock down communication between components so access to Services must be granted explicitly on an as-needed basis.

ARInsights’ system audit logs are maintained and checked for anomalies, and we use AWS services to protect from distributed attacks.

Access to hosting servers for the Services and live environments are provided on least privilege access. A very limited number of personnel have access to live environments, which also require multiple levels of security access.

ARInsights continually monitors our cloud services and have a response team on call 24/7 to respond to security incidents. Our hosting provider, AWS, also provides 24/7 monitoring and support.

ARInsights conducts a third-party penetration test annually.

ARchitect security

ARchitect employs complex password access for user authentication.  ARchitect 4 password specifications:

  • Passwords must be complex: they must contain one or more characters from 3 of the following 4 groups:  upper case letters, lower case letters, numerals, and special characters.
  • Passwords must be a minimum of 8 characters long – up to 24 characters in length.
  • All passwords are one-way hashed. Hashed passwords are hashed using the SHA1 hash algorithm and a randomly generated salt value.
  • Users are locked out after 5 invalid login attempts.

Once authenticated, users maintain a session via a cookie that may only be transmitted over SSL-secured channels. The cookie is encrypted using AES encryption, and a validation scheme verifies that the contents of an encrypted cookie have not been altered in transit. The cookie is created using cookie validation by concatenating a validation key with the cookie data, computing a message authentication code (MAC), and appending the MAC to the outgoing cookie.

User self-service password recovery is accomplished as follows:

  1. User enters their username. (If both username and password are forgotten, then self-service recovery is not possible.)
  2. User provides the correct answer to a personal question. (Both the question and answer were previously captured and recorded upon initial login.)
  3. The system generates a random temporary password and emails to the user.
  4. User accesses ARchitect with a temporary password and is required to immediately set a new password.

ARchitect users assume one of four possible roles within ARchitect:

  1. Site Administrator – this role has pervasive powers with their ARchitect site. They can view all records, add/edit/delete/unlock users, and accomplish a wide array of site customization tasks.  Each site generally assigns two or three people to this role. 
  2. Regular License – this is the standard role for most ARchitect users. This role can add/edit/delete all ARchitect entities, subject to ARchitect permission constraints. 
  3. View-Only License – this role has limited functionality in ARchitect and is most useful to those people, generally outside of the AR program, who “have a need to know,” but will not be entering data in the system or updating records.
  4. Disabled – This role prevents a user from logging into the system and is used in cases where a user is taking a leave of absence, has recently left the AR team, or other circumstances in which they may return and be re-enabled or the site simply prefers to maintain the user’s transaction and data history intact.

Within the ARchitect application, row-level entities such as individual interactions, files, private data records, captured research, etc. may all receive their own security setting, known colloquially as Visibility or Edit Permissions.  Three possible visibility/editing permissions may be set:

  1. Public – every user within the site would have visibility to the item.
  2. User Group – only members of the assigned user group would have visibility to the item. Sites may create and maintain an unlimited number of user groups to segment users among divisions, product lines, org charts, etc.  Users may belong to any number of user groups.
  3. Private – only the owner of that item will have visibility.

Update privileges for entities in ARchitect generally reside with only the owner of an item, or additionally in certain circumstances, with a designated alternate person.  For this reason and for user-support requirements, site administrators have public visibility to all items on their site at all times.

Development

We have a team of people who review and test all changes to our code base. For every update or release to the software, testing is performed by development and QA teams with a multi-level approach.

We maintain separate environments for both staging and testing. These environments are logically separated from the live production environment. No customer data is used in testing or development.

In addition to application penetration testing, unit testing, human auditing, static analysis, and functional tests, we perform a minimum of monthly third-party vulnerability scans of our production and test environments.

  1. Public – every user within the site would have visibility to the item.
  2. User Group – only members of the assigned user group would have visibility to the item. Sites may create and maintain an unlimited number of user groups to segment users among divisions, product lines, org charts, etc.  Users may belong to any number of user groups.
  3. Private – only the owner of that item will have visibility.

Update privileges for entities in ARchitect generally reside with only the owner of an item, or additionally in certain circumstances, with a designated alternate person.  For this reason and for user-support requirements, site administrators have public visibility to all items on their site at all times.

Our tools have been built to mitigate common attack vectors such as SQL injection attacks and cross-site scripting attacks (XSS). ARInsights cloud environments also take advantage of AWS’ enterprise-grade Web Application Firewall (WAF) in an attempt to automatically block or challenge suspicious requests.

  1. Public – every user within the site would have visibility to the item.
  2. User Group – only members of the assigned user group would have visibility to the item. Sites may create and maintain an unlimited number of user groups to segment users among divisions, product lines, org charts, etc.  Users may belong to any number of user groups.
  3. Private – only the owner of that item will have visibility.

Update privileges for entities in ARchitect generally reside with only the owner of an item, or additionally in certain circumstances, with a designated alternate person.  For this reason and for user-support requirements, site administrators have public visibility to all items on their site at all times.

Encryption

All customer data is stored encrypted on AWS servers with the AES-256 encryption algorithm.

Any data that is transmitted into and from the ARInsights Services is encrypted. Web traffic over HTTP is secured by AWS with TLS 1.2 or 1.3 using proven-secure cipher suites.

Software

All customers have access to an SSO option for the Services.

ARInsights requires 2FA for all internal administrators of its Services.

Availability & security incidents

ARInsights uses AWS to host its Services, and maintains an uptime promise consistent with AWS of at least 99% (subject to scheduled downtime, emergency maintenance, and issues outside our or AWS’ control).

We use AWS with redundancy over multiple availability zones, with database backups offering 30 days’ worth of point-in-time recovery, if needed. Additional encrypted off-site backups are updated weekly.

We have established procedures and policies with regards to responding and communicating about security incidents. The level of the security incident will dictate how we communicate and respond to our customers. If a security incident does occur which affects your personal information, we will inform you as required by applicable law. We annually reevaluate our response procedures and amend them as we deem necessary.

  1. Public – every user within the site would have visibility to the item.
  2. User Group – only members of the assigned user group would have visibility to the item. Sites may create and maintain an unlimited number of user groups to segment users among divisions, product lines, org charts, etc.  Users may belong to any number of user groups.
  3. Private – only the owner of that item will have visibility.

Update privileges for entities in ARchitect generally reside with only the owner of an item, or additionally in certain circumstances, with a designated alternate person.  For this reason and for user-support requirements, site administrators have public visibility to all items on their site at all times.

A business continuity plan has been put in place in the event an emergency or critical incident impacting any facet of ARInsights business operations, including the Services, occurs. This was created with the intent that we can continue to function as a business for our customers in the event of major disruptions. The business continuity plan is tested and checked on an annual basis for applicability and any additional improvements that could be made.

  1. Public – every user within the site would have visibility to the item.
  2. User Group – only members of the assigned user group would have visibility to the item. Sites may create and maintain an unlimited number of user groups to segment users among divisions, product lines, org charts, etc.  Users may belong to any number of user groups.
  3. Private – only the owner of that item will have visibility.

Update privileges for entities in ARchitect generally reside with only the owner of an item, or additionally in certain circumstances, with a designated alternate person.  For this reason and for user-support requirements, site administrators have public visibility to all items on their site at all times.

Organizational security

Personnel & Endpoints

Every employee workstation is set up and monitored to ensure data is encrypted at rest, unique user authentication is required, up-to-date OS patches, and active, up-to-date antivirus is installed.

We perform background checks on all new hires and on commencement of employment at ARInsights, and all personnel who have access to your personal information and Financial Information are required to execute nondisclosure agreements.

All employees at ARInsights are required to participate in our security awareness training that focuses on helping each person understand the role they play in protecting data and preventing security breaches. Employees also are required to review the ARInsights security policies on a recurring annual basis.

Vendor management

In order for ARInsights to run efficiently, we rely on sub-service organizations to help us deliver our Services. When selecting a suitable vendor for a required Service, we take the appropriate steps designed to ensure that the security and integrity of our Services is maintained. Every sub-service organization is scrutinized, tested, and security checked prior to being implemented into ARInsights.

ARInsights monitors the effectiveness of these vendors, and they are reviewed annually to confirm security and safeguards are being upheld per the terms of our agreements with them.

PRODUCT

Platform Overview

ARchitect User Login

Analyst Portal Login

RESOURCES

Blog

Webinars

Case Studies

White Papers

Infographics

ARchitect Analyst Power 100

COMPANY

About Us

Partners

Newsroom

Copyright ©2023 ARInsights. All Rights Reserved.