Demandbase Security Posture
Customer trust is a core principle at Demandbase and a thorough program addressing privacy and security is essential to earning and sustaining it. Data maintained by Demandbase is handled with consideration throughout the organization and product lines.
Products
This document specifically applies to Demandbase’s ABM Platform, Targeting, Engagement and Conversion solutions, but the policies and procedures described herein are common across the organization.
Architecture
Demandbase has outsourced its infrastructure resources for production environments to Amazon Web Services (AWS). The Demandbase platform is built across multiple AWS regions, in separate geographic locations, and multiple availability zones within each region for redundancy, performance and disaster recovery purposes. Demandbase relies on a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, edge locations, operating, managing and controlling the components from the host operating system, virtualization layer and storage), and Demandbase is responsible for securing the platform deployed in AWS.
The majority of components are built using a combination of containerization and configuration management tools. This approach allows for scale as well as compartmentalization.
Compliance reports provided by Amazon for the AWS services Demandbase uses are reviewed by Demandbase security and compliance personnel on a regular cadence.
Information Security
Standards
Security Compliance
Demandbase’s information security control environment undergoes the Service Organization Control (SOC) 2 audit relevant to Security.
Audit Report
A report of the SOC 2 audit is available upon request to customers. Any requests must be sent to security[at]demandbase.com. Following receipt by Demandbase of a request, Demandbase will provide: (i) reasonable date(s) of access and (ii) security and confidentiality controls applicable to any review of the SOC 2 Report under this section.
Policy
All employees are required to read and sign the following security documents:
- IT Acceptable use policy
- BYOD Policy
- Security Incident Response and Reporting Guidelines
The Demandbase Information Security Policies and Procedures Document:
- Is posted on the company Intranet for all employees to view
- Is reviewed and updated annually by the InfoSec team
Customer Configurations
Through the Demandbase ABM Platform, users have various configurable security controls, such as:
- Role-based Access
- Email Login Verification
- SAML
- Complex password policy
Sub-processors
When Demandbase uses sub-processors, it has written agreements in place covering arrangements with those sub-processors. Sub-processors’ compliance reports are reviewed by Demandbase’s internal security team. A list of current Demandbase sub-processors is available here.
Background Checks
Where legally permitted, Demandbase offers of employment are contingent upon completing a background check.
Security Training and Awareness
All employees receive training on the secure handling of confidential information. In addition to confidentiality, employees also receive training on password protection and on identifying malicious tactics such as social engineering and phishing.
Demandbase IT teams regularly engage in test phishing of internal employees and provide guidance and offer additional training to employees with high ‘click rates.’
Access Controls
Employee status changes are processed by the Human Resources department and are communicated to the IT team via an internal ticketing system. User access privileges must be authorized according to business needs and restricted to the least privileges necessary to perform job responsibilities. Access control systems must have a default "deny-all" setting.
Logs
The production servers are configured to: (i) log access events including successful and unsuccessful access attempts in addition to privileged access requests; and (ii) forward the logs to a centralized logging repository where logs of all production servers are maintained and available for review in the event of an incident. Logs are available and used on an as-needed basis for troubleshooting and investigative purposes.
Physical and Environmental Security
The Demandbase platform is hosted by AWS, and physical security of that hosting environment is the responsibility of AWS. Access to the Demandbase office is protected through the use of badge readers and access controls. Guests to the Demandbase office must present government ID prior to entering the office and are issued badges that only permit access from 8:30am-5pm, Monday through Friday.
Incident Response Management
In the event of a security incident, Demandbase policy is to follow the procedures described below:
- Preserve the evidence: if the incident involves a compromised computer system, do not alter the state of that system.
- Report the incident to the Demandbase Security Team.
Upon notification of a security incident, the Demandbase Security team will classify the incident from level 1 to level 3 and take the appropriate prescribed action.
Not more than one week following the incident, members of the Security team and all affected parties will meet to review the effectiveness of the Incident Response Plan.
Customers affected by a security incident are notified and provided with appropriate details about the incident via their account team.
Risk Management and Disaster Recovery
Demandbase has defined a risk assessment and treatment methodology which includes the process for identifying, evaluating, and mitigating risks including disaster threats. Demandbase products are built across multiple AWS regions, in separate geographic locations, and multiple availability zones. Demandbase systems are most typically built as code or infrastructure as code providing for the ability to redeploy as necessary. Demandbase relies on several cloud vendors for office applications and tools including but not limited to email, file storage and ticketing systems.
Encryption
Demandbase follows industry-standard encryption practice for the administration of appropriate systems. Demandbase web applications use the SSL communication protocol to ensure traffic between client and server is encrypted.
Vulnerability Management
Demandbase managed endpoints are required to run centrally managed up-to-date endpoint protection. Demandbase corporate networks are protected by IDS and IPS systems. Demandbase uses automated tooling to search the codebase of its core applications for open source vulnerabilities. Demandbase runs dynamic application security testing (DAST) continuously against its web applications.
Pen Testing
Penetration testing services are provided to Demandbase by trusted 3rd party vendors. Penetration testing is performed at least annually. Vulnerabilities identified and categorized as urgent, critical, or high result in a ticket being created and are tracked through to remediation.
Network Security
AWS security groups are in place to provide security for the production environment maintained within AWS. The security groups analyze traffic and determine whether it should be allowed through based on the ruleset. Environments are physically and logically separated by function, such as development vs. production. Corporate locations are insulated by Next-Generation Firewall technologies and utilize active threat monitoring, active traffic analysis, IPS, and IDS defenses.
Secure Development Policies
The Demandbase software development practice policy requires that internal and third-party development of proprietary software include security checks and measures throughout the development life-cycle, including but not limited to:
- Requirements Analysis - developers should determine whether application requirements are inherently insecure.
- Design - application components should be planned in a manner consistent with data and network security.
- Development - developers must consider all application vulnerabilities with special attention paid to the OWASP Top 10 and SANS Top 20.
- QA Implementation and Testing - implementation should not compromise security controls already in place nor introduce new vulnerabilities. In addition to functional and efficiency testing, all security features of the application should be tested.
In addition to the security measures that take place throughout the application development life-cycle, Demandbase gives special care to web-based applications.
Data Integrity and Management
Demandbase policies and practice ensure logical separation of each customer’s data. Per policy, all confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable.