Security and privacy as a priority
Protecting your customers’ data with the highest standards, at all times.
Designed with security in mind
Big data is tough. We get it.
From day one, Glassbox was designed and built as a big data solution for data-sensitive environments. Our team is constantly working to improve our technology and processes to address the privacy and security of our customers and their end users in accordance with the strictest standards and best practices.
It is our philosophy that privacy and transparency are key to compliance. As such, Glassbox products are configured out of the box not to capture customer inputs, including sensitive information such as payment card information (PCI), personal health information (PHI) and personally identifiable information (PII).
Our security standards are examined on a biannual basis, and we are both SOC 2 and ISO 27001 certified. In fact, Glassbox is the first and only digital experience analytics provider to receive ISO 27701 certification for its privacy management framework. Glassbox is also compliant with major privacy protection regulations including HIPAA, GLBA, PCI, CCPA and GDPR.
Privacy by design
The privacy of your customers is central to our company mission. We’ve built the Glassbox platform around this belief, with tools that enable you to mask, omit and restrict access to customer data. Both omitting and masking come out-of-the-box and are fully customizable to meet your requirements and regulatory needs.
With data omitting capabilities, data is removed from the session before it ever leaves the user’s device. Decide in advance which data is stored and prevent any information, including payment card information (PCI) and personally identifiable information (PII), from ever being captured.
With data masking, data that is captured and sent during a session is masked and anonymized using encryption. It is visible only according to predetermined rules or roles that you configure, so you can restrict data access to specific roles within your organization according to your business needs and the principle of least privilege.
All data is encrypted at rest and in transit. Configuration files within the Glassbox system are encrypted at all endpoints, including our clients’ websites and mobile apps.
Privacy by design
Privacy is built into the product and architecture of all Glassbox services and into our business practices. It is an essential component of the core functionality of our product and is at the core of everything we do as a business.
Privacy by default
Our default settings are configured for the maximum degree of privacy by ensuring that personal data collection adheres to the principle of data minimization.
Four layers of security
Customer data helps your business thrive by offering the products, services, and experiences that your customers truly want, when they want them. The digital collection of personal data has never been under closer scrutiny.
Built for data-sensitive environments, Glassbox understands that the security of the data collected and stored by our customers is nothing less than critical. To deliver the peace of mind that our customers deserve, we apply four layers of security.
Password and credential storage
All passwords are encrypted and excluded from Glassbox logs. The password policy is hardened to enforce complexity and length requirements.
Encryption in transit and backups
All communication between end-user devices and Glassbox’s servers is encrypted using HTTPS (256-bit TLS). This level of encryption prevents third parties from reading any sensitive information you send to or receive from Glassbox.
All customer account and dashboard data is regularly backed up. Access to these backups is tightly controlled and audited.
Development and QA
Our developers work according to a Secure Software Development Life Cycle (SSDLC) in all development stages: planning and requirements, architecture and design, test planning, coding, testing and results, release and maintenance. We work in accordance with FIPS 140-2 standards. Penetration tests and audits are performed by an external agency on a regular basis.
Role-based access and authentication
Every change to your Glassbox system is captured in an audit log. Data access and software functionality are enabled according to role, and permissions are granted per application so that all your digital assets are covered. User access is controlled end to end through a seamless integration with LDAP/AD.
Glassbox supports Single Sign-On (SSO), including SAML 2.0 or a certified third-party identity provider service such as Okta. We also support firewall IP whitelisting, which restricts access to specified IP addresses. Use multi-factor authentication (MFA) with Glassbox to add an extra layer of protection on top of login credentials.
When you choose to deploy Glassbox in the cloud, you get your own single-tenant cloud environment (Virtual Private Cloud). Unlike a multi-tenant environment, a single-tenant cloud is not affected by the performance of other cloud customers, or by the maintenance, system upgrades or updates that a multi-tenant cloud provider performs.
Disaster recovery and business continuity
The servers that support our products are built for continuity and quick recovery, with plans and redundancies in place to address resiliency, recoverability and contingency against technical or equipment disruption, so that services remain available to our customers even in the harshest of times. Together with our backup strategy, this ensures the safety and availability of our customers’ data.
We enforce the highest security standards for all our sites. Glassbox runs on cloud environments that adhere to the highest security standards and are compliant with CSA/ISO 9001, 27001, 27017, 27018, SOC 1 and SOC 2, NIST, and Privacy Shield.
Our security management program is audited twice a year by third parties to ensure we live up to the highest security standards. In addition, we regularly conduct penetration testing by third-party security experts.
We use a systematic approach to change management at all levels of operations. All changes to procedures are reviewed, approved and documented to ensure alignment. A change is then moved into a staging environment, where it is tested before being deployed to production.
Glassbox adheres to the principle of least privilege. This means our employees receive only the access that is absolutely necessary to perform their duties and support our customers, based on their role at Glassbox.