Security at Customer.io
Customer.io delivers millions of emails a month for thousands of users. So keeping your company's data secure is a top priority. As a data company, we understand and stress the importance of complying with global privacy protocol. As such, data privacy and security are things that we take very seriously at Customer.io. Our goal is to provide a secure environment, while also keeping our application’s performance at the highest quality to provide you with best overall user experience.
From time to time, customers ask us security questions about Customer.io. In general, we don't like to expose much information about our security practices, because it only helps the very people we're securing ourselves against. But we’re serious about transparency (it’s one of our core values after all!) and realize security is important to our customers. Below we share answers to the questions we feel are most important for our customers to know.
Operational Security/Internal Protocol
Security is the responsibility of all Customer.io employees, and we take measures to ensure that access to our systems and your data is restricted only to those who need access in order to provide you awesome support.
- Our Site Reliability Engineering (SRE) team is tasked with the operational aspects of our business, and ensure information security.
- All backend machines that run our infrastructure are kept up to date and patched. All software installation is strictly controlled. Access to these machines is restricted to members of the SRE & backend server team.
- Our organization's Development, Test, and Operational systems are separated.
We also have have strict requirements for all employees, including but not limited to:
- All staff machines must comply with our Confidentiality Policy which includes a requirement to "take all reasonable measures to protect the security and prevent the unauthorized access or disclosure of all confidential information".
- The majority of our staff are fully remote and adhere to specific requirements such as: encryption of storage media, using two-factor authentication (2FA), requiring strong passwords, and specific recommendations such as configuring computers and phones to lock after a certain period. Additionally, all communication is done through securely encrypted channels using modern, strong encryption.
- For the employees that work from our Portland Headquarters, our office has 24-hour security, cameras, and requires a key to access.
- A thorough employee termination/access removal process.
- All communication between users and the Customer.io application is over secure, encrypted channels with 128-bit TLS encryption and any requests to retrieve or alter data must be authenticated.
- Customer.io account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset. Customer.io monitors ongoing security, performance and availability 24/7.
- Periodic audits are run by our manager to review compliance with security policies, and procedures. If violations are found, corrective actions are taken immediately.
- We also contract a third party for annual high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
- We offer and recommend that all team members enable 2FA for added protection on your account.
Data Center Security
- Customer.io is compliant with the U.S.-EU Privacy Shield & U.S.-Swiss Privacy Shield Framework as set forth by the U.S. Department of Commerce (https://www.privacyshield.gov/). And plan to be EU General Data Protection Regulation (GDPR) compliant when it comes into effect in May 25, 2018 (http://www.eugdpr.org/).
- Our data centers manage physical security 24/7. More specifically, our website (https://customer.io/) and Knowledge Base (https://learn.customer.io/) are hosted on Amazon Web Services (https://aws.amazon.com/security/), and our App (https://fly.customer.io) is hosted on Google Cloud (https://cloud.google.com/security/).
- Our servers are located in the US, and are restricted to infrastructure engineers and maintenance staff. Each employee is given access through a unique key that can be revoked, if needed, and required to connect to our 2FA enabled VPN.
- If you require compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), it's generally a best practice to not send sensitive personal health information (PHI) over email. We always recommend the approach of sending your customers an email with a link back to a secure area on your site, where they can properly authenticate themselves with your service prior to viewing any sensitive information.
If you have more in-depth questions about our security program, let us know.