Security & compliance

Last updated: 15 January 2024

Security and compliance are a key priority for Intractive because they are fundamental for your continued trust in our platform. Intractive is heavily committed to securing your content and customer data, eliminating system vulnerabilities, and ensuring normal operation.

Intractive uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

Infrastructure and Network Security

Physical Access Control

Intractive is hosted on the Google Cloud Platform. Google data centers use a tiered security strategy, which includes numerous measures.

  • Alarms
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Custom-designed electronic access cards
  • Biometrics

According to the Google Security Whitepaper: Google data centers also implement “security measures such as laser beam intrusion detection and 24/7 monitoring by high-resolution interior and exterior cameras” to detect and track intruders. In addition, “access logs, activity records, and camera footage are available in case an incident occurs” and “experienced security guards, who have undergone rigorous background checks and training, routinely patrol” Google data centers.

Intractive employees do not have physical access to Google data centers, servers, network equipment, or storage.

Logical Access Control

Only authorized members of the Intractive operations team can configure the infrastructure, and only from behind a virtual private network that requires two-factor authentication. Each server requires its own private key, and these keys are stored in a secure, encrypted location.

Penetration Testing

Intractive commissions yearly penetration testing from an external, independent agency. For the tests, the company supplies the agency with a separate copy of its environments and a detailed overview of the application's structure. Customer data remains confidential and is not disclosed during the penetration testing process.

The outcome of the penetration tests, in particular any security weaknesses identified, is used to set priorities for mitigation and corrective actions. Customers can request a copy of the test results at any time.

Third-Party Audit

Google Cloud Platform undergoes regular independent third-party audits and can provide verification of its compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SOC 2 reports issued under SSAE 18 and ISO 27001 certification. Google Cloud publishes the full list of its certifications and audit reports in its compliance resource center.

Intrusion Detection and Prevention

Intractive prioritizes the detection of unusual network activity and suspicious behavior in the infrastructure it hosts and manages. To detect such activity, Intractive, together with Google Cloud Platform, employs intrusion detection and prevention systems (IDS/IPS) that combine signature-based detection of known threats with behavioral (anomaly-based) detection of traffic patterns that deviate from the norm. Google documents its IDS offering in its Cloud IDS product documentation.

While Intractive does not publish the details of individual security incidents, its engineering and customer support teams are reachable during and after any unexpected outage. For the current status of all operational systems, please visit our status page.

Business Continuity and Disaster Recovery

High Availability Measures

Intractive ensures high availability by deploying redundant server configurations across all parts of its service, including multiple load balancers, web servers, and database replicas, so that a single server failure does not disrupt service. Regular maintenance is carried out in a way that does not affect service availability.

Continuity of Operations

To safeguard against data loss, Intractive maintains daily, encrypted backups of all data across several locations within the Google Cloud Platform. In the unlikely event of a loss of production data (for example, the primary data storage is compromised), Intractive is prepared to recover organizational data from these backups promptly.

Disaster Recovery Strategy

Should there be a significant outage affecting an entire region, Intractive is prepared to activate a replicated environment in an alternate region on the Google Cloud Platform. The Intractive operations team is equipped to perform migrations across regions to ensure continuity of service.

Data Security and Privacy

Data Encryption

All data stored on Intractive database servers is encrypted at rest. The encryption keys are stored and managed by Google Cloud Platform's distributed key management service, separately from the storage devices themselves. If an attacker were ever able to access any of the physical storage devices, the Intractive data on them could not be decrypted without those keys. The same at-rest encryption covers backups and infrastructure management services, further strengthening data security and privacy.

All data in transit to and from the application travels over HTTPS, that is, HTTP over Transport Layer Security (TLS), using only modern cipher suites with no known weaknesses. In addition, the .app top-level domain is included in the HTTP Strict Transport Security (HSTS) preload list shipped with major browsers, so browsers connect to Intractive's .app domains over HTTPS only and never fall back to plain HTTP.
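The check a practitioner would run on any host that relies on HSTS is whether the header it sends actually meets the preload requirements (a max-age of at least one year, includeSubDomains, and the preload token). The parser and checker below are an added example written for this page, not Intractive's code; the header values it is fed are constructed strings, and a live check would read them from an HTTPS response. It also reflects the .app point above: a host under .app with no header of its own is still covered by the TLD-level preload entry, so that case is reported as a warning rather than a failure.

```python
"""Check a Strict-Transport-Security header against the HSTS preload rules
(max-age of at least one year, includeSubDomains, preload).

Added example, not Intractive's code. Header values are supplied as strings
constructed for illustration; a live check would read them from an HTTPS
response for the host.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

    def preload_eligible(self) -> bool:
        return self.max_age >= ONE_YEAR and self.include_subdomains and self.preload


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directives of a Strict-Transport-Security header value.
    Directive names are case-insensitive and unknown ones are ignored
    (RFC 6797); max-age is mandatory."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("no max-age directive")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(host: str, header: Optional[str]) -> List[str]:
    """Return findings for a host's HSTS policy; an empty list means it is sound.
    The whole .app TLD is on the browser preload list, so a host under .app
    without its own header still gets HTTPS enforcement from the TLD entry."""
    if header is None:
        if host.lower().endswith(".app"):
            return ["no HSTS header; relying on the .app TLD preload entry"]
        return ["no HSTS header"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains directive missing")
    if not policy.preload:
        findings.append("preload directive missing")
    return findings
```

Note that the TLD preload entry protects browser clients only; non-browser HTTP clients do not consult the preload list, which is why the server should still send its own header and redirect plain HTTP to HTTPS.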

Data Retention and Removal

Data required for normal operation, such as story data, is kept on our systems; customers can delete all information related to their stories via the interface. Temporary data such as login and authentication tokens is retained for the shortest time necessary, from 15 minutes to 3 months depending on the type of token. If a customer ends their subscription and deletes their account through their organization settings, the organization's data becomes inaccessible within 24 hours.

All data in our production environments is backed up regularly, and backups are destroyed within 90 days of creation. Customers can request assistance with the removal of data by contacting our customer support.

Application Security

Application level security practices

Intractive employs multiple security measures at the application level to guard against different kinds of attacks. In countering these threats, we rigorously adhere to the best practices recommended by the Open Web Application Security Project (OWASP). Some of our security measures include:

  • Web application firewalls as provided by the Google Cloud Platform
  • Server level protection modules (such as CSRF and injection protection)
  • Reasonable and sensible request limits
  • Secure cookies
  • Strong password requirements

Passwords and other critical secrets are never stored in recoverable form: they are stored as HMAC-SHA256 keyed hashes, which can be verified by recomputing the hash but cannot be decrypted back into the original value. When sensitive data or parameters are transmitted, we always opt for an algorithm with comparable or stronger properties.
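The practical difference between "encrypted" and "keyed hash" is that there is no decryption step: verification recomputes the digest from the candidate password and compares it in constant time. The example below is added here to show that mechanism and is not Intractive's code; the server key is a constructed value, and the salt and pepper arrangement is an assumption of the example, not a description of Intractive's storage. It also shows the "similar or stronger" option, PBKDF2 built on the same HMAC-SHA256, which makes offline guessing expensive if the database and the key ever leak together.

```python
"""Keyed-hash password storage and verification with HMAC-SHA256.

Added example, not Intractive's code. The server secret below is a
constructed value; in production it lives in a secret store, never in the
database next to the digests.
"""
import hashlib
import hmac
import os

SERVER_KEY = bytes.fromhex("0f" * 32)  # constructed 256-bit secret for this example


def digest_password(password: str, salt: bytes) -> bytes:
    """HMAC-SHA256 over salt || password under the server key.
    A per-user random salt keeps two users with the same password from
    sharing a digest; the key keeps a stolen table from being cracked
    by anyone who does not also hold the key."""
    return hmac.new(SERVER_KEY, salt + password.encode("utf-8"), hashlib.sha256).digest()


def stretched_digest(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """The 'similar or stronger' option: PBKDF2-HMAC-SHA256, iterated so each
    offline guess costs real CPU time, then keyed with the server secret so a
    stolen database alone is not enough to start guessing."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.new(SERVER_KEY, stretched, hashlib.sha256).digest()


def enroll(password: str, stretch: bool = False) -> dict:
    """Create the stored record: scheme, random salt and digest. No plaintext
    and no reversible ciphertext is kept."""
    salt = os.urandom(16)
    fn = stretched_digest if stretch else digest_password
    return {"scheme": "pbkdf2-hmac" if stretch else "hmac",
            "salt": salt,
            "digest": fn(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time.
    hmac.compare_digest avoids the early-exit timing leak of a plain ==."""
    fn = stretched_digest if record["scheme"] == "pbkdf2-hmac" else digest_password
    return hmac.compare_digest(record["digest"], fn(candidate, record["salt"]))
```

The choice between the two schemes is a question of what a leak of the database together with the key would cost the attacker: a single HMAC-SHA256 can be computed billions of times per second on commodity GPUs, whereas the iterated form is deliberately slow.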

Application level security is tested periodically through aforementioned penetration testing by a third party. 

Email based web authentication flow

When you opt to use Intractive's web authentication module for your end users, they authenticate through an e-mail based flow: the user proves control of their e-mail address by acting on a message sent to it. This removes the need to store end-user passwords altogether. Because the user must demonstrate control of the mailbox, the assurance is comparable to a second factor; it rests on the security of that mailbox, which in practice is usually protected by the e-mail provider's own multi-factor authentication.
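The properties that make such a flow safe are the ones worth checking in any implementation: a token long enough that it cannot be guessed within its lifetime, a short lifetime, single use, and a server-side store that holds only a hash of the token so a leaked table does not yield usable logins. The service below is an added example illustrating those properties; it is not Intractive's authentication module. It assumes a 15-minute lifetime (the shortest retention period the data retention section quotes for authentication tokens), leaves e-mail delivery and the link format to the caller, and takes an injectable clock so the expiry path can be exercised offline.

```python
"""Single-use, time-limited e-mail login tokens.

Added example, not Intractive's authentication module. The store keeps only
the SHA-256 of each token; e-mail delivery and link formatting are left to
the caller. The clock is injectable so expiry can be tested offline.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for this example


class EmailLoginService:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # token fingerprint -> (email, expiry). The raw token is never stored,
        # so a dump of this table cannot be replayed as login links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for the address and return it for the caller to embed
        in the e-mail. token_urlsafe(32) yields 256 bits of entropy, far beyond
        what could be guessed during a 15-minute window."""
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = (email, self._now() + TOKEN_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the authenticated address, or None. The entry is removed on
        the first redemption attempt whether it succeeds or has expired, so a
        link can never be replayed."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        email, expiry = entry
        if self._now() > expiry:
            return None
        return email

    def purge_expired(self) -> int:
        """Drop expired entries that were never redeemed; returns how many."""
        now = self._now()
        stale = [fp for fp, (_, expiry) in self._pending.items() if now > expiry]
        for fp in stale:
            del self._pending[fp]
        return len(stale)
```

Two things the code deliberately does not do are also part of the design: it does not tell the requester whether an address is registered (issue always succeeds, and whether mail is actually sent is the caller's decision), and it does not tie the token to the browser that requested it, so an operator who wants to block a link opened on a different device would add that binding on top.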

Email Security

The Intractive service sends e-mail notifications and reports. We publish Sender Policy Framework (SPF) records, through Google DNS as our domain name service (DNS) provider, so that receiving mail servers can reject messages that claim to come from our domain but originate elsewhere, and we have Domain-based Message Authentication, Reporting, and Conformance (DMARC) configured to instruct receivers how to handle mail that fails those checks, reducing the opportunity for phishing in our name.
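What matters for spoofing resistance is not merely that SPF and DMARC records exist but how strict they are: an SPF record ending in "~all" or "?all" only softly marks unauthorised senders, a DMARC policy of "p=none" takes no action on failures, and an SPF record with more than ten DNS-lookup terms is evaluated as a permanent error. The checker below is an added example, not Intractive's tooling; the records it is fed are constructed for illustration and are not Intractive's live DNS, and a real check would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Parse SPF and DMARC TXT records and flag weak settings.

Added example, not Intractive's tooling. Records are passed in as strings
constructed for illustration; a live check would fetch the TXT records for
the domain and for _dmarc.<domain> first.
"""
import re
from typing import Dict, List

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
_TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)")


def parse_spf(record: str) -> Dict[str, object]:
    """Return the qualifier on the 'all' mechanism (None if absent) and the
    number of terms that cost a DNS lookup during evaluation."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        match = _TERM.match(term.lower())
        if not match:
            continue
        qualifier, name = match.group(1) or "+", match.group(2)
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def check_spf(record: str) -> List[str]:
    findings = []
    spf = parse_spf(record)
    if spf["all"] is None:
        findings.append("no 'all' mechanism; unlisted senders are treated as neutral")
    elif spf["all"] == "~":
        findings.append("'~all' softfail marks spoofed mail but does not reject it")
    elif spf["all"] in "+?":
        findings.append(f"'{spf['all']}all' does not reject unauthorised senders")
    if spf["lookups"] > SPF_MAX_LOOKUPS:
        findings.append(f"{spf['lookups']} DNS lookups exceeds the limit of {SPF_MAX_LOOKUPS}")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_dmarc(record: str) -> List[str]:
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} does not act on failures")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return findings
```

One caveat the page does not cover: DMARC passes only when SPF or DKIM aligns with the visible From domain, and SPF alone breaks when mail is forwarded, so an operator running this check would also confirm that outgoing mail is DKIM-signed before moving the policy to "p=reject".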

Audit Controls

Intractive provides all its customers with administrative controls over identity, access, and usage to ensure the safety, security, and centralized management of data.

In Intractive, membership is managed at the organization level, so each user has a single account that can be used across different organizations. Each user should have an individual account, with their own preferences and notification settings; shared accounts would undermine per-user access control and audit trails. Roles within an organization determine the level of access: Viewer, Editor, Admin, and Organization Owner.

The team portal displays detailed information about each user, such as username, email, status, date added, and role. Organization owners have the capability to revoke access at the organization level and to modify user roles. To request login and password reset histories and active sessions for any user, please contact support.

Software Development Lifecycle

We practice continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. Continuous delivery, complemented by pull-request review, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue reaching production and shortens the time to detect and eradicate bugs and vulnerabilities. We use separate infrastructure for development, staging and live environments, with no sharing of data between environments. Contact us for an in-depth overview of our SDLC.

Corporate Security

Malware Protection

At Intractive, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations are enrolled in a Mobile Device Management (MDM) solution to enforce security settings including full-disk encryption, screen lock, and OS updates.

Background Checks

Intractive conducts background checks on all new hires, covering:

  • Identity verification
  • Global watchlist check
  • Criminal records check

Security Training

All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if applicable), security policies review, company policies review, and corporate values and ethics training.

Disclosure Policy

Intractive maintains an incident response procedure for security events and other operational issues, with escalation paths, rapid mitigation, and post-mortems. Should a personal data breach (as defined in Article 4(12) of the GDPR) be identified, we pledge to disclose it within 24 hours of detection.

Vulnerability Disclosure

If you think you may have found a security vulnerability in any of our services, please get in touch with our security team: security@intractive.app

We take all disclosures very seriously, and once we receive a disclosure we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

Trusted domain names

We use multiple domain names to provide our services. Below, we have enumerated all the domain names affiliated with us to help our customers identify potential spoofing or phishing attempts.

Domain name               Function
intractive.app            Main website location and primary e-mail domain.
links.intractive.app      Linking domain from which users are redirected to the correct story.
web.intractive.app        Application domain. Serves the application needed to view stories.
cdn.intractive.app        Content delivery network. Serves images, video and 3D-model content.
transform.intractive.app  Image transform service. Delivers resized images on request.
embed.intractive.app      Embed services. Hosts the script files needed to embed stories on customer websites.

Other Resources and contact

Contact us for any additional information you may need that is not covered by this article.