Nureva legal

Security for the Span service

Last update: April 29, 2022

The information provided below relates to Span Workspace Security Practices. Span Workspace Privacy Policy is available here.

For information relating to Nureva General Security Practices and Privacy Policy, see the Nureva Security Practices and Nureva Privacy Policy.

For information relating to Nureva Console, see the Nureva Console Security Practices and Nureva Console Privacy Policy.

Nureva Span Workspace is a transformational product that helps people collaborate to create, collect and process ideas. Users can create, share and edit ideas in an expansive cloud-based digital canvas.

We understand that the data you store in this service is valuable, and we have implemented security controls to protect the confidentiality, integrity and availability of your data.

Security for the Span service

Span service overview

The Span service offers an expansive cloud-based canvas for creative collaboration. By using a digital set of familiar tools such as sticky notes, sketches, images and flip charts, teams can make the shift from paper to a digital collaboration experience without compromising their proven processes.

Microsoft® Azure security

The Span service is hosted on the Microsoft Azure platform. The service is segregated so that users can only access their subscribed services and data. All customer data in the Span service is encrypted in-transit and at rest. The Microsoft Azure cloud services have extensive built-in security controls that Microsoft advises conform to the following security and privacy accreditations:

  • ISO/IEC 27001, 27018
  • GDPR
  • SOC1, 2, 3
  • FedRAMP
  • PCI
  • NIST
  • EU/US Privacy Shield

More information about Microsoft Azure cloud services can be found at


Data within the Span service is encrypted while in transit and at rest. We maintain an “A” ranking from Qualys SSL Labs for our certificate, protocol support, key exchange and cipher strength. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed quarterly and as new threats emerge.

Regional data segregation

To meet requirements for customer data to be stored in a specific region, the Span service is configured with sets of services running in different geographic regions. Currently, there are four regions: the United States, Canada, Europe and Australia. Data created by a user in a region will remain in that region unless a user specifically requests that the data be moved to another region.

Subscription and Account Data

In order to provide the Span service to our users, we collect and store subscription data each time a new subscription is activated. Subscription data includes the subscription name, region, subscription resources and the users in the subscription. Billing information is collected by Nureva and sent to an accredited third-party vendor where it is processed and stored. We also collect and store account data for each user account. Account data includes a user’s first name, last name, user name, email, password and last login date. Both subscription and account data are stored in a data center in the United States and are replicated, as needed, under Nureva’s control, to other regions. Authentication of user credentials occurs through a service located in the United States. Additionally, we collect anonymous usage data about features of the Span application as feedback toward improving the application. Please see our Span Privacy Policy.

Client types

The Span service supports two types of clients. One is a Windows® client, and the other is a browser-based application. The browser-based application is served from a Web server located in North America (western US). Both clients communicate with two hosted API servers called the Web API and the Media API servers. There are two of these servers for each of the supported geographic regions.

Both clients can also communicate with a reporting service that we use to improve customer support and to diagnose field issues with the Span service. They can also communicate with a screen-sharing service that allows users to share their desktop or a window on their desktop with other users in a canvas. Communication with these services is encrypted using Transport Layer Security (TLS) 1.2.

Databases and storage

The Web API server stores and retrieves data from an Azure SQL database in its region. The Media API server stores images, PDF exports and Excel® exports. Data stored in the Azure SQL database and the data stored in the Media API server is encrypted.

There is one database and one storage account for each of the supported geographic regions. Data is stored in the region in which it was created unless a user specifically requests that the data be moved to another region.

Email services

A Web API server uses a third-party email relay service to send emails related to the Span service. Email is sent when a user is added to a subscription, needs to reset a password or is invited to a canvas, or when a PDF or Microsoft Excel export is sent to a user.

Vulnerability assessments

We regularly engage an independent, accredited company to conduct vulnerability assessments of the Span service. Any high severity vulnerabilities detected are immediately remedied and then retested.

The assessment uses the security testing and incident response team’s (STIRT) vulnerability assessment (VA) methodology, which is based on the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Testing Guide for the Open Web Application Security Project® (OWASP).

The cadence of these assessments is determined by product releases rather than specified time intervals.

Penetration testing

In conjunction with vulnerability assessments, we regularly engage an independent, accredited company to conduct penetration testing of the Span service. To date, these tests have shown that the security of the service is continually becoming more robust. To date, all attempts to breach security measures of the Span service have been unsuccessful.

Disaster recovery

Data stored by the Span service in each region uses locally redundant storage where the data is replicated multiple times within each data center. Data stored in SQL databases can be recovered to the second within the last 30 days. Data stored in the Azure database can be recovered to any particular day from the date it was created.

Security by design

Nureva follows an agile software development process to manage the risk associated with any change to the Span service. Design and code changes must meet defined completeness criteria prior to introduction into service, and they are reviewed for correctness. Any issues identified during these reviews must be rectified before the change is committed. All new features are tested, and the system is regression tested by a dedicated quality assurance team prior to release.

Payment processing

We use an independent, PCI-compliant company to process credit card payments.

Monitoring and logging

We create, store and monitor a range of application and infrastructure logs for the Span service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected. These are investigated by the development and information security management teams.

Span service access security

Access to the Span service is carefully controlled. Our administrative access control is based on ‘least privilege’ and ‘segregation of duties’ principles. Customers can control many aspects of user access.

Access segregation

Access to the Span service is determined by role. The four primary roles in the Span service are global administrator, service administrator, subscription administrator and user.

Global administrators are Nureva employees who have specific roles with regard to system management, updates and support. These accounts are highly controlled and specifically limited in number. There is also one protected automation account used to provision subscriptions that are purchased through Nureva’s website.

Service administrators are Nureva employees who act in a support role for customers. They only access customer data if given explicit consent by the customer and terminate their access as soon as the issue has been resolved.

A subscription administrator is assigned by the customer and can add and remove users from a subscription as well as control several other administrative functions.

Users are assigned by the subscription administrator and have access to a set of resources based on their Span subscription.


The Span service employs an authentication/authorization service that uses standard OAuth2 protocols to identify and authorize users accessing resources within the service. Authentication of user credentials occurs through a service located in the United States.

User accounts

Once a user has been added to a subscription, that user will be able to create and add content to canvases. The user may also be able to give other users access to canvases.

Canvas and permissions

Users can be given different permissions to define how they can interact with a canvas. A canvas manager has full permission to control access, edit, contribute and delete the canvas and assign permissions to other users.

  • Edit – allows users to contribute and edit but not share
  • Contribute – allows users to only post content
  • View – allows users to only view the contents of a canvas

© 2022 Nureva Inc. All rights reserved. Nureva and the Nureva logo are trademarks or registered trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. April 2022.