Security is a focus for everyone at Sounding Board. All employees receive security and privacy training in their first two weeks at Sounding Board to keep both Sounding Board and customer data safe and secure. Every year, we work with our team to ensure that they understand the importance of security and, crucially, how to make security a practical, everyday part of their work.
Our security and privacy team ensures that security awareness and initiatives continually permeate the organization.
Sounding Board encrypts all customer data while it is at rest. That means that when the data is not being used or accessed, it’s encrypted to be safer and more secure. This is a fundamental design characteristic of the Sounding Board technology. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits, and the keys are managed by our Database provider (MongoDB).
Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. We utilize 128-bit SSL encryption for this.
SAML 2.0 allows for a seamless, single-sign-on experience between the customer’s internal web portal and Sounding Board. Customers login to their company’s internal web portal using their enterprise username and password and are then presented with a link to Sounding Board, which automatically gives customers access without having to log in again.
Sounding Board Native Login
Sounding Board offers a username/password for our Native Login. Your email is your unique identifier in the system. Sounding Board requires user’s passwords to meet the following requirements:
- More than 8 characters
- One uppercase letter
- One lowercase letter
- One symbol (!@#$%^&*, etc.)
- One number (1234567890)
Sounding Board applications are hosted on the Google Cloud Platform (GCP). Google Cloud Platform’s physical security controls are reviewed annually as part of Sounding Board’s vendor management program.
Sounding Board has established detailed operating policies, procedures, and processes designed to help manage the quality and integrity of the Sounding Board environment. Google Cloud Platform firewall rules are configured to block unauthorized inbound network traffic from the internet. In addition, monitoring software is used to identify vulnerabilities and security events on the network, servers, and database and is configured to alert personnel of possible or actual security breaches.
Sounding Board has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Sounding Board applications.
This program includes an in-depth security risk assessment and review of Sounding Board features. In addition, static source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by developer application security training and penetration testing of the application.
Sounding Board contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.
We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our web application annually in conjunction with our SOC 2 Type II audit. The firm conducts testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:
- Security weaknesses associated with Flash, Flex, AJAX, and ActionScript
- Cross-site request forgery (CSRF)
- Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
- XML and SOAP attacks
- Weak-session management
- Data validation flaws and data model constraint inconsistencies
- Insufficient authentication or authorization
- HTTP response splitting
- Misuse of SSL/TLS
- Use of unsafe HTTP methods
- Misuse of cryptography
Sounding Board is deeply committed to protecting the privacy of our customer’s data and helping our customers meet their privacy obligations. With Sounding Board, you gain leading privacy functionality and practices that enable you to meet your privacy obligations.
Additionally, we are transparent about our privacy practices. We also provide our customers with the necessary resources and information to help them understand and validate their organization’s privacy and compliance requirements.
As data protection issues and global laws evolve and become increasingly complex, Sounding Board understands the importance of maintaining a comprehensive privacy program embedded in our company’s culture and services.
We’re committed to following three principles that reflect our core values:
- We put privacy first.
- We innovate responsibly.
- We safeguard fairness and trust.
Our philosophy of “privacy by design” is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data. These privacy principles drive how we train our employees, design and build products, and, ultimately, how we process personal data.
Privacy and data protection require year-round vigilance, and we’re strongly committed to protecting the personal data of our customers and employees.
Global Data Privacy
Privacy continues to be front and center on the global stage with the advent of the General Data Protection Regulations, the continued momentum for U.S. privacy legislation, and new laws throughout Asia and Latin America. At Sounding Board, we welcome this renewed attention, as privacy protections have been a fundamental component of our services. We also understand that privacy is a shared responsibility between our customers and us.
Sounding Board and our customers must be prepared to comply with complex global privacy laws and regulations. Sounding Board stays ahead of international privacy regulations by maintaining a comprehensive global data protection program that contains comprehensive technical, administrative, and organizational safeguards. Our customers can rest assured that we are committed to global privacy standards, as shown by our implementation of Binding Corporate Rules for Processors (BCRs) and being the first company to certify the Asia-Pacific Economic Cooperation Privacy Rules for Processors.
EU Data Privacy
The General Data Protection Regulation (GDPR) is the global benchmark for privacy laws. It sets out individual privacy and access rights and establishes the mechanisms for holding businesses accountable for data use. We base our privacy compliance regime on the GDPR because we are a global-facing company and because the standards it sets protect individuals while simultaneously allowing us to deliver the best results for our customers.
Complying with GDPR means that we
- Respect data subject rights to access, rectification, portability, and deletion
- Secure information with an eye toward state of the art in technology
- Make transparency, accountability, and trust a central component of our operations
- Practice privacy by design and data minimization
Cross-Border Data Transfers
Complying with GDPR means ensuring that data is transferred out of the EU in accordance with established principles and procedural/technical safeguards. We rely on the Standard Contractual Clauses to transfer data from the EU and, in rare instances, with direct consent from data subjects. All data that leaves the EU is subject to heightened scrutiny and protection, and our obligations are rigorously enforced as set out in the SCCs.
Today’s technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies in an environment of increasingly complex security threats. Companies are also responsible for complying with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf.
Sounding Board maintains a formal and comprehensive security program designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorized access to our customers’ data. The specifics of our security program are detailed in our third-party security audits and international certifications.
Sounding Board holds both SOC 2 Type I and Type II certifications. Reports are an independent assessment of our control environment performed by a third party and are available by request.