Your security is important to us
At Interact, the security of our customers’ intranets, and the data that resides within them, is of utmost importance to us. We use the latest technology and processes to ensure your intranet is secure.
Every 12 months our engineering and support departments participate in secure code training.
Dedicated security engineers who are part of our QA and Architecture departments perform reviews and test our code base for security vulnerabilities.
Development, testing, and staging environments are separated physically and logically from the production environment. Customer data is never used in our development, testing, or staging environments.
Static Code Analysis
Our source code is regularly scanned for security issues and automatically refactored to best practices.
In addition to our internal security testing, we partner with NCC to perform extensive penetration tests across the application.
Our internal security team performs regular vulnerability scanning of the application and infrastructure.
Software Security Features
Interact supports multiple authentication options including Local Directory (username and passwords are stored within Interact) and SAML 2.0 SSO (e.g. ADFS, Okta, OneLogin).
Single Sign-On (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials. Interact shall only grant access to users that have been authenticated by you.
Secure Credential Storage
Interact supports a full suite of password management tools including sophisticated password complexity rules, password history lengths and more. Passwords are securely encrypted, hashed, and salted within the application.
We use .NET security framework controls to limit exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), and many other common vulnerability classes.
Product Security Features
Access to data within Interact is governed by access rights. Access privileges are configured and managed through memberships, which can be used to define granular access rights.
Interact can be configured to allow access from specific IP address ranges by an administrator.
Content Moderation & Approval
Interact’s fine-grained permission structure allows administrators to control who can author content within each Content Area and Category. Interact can be configured so that users must request approval before publishing their content.
Interact can be configured to automatically log users out after a period of inactivity.
Creation and modification of data stored within Interact are recorded along with access logs for future auditing.
Exclusion by Default
Upon creating new entities (e.g. Content Areas, Teams, Homepages) or enabling new features, users are excluded by default. This limits human error and mistakes by requiring the creating owner to specify who can access the entity and its contained content.
Interact encrypts customer data at rest using AES-256.
Transfer of data between Interact and the customer is encrypted using HTTPS and TLS.
Interact performs an extensive background check on all employees including five-year employment history, address history, and education verification.
Criminal Record Check
Employees with authorized access to production environments are required to undergo a criminal record check. UK employees are subject to the Disclosure Scotland process, while US employees are subject to a seven-year historical search of County Criminal Courthouse Records.
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Interact is certified and audited to the ISO 27001:2013 standard and we have modeled our Information Security Management System and controls on this standard.
Our hosting partner, Amazon Web Services, holds multiple security certifications and accreditations. See https://aws.amazon.com/compliance/services-in-scope/ for more details.
Interact has an established information security management framework describing the purpose, principles, and basic rules for how we maintain trust. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.
Interact employees attend a Security Awareness Training at least once every 12 months. Our Security Team provides security awareness updates and refreshers throughout the year to various teams and departments.
Interact has developed a comprehensive set of security policies which are made available to all employees. Policies are enforced through a blend of training, events, and auditing.
Interact has multiple territories where information can be domiciled – including the EU, Australia, and the USA – with multiple instances of Interact in each geo-location. Each territory has distinct local legal requirements and interconnectivity agreements in place, which ensure that your content inherits the benefits of its host country. Customers can choose to locate their data in the EU only, the US only, or Australia only. Data always resides within its provisioned geo-location (EU and the USA) and cannot be transferred outside of its allocated area.
Interact and AWS (our hosting provider) utilize a wide variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Interact is designed with multiple layers of protection, covering data transfer, encryption, network configuration, and application-level control, all distributed across a scalable secure infrastructure.
Intrusion Detection Systems (IDS) are deployed throughout the Interact infrastructure. The systems are configured to identify malware infections, attacks, system compromises, policy violations, and other exposures.
Access to the Interact production network is restricted to a small number of employees and is frequently monitored and audited.
Information Security Policy
Policies that cover customer and Interact information include: device security, authentication requirements, acceptable usage of resources, data storage requirements, security access, and issue handling.
Physical Security Policy
Guidelines detailing how we maintain a safe and secure environment for people and property at Interact.
Change Management Policy
Policy governing code review and the management of security-impacting changes made by Interact developers to source code, system configuration, and production releases.
Incident Response Policy
Guidelines for responding to potential security incidents, including assessment, communication and investigation procedures.
Physical production access
Our procedures for restricting access to the physical production infrastructure, including management review of employees.
Access policies for our Service Desk on viewing, providing support or taking action with customer data.
Copies of all Interact policies are available on request.