Last updated: April 29, 2022
We have implemented an information security management system (ISMS) that complies with the ISO27001 standard. The system is continuously reviewed. When the review identifies needed changes, improvements are made. An audit is conducted annually by an external auditor, but we have not yet conducted a certification audit.
The scope of our ISMS includes the applications, systems, people and processes involved in the development, delivery and operation of Nureva’s collaboration hardware products, software products and subscription services.
If the employment of any employee is terminated for any reason, access to the Span service and any information system is terminated at the same time.
Our information security and privacy roles are independent of our information systems and product development functions, reporting directly to the VP, legal and general counsel.
People are central to our ISMS.
All Nureva employees are screened through identity and background checks and receive mandatory security awareness training. Our people are required to review and accept key company policies annually. All employees are tested quarterly on social engineering attacks and receive follow-up training as required
We take very careful and deliberate steps to manage the employment life cycle (prior to employment, during employment and at termination or change of employment) to ensure that there are no information security exposures to our customer-facing services and internal operational systems. This includes active and ongoing monitoring of access to systems to ensure no unauthorized access. Our access control procedures ensure timely modification or removal of access rights when user roles change.
Our network architecture follows industry recommended practices of segmentation; the internal enterprise network is logically and physically separate from the production network with several layers of access control implemented to restrict access to the production environment.
Access to our corporate facilities is managed by a third-party facility management company. Physical access to our corporate facilities is restricted to authorized Nureva personnel, registered visitors and authorized facility management personnel. Additionally, security controls such as a badge access system and closed-circuit television (CCTV) monitoring are in place to ensure that only authorized individuals access our facilities.
We adopt the use of 256-bit AES encryption for data in transit and Transport Layer Security (TLS) 1.2 for data at rest. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength on our website. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed periodically and as new threats emerge.
Security controls are implemented to ensure that cryptographic keys are managed across the life cycle – generation, distribution, storage and change. Company-owned devices are encrypted, and the management of encryption keys and certificates are limited to authorized personnel.
We use documented change management procedures to ensure changes to information systems and services are done reliably and with the least impact to customers and internal users.
We use approved third-party companies and technology to help meet our needs and that of our customers. These companies and technologies are carefully evaluated to ensure that appropriate security and privacy requirements are embedded into these relationships, partnerships and technology use.
We use an independent, PCI-compliant company to process credit card payments.
If a security event is suspected to have occurred, our security incident process guides us through threat evaluation and containment of the event. This process includes appropriate notifications to customers.
We also take proactive steps by planning and testing our business continuity and disaster recovery capabilities to reduce the time and effort of recovering from a potential disruptive incident. The lessons learned from these exercises help improve the processes and our business continuity framework.
We regularly engage an independent, accredited company to conduct vulnerability assessments and penetration tests of our information systems and products. Any high severity vulnerabilities that are detected are immediately remedied and then retested.
The assessment uses security testing and incident response team’s (STIRT) vulnerability assessment (VA) methodology, which is based on the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Testing Guide of the Open Web Application Security Project® (OWASP)
The cadence of these assessments is determined not only by product releases but also conducted at specified time intervals.
© 2022 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. April 2022.