We ensure the confidentiality and integrity of customer data with industry best practices. EvaluAgent is hosted at SSAE-16, PCI DSS, or ISO 27001 compliant facilities.
Our software development teams securely develop and test against security threats to ensure the safety of our customer data. In addition, EvaluAgent employs third-party security experts to perform detailed penetration tests covering our application and infrastructure.
We make it easy for customers to manage access, configure roles and permissions and assign granular reporting levels to their users. All communications with EvaluAgent servers are encrypted with industry standard HTTPS over public networks, meaning the traffic between you and EvaluAgent is secure.
EvaluAgent leverages the Amazon Web Services network of data centres across the globe, including the Europe, USA and Australia regions. Customers can choose to locate their service data in a specific region (applies to specific plan levels).
Facilities & On-Site Security
EvaluAgent is hosted within the Amazon Web Services global infrastructure. Access to data centers is closely monitored by AWS Security Operations centers. AWS continually watches for unauthorized entry, using video surveillance, intrusion detection, and access log monitoring systems. Entrances are secured with devices that sound alarms if a door is forced or held open.
All of our production systems are monitored constantly. We use anomaly detection to alert us to anything that falls outside the normal state of operation. Production systems are only administered by EvaluAgent staff. Physical security, power, and internet connectivity are monitored by our infrastructure provider, Amazon Web Services.
Our network is protected by redundant firewalls, load balancers, secure HTTPS transport over public networks and regular audits by 3rd party security experts.
We implement multiple security zones in our network architecture. Sensitive systems, such as database servers, are protected in our most trusted zones. Other systems are housed in zones applicable to their sensitivity, risk and function.
Network Vulnerability Scanning
Network security scanning gives us in-depth insight into out-of-compliance and/or potentially vulnerable systems.
Third-party Penetration Tests
We perform internal testing in an automated and manual fashion. Bi-annually, EvaluAgent employs third-party security experts to perform a broad penetration test across the EvaluAgent production network and infrastructure.
Access to the EvaluAgent production network is restricted on a strict need-to-know basis, utilises least privilege, and is frequently audited and monitored. Employees accessing the EvaluAgent production network are required to use multiple factors of authentication.
Intrusion Detection and Prevention
All of our network ingress and egress is monitored 24/7, with automatic alerts set for any abnormal values and incidents that differ from our pre-defined thresholds.
Security Incident Response
Our employees are fully trained in our security response protocols including escalation paths and appropriate communication channels. In the case of a system alert, events are escalated to our teams providing operations, security and engineering support.
Encryption at rest
All customers of EvaluAgent benefit from the protections of encryption at rest for storage of attachments held in Amazon S3, and data stored within our Amazon RDS instances.
Encryption in transit
Communications between you and EvaluAgent servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.
EvaluAgent is deployed across multiple availability zones, and multiple instances within each zone to eliminate single points of failure. Our strict backup procedures ensure Service Data is actively replicated across primary and secondary DR systems and facilities.
Our Disaster Recovery program ensures that our services remain available or easily recoverable in the case of a disaster. We have built a redundant technical environment and have created Disaster Recovery plans which are regularly tested.
Annually, our engineers participate in secure code training covering the OWASP Top 10 security flaws, common attack vectors, and EvaluAgent security controls. Our engineers also attend conferences and training by 3rd parties such as AWS on Security Best Practices.
As part of every release, our team reviews and tests our code base to identify, test and triage possible security vulnerabilities in the code. This is in addition to any 3rd party testing and automated testing.
Test and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.
EvaluAgent utilises framework security controls to limit exposure to OWASP Top 10 security flaws. These include controls that reduce our exposure to Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), and SQL Injection, amongst others.
Dynamic Vulnerability Scanning
We use a number of third-party, qualified security tools to continuously and dynamically scan our applications against the OWASP Top 10 security flaws.
Static Code Analysis
The source code repositories for EvaluAgent are continuously scanned for security issues via our integrated static analysis tooling.
Security Penetration Testing
In addition to an extensive internal scanning and testing program, each quarter EvaluAgent employs third-party security experts to perform detailed penetration tests on our applications and infrastructure.
Configurable Password Policy
EvaluAgent provides the following levels of password security: low, medium, and high, as well as allowing you to set custom password rules. Only users with the appropriate permission can change the password security level.
Secure Credential Storage
EvaluAgent follows security best practices for credential storage by never storing passwords in human-readable format; passwords are stored only as the result of a secure, salted, one-way hash.
API Security & Authentication
The EvaluAgent application and API are SSL-only and you must be an authenticated user to make API requests.
Access Privileges & Roles
Access to data within EvaluAgent is governed by access rights, and can be configured to define granular access privileges. EvaluAgent provides a standard set of permissions to get you started, and you can fully customise and/or disable this initial set of permissions if required. Learn more about access levels.
EvaluAgent can be configured to only allow access from specific IP address ranges you define. Please note, this is only available for Enterprise accounts.
In EvaluAgent you can upload attachments to contacts, such as call recordings, email transcriptions, chat conversations, etc. Users must be signed in to EvaluAgent and have the appropriate permissions set to allow access to attachments and a further permission to be able to upload attachments.
All communications with EvaluAgent servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and EvaluAgent is secure during transit. Additionally, for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
EvaluAgent has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees with access to EvaluAgent assets.
All employees attend Security Awareness training which is given upon hire and annually thereafter. All engineers receive annual Secure Coding training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
EvaluAgent performs background checks on all new employees in accordance with local laws in our territories. These checks are also completed for contractors. The background check includes criminal, education and employment verification.
All employees and contractors are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.