RELIABILITY & AVAILABILITY
Vista Social works hard to minimize impacts and downtime. We design and build our systems and applications for fault tolerance, and our team is trained for fast incident recovery. Vista Social attempts to avoid downtime at all costs, unplanned or planned. Our maintenance effort, for the most part, require no downtime, except for most unavoidable situations which are quite rare. Business continuity and disaster recovery processes are built into our practices and our systems.
- A proven track-record 99.99% uptime is a key performance indicator (KPI) for our Engineering group. At the time of writing, we have had higher than 99.95% uptime over the prior 12 months.
- Isolation Our highly distributed system uses isolation design patterns to mitigate risks across components. Failures of one system component almost never affect other components.
- Transparency to customers. Trust begins with open communication. We publicly share real-time system status and metrics on our status page, https://vistasocial.freshstatus.io/ for Vista Social. There we communicate incidents and planned maintenance, including any customer impact, and we display system health metrics sourced from independent third-party providers. Customers may subscribe to receive immediate SMS or email notifications of future incidents.
- Recovery point objectives (RPOs). Recovery strategies are designed to provide up-to-date RPOs at low Recovery Time Objectives (RTOs), with older data recovered against longer RTOs. This is consistent with customer expectations, enabling customers to meet the immediate needs of their customers.
- Social media feeds. Our data processing layer combines multiple connections to social network APIs. Being fully approved on social networks like Facebook, Twitter, Instagram and LinkedIn, Vista Social is able to have higher levels of redundancy and access to their support teams.
- DevOps best practices. Our engineering team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. All 24/7/365 on-call team members are empowered to rebuild systems and topologies with full consistency. In the event of system loss, our Engineering team quickly recreates systems by executing the infrastructure code.
- Backups. Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.
- Monitoring & on-call support. We monitor continuously from around the world, displaying, alerting, and reporting upon our entire technical environments in real-time. Supporting customers is a collaboration between our customer-facing support team and our engineering team. Specialized engineers are on call 24/7/365.
Vista Social’s products are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.
- Data location. Customer data is hosted in the United States, in AWS’s us-east-1.
- Facilities. AWS's data centers are outfitted with world-class physical hosting capabilities. Buildings have temperature and humidity monitoring and management, automatic water detection and removal, and automatic fire detection and suppression. Combinations of multiple power feeds, Uninterruptible Power Supply (UPS) systems, and on-site electrical generators provide layers of backup power. Telecommunications and Internet connections are redundant. There are no product dependencies on Vista Social corporate offices or other facilities we manage.
- IT security. Additional security is applied to information technology rooms and systems including forced open door alarms, thread and electronic intrusion detection systems, multi-factor authentication, and media destruction per NIST 800-88.
- Physical security. Data Center buildings have strict physical access review and scrutiny. All physical access is monitored 24/7 by personnel. Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.
INFRASTRUCTURE & NETWORK SECURITY
Vista Social employs a dedicated security team. All systems are monitored and alerted 24/7/365 for security and operational events. Host-based Intrusion Detection Systems (IDS) are deployed on all production systems.
- Network controls. Our private network is segmented into multiple security zones. These bring increasing levels of control, in proximity to customer data.
- Incident management & response. Vista Social's incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.
- Scanning. Systems and applications are scanned regularly for common vulnerabilities.
- Encryption at rest & in transit. All communications over public networks with Vista Social’s application and API utilize HTTPS with TLS 1.2 or higher enforced. All data is stored encrypted-at-rest with AES-256 or greater, including backups.
- System administration. Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.
Vista Social's developers are given annual training on secure coding. All application code is written by Vista Social Employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.
- Third-party penetration testing. Vista Social contracts with multiple penetration testing vendors to conduct several tests per year. Reports are available upon request by customers under NDA.
- DDoS mitigation. Distributed Denial of Service mitigation is provided via our hosting platform.
- Responsible disclosure policy. Security researchers may report vulnerabilities by contacting our support team.
EMPLOYEES & INTERNAL IT
Vista Social invests time to train developers how to write secure coding, and all employees participate receive annual general security and data privacy training. Phishing drills are routinely administered, and measured against industry benchmarks.
- Information security policies & standards. Vista Social has a comprehensive set of policies and standards covering all aspects of security and privacy. All Employees must affirm their responsibilities in protecting customer data as part of their condition of employment.
- Secure support protocols. Our world-class Support team follows phishing and threat-resistant protocols designed by our Security team, when conducting sensitive actions on customer accounts.
- Offices. Vista Social offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.
- Devices. All Vista Social devices are inventoried with asset tags and managed with a central mobile device management (MDM) solution.
- Endpoints. Employee workstations are secured with hard drive encryption, Antivirus and advanced malware detection with central management and control.
- Background checks. All new hires with access to customer data undergo a criminal history and background check prior to employment.
- Business continuity. Like the hosting of our products, while Vista Social maintains physical offices around the world, the continued operation of our business is not dependent on these offices. Our products, customer service, and overall business operations are enabled to carry on uninterrupted by physical incidents or issues at our offices. During the COVID-19 (Coronavirus) pandemic, Vista Social transitioned to an all-remote workforce without delay or interruption, ensuring continuity of services to our customers. Our team is equipped with Cloud-based tools and remote access & collaboration solutions, and makes use of these tools daily.
PRODUCT SECURITY FEATURES
- Multi-factor authentication (MFA). Account owners and administrators may require that their users leverage this additional security layer. Vista Social supports apps like Google Authenticator and others that implement the Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP) for generating passcodes.
- Secure credential storage.
- Brute-force protections. In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections and ReCAPTCHA.
- Approval workflows. Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.
- IP restrictions. Vista Social may be configured to restrict application and API access from specific IP ranges.
- Email signing. Vista Social implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Vista Social, helping to prevent spoofing and ensure authenticity.
- Access permissions. Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users on their account.
COMPLIANCE & CERTIFICATIONS
- SOC 2 Type 2. Vista Social regularly completes a SOC 2 Type 2 audit by a qualified, third-party auditor to examine our information systems relevant to security in accordance with the AICPA’s Statement on Standard for Attestation Engagements No. 18 (SSAE 18).
- CSA STAR. Vista Social aligns its security program, in part, with the Cloud Controls Matrix framework offered by the Cloud Security Alliance (CSA). Vista Social has completed a Level 1 assessment through the CSA’s Security Trust Assurance and Risk (STAR) registry.
- Payment Card Industry (PCI). Vista Social is PCI DSS compliant through a PCI SAQ A self-assessment. Vista Social entirely outsources its processing of cardholder data to third-party payment processors who are approved by PCI and compliant to PCI DSS
- GDPR and CCPA/CPRA. Vista Social aligns its privacy program with the General Data Protection Regulation (GDPR) of the European Union and United Kingdom, and the California Consumer Privacy Act (CCPA), as further amended by the California Privacy Rights Act (CPRA).