ImpactProduct ("IP") was created to democratize product analytics. We deliver actionable insights to teams that are impacted by product usage but do not access traditional product analytics tools. We do so by removing the largest usage challenges of most analytical tools, namely the requirement of developer support for instrumentation and confusing analytical dashboards, and by focusing on delivering insights rather than raw data. IP's primary use case is to push important information to our customer's sales organization about product usage by its customers and prospects (see "Integration with CRM Data" section below).
Instead of showing analytics in a confusing dashboard, IP shows event data in a Chrome Extension that overlays your product. Individual users add IP's extension to their browser.
Your data is secure with ImpactProduct and that is why we use industry-standard best practices to provide a highly safe and secure product.
Our Security strategy involves the following components:
ImpactProduct has defined and communicated to its employees the requirements for acceptable use of ImpactProduct's resources in order to mitigate the risk of unauthorized access to ImpactProduct equipment, as well as use and modification of information assets. These include clear desk and clear screen rules, data handling requirements, password maintenance, equipment security, and breach reporting/incident notification.
a. ImpactProduct information must be handled in compliance with the information security policy.
b. Actual or suspected information security incidents must be reported without delay in compliance with ImpactProduct information security incident section of this policy.
a. ImpactProduct assets (e.g., laptops, desktops, internet connection, data, and software) must only be used for approved purposes.
b. Reasonable use of ImpactProduct systems is permitted, providing it does not interfere with the employee’s work for ImpactProduct.
c. Personal use of ImpactProduct information of any type or classification except for Public information is prohibited.
a. ImpactProduct provides email to facilitate the company’s business needs and interests. Email must be used in compliance with ImpactProduct Information Security policy. All access to email messages must be limited to authorized personnel.
b. ImpactProduct users must exercise caution when opening unsolicited attachments, phishing emails, and web links from both known and
a. ImpactProduct internet must not be used to visit sites that contain pornographic, obscene, indecent, hateful, or other offensive material, visit hacker sites or breach copyright legislation.
Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes.
a) Each user of ImpactProduct information resources must have a uniquely assigned user account to allow them to access information resources. This user account is not shared and directly ties to an individual to support accountability;
b) User’s access to information resources must be requested, approved, and granted through a standard documented request and approval process.
c) User’s account information must not be divulged to any other person without a documented reason that has been approved by management per the requirements listed in the information classification and handling section of this document.
d) Accounts that are inactive for a maximum period of 90 consecutive days must be disabled. Any exceptions must be authorized and documented appropriately.
e) Notifying the IT&SD Department of the transfer, resignation, or termination of any staff member under the supervisor’s supervision. A staff member’s access to ImpactProduct’s information system will be disabled on the date of the staff member’s termination or resignation, or if necessary for other reasons in the judgment of ImpactProduct’s Vice President of IT&SD.
ImpactProduct employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Employees have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.
ImpactProduct recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration, or destruction of such data. For this purpose, ImpactProduct implements industry-standard security controls and maintains a comprehensive security program.
ImpactProduct has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted periodically and identified risks are mitigated according to risk severity and business priorities.
Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to ImpactProduct's employees, premises, system, and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies, and procedures implemented are commensurate with the risks and particular legal, regulatory, or contractual requirements associated with each facility.
ImpactProduct maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process, or host ImpactProduct data or have access to ImpactProduct network and systems.
a. All third parties who have access to confidential or restricted information must adhere to the following information security requirements.
i. A non-disclosure agreement (NDA) must be in place before ImpactProduct Internal, Confidential or Restricted information is disclosed to the third party.
ii. Reasonable steps must be taken to obtain assurance that appropriate security controls are in place at the third party. These steps must be taken regularly in line with the risk associated with sharing data with the third-party.
iii. An inventory of all third parties with access to ImpactProduct information must be maintained.
iv. Contracts with the third party must be signed before any third party is provided access to ImpactProduct information.
v. A reassessment of the third party’s security controls must be considered in the case of a change to the data classification or frequency of data shared with the third party.
vi. At the termination of a contract:
1. ImpactProduct information assets must be returned, retained, transferred or securely destroyed.
2. Physical and logical access to ImpactProduct’s information assets and facilities must be revoked.
ImpactProduct has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.
a. ImpactProduct management is committed to building and maintaining an incident management program in order to support the organization’s business mission, protect its customer data and services, and protect ImpactProduct proprietary information, systems, services, facilities, and people.
i. Changing the configuration of, removing, deactivating or otherwise tampering with any malware software that has been installed on systems is only allowed for authorized users.
ii. All incidents of malware or viruses must be reported immediately to ImpactProduct management. The infected system must be isolated as soon as possible from the network infrastructure and handled.
iii. Any actual or suspected information security incidents must be reported to ImpactProduct management as soon as they are suspected.
iv. Information security incidents must be managed in accordance with defined Incident Management standards, comply with applicable local legal and regulatory requirements, designate specific people to be available to respond to alerts, and be supported by tools and procedures.
v. Information security incidents must be reviewed to determine common factors, patterns, and trends, understand the costs and impact, and assess the effectiveness of controls.
ImpactProduct utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.
a. A business continuity plan (BCP) must be documented and reviewed once a year. Components of the documented plan must include:
i. Acceptable recovery time frames (e.g., recovery point objective (RPO) and recovery time objective (RTO))
ii. Roles and responsibilities of key team members
iii. The BCP must be based on a Business Impact Analysis (BIA).
b. Both fallback and resumption-related emergency procedures must be defined to allow for both temporary measures and full resumption as required.
c. The documented plan must be tested regularly.
i. Testing may involve, but may not be limited to, discussion, simulation, technical recovery testing, or complete rehearsals.
d. Updates to the business continuity plan must be disseminated on a timely basis.
i. ImpactProduct will conduct a business impact analysis (BIA) in order to identify the criticality of its assets, facilities, and processes. The BIA will be reviewed regularly for currency and accuracy.
i. ImpactProduct will identify areas in which it requires redundancy in order to maintain its business objective for availability and provide adequate resources to support that level of redundancy and future capacity needs.
Here at ImpactProduct, we review all reports of security vulnerabilities seriously. To report a vulnerability in one of our products or solutions, please contact our Computer Security Incidents Response Team (CSIRT) at firstname.lastname@example.org.