Nureva Inc. legal
Nureva® Console

Security Practices

Effective date: September 16, 2020

Security at Nureva Inc.


Information Security Management System

We have established an Information Security Management System (ISMS) that is ISO 27001 compliant. We have successfully completed our stage 1 certification audit and are preparing for the stage 2 certification audit.


Scope

The scope of our ISMS includes the applications, systems, people and processes involved in the development, delivery and operation of Nureva’s collaboration hardware products, software products and subscription services.

If the employment of any employee is terminated for any reason, access to the Nureva Console service and any information system is terminated at the same time.


Independence

Our information security and privacy roles are independent of our information systems and product development functions and report directly to the VP, legal and general counsel.


Hiring and training

People are central to our ISMS.

All Nureva employees are screened through identity and background checks and receive mandatory security awareness training. Our people are required to review and accept key company policies annually. All employees are tested quarterly on social engineering attacks and receive follow-up training as required.

We take very careful and deliberate steps to manage the employment life cycle (prior to employment, during employment and at termination or change of employment) to ensure that there are no information security exposures to our customer-facing services and internal operational systems. This includes active and ongoing monitoring of access to systems to ensure no unauthorized access. Our access control procedures ensure timely modification or removal of access rights when user roles change.


Network security

Our network architecture follows industry recommended practices of segmentation; the internal enterprise network is logically and physically separate from the Nureva Console production network with several layers of access control implemented to restrict access to the Nureva Console production environment.


Change management

We use documented change management procedures to ensure changes to information systems and services are done reliably and with the least impact to customers and internal users.


Incident response

If a security event is suspected to have occurred, our security incident process guides us through threat evaluation and containment of the event. This process includes appropriate notifications to customers.


Security for the Nureva Console service


Nureva Console overview

Nureva Console is a cloud-based platform used for managing Nureva audio conferencing systems across multiple locations. This platform provides a single, secure dashboard that allows IT managers to configure and monitor their audio systems remotely.


Microsoft® Azure™ security

Nureva Console is hosted on the Microsoft Azure platform. The service is segregated so that users and devices can only access their devices, services and data. All user interaction with enrolled devices in Nureva Console takes place over communications encrypted with industry-leading TLS 1.2.

The Microsoft Azure cloud services have extensive built-in security controls that Microsoft advises conform to the following security and privacy accreditations:

  • ISO/IEC 27001, 27018
  • GDPR
  • SOC1, 2, 3
  • FedRAMP
  • PCI
  • NIST
  • EU/US Privacy Shield

More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.


Okta Identity Cloud security

Nureva Console leverages Okta Identity Cloud for all identity and access management (IAM) services.

The Okta service states the following security and privacy accreditations:

  • ISO 27001:2013, 20717:2015 and 27018:2019
  • SOC 2 Type II
  • CSA STAR
  • FedRAMP
  • FIPS Validated 140-2
  • HIPAA
  • PCI-DSS 3.2
  • SOX
  • GDPR
  • NYDFS

More information about Okta can be found at https://trust.okta.com/compliance.


Encryption

Data within the Nureva Console service is encrypted using 256-bit AES encryption while in transit and at rest.


Account data

In order to provide the Nureva Console service to our users, we collect and store account data each time a new account is created. Account data includes a user’s first name, last name, email, password and company name. Account data is stored in Microsoft Azure in the United States. Authentication of user credentials is managed through the Okta identity service in the United States. Additionally, we collect anonymous, non-personally identifiable usage data about features of the Nureva Console as feedback toward improving the application.


Application types

The Nureva Console service supports two types of applications: a cloud-based application intended for managing and monitoring devices remotely, and a Windows® client that facilitates connectivity between Nureva devices and the cloud-based application. The browser-based application is served from a web server hosted on Microsoft Azure.

Communication with these services is encrypted using Transport Layer Security (TLS) 1.2.


Databases and storage

The Nureva Console service stores and retrieves data from an Azure SQL database in the United States. Data stored in the Azure SQL database is encrypted.


Security by design

Nureva follows a secure software development process that ensures security and privacy are integrated throughout every phase of the development life cycle. Design and code changes must meet defined completeness criteria prior to introduction into service, and they are reviewed for correctness. Any issues identified during these reviews must be rectified before the change is committed. All new features are tested, and the system is regression tested by a dedicated quality assurance team prior to release.


Monitoring and logging

We create, store and monitor a range of application and infrastructure logs for the Nureva Console service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected. These are investigated by the development and information security management teams.


Nureva Console service access security


User authentication and access

The Nureva Console service employs an authentication/authorization service that uses standard OAuth2 protocols to identify and authorize users accessing resources within the service. Identity and account management services are managed through Okta Identity Cloud.

When users create their account, they have administrator-level permissions that allow them to add and remove devices, change device settings, perform firmware updates and access device information through the Nureva Console service.


Device access

To enroll devices, Nureva Console uses OpenID Connect and OAuth2 to authenticate a device and allow the device to be accessed by the user account.


© 2020 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. September 2020.