Users log in using their business email address and password, or through SSO. Password policies are set by each company, defining how many characters a password should contain, and how many of them should be upper case, lower case, numbers, or special characters. User credentials are stored with cryptographic hash functions. At the time of authentication, the supplied credentials are hashed in the same way and compared with the stored data.
SSO Integration with SAML
BrandSystems Marcom Manager supports identity federation through SAML2. For organizations desiring maximum control over authentication security, BrandSystems recommends SAML integration with the organization’s own IdP.
An Access-based Platform
BrandSystems Marcom Manager has role-based access controls with prescribed privilege levels that define what each user can access, and whether they have read-only or read-and-write privileges. From access to marketing plans to financial information, and down to each individual digital asset, users will only see what they have access to, which allows easy cooperation with external agencies while giving managers a fully transparent system.
Every time a user logs in, a new session is started. That session is used to temporarily store information about the user. After 60 minutes of inactivity, the session is reclaimed (destroyed). This limits the amount of memory that sessions consume and protects the user data from unauthorized access.
BrandSystems Marcom Manager never connects directly with other software through an API. Every integration is run through a custom-built middleware that acts as a gatekeeper, defining which data the API can read or write. The API then pulls and pushes the data to and from the middleware, not the database itself.
An audit log is kept for every action performed by users and the API within BrandSystems Marcom Manager, recording the action, the processes, and the timestamps of the actions. The log is only accessible to BrandSystems administrators; no programmatic access is available, nor are logs exported outside the secure environment.
Product Releases and Patch Management
BrandSystems has approximately 4 (four) product releases per year with new features. Upgrades normally happen during a service window (approximate downtime 30 min). Client administrators are informed about product releases 30 (thirty) days in advance by email. The communication contains a quick overview of the features.
Minor bug and security patches are released ad hoc. Critical patches are released regardless of the time of day, while less critical patches are run outside of clients’ business hours. If a client has a staging environment, we will only push releases to their staging environment. The client decides when we should push a release to live.
BrandSystems’ development staff follow regulated processes and best practices for all kinds of development, e.g. new features, change requests, and bug fixes. All our source code goes through code review and gets approval before a release. Every 6 months we run a code cleanup process to remove unnecessary code.
BrandSystems Marcom Manager is hosted in Amazon AWS Cloud. AWS is a secure and reliable Infrastructure-as-a-Service hosting platform. BrandSystems customers benefit from the cutting-edge security measures that AWS employs at its data centers, ranging from the physical security of the facilities to its network, hardware, host operating systems, and virtualization services. For more information, please visit https://aws.amazon.com/security/
Data Center Locations
BrandSystems maintains both production and warm standby processing environments in each processing jurisdiction (Europe, USA, and Australia) in case one region becomes unavailable. These standby environments are provisioned in separate availability zones from the production environments to ensure recoverability and continuity of service.
BrandSystems deploys a firewall powered by deep learning in front of BrandSystems Marcom Manager to expose hidden risks, stop unknown threats, and isolate infected systems. The firewall monitors host network activity and receives health status directly from our endpoints so we have constant visibility into the health of the entire network. Our security solution is able to identify the source of an infection on the network and automatically limit access to other network resources in response.
BrandSystems uses both internal and external monitoring solutions that use deep learning to check the health of our systems. When monitoring agents identify an anomalous event, appropriate security team members are notified in real-time via email, secure corporate chat, and SMS notifications.
Backup and Disaster Recovery
All client-specific data is automatically backed up at regular intervals. The backup process is carried out in the background.
Data and file backups are handled in different ways:
Data: We take incremental backups of the database after business hours every day, and a full backup weekly.
Files: File backups run instantly after the file is placed into the client's S3 bucket.
BrandSystems has two different backup strategies: daily and weekly. All the backups are stored in Amazon Glacier.
Disaster recovery (DR) tests have been performed with the automatic backup process implemented.
Privacy and Data Protection
BrandSystems is committed to helping our customers validate their privacy and compliance requirements, as well as meeting these requirements ourselves.
Creating, updating, and maintaining our data privacy policies and procedures, which protect the data assets handled by BrandSystems employees and partners.
Making sure BrandSystems meets the data privacy commitments it has made to customers, partners, investors, and employees.
Handling third-party audits of our privacy policies, and ensuring that we remain in compliance with those policies.
Providing data privacy and compliance training for employees.
The application is installed repeatedly, once for each client. Each instance of the app is a standalone instance, meaning that it never interacts with any other standalone instance.
Each instance of the app has a database all to itself, and each instance only has one tenant (client).
If data is read or written by an API, the API never has direct contact with the database but is always run through a custom-built middleware that acts as a gatekeeper, defining which data the API can read or write.
EU Data Privacy Requirements
BrandSystems fully complies with all relevant data privacy requirements under the EU General Data Protection Regulation (GDPR).
Meet all requirements under GDPR Chapter 3 (Rights of the Data Subject).
Process privacy-impacted assets only in covered jurisdictions.
Have appointed a data protection officer.
Conduct employee training on compliant security and privacy procedures.
Provide configurable privacy and compliance features to our customers.
Carry out Privacy Impact Assessments.
Assure adequate data asset transfer methods for our customers.
Maintain records of data processing activities.
BrandSystems provides transparency into the geographical regions where our customers’ data assets are stored and processed. The customer has its choice of processing jurisdictions to ensure compliance with relevant regulations. BrandSystems, its customers, and its supply chain comply with applicable international data privacy regulations. Common privacy principles throughout jurisdictions include notice, choice, access, use, disclosure, and security. Our application is designed to only allow processing according to the customers' privacy criteria, so organizations can meet the requirements of their country’s specific privacy laws.
To control which privacy jurisdiction their data assets are processed and stored in, our clients choose between data processing environments in the EU, Australia, or the US. When a customer organization sets up an instance of BrandSystems Marcom Manager, we assign them to the processing jurisdiction of their choice (EU, Australia, or the US).
Once selected, all processing for that organization will occur within that jurisdiction.
BrandSystems minimizes both the collection and use of personally identifiable data assets. For each user, our application only requires a business email address, and a first name and last name for identification/authentication purposes. These data assets are only used to authenticate and communicate with the user. There are no secondary or downstream uses of these personally identifiable data assets.