Security at ClientSuccess

Some say rest-easy, but at ClientSuccess we believe that success requires you to be on your feet. So, work hard knowing that your data is protected by ClientSuccess. To provide your team with powerful tools, insights, and analytics the ClientSuccess platform needs to access your customer data. We appreciate and embrace the responsibility of protecting your data and the implications of data security on our platform. Our primary goal is for you to succeed by helping your customers succeed and believe that that begins with protecting your data in a way that exceeds your expectations.

Our team has relevant experience

Our team includes people who’ve played lead roles in designing, building, and operating highly secure internet-facing systems, such as payment processing platforms, analytics, cloud services, and content distribution networks in previous startups and large, enterprise companies.

Our team is trained and committed

Every employee must agree to comply with the ClientSuccess security policy. We provide supplemental training and assistance on an ongoing basis as threats evolve and our practices change.

Our network is minimal and secure

We operate a minimal amount of network infrastructure and do not own or operate any servers on our premises, which we believe reduces our security risk in many ways:

• Simplified network security
• Avoidance of management challenges related to installed software
• Increased physical security

We host in world class facilities

ClientSuccess runs on Amazon Web Services (AWS), an architecture trusted by enterprise-grade firms in the Fortune 100. AWS accepts responsibility for security which includes facilities, network, hardware, and the host OS. ClientSuccess ensures that the Guest OS, application software, and security controls run on the AWS stack.

ClientSuccess’ implementation on AWS includes the following approaches:

• Data Segregation—Logical segregation of each customer’s data in full
• Application Instance Isolation—Dedicated application instance for each customer
• IP-based Access—Control of access between software tiers at the firewall / IP level
• Pre-deployment Updates—Updated and validated machine images, patches, and configurations before deployment
• End User Usage Trends—Feature usage for every end user over time
• Logging, Auditing, and Alerting— Monitoring and tracking of instances for performance and security

We enable security features

ClientSuccess is built from the ground up to adhere to our rigid security standards. We’ve invested significant development efforts into building robust security features. Security not only comprises a major component of our product today, it will be a significant theme of our roadmap moving forward.

Key security capabilities of ClientSuccess include, or will include as applicable features require them:

• OAuth 2.0 protocol, the industry standard for HTTP authorization
• Additional levels of user validation to dramatically increase security levels
• Data encryption
• Fully encrypted data transmissions from customer repositories to the ClientSuccess
• Certification that the ClientSucces for Salesforce application available on the Salesforce AppExchange follows industry best practices for security

We follow best practices

At ClientSuccess we follow a number of best practices that improve our security posture. Here are a few examples:

• We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes. We typically deploy dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.
• All data sent to ClientSuccess is encrypted in transit. Our API and application endpoints are TLS/SSL only.
• We use technologies such as Spring Security, Logentries, NewRelic, and AWS Cloudtrail to provide an audit trail over our infrastructure and the ClientSuccess platform. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
• We use two-factor authentication whenever possible. We ask vendors to enforce two factor authentication in all our accounts. We review which accounts can access our systems and the permissions they have regularly.
• We have an incident response plan and educate all staff on security procedures and policies.

We do not store payment details

ClientSuccess is not in the business of storing or processing payments. All payments made to ClientSuccess go through a third-party partner. Details about their security setup and PCI compliance can be made available upon request.