Effective date: May 25, 2018
The Nureva™ Span™ service is a transformational product that helps people collaborate to create, collect and process ideas. Users can create, share and edit ideas on their personal devices. They can also contribute and interact with content directly on the interactive digital wall.
We understand that the data you store in this service can be valuable, and we have implemented security controls to protect its confidentiality, integrity and availability.
Nureva has established a cross-functional security committee that is responsible for security matters. Nureva’s Information Security Management System (ISMS) uses a risk-based approach to assess and improve our security controls. This system of documented policies, procedures and manuals is used to maintain consistent security controls and to review current and emerging threats. We are actively pursuing ISO 27001 certification for our ISMS.
The Microsoft Azure cloud platform provides the technology foundation on which the Span service relies for design and operational security. The Microsoft Azure Trust Center describes this foundation as follows:
People are a key component of our security program.
All Nureva employees are vetted by thorough identity and background checks and are required to attend security awareness training as well as review key company policies on an annual basis. All employees are tested quarterly on social engineering threats with follow-up training as required.
If the employment of any employee is terminated for any reason, access to the Span service and any information system is terminated at the same time.
Nureva uses LAN segmentation to compartmentalize computing devices to help protect devices that contain data.
Nureva uses documented change management procedures to ensure changes to data systems and services are done reliably and with the least impact to customers.
If a security event is suspected to have occurred, our security incident process guides us through threat evaluation and containment of the event. This process includes appropriate notifications to customers.
The Span service offers an expansive cloud-based canvas for creative collaboration. By using a digital set of familiar tools such as sticky notes, sketches, images and flip charts, teams can make the shift from paper to a digital collaboration experience without compromising their proven processes. For more information, visit https://www.nureva.com/visual-collaboration/span-software.
The Span service is hosted on the Microsoft Azure platform. The service is segregated so that users can only access their own services and data. Customer content is always encrypted while being moved (in transit) and while it is stored (at rest).
The Microsoft Azure cloud services have extensive built-in security controls that Microsoft states conform to the following security and privacy accreditations:
More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.
Data within the Span service is encrypted while in transit and at rest. We maintain an “A” rating from Qualys SSL Labs (www.ssllabs.com) across its four scoring categories: certificate, protocol support, key exchange and cipher strength. We only use current cryptographic technologies and disable older, less secure or compromised protocols and cipher suites. Encryption controls are reviewed quarterly and as new threats emerge.
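The claims above (modern protocols only, legacy technologies disabled) are the kind a customer can verify for themselves rather than take on trust. The script below is an added example, not Nureva’s code and not part of the original document: it negotiates TLS with a host, records the protocol and cipher suite the two sides agree on, and assesses them against an assumed policy of TLS 1.2 or later, an AEAD cipher, a forward-secret key exchange and at least a 128-bit key. It also checks, one direction only, that a client restricted to TLS 1.1 is refused. The host name and the policy thresholds are assumptions chosen for illustration.

```python
"""Probe a host's negotiated TLS parameters and check them against a minimum
policy. Added example for illustration; not Nureva's code. The policy values
(MIN_VERSION, AEAD requirement, 128-bit floor) are assumptions."""
import socket
import ssl
import sys
from dataclasses import dataclass

MIN_VERSION = "TLSv1.2"
# Fragments of OpenSSL cipher names that indicate broken or legacy constructions.
LEGACY_MARKERS = ("RC4", "3DES", "DES-", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
# Every AEAD suite OpenSSL offers carries one of these in its name.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class TlsObservation:
    protocol: str   # e.g. "TLSv1.3", as returned by SSLSocket.version()
    cipher: str     # OpenSSL suite name, e.g. "TLS_AES_256_GCM_SHA384"
    key_bits: int   # symmetric key strength reported by SSLSocket.cipher()


def _version_rank(name: str) -> int:
    """Position of a protocol name in the weakest-to-strongest order; -1 if unknown."""
    return _ORDER.index(name) if name in _ORDER else -1


def assess(obs: TlsObservation) -> list:
    """Return policy findings for one negotiated connection; empty means it passes."""
    findings = []
    name = obs.cipher.upper()
    if _version_rank(obs.protocol) < _version_rank(MIN_VERSION):
        findings.append(f"protocol {obs.protocol} is below {MIN_VERSION}")
    if any(m in name for m in LEGACY_MARKERS):
        findings.append(f"cipher {obs.cipher} uses a legacy or broken construction")
    if not any(m in name for m in AEAD_MARKERS):
        findings.append(f"cipher {obs.cipher} is not an AEAD suite")
    # TLS 1.3 suites are always forward secret; TLS 1.2 needs an (EC)DHE exchange.
    if obs.protocol != "TLSv1.3" and "DHE" not in name:
        findings.append(f"cipher {obs.cipher} has no forward-secret key exchange")
    if obs.key_bits < 128:
        findings.append(f"symmetric key of {obs.key_bits} bits is below 128")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Handshake with the platform-default context and record what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return TlsObservation(tls.version(), name, bits)


def legacy_refused(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a client capped at TLS 1.1 cannot complete a handshake.

    A failure here is also what a client built without TLS 1.1 support produces,
    so this confirms a refusal but cannot by itself prove the server disabled it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return False
    except (ssl.SSLError, OSError):
        return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    seen = probe(target)
    print(f"{target}: {seen.protocol} {seen.cipher} ({seen.key_bits}-bit key)")
    for finding in assess(seen) or ["no policy findings"]:
        print(" -", finding)
    print(" - TLS 1.1 client refused:", legacy_refused(target))
```

A single handshake shows only the best parameters the two sides agree on, so `probe` cannot see what else the server would accept from a weaker client; that is why the second check pins the client to an old version and expects a refusal. A full scanner such as SSL Labs enumerates every protocol and suite the server will accept, which is what the rating quoted above reflects.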
To meet requirements for customer data to be stored in a specific region, the Span service is configured with sets of services running in different geographic regions. Currently, there are four regions: The United States, Canada, Europe and Australia. Data created by a user in a region will remain in that region unless a user specifically requests that the data be moved to another region.
In order to provide the Span service to our users, Nureva collects and stores subscription data each time a new subscription is activated. Subscription data includes the subscription name, region, subscription resources and the users in the subscription. Billing information is collected by Nureva and sent to an accredited third-party vendor where it is processed and stored. Nureva also collects and stores account data for each user account. Account data includes a user’s first name, last name, user name, email, password and last login date. Both subscription and account data are stored in a data center in the United States and are replicated, as needed, under Nureva’s control, to other regions. Authentication of user credentials occurs through a service located in the United States.
The Span service supports two types of clients. One is a Windows® client, and the other is a browser-based application. The browser-based application is served from a web server located in North America (West US).
Both clients communicate with two hosted API servers, the Web API server and the Media API server. Each supported geographic region has its own pair of these servers.
Both clients can also communicate with a reporting service that we use to improve customer support and to diagnose field issues with the Span service. They can also communicate with a screen-sharing service that allows users to share their desktop or a window on their desktop with other users in a canvas. Communication with these services is encrypted using HTTPS.
The Web API server stores and retrieves data from an Azure SQL database in its region. The Media API server stores images, PDF exports and Excel exports in a storage account in its region. Data stored in the Azure SQL database and data stored by the Media API server is encrypted at rest.
There is one database and one storage account for each of the supported geographic regions. Data is stored in the region in which it was created unless a user specifically requests that the data be moved to another region.
A Web API server uses a third-party email relay service to send emails related to the Span service. Email is sent when a user is added to a subscription, needs to reset a password or is invited to a canvas or when a PDF or Microsoft Excel export is sent to a user.
Nureva regularly engages an independent, accredited company to conduct vulnerability assessments of the Span service. Any high severity vulnerabilities detected are immediately remedied and then re-tested.
The assessment uses the Security Testing and Incident Response Team’s (STIRT) Vulnerability Assessment (VA) methodology, which is based on the Open Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also incorporates material from the Open Web Application Security Project’s (OWASP) Testing Guide.
The cadence of these assessments is determined by product releases rather than specified time intervals.
In conjunction with vulnerability assessments, Nureva regularly engages an independent, accredited company to conduct penetration testing of the Span service. To date, these tests have shown the security of the service becoming more robust from one engagement to the next, and no attempt made during these tests to breach the security measures has been successful.
Data stored by the Span service in each region uses locally redundant storage, in which the data is replicated multiple times within a single data center in that region; this protects against hardware failure within the data center, not against the loss of the data center itself. Data stored in the Azure SQL databases can be restored to any point in time, to the second, within the last 30 days. Data stored in the Azure database can be restored to any particular day from the date it was created.
Nureva follows an agile software development process to manage the risk associated with any change to the Span service. Design and code changes must meet defined completeness criteria prior to introduction into service, and they are reviewed for correctness. Any issues identified during these reviews must be rectified before the change is committed. All new features are tested, and the system is regression tested, by a dedicated quality assurance team prior to release.
Nureva uses an independent, PCI-compliant company to process credit card payments.
Nureva creates, stores and monitors a range of application and infrastructure logs for the Span service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected.
Access to the Span service is determined by role. The four primary roles are Global Administrator, Service Administrator, Subscription Administrator and User.
Global Administrators are Nureva employees who have specific roles with regard to system management, updates and support. These accounts are highly controlled and specifically limited in number. There is also one protected automation account used to provision subscriptions that are purchased through Nureva’s website.
Service Administrators are Nureva employees who act in a support role for customers. They only access customer data if given explicit consent by the customer and terminate their access as soon as the issue has been resolved.
A Subscription Administrator is assigned by the customer and can add and remove users from a subscription, as well as control several other administrative functions.
Users are assigned by the Subscription Administrator and have access to a set of resources based on their Span subscription.
The Span service employs an authentication/authorization service that uses the standard OAuth 2.0 protocol to identify users and authorize their access to resources within the service. Authentication of user credentials occurs through a service located in the United States.
Once a user has been added to a subscription, that user will be able to create and add content to canvases. The user may also be able to give other users access to canvases.
Users can be given different permissions to define how they can interact with a canvas. A canvas manager has full permission to control access, edit, contribute and delete the canvas and assign permissions to other users.
© 2018 Nureva Inc. All rights reserved. Nureva, Span and the Nureva and Span logos are trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product, company names and logos are for identification purposes only and may be trademarks of the respective owners. May 2018