Technical and Organizational Security Measures

Last Updated: August 8, 2018

This document is a high level overview of technical and organizational security measures and controls implemented by Nativo to protect personal data and ensure the ongoing confidentiality, integrity and availability of Nativo’s products and services.

More details on the measures are available upon request. Nativo reserves the right to revise these technical and organizational measures at any time, without notice.

Organization of Information Security

Security coordination is managed by Nativo's CTO and Director of DevOps and is reviewed periodically, as needed, to reflect changes in applicable laws and technology.

Measures:

  • Nativo has implemented a least-privilege access management model, with access based on team role.
  • Employees in critical roles are trained on our data protection policies.
  • Security and system patching is built into the release process.
  • Nativo has an interest-based advertising privacy policy at https://www.nativo.com/interest-based-ads
  • Nativo has a privacy policy addressing our website privacy practices at https://www.nativo.com/privacy-policy

Information Security Management System

The Nativo Platform is not subject to any regulatory requirements besides GDPR and has never filed for any certifications.

Measures:

  • Security and system patching are built into the release process. Nativo uses blue/green deployment, which means servers are replaced during every release.
  • Nativo utilizes Amazon Web Services ("AWS") and has implemented AWS monitoring service offerings along with internal monitoring per application.

Hosting Facility

Nativo utilizes Amazon Web Services ("AWS"). AWS created a shared responsibility model which sets boundaries for where AWS responsibilities end and customer responsibilities start.

Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Measures:

  • AWS responsibility ("Security of the Cloud"): AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

System Access

Nativo utilizes Amazon Web Services ("AWS") for the production infrastructure. AWS created a shared responsibility model which sets boundaries for where AWS responsibilities end and customer responsibilities start.

Nativo employees in critical roles are trained on our data protection policies. Data access is restricted to authorized Nativo engineering and support staff only, based on Nativo departments and roles. Only engineers have direct access to the production environment, limited by their specific role.

Measures:

  • Security coordination is managed by our CTO and Director of DevOps.
  • Direct access to the production environment requires VPN.
  • Nativo has implemented a least-privilege access management model.
  • Nativo Engineering can only access systems based on team role, and access requires two-factor authentication.
  • AWS resource permissions are limited by AWS Region, instance firewalls and security groups. Engineers use individual accounts with multi-factor authentication for AWS Console access.
  • All access or attempted access to systems is logged and monitored.

Data Access

Nativo utilizes Amazon Web Services ("AWS") for production infrastructure. AWS created a shared responsibility model which sets boundaries for where AWS responsibilities end and customer responsibilities start.

Nativo employees in critical roles are trained on our data protection policies. Data access is restricted to authorized Nativo engineering and support staff only, based on Nativo departments and roles. Only engineers have direct access to the production environment, limited by their specific role.

Measures:

  • Security coordination is managed by our CTO and Director of DevOps.
  • Nativo Platform users are assigned permissions and access based on built-in roles. All of our administrators are listed in internal systems.
  • Data is never extracted or moved in unencrypted form nor permanently stored outside Nativo's secure servers.
  • Direct access to the production environment requires VPN.
  • Nativo does not provide any external access to stored user records or logs, except in the case of an audit.
  • Data access is restricted to authorized Nativo engineering and support staff only, based on Nativo departments and roles. Only engineers have direct access to the production environment, limited by their specific roles.
  • All access or attempted access to systems is logged and monitored.
  • Employees in critical roles are trained on our data protection policies.

Data Transmission/Storage/Destruction

All data is held in secure storage provided by AWS. Data is transferred securely between AWS regions. User records have a defined 45-day TTL and are automatically deleted. Nativo keeps log records for up to two years; log records older than two years are deleted permanently.

Measures:

  • Data is always transmitted securely via encrypted channels like HTTPS.
  • In limited cases, raw log data is transferred to third parties for audit purposes. All such data is encrypted before transfer so that it can only be viewed by the authorized partner.
  • Nativo keeps user profile records as long as the user with a known cookie ID remains active on sites that Nativo works with. If Nativo does not see repeat visits from a user with a given cookie ID for 45 days, Nativo will delete that record permanently.
  • Nativo keeps log records for up to two years. Log records older than two years will be deleted permanently.
  • Log files are automatically deleted using AWS S3 object lifecycle management solution.
Confidentiality and Integrity

Employees in critical roles are trained on our data protection policies. Data access is restricted to authorized Nativo engineering and support staff only, based on Nativo departments and roles. Only engineers have direct access to the production environment, limited by their specific role.

Measures:

  • Employees are required to sign a non-disclosure agreement or abide by a code of ethics which includes rules on information security, communications and data privacy.
  • Nativo has implemented a least-privilege access management model.
  • Nativo Platform users are assigned permissions and access based on roles. All of our administrators are listed in internal systems.
  • Nativo Engineering can only access systems based on team role, and access requires two-factor authentication.
  • Nativo conducts two third-party system penetration tests per year.
  • Nativo is periodically subject to publisher audits using their own third-party companies.

Availability

Nativo’s Ad Delivery infrastructure is a fault tolerant platform across multiple AWS Regions. The data layer is fault tolerant across multiple AWS Availability Zones. Logs are stored on AWS S3 for two years.

Measures:

  • Databases are backed up daily. Data is stored in AWS S3.
  • Database backup restores are tested monthly.

Data Separation

Nativo is a standard, multi-tenant SaaS platform which provides a comprehensive, fully integrated native and content advertising technology stack custom-built, created and controlled by Nativo. The Nativo platform is built to facilitate ad creation, distribution, and measurement for content and native advertising programs at scale.

Measures:

  • Data is restricted by organizations and roles.
  • Roles are assigned to individual users based on need for access. Built-in roles include: Organizational Admin, Campaign Manager, Campaign Editor, Publication Manager, and Reports Only.

Incident Management

In the event of any security breach of personal data, Nativo will notify customers promptly.

Measures:

  • The Nativo breach management program includes three levels of severity with scenarios and specific action plans.

Audit

Nativo utilizes Amazon Web Services ("AWS") and has implemented AWS monitoring service offerings along with internal monitoring per application.

Nativo conducts penetration tests semi-annually (two per year) using a third-party vendor. In addition, Nativo is periodically subject to publisher audits using their own third-party companies.

Measures:

  • Third-party executive summary:
    1. A black-box penetration test of the Nativo web application and API was conducted in order to assess its risk posture and identify security issues that could negatively affect Nativo data, systems, or reputation.
    2. The penetration test of Nativo's web application covers the OWASP Top 10, ASVS, and business logic.
    3. Findings are shared and reviewed with Nativo Engineering.
  • Customers can request copies of these test results on an annual basis through their Nativo contact.