The Opal Platform is purpose-built to architect, approve and deliver your communications mix, which means that we process your marketing and communications content before it’s ready to be published. Here are a few of the processes we have in place to make sure your content stays protected until you’re ready to share it with the world.
We safeguard your data by applying a wide range of modern security practices, embedding security practices into our development cycle, using third party auditors to verify our work and complying with international data privacy and protection requirements.
We work closely with multinational category leaders in banking, finance, aerospace, healthcare, tech, manufacturing, automotive, TV, apparel, retail, sports, and other industries who have chosen to trust us with their data.
How Do We Secure Your Data?
Audit & Compliance
Opal works with independent auditors to ensure that our security practices consistently meet a selection of best practices. Opal’s security management system has been reviewed by auditors against the ISO 27001:2013 standard, and we engage SOC 2 auditors to review our compliance with the 2017 Trust Service Criteria, including the Security and Confidentiality criteria. You can view executive summaries of these reports here and here. We’re happy to share the full reports with customers and prospects upon request and under NDA.
We encrypt our customers’ data by default—in transit and at rest—and regularly test our encryption algorithms to make sure they’re strong. Databases and database backups are fully encrypted at rest. You can perform an independent test of our encryption quality using the Qualys SSL Test.
Data in transit is encrypted using TLS 1.1+, and data at rest is encrypted using AES-256, with encryption keys stored in Hardware Security Modules (HSMs). We hash passwords with bcrypt before storing them in our encrypted database.
Opal’s login process includes support for custom password complexity requirements, secure reset mechanisms, enforcement of 2FA, and defined rotation schedules.
We also support SAML-based integrations into your Single Sign On (SSO) system, if you’d prefer to keep control over the authentication and provisioning process.
Fundamental to our security posture is securing our Platform, codebase, dependencies and ecosystem of tools that allow us to produce and maintain the Opal Platform. While this isn’t a comprehensive list, here are a few of the things we do to secure the development and release process.
- Opal follows an Agile development methodology to ensure that changes are released in small increments; this helps our peer reviewers and QA team catch bugs before they’re released, and allows us to roll back changes without significant disruption in the event that they introduce unforeseen issues
- Prior to release, changes undergo peer review, automated and manual testing, a variety of automated code quality checks, and static code analysis to reduce the chance of avoidable security mistakes making their way into production
- Opal maintains a variety of tooling to detect out-of-date software and dependencies in our environments that pose security risks; and we commit to rapid patching of critical issues
- The Opal Platform is generally provided as a multi-tenant cloud Platform; typically, security improvements that we make for any one customer are shared across our global customer base
We use a wide range of security tools and methodologies to protect our customers’ data, including the following:
- Network-based intrusion detection/prevention systems (IDS/IPS)
- Network and host-based anti-malware countermeasures
- Full disk encryption on Opal workstations
- System Integrity Protection (SIP) to protect operating systems against tampering
- Weekly vulnerability scanning and annual penetration testing using third party technologies and providers
- Rapid patching of critical security issues
- Internal security training programs, including social engineering/phishing training, BC/DR tabletop exercises, and OWASP training for all engineers
- Extensive platform logging, with active review and escalation procedures for potential security issues
Business Continuity & Disaster Recovery
We provide the Opal Platform as a load-balanced cloud service. If a server malfunctions, we will typically replace it on the fly with a healthy instance. In the event of widespread disruption, the Opal database is replaced on the fly with backup infrastructure provisioned in an alternate availability zone within our cloud provider.
We also take backups incrementally throughout the day, with full backups taken every day. For the purposes of planning and testing, we set a Recovery Point Objective (RPO) of 1 hour, and a Recovery Time Objective (RTO) of 12 hours, meaning that you should expect us to recover from anticipated disruptions quickly and with minimal potential data loss.
While specific uptime requirements may be negotiated, we offer a standard uptime guarantee of 99.9% to enterprise customers, and generally exceed 99.99% uptime in practice.
In the event that we experience a data breach affecting EU citizen data, we have committed to notifying European authorities within 72 hours of discovery of the incident.
If you would like to report a potential security incident to Opal, please email firstname.lastname@example.org and cc email@example.com. To ensure the fastest possible investigation of your report, please include the following information:
- High level description of issue
- Detailed steps to reproduce issue
- Notes regarding your operating systems, web browser, and technology stack in use (if relevant)
- Screenshots, videos, gifs, or log output to support your report
- Your preferred contact method, in case follow-up discussion is required
Compliance & Legal
We host Opal Platform data on AWS, which maintains best-in-class physical and electronic security countermeasures. You can find more information about Amazon’s compliance programs at Amazon Compliance Programs or in the security whitepaper, available as a PDF Download.
In short, AWS maintains SOC 2 and ISO 27001 compliance, stringent backup and environment control systems, and has a demonstrated track record of exceptional uptime, resilience and overall performance levels.
We typically store data in the AWS US-East region, with AWS Frankfurt hosting available for EU-based customers.
If you choose to end your relationship with Opal, we are happy to provide you with a copy of your Platform data and/or securely erase your data upon request. Our primary hosting provider complies with DoD standards for secure erasure and secure decommissioning of storage media.
Privacy by design
We try to collect the minimum amount of information needed to provide Opal Platform services and minimize the number of internal staff that interact with it. If you need to further restrict the visibility of marketing content, we offer private stories, moments and content that provide fine-grained controls over who is allowed to access specific, highly-sensitive marketing content.
In general, we directly process:
- Marketing collateral, including text, images, audio and video files
- Internal discussions surrounding marketing content and anticipated release timing
- Limited personal information regarding system users, including name, email address, phone number (if SMS alerts or mobile apps are used), IP address and profile pictures (if elected)
We never process PCI information, information about your customers, financial information or account numbers as part of Opal Platform services. Opal Platform users are typically our customers’ employees, contractors or agency partners; never members of the general public.
If you have questions about our security practices that aren’t covered above or have suggestions for how we can improve this page, please contact firstname.lastname@example.org. If you’d like to speak to our sales team, you can complete our demo request form.
Version 2.0, last updated 12/28/18