EvaluAgent Security

Global brands trust us to keep their sensitive data secure. This is not something we take lightly. With enterprise security features and regular audits of our applications and networks, we ensure customer and business data is always protected. Enabling our customers to continue with their day-to-day business knowing that the information they trust us with is safe, secure and protected.

Data center and network security

We ensure the confidentiality and integrity of customer data with industry best practices. EvaluAgent is hosted at SSAE-16, PCI DSS, or ISO 27001 compliant facilities.

Aws badge

Application Security

Our software development teams securely develop and test against security threats to ensure the safety of our customer data. In addition, EvaluAgent employs third-party security experts to perform detailed penetration tests covering our application and infrastructure.

Secure-and-scalable-300x300

Product Security Features

We make it easy for customers to manage access, configure roles and permissions and assign granular reporting levels to their users. All communications with EvaluAgent servers are encrypted with industry standard HTTPS over public networks, meaning the traffic between you and EvaluAgent is secure.

https

Data center and Network Security

Physical Security

Locations

EvaluAgent leverages Amazon Web Services network of data centres across the globe, including Europe, USA and Australia regions. Customers can choose to locate their service data in a specific region (applies to specific plan levels).

Facilities & On-Site Security

EvaluAgent is hosted within Amazon Web Service global infrastructure. Access to data centers is closely monitored by AWS Security Operations centers. AWS continually watch for unauthorized entry, using video surveillance, intrusion detection, and access log monitoring systems. Entrances are secured with devices that sound alarms if a door is forced or held open.

Monitoring

All of our production systems are monitored constantly. We use anomaly detection to alert us of anything that’s happening which is out of the normal state of operation. Production systems are only administered by EvaluAgent staff. Physical security, power, and internet connectivity are monitored by our infrastructure provider, Amazon Web Services.

Network Security

Protection

Our network is protected by redundant firewalls, load balancers, secure HTTPS transport over public networks and regular audits by 3rd party security experts.

Architecture

We implement multiple security zones in our network architecture. Sensitive systems, such as database servers, are protected in our most trusted zones. Other systems are housed in zones applicable to their sensitivity, risk and function.

Network Vulnerability Scanning

Network security scanning gives us in-depth insight for out-of-compliance and/or potentially vulnerable systems.

Third-party Penetration Tests

We perform internal testing in an automated and manual fashion. Bi-annually EvaluAgent, employs third-party security experts to perform a broad penetration test across the EvaluAgent production network and infrastructure.

Logical Access

Access to the EvaluAgent production network is restricted to a strict, need-to-know basis, that utilises the least privilege, and is frequently audited and monitored. Employees accessing the EvaluAgent production network are required to use multiple factors of authentication.

Intrusion Detection and Prevention

All of our network ingress and egress are monitored 24/7, with automatic alerts set for any abnormal values and incidents differ from our pre-defined thresholds.

Security Incident Response

Our employees are fully trained in our security response protocols including escalation paths and appropriate communication channels. In the case of a system alert, events are escalated to our teams providing operations, security and engineering support.

Encryption

Encryption at rest

All customers of EvaluAgent benefit from the protections of encryption at rest for storage of attachments held in Amazon S3, and data stored within our Amazon RDS instances.

Encryption in transit

Communications between you and EvaluAgent servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.

Availability & Resilience

Uptime

EvaluAgent actively maintains a publicly available status page that includes system availability details, scheduled maintenance, service incident history and relevant security events.

Redundancy

EvaluAgent is deployed across multiple availability zones, and multiple instances within each zone to eliminate single points of failure. Our strict backup procedures ensure Service Data is actively replicated across primary and secondary DR systems and facilities.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available or easily recoverable in the case of a disaster. We have built a redundant technical environment and have created Disaster Recovery plans which are regularly tested.

Application Security

A Secure Software Development Lifecycle (SDLC)

Security Training

Annually, our engineers participate in secure code training covering the OWASP Top 10 security flaws, common attack vectors, and EvaluAgent security controls. Our engineers also attend conferences and training by 3rd parties such as AWS on Security Best Practices.

Quality Assurance

As part of every release, our team reviews and tests our code base to identify, test and triage possible security vulnerabilities in the code. This is in addition to any 3rd party testing and automated testing.

Separate Environments

Test and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.

Security Controls

EvaluAgent utilise framework security controls to limit exposure to OWASP Top 10 security flaws. These include controls that reduce our exposure to Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), and SQL Injection, amongst others.

Application Vulnerabilities

Dynamic Vulnerability Scanning

We use a number of third-party, qualified security tools to continuously dynamically scan our applications against the OWASP Top 10 security flaws.

Static Code Analysis

The source code repositories for EvaluAgent are continuously scanned for security issues via our integrated static analysis tooling.

Security Penetration Testing

In addition to an extensive internal scanning and testing program, each quarter EvaluAgent employs third-party security experts to perform detailed penetration tests on our applications and infrastructure.

Product Security

Authentication Security

Configurable Password Policy

EvaluAgent provides the following levels of password security: low, medium, and high, as well as allowing you to set custom password rules. Only users with the appropriate permission can change the password security level.

Secure Credential Storage

EvaluAgent follows security best practices for credential storage by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.

API Security & Authentication

The EvaluAgent application and API is SSL-only and you must be an authenticated user to make API requests.

 

Additional Product Security Features

Access Privileges & Roles

Access to data within EvaluAgent is governed by access rights, and can be configured to define granular access privileges. EvaluAgent provides a standard set of permissions to get you started and you totally customise and/or disable these initial set of permissions if required. Learn more about access levels.

IP Restrictions

EvaluAgent can be configured to only allow access from specific IP address ranges you define. Please note, this is only available for Enterprise accounts.

Attachments

In EvaluAgent you can uploaded attachments to contacts, such as call recordings, email transcriptions, chat conversations, etc. Users must be signed in to EvaluAgent and have the appropriate permissions set to allow access to attachments and a further permission to be able to upload attachments.

Transmission Security

All communications with EvaluAgent servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and EvaluAgent is secure during transit. Additionally for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

Email Signing (DKIM/DMARC)

EvaluAgent utilises DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails.

Additional security methods

Security Awareness
Policies

EvaluAgent has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees with access to EvaluAgent assets.

Training

All employees attend Security Awareness training which is given upon hire and annually thereafter. All engineers receive annual Secure Coding training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.

Employee Vetting
Background Checks

EvaluAgent performs background checks on all new employees in accordance with local laws in our territories. These checks are also completed for contractors. The background check includes criminal, education and employment verification.

Confidentiality Agreements

All employees and contractors are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.