Security & Privacy
Trust is our #1 value at Gravity CX, and that means we take privacy and security seriously. Our policies have been structured to ensure the highest level of confidentiality and integrity when processing your data.
Privacy by design
At Gravity CX, we believe privacy is more than a list of policies or some boxes to tick. From the beginning, Gravity’s platform & tools have been built with our customers’ privacy in mind.
As a global company, we’re committed to compliance with privacy laws around the world — with the EU’s GDPR legislation setting the bar for building privacy into the foundations of our product.
Technical Measures
Gravity CX mitigates risk to its application infrastructure and service delivery by rigorously adhering to industry security principles.
Organizational measures
We maintain strict controls and measure our adherence to industry benchmarks with regular validation testing.
Data and media disposal
Customer data is removed immediately upon deletion or message retention expiration. Backups are destroyed within 14 days. We follow industry standards and advanced techniques for data destruction.
Gravity CX defines policies and standards requiring media be properly sanitized once it is no longer in use. Our hosting provider GCP is responsible for ensuring removal of data from disks before they are re-purposed.
Disaster recovery and business continuity
Gravity CX utilizes the services provided by our hosting provider Google Cloud Computing (GCP) to operate the whole base infrastructure of our production environment. The distinct locations within the GCP network ensure protection from loss of connectivity, power, and other possible location-specific events.
Full backups are stored in the GCP cloud in a highly redundant and available storage solution. Backups are created multiple times a day.
We maintain disaster recovery and business continuity plans, which set out the processes and procedures to follow in the event of a disaster. These plans are updated as needed and at least annually.
Authentication
We use multifactor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, we use private keys for authentication. To connect with administrative access to production servers, our team is required to connect using both an SSH key and a one-time password associated with a device-specific token.
Where passwords are used, multifactor authentication is enabled. The passwords themselves are required to be complex: auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements.
Gravity CX allows personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.
Encryption at rest
Data at rest in our production network is encrypted using AES256 encryption. This applies to all types of data at rest within our systems — relational databases, file stores, database backups, etc.
Gravity CX stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.
Access controls
We adhere to the principle of least privilege. Our teams are only authorized to access data they are required to handle in order to fulfill their current job responsibilities.
All systems require users to authenticate, and users are granted user-specific credentials. Systems access for all employees is reviewed at least quarterly to ensure the correct level of access.
Audits and regular reviews
The core of our security program is to prevent unauthorized access to customer data. We take extensive measures to ensure we identify and mitigate risks, implement best practices, and evaluate how we can do better.
Responding to security incidents
We maintain policies and procedures (also known as runbooks) for responding to potential security incidents. Gravity CX defines the types of events that must be managed via our incident response process. Incidents are classified by severity and response procedures are tested and updated at least annually.
Version control
All code is stored in a version-controlled repository with changes subject to peer review and continuous integration testing. Defects found in this process must be remediated prior to deployment.
Personnel security
Personnel practices apply to all members of the Gravity CX workforce: regular employees and independent contractors who have direct access to Gravity’s internal information systems, and/or unescorted access to Gravity’s office space. All workers are required to understand and follow internal policies and standards.
Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management and incident reporting. Upon termination of work at Gravity CX, all access to Gravity’s systems is removed immediately.
Policies and standards
We maintain a set of policies, standards, procedures and guidelines (“security documents”) that govern our activities. These security documents help ensure that our customers can rely on our workers to behave ethically and on our service to operate securely. Security documents include, but are not limited to:
- Fair, ethical, and legal standards of business conduct
- Acceptable uses of information systems
- Planning for business continuity and disaster recovery
- Classification of security incidents
- Control of changes
- Security development life cycle process
- Description, schedule and requirements for retention of security records
We update these documents as needed and at least annually to ensure they are accurate.