Nureva legal

Security at Nureva Inc.

Last updated: March 29, 2023

The information provided below relates to the security practices at Nureva. Our Privacy Policy is available here.

For information relating to Nureva® Console, see the Nureva Console Security Practices and Nureva Console Privacy Policy.


ISO/IEC 27001 Certified – Information Security Management System

Nureva has implemented, maintains and reviews a comprehensive information security management system (ISMS) that has been certified to the ISO/IEC 27001 standard. Our ISMS has been designed to preserve the confidentiality, integrity and availability of our business information and that of our customers and other stakeholders that is in our system.


Scope

The scope of our ISMS includes the applications, systems, people and processes involved in the development, delivery and operation of Nureva’s collaboration hardware products, software products and subscription services.


Independence

Our information security and privacy roles are independent of our information systems and product development functions, reporting directly to the vice president, legal and general counsel.


Hiring and training

People are central to our ISMS.

All Nureva employees are screened through identity and background checks and receive mandatory security awareness training. Our people are required to review and accept key company policies annually. All employees are tested quarterly on social engineering attacks and receive follow-up training as required.

We take very careful and deliberate steps to manage the employment life cycle (prior to employment, during employment and at termination or change of employment) to ensure that there are no information security exposures to our customer-facing services and internal operational systems. This includes active and ongoing monitoring of access to systems to ensure no unauthorized access. Our access control procedures ensure timely modification or removal of access rights when user roles change.


Network security

Our network architecture follows industry recommended practices of segmentation; the internal enterprise network is logically and physically separate from the production network with several layers of access control implemented to restrict access to the production environment.


Physical security

Physical access to our corporate facilities is restricted to authorized Nureva personnel, registered visitors and authorized facility management personnel. Additionally, security controls such as a badge access system and closed-circuit television (CCTV) monitoring are in place to ensure that only authorized individuals access our facilities.


Secure software development

Nureva has implemented a Secure Development Process, and formal procedures are in place to:

  • Define Security Requirements – which include threat modelling, metrics for reporting and security/privacy considerations during design review
  • Secure Development and Testing – processes are in place to manage third-party components and tools; static analysis during application build procedures; dynamic analysis and penetration testing done internally and with external partners
  • Review Security Compliance – the software delivery process includes a final security review before deployment
  • Respond to Security Incidents – established incident response and periodic disaster recovery testing procedures are in place

Encryption and key management

We adopt the use of 256-bit AES encryption for data at rest and Transport Layer Security (TLS) 1.2 for data in transit. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength on our website. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed periodically and as new threats emerge.

Security controls are implemented to ensure that cryptographic keys are managed across the life cycle – generation, distribution, storage and change. Company-owned devices are encrypted, and the management of encryption keys and certificates is highly restricted.


Change management

We use documented change management procedures to ensure changes to information systems and services are done reliably and with the least impact to customers and internal users.


Supplier relationships

We use approved third-party companies and technology to help meet our needs and those of our customers. These companies and technologies are carefully evaluated to ensure that appropriate security and privacy requirements are embedded into these relationships, partnerships and technology use.


Payment processing

We use an independent, PCI-compliant company to process credit card payments. Nureva does not process or store customer payment card information.


Incident response and business continuity

If a security event is suspected to have occurred, our security incident process guides us through threat evaluation and containment of the event. This process includes appropriate notifications to customers.

We also take proactive steps by planning and testing our business continuity and disaster recovery capabilities to reduce the time and effort of recovering from a potential disruptive incident. The lessons learned from these exercises help improve the processes and our business continuity framework.


Technical security assessments

We regularly engage an independent, accredited company to conduct vulnerability assessments and penetration tests of our information systems and products. Any significant vulnerabilities that are detected are immediately remedied and then retested.

The assessment uses the security testing and incident response team’s (STIRT) vulnerability assessment (VA) methodology, which is based on the Open Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Testing Guide of the Open Web Application Security Project® (OWASP).

These assessments are conducted not only at product releases but also at specified time intervals.


© 2023 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. March 2023.