Nureva legal

Security for the Nureva Console service

Last updated: February 12, 2024

The information provided below relates to the Nureva® Console Security Practices. The Nureva Console Privacy Policy is available here.

For information relating to the Nureva General Security Practices and Privacy Policy, see the Nureva Security Practices and Nureva Privacy Policy.


Nureva Console overview

Nureva Console is a cloud-based platform used for managing Nureva audio conferencing systems across multiple locations. This platform provides a single, secure dashboard that allows IT managers to configure and monitor their audio systems remotely. Nureva Console is in the scope of our ISO/IEC 27001 certification.


Microsoft® Azure security

Nureva Console is hosted on the Microsoft Azure platform. The service is segregated so that users and devices can only access their devices, services and data. All user interaction with enrolled devices in Nureva Console takes place over communications encrypted with industry-leading TLS 1.2.

The Microsoft Azure cloud services have extensive built-in security controls that Microsoft advises conform to the following security and privacy accreditations:

  • ISO/IEC 27001, 27018
  • GDPR
  • SOC1, 2, 3
  • FedRAMP
  • PCI
  • NIST
  • EU/US Privacy Shield

More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.


Auth0 by Okta Identity Platform

Nureva Console leverages Auth0 by Okta for all identity and access management (IAM) services.

Auth0 by Okta service states the following security and privacy accreditations:

  • ISO 27001:2013 and 27018:2019
  • SOC 2 Type II
  • Gold CSA STAR
  • HIPAA BAA
  • PCI DSS compliance
  • GDPR

More information about Auth0 by Okta can be found at https://auth0.com/security.


Encryption and key management

Data within the Nureva Console service is encrypted using 256-bit AES encryption while at rest and Transport Layer Security (TLS) 1.2 while in transit. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed periodically and as new threats emerge.

Security controls are implemented to ensure that cryptographic keys are managed across the life cycle – generation, distribution, storage and change. Management of key vaults is restricted and automated with the intent to limit access.


Account data

In order to provide the Nureva Console service to our users, we collect and store account data each time a new account is created. Account data includes a user’s first name, last name, email, password and company name. Account data is stored in Microsoft Azure in the United States. Authentication of user credentials is managed through Okta identity service in the United States. Additionally, we collect anonymous non-personally identifiable usage data about features of Nureva Console as feedback toward improving the application. Please see our Nureva Console Privacy Policy.


Application types

The Nureva Console service supports two types of applications. One is a cloud-based application intended for managing and monitoring devices remotely, and the other is a Windows® client that facilitates connectivity between Nureva devices and the cloud-based application. The browser-based application is served from a web server hosted on Microsoft Azure.

Communication with these services is encrypted using Transport Layer Security (TLS) 1.2.


Databases and storage

The Nureva Console service stores and retrieves data from an Azure SQL database in the United States. Data stored in the Azure SQL database is encrypted.


Security by design

Nureva follows a secure software development process that ensures security and privacy are integrated throughout every phase of the development life cycle, and formal procedures are in place to:

  • Define security requirements – which include threat modelling, metrics for reporting and security/privacy considerations during design review
  • Secure development and testing – processes are in place to manage third-party components and tools; static analysis during application build procedures; dynamic analysis and penetration testing done internally and with external partners
  • Review security compliance – the software delivery process includes a final security review before deployment
  • Respond to security incidents – established incident response and periodic disaster recovery testing procedures are in place

Monitoring and logging

We create, store and monitor a range of application and infrastructure logs for the Nureva Console service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected. These are investigated by the development and information security management teams.


Technical security assessments

We regularly engage an independent, accredited company to conduct vulnerability assessments and penetration tests of Nureva Console and other associated services. Any significant vulnerabilities detected are immediately remedied and then retested.

The assessment uses the Security Testing and Incident Response Team’s (STIRT) vulnerability assessment (VA) methodology, which is based on the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Testing Guide for the Open Web Application Security Project® (OWASP).

These assessments are conducted not only with product releases but also at specified time intervals.


Nureva Console service access security


User authentication and access

The Nureva Console service employs an authentication/authorization service that uses standard OAuth2 protocols to identify and authorize users accessing resources within the service. Identity and account management services are managed through Okta Identity Cloud.

When users create their account, they have administrator level permissions that allow them to add and remove devices, change device settings, perform firmware updates and access device information through the Nureva Console service.


Device access

To enroll devices, Nureva Console uses OpenID Connect and OAuth2 to authenticate a device and allow the device to be accessed by the user account.


© 2024 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. February 2024.