We take security seriously.
Traction Guest is built on Salesforce’s Heroku cloud application platform. Heroku applies security best practices, manages platform security and is designed to protect customers from threats by applying security controls at every layer (physical to application). Traction Guest and its data are completely isolated and receive rapidly deployed security updates without customer interaction or service interruption.
While running on the Heroku platform, Traction Guest functions within its own insulated environment. This restrictive design prevents security and stability issues by isolating processes, memory, and the file system using LXC. Host-based firewalls restrict applications from establishing local network connections.
To further increase security levels, we use Cloudflare as a Web Application Firewall (WAF) to protect our platform from malicious requests. By routing all requests through the nearest Cloudflare data center, we shield our Domain Name System (DNS) infrastructure from Distributed Denial of Service (DDoS) attacks. Cloudflare protects us from cyberattacks that attempt to disrupt our online service or make it unavailable by overwhelming it with unwanted traffic from multiple sources.
Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services' (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under the AWS Compliance programs.
Traction Guest provides the option of a single-tenant architecture, where an organization has its own independent instance. Automated data deletion can be enabled for Traction Guest customers with a single-tenant installation. This automates the recurring process of deleting visitor PII and provides advanced compliance and data controls.
Traction Guest offers the choice of US, EU or Canadian data centers to help address legal or regulatory requirements for local data storage that are imposed on organizations handling sensitive personal information.
We’re proud of our reliable uptime and continue to make sure your operations run smoothly. Should an incident happen, we have comprehensive incident response and customer notification procedures in place. For platform-wide Severity 1 and 2 issues, we keep our customers updated on our status page, where you can subscribe to get instant notifications. Should you suspect a security breach, e-mail us at email@example.com and we’ll investigate immediately.
Severity 1
Critical system failure that results in an inability to fulfill vital business functions.
This means visitors or users cannot access the platform, notifications are not triggering, or there are account-wide issues connecting to the iPad. We focus on resolving any Severity 1 matter as quickly as possible. For our Enhanced & Complete customers, we offer 24/7 emergency phone support and, if required, will provide hourly updates until the issue is resolved.
Severity 2
Serious issues significantly impacting the use of the Traction Guest platform.
Visitors and users are materially impacted, with 50% of users or visitors not able to access the platform or certain features not functioning. This may include CSV files not uploading correctly, integrations not running smoothly or platform issues related to badge printing. We respond to Severity 2 cases during business hours and provide daily updates.
Severity 3
Defective or missing features that are causing inconvenience to users.
Severity 3 cases are not business critical and can include how-to questions, reporting issues, smaller technical bugs or feature requests. We always love to hear your ideas and feedback. Depending on the complexity, we will do our best to fix the issue in the next release or add it to our roadmap.
The Traction Guest development team uses a standardized process to ensure changes are made securely and reliably, with a focus on quality. New releases are typically available at least once a month. Releases include documentation (i.e. release notes) describing the new functionality to all customers.
- All changes begin with a pull request from a local development branch to a QA environment.
- Before changes are merged into a QA environment, a code review is done by a senior developer.
- The change is then tested in QA, followed by another round of testing in UAT.
- Code is finally pushed from UAT to production. All code migrations occur over SSL.
All Traction Guest employees undergo criminal background checks and sign an NDA upon hire. We do not use consultants or contractors. Traction Guest employees undergo training and awareness programs to ensure that privacy and security stay top of mind. Employees do not have access to customer accounts unless access is granted by the customer.
Traction Guest proactively engages third-party security specialists to conduct an annual penetration test of its cloud platform. The annual review uncovers potential vulnerabilities and assures that the most critical web application security standards are followed. In line with the Open Web Application Security Project (OWASP) Web Application Penetration Testing methodology, the assessment includes security reviews of source code and the API (Application Programming Interface), as well as penetration testing.
At Traction Guest, data protection is a priority. We value our customers’ trust and will ensure their visitor data is protected. Demonstrating our long-term commitment to security, we are taking every step to ensure our people, processes and technology are compliant with any laws, rules, regulations and standards. For any questions about information and data security, please contact firstname.lastname@example.org.
Service Organization Controls (SOC) ensure service providers securely manage client data to protect the interests of both the client’s organization and privacy of their customers. Traction Guest has achieved SOC 2 Type-2 certification and completed an audit performed by qualified evaluators from an independent third-party auditing firm.
Security
To ensure protection against unauthorized access, internal controls need to mitigate the potential abuse or misuse of the platform, theft or unauthorized removal of data, and disclosure of personal information.
Availability
To control access to the platform as per the contract and/or service level agreement with customers (specifically regarding the minimum acceptable level of performance), internal controls need to monitor performance and availability.
Processing integrity
To assure that the intended purpose of the platform is achieved, internal controls need to monitor data processing and quality assurance procedures. The focus is on processing the right data at the right time.
Confidentiality
To ensure the restriction of confidential data, internal controls need to define security and data protection procedures.
Privacy
To control the collection and use of personal information, internal controls need to support the protection of personal information from unauthorized access.
The General Data Protection Regulation (GDPR) increases accountability and transparency in the management of personal data. We believe in data protection by design and understand that complying with the GDPR is a joint liability between the data controller and the data processor. We’re doing our due diligence and taking the necessary action to ensure compliance.
Training and awareness
We have made data privacy an integral part of our culture. Employees undergo training, agree to NDAs and drive awareness within the company.
We continue to review and adapt our internal processes to further mitigate any privacy risk.
Policies, procedures and guidelines
We document and reinforce data protection in how we conduct our business.
Third-party risk management
We carefully assess who we work and integrate with.
We have enforced greater diligence in managing and proving consent in line with the GDPR.
We have established new processes to retain personal data only for as long as is needed to fulfill the purpose.
We provide a data centre in Europe to allow organizations to host data locally.
Terms & Conditions
We updated our Ts&Cs in accordance with the new GDPR requirements.
We’re adding more features to provide our customers with more flexibility in data management.
Data breach notifications
We continue to follow our incident response principles.
Whether you're just starting a visitor management initiative, comparing vendors or simply looking for adoption strategies, know that Traction Guest is here to listen, to help and to share our expertise.