Effective date: June 3, 2020
The Nureva® Span™ Workspace is a transformational product that helps people collaborate to create, collect and process ideas. Users can create, share and edit ideas in an expansive cloud-based digital canvas.
We understand that the data you store in this service is valuable, and we have implemented security controls to protect the confidentiality, integrity and availability of your data.
We have established an Information Security Management System (ISMS) which is ISO 27001 compliant. We have successfully completed our stage 1 certification audit and are preparing for the stage 2 certification audit.
The scope of our ISMS includes the applications, systems, people and processes involved in the development, delivery and operation of Nureva’s collaboration hardware products, software products and subscription services.
If the employment of any employee is terminated for any reason, access to the Span service and any information system is terminated at the same time.
Our information security and privacy roles are independent of our information systems and product development functions; reporting directly to the VP, Legal and General Counsel.
People are central to our ISMS.
All Nureva employees are screened through identity and background checks and receive mandatory security awareness training. Our people are required to review and accept key company policies an annually. All employees are tested quarterly on social engineering attacks and receive follow-up training as required.
We take very careful and deliberate steps to manage the employment lifecycle (prior to employment, during employment and at termination or change of employment) to ensure that there are no information security exposures to our customer facing services and internal operational systems. This includes active and on-going monitoring of access to systems to ensure no unauthorized access. Our access control procedures ensure timely modification or removal of access rights when user roles change.
Our network architecture follows industry recommended practices of segmentation; the internal enterprise network is logically and physically separate from the Span Workspace production network with several layers of access control implemented to restrict access to the Span production environment.
We use documented change management procedures to ensure changes to information systems and services are done reliably and with the least impact to customers and internal users.
If a security event is suspected to have occurred, our security incident process guides us through threat evaluation and containment of the event. This process includes appropriate notifications to customers.
The Span service offers an expansive cloud-based canvas for creative collaboration. By using a digital set of familiar tools such as sticky notes, sketches, images and flip charts, teams can make the shift from paper to a digital collaboration experience without compromising their proven processes.
The Span service is hosted on the Microsoft Azure platform. The service is segregated so that users can only access their services and data. Their content is always encrypted while being moved (in transit) and while it is stored (at rest).
The Span service is hosted on the Microsoft Azure platform. The service is segregated so that users can only access their subscribed services and data. All customer data in the Span service is encrypted in-transit and at rest. The Microsoft Azure cloud services have extensive built-in security controls that Microsoft advises conform to the following security and privacy accreditations:
More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.
Data within the Span service is encrypted while in transit and at rest. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength. We only use current cryptographic technologies and disable older, less secure or compromised technologies. Encryption controls are reviewed quarterly, and as new threats emerge.
To meet requirements for customer data to be stored in a specific region, the Span service is configured with sets of services running in different geographic regions. Currently, there are four regions: The United States, Canada, Europe and Australia. Data created by a user in a region will remain in that region unless a user specifically requests that the data be moved to another region.
In order to provide the Span service to our users, we collect and store subscription data each time a new subscription is activated. Subscription data includes the subscription name, region, subscription resources and the users in the subscription. Billing information is collected by Nureva and sent to an accredited third-party vendor where it is processed and stored. We also collect and store account data for each user account. Account data includes a user’s first name, last name, user name, email, password and last login date. Both subscription and account data are stored in a data center in the United States and are replicated, as needed, under Nureva’s control, to other regions. Authentication of user credentials occurs through a service located in the United States. Additionally, we collect anonymous usage data about features of the Span application as feedback towards improving the application.
The Span service supports two types of clients. One is a Windows® client, and the other is a browser-based application. The browser-based application is served from a web server located in North America (West US). Both clients communicate with two hosted API servers called the Web API and the Media API servers. There are two of these servers for each of the supported geographic regions.
Both clients can also communicate with a reporting service that we use to improve customer support and to diagnose field issues with the Span service. They can also communicate with a screen-sharing service that allows users to share their desktop or a window on their desktop with other users in a canvas. Communication with these services is encrypted using Transport Layer Security (TLS) 1.2.
The Web API server stores and retrieves data from an Azure SQL database in its region. The Media Service stores images, PDF exports and Excel exports. Data stored in the Azure SQL database and the data stored in the Media Service is encrypted.
There is one database and one storage account for each of the supported geographic regions. Data is stored in the region in which it was created unless a user specifically requests that the data be moved to another region.
A Web API server uses a third-party email relay service to send emails related to the Span service. Email is sent when a user is added to a subscription, needs to reset a password or is invited to a canvas or when a PDF or Microsoft Excel export is sent to a user.
We regularly engage an independent, accredited company to conduct vulnerability assessments of the Span service. Any high severity vulnerabilities detected are immediately remedied and then re-tested.
The assessment uses Security Testing and Incident Response Team’s (STIRT) Vulnerability Assessment (VA) methodology, which is based on the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM). The VA methodology also includes developments from the Open Web Application Security Project’s (OWASP) Testing Guide.
The cadence of these assessments is determined by product releases rather than specified time intervals.
In conjunction with vulnerability assessments, we regularly engage an independent, accredited company to conduct penetration testing of the Span service. To date, these tests have shown that the security of the service is continually becoming more robust. To date, all attempts to breach security measures of the Span service have been unsuccessful.
Data stored by the Span service in each region uses locally redundant storage where the data is replicated multiple times within each data center. Data stored in SQL databases can be recovered to the second within the last 30 days. Data stored in the Azure database can be recovered to any particular day from the date it was created.
Nureva follows an agile software development process to manage the risk associated with any change to the Span service. Design and code changes must meet defined completeness criteria prior to introduction into service, and they are reviewed for correctness. Any issues identified during these reviews must be rectified before the change is committed. All new features are tested, and the system is regression tested, by a dedicated quality assurance team prior to release.
We use an independent, PCI-compliant company to process credit card payments.
We create, store and monitor a range of application and infrastructure logs for the Span service. We also use database auditing and threat detection to monitor actions carried out against our databases. Alerts are automatically generated if anomalous activity is detected. These are investigated by the development and information security management teams.
Access to the Span service is carefully controlled. Our administrative access control is based on ‘least privilege’ and ‘segregation of duties’ principles. Customers can control many aspects of user access.
Access to the Span service is determined by role. The four primary roles in the Span service are Global Administrator, Service Administrator, Subscription Administrator and User.
Global Administrators are Nureva employees who have specific roles with regard to system management, updates and support. These accounts are highly controlled and specifically limited in number. There is also one protected automation account used to provision subscriptions that are purchased through Nureva’s website.
Service Administrators are Nureva employees who act in a support role for customers. They only access customer data if given explicit consent by the customer and terminate their access as soon as the issue has been resolved
A Subscription Administrator is assigned by the customer and can add and remove users from a subscription, as well as control several other administrative functions.
Users are assigned by the Subscription Administrator and have access to a set of resources based on their Span subscription.
The Span service employs an authentication/authorization service that uses standard OAuth2 protocols to identify and authorize users accessing resources within the service. Authentication of user credentials occurs through a service located in the United States.
Once a user has been added to a subscription, that user will be able to create and add content to canvases. The user may also be able to give other users access to canvases.
Users can be given different permissions to define how they can interact with a canvas. A canvas manager has full permission to control access, edit, contribute and delete the canvas and assign permissions to other users.
© 2020 Nureva Inc. All rights reserved. Nureva, Span and the Nureva and Span logos are trademarks of Nureva Inc. in the United States, Canada and other countries. All third-party product, company names and logos are for identification purposes only and may be trademarks of the respective owners. June 2020.