Privacy & Security

Last updated 3/29/2022

About Winware:

Winware was created to help ensure that customers have the best product experience. We deliver actionable recommendations to help customers have the full product experience.

To remove the developer support requirement for instrumentation, Winware accesses site usage data using Winware’s own JavaScript, which its customers add to their sites. The Winware script pulls anonymous event data through the APIs. Winware's JavaScript does not capture PII data of any kind. Winware's customers pass their users' ID and email so that Winware can match site usage behaviors to specific users and sales activities in its customers' CRM tool on Winware's backend. Winware stores all event data on Google Cloud. Data is encrypted both at rest and in transit. Winware’s data capture is also asynchronous, so it doesn’t impact page load. More on that below.

Instead of showing analytics in a confusing dashboard, Winware shows event data in a Chrome Extension that overlays your browser. Individual users add Winware's extension to their browser.

Security and Reliability

Your data is secure with Winware and that is why we use industry-standard best practices to provide a highly safe and secure product.

JavaScript Overview:

Winware captures the website actions of our customers' users via JavaScript code that the customer adds to its website header. This JavaScript code simply counts the number of times that an HTML element is clicked. The HTML element selector path/ID that the JavaScript captures is the same information that any user of a website can obtain simply by right-clicking on a website page and choosing the “Inspect” menu option. However, we also require customers to pass us their User IDs and email for every session. We match the User ID and email to sales information on our backend.

You can read more about Winware’s JavaScript that captures site usage data here:

Note: ESPN is not a Winware customer. This is an example to show that an element's selector path is publicly available information.

Integration with CRM Data

One of the core values of Winware is to inform its customers' sales teams of critical product usage by their prospects or customers. To do this, Winware will map a user's product usage (from its JS script) to the data captured in our customer's CRM. We accomplish this by passing only important data from the CRM into a Google Sheet. We then match the Google Sheet data from the CRM to the click data from Winware's JavaScript using the User ID and email.


Acceptable Use:

Winware has defined and communicated to its employees the requirements for acceptable use of Winware's resources in order to mitigate the risk of unauthorized access to Winware equipment, as well as use and modification of information assets. These include clear desk and clear screen rules, data handling requirements, password maintenance, equipment security, and breach reporting/incident notification.

1. User responsibilities 

a. Winware information must be handled in compliance with the information security policy. 

b. Actual or suspected information security incidents must be reported without delay in compliance with the information security incident section of this policy.

2. Use of IT systems and equipment 

a. Winware assets (e.g., laptops, desktops, internet connection, data, and software) must only be used for approved purposes. 

b. Reasonable use of Winware systems is permitted, providing it does not interfere with the employee’s work for Winware. 

c. Personal use of Winware information of any type or classification except for Public information is prohibited. 

3. Use of Email 

a. Winware provides email to facilitate the company’s business needs and interests. Email must be used in compliance with Winware's Information Security policy. All access to email messages must be limited to authorized personnel.

b. Winware users must exercise caution when opening unsolicited attachments, phishing emails, and web links from both known and unknown sources. 

4. Use of the Internet 

a. Winware internet must not be used to visit sites that contain pornographic, obscene, indecent, hateful, or other offensive material, to visit hacker sites, or to breach copyright legislation.


Access Controls

Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes.

a) Each user of Winware information resources must have a uniquely assigned user account to allow them to access information resources. This user account is not shared and directly ties to an individual to support accountability.

b) A user’s access to information resources must be requested, approved, and granted through a standard documented request and approval process.

c) A user’s account information must not be divulged to any other person without a documented reason that has been approved by management per the requirements listed in the information classification and handling section of this document.

d) Accounts that are inactive for a maximum period of 90 consecutive days must be disabled. Any exceptions must be authorized and documented appropriately. 

e) Supervisors must notify the IT&SD Department of the transfer, resignation, or termination of any staff member under their supervision. A staff member’s access to Winware’s information system will be disabled on the date of the staff member’s termination or resignation, or if necessary for other reasons in the judgment of Winware’s Vice President of IT&SD.


Password Policy

Winware employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Employees have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.


Cybersecurity Governance

Winware recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration, or destruction of such data. For this purpose, Winware implements industry-standard security controls and maintains a comprehensive security program.


Risk Management

Winware has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted periodically and identified risks are mitigated according to risk severity and business priorities.


Physical Security

Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to Winware's employees, premises, system, and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies, and procedures implemented are commensurate with the risks and particular legal, regulatory, or contractual requirements associated with each facility.

Third-Party Risk Management

Winware maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process, or host Winware data or have access to Winware network and systems.

a. All third parties that have access to confidential or restricted information must adhere to the following information security requirements.

i. A non-disclosure agreement (NDA) must be in place before Winware Internal, Confidential or Restricted information is disclosed to the third party. 

ii. Reasonable steps must be taken to obtain assurance that appropriate security controls are in place at the third party. These steps must be taken regularly in line with the risk associated with sharing data with the third party.

iii. An inventory of all third parties with access to Winware information must be maintained. 

iv. Contracts with the third party must be signed before any third party is provided access to Winware information. 

v. A reassessment of the third party’s security controls must be considered in the case of a change to the data classification or frequency of data shared with the third party. 

vi. At the termination of a contract: 

1. Winware information assets must be returned, retained, transferred or securely destroyed. 

2. Physical and logical access to Winware's information assets and facilities must be revoked.


Incident Management

Winware has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.

a. Winware management is committed to building and maintaining an incident management program in order to support the organization’s business mission, protect its customer data and services, and protect Winware proprietary information, systems, services, facilities, and people. 

i. Changing the configuration of, removing, deactivating, or otherwise tampering with any malware software that has been installed on systems is only allowed for authorized users.

ii. All incidents of malware or viruses must be reported immediately to Winware management. The infected system must be isolated as soon as possible from the network infrastructure and handled.

iii. Any actual or suspected information security incidents must be reported to Winware management as soon as they are suspected. 

iv. Information security incidents must be managed in accordance with defined Incident Management standards, comply with applicable local legal and regulatory requirements, designate specific people to be available to respond to alerts, and be supported by tools and procedures. 

v. Information security incidents must be reviewed to determine common factors, patterns, and trends, understand the costs and impact, and assess the effectiveness of controls.


Business Continuity

Winware utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.

a. A business continuity plan (BCP) must be documented and reviewed once a year. Components of the documented plan must include: 

i. Acceptable recovery time frames (e.g., recovery point objective (RPO) and recovery time objective (RTO))

ii. Roles and responsibilities of key team members 

iii. The BCP must be based on a Business Impact Analysis (BIA). 

b. Both fallback and resumption-related emergency procedures must be defined to allow for both temporary measures and full resumption as required. 

c. The documented plan must be tested regularly. 

i. Testing may involve, but may not be limited to, discussion, simulation, technical recovery testing, or complete rehearsals. 

d. Updates to the business continuity plan must be disseminated on a timely basis. 

e. Business Impact Analysis 

i. Winware will conduct a business impact analysis (BIA) in order to identify the criticality of its assets, facilities, and processes. The BIA will be reviewed regularly for currency and accuracy. 

f. Redundancy and Capacity Planning 

i. Winware will identify areas in which it requires redundancy in order to maintain its business objective for availability and provide adequate resources to support that level of redundancy and future capacity needs.


Want to report a security concern?

Here at Winware, we review all reports of security vulnerabilities seriously. To report a vulnerability in one of our products or solutions, please contact our Computer Security Incidents Response Team (CSIRT) at support@impactproduct.com.