Nureva legal

Security for the Nureva Console service

Last updated: April 29, 2022

The information provided below relates to the Nureva Console Security Practices. The Nureva Console Privacy Policy is available here.

For information relating to Nureva General Security Practices and Privacy Policy, see the Nureva Security Practices and Nureva Privacy Policy.

For information relating to Span, see the Span Security Practices and Span Privacy Policy.


Nureva Console overview

Nureva Console is a cloud-based platform used for managing Nureva audio conferencing systems across multiple locations. This platform provides a single, secure dashboard that allows IT managers to configure and monitor their audio systems remotely.


Microsoft® Azure security

Nureva Console is hosted on the Microsoft Azure platform. The service is segregated so that users and devices can only access their devices, services and data. All user interaction with enrolled devices in Nureva Console takes place over communications encrypted with industry-leading TLS 1.2.

The Microsoft Azure cloud services have extensive built-in security controls that Microsoft advises conform to the following security and privacy accreditations:

  • ISO/IEC 27001, 27018
  • GDPR
  • SOC1, 2, 3
  • FedRAMP
  • PCI
  • NIST
  • EU/US Privacy Shield

More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.


Okta Identity Cloud security

Nureva Console leverages Okta Identity Cloud for all identity and access management (IAM) services.

Okta service states the following security and privacy accreditations:

  • ISO 27001:2013, 27017:2015 and 27018:2019
  • SOC 2 Type II
  • CSA STAR
  • FedRAMP
  • FIPS Validated 140-2
  • HIPAA
  • PCI-DSS 3.2
  • SOX
  • GDPR
  • NYDFS

More information about Okta can be found at https://trust.okta.com/compliance.


Encryption and key management

Data within the Nureva Console service is encrypted using Transport Layer Security (TLS) 1.2 while in transit and 256-bit AES encryption while at rest. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed periodically and as new threats emerge.

Security controls are implemented to ensure that cryptographic keys are managed across the life cycle – generation, distribution, storage and change. Management of key vaults is restricted and automated with the intent to limit access.


Account data

In order to provide the Nureva Console service to our users, we collect and store account data each time a new account is created. Account data includes a user’s first name, last name, email, password and company name. Account data is stored in Microsoft Azure in the United States. Authentication of user credentials is managed through Okta identity service in the United States. Additionally, we collect anonymous non-personally identifiable usage data about features of the Nureva Console as feedback toward improving the application. Please see our Nureva Console Privacy Policy.


Application types

The Nureva Console service supports two types of applications. One is a cloud-based application intended for managing and monitoring devices remotely, and the other is a Windows® client that facilitates connectivity between Nureva devices and the cloud-based application. The browser-based application is served from a Web server hosted on Microsoft Azure.

Communication with these services is encrypted using Transport Layer Security (TLS) 1.2.


Databases and storage

The Nureva Console service stores and retrieves data from an Azure SQL database in the United States. Data stored in the Azure SQL database is encrypted.


Security by design

Nureva follows a secure software development process that ensures security and privacy are integrated throughout every phase of the development life cycle. Design and code changes must meet defined completeness criteria prior to introduction into service, and they are reviewed for correctness. Any issues identified during these reviews must be rectified before the change is committed. All new features are tested, and the system is regression tested by a dedicated quality assurance team prior to release.


Monitoring and logging

We create, store and monitor a range of application and infrastructure logs for the Nureva Console service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected. These are investigated by the development and information security management teams.


Technical security assessments

We regularly engage an independent, accredited company to conduct vulnerability assessments and penetration tests of Nureva Console and other associated services. Any high-severity vulnerabilities detected are immediately remedied and then retested.

The assessment uses the security testing and incident response team’s (STIRT) vulnerability assessment (VA) methodology, which is based on the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Testing Guide for the Open Web Application Security Project® (OWASP).

These assessments are conducted not only in step with product releases but also at specified time intervals.


Nureva Console service access security


User authentication and access

The Nureva Console service employs an authentication/authorization service that uses standard OAuth2 protocols to identify and authorize users accessing resources within the service. Identity and account management services are managed through Okta Identity Cloud.

When users create their account, they have administrator-level permissions that allow them to add and remove devices, change device settings, perform firmware updates and access device information through the Nureva Console service.


Device access

To enroll devices, Nureva Console uses OpenID Connect and OAuth2 to authenticate a device and allow the device to be accessed by the user account.


© 2022 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. April 2022.