Trust Center

Security and Compliance

Welcome to the Conversica Trust Center. We recognize that trust is built on transparency and earned with experience. Since our founding in 2007 we have provided Conversational AI solutions from a SaaS platform designed to protect the data which our customers entrust to us. We have also built service features to help our customers better meet consumer privacy expectations and comply with applicable law. Here we highlight some of our data protection safeguards and compliance-enabling service features.

  • Compliance

    Last updated Thu, May 19, 2022

    • CCPA

      As a business or data controller, Conversica adheres to the California Consumer Privacy Act of 2018 ("CCPA") and other state privacy laws, including the Virginia Consumer Data Protection Act. As a service provider or data processor for our customers, we provide information and service features that help our customers meet their respective state law obligations.

      Conversica qualifies under the CCPA as a "service provider" with which you, as our Conversica customer or "business", can share CA consumer PI to the extent "reasonably necessary and proportionate" to achieve your business goals. You choose the PI we process so our AI Assistants can initiate conversations on your behalf.

    • COPPA

      In accordance with the Children's Online Privacy Protection Act (COPPA), the Conversica service agreement prohibits our customers from sending us, for processing, the PII of anyone who is age 13 or under. If we knowingly receive such data in our services, we will inform our customers and delete it.

    • EU-US Privacy Shield

      We are EU-U.S. Privacy Shield certified for non-HR data. Nonetheless, in accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-U.S. and Swiss-U.S. Privacy Shield principles for all personal information transferred to the U.S. in reliance on such certifications prior to July 16, 2020, and we continue to maintain our Privacy Shield certification as we look forward to the framework being recognized once again as an adequate mechanism for the transfer of data from the EU to the U.S.

    • Swiss-US Privacy Shield

      We are Swiss-U.S. Privacy Shield certified for non-HR data. Nonetheless, in accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-U.S. and Swiss-U.S. Privacy Shield principles for all personal information transferred to the U.S. in reliance on such certifications prior to July 16, 2020, and we continue to maintain our Privacy Shield certification as we look forward to the framework being recognized once again as an adequate mechanism for the transfer of data from Switzerland to the U.S.

    • GDPR

      As a data controller, Conversica adheres to the EU General Data Protection Regulation and other applicable data protection laws. As a data processor for our customers, we comply with the GDPR as applicable to our services and provide our customers with information and service features to facilitate their respective compliance efforts.

      As a service provider, Conversica provides appropriate data protection safeguards for the personal data we process on behalf of our customers. Conversica and its data hosting partner, AWS, have implemented appropriate administrative, physical, and logical safeguards designed to protect the security, availability, confidentiality, and integrity of Conversica customers' data. These safeguards include the technical measures specified by GDPR Article 32 and are audited by external auditors on an annual basis.

      For customers whose data includes personal data within the scope of the GDPR, Conversica's DPA includes the Standard Contractual Clauses updated in June 2021 with the appropriate modules for data transfers to third countries (the U.S.) from an exporter controller (Conversica's customer) and importer processor (Conversica).

    • ISO 27001

      We have certification from an independent auditor for compliance with ISO/IEC 27001:2013, a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. Our information security management system (ISMS) policies and related written procedures, which adhere to this ISO/IEC 27002 standard, have been adopted to provide guidance for our implementation of good security practices and help ensure that our organizational risk is appropriately mitigated.

    • PCI-DSS

      Conversica subscription services are out of scope for PCI-DSS because we do not process card data on behalf of our customers.

    • SOC 2

      An independent auditor has examined our Services platform controls and confirmed they are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principle for Security. Conversica undergoes an independent SOC 2 Type II audit on an annual basis. The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) 2 report gives assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. Our report, available to customers or under NDA, addresses our controls around security.

  • Product Security

    Last updated Thu, May 19, 2022

    • Audit Logs

      Conversica maintains administrative logs as well as logs for account establishment and modifications (including adding or removing users, segments, sources, destinations).

    • Multi-Factor Authentication

      Conversica makes it easy for you to add multi-factor authentication to your Conversica account user login process to enhance account security.

    • Role-Based Access Control (RBAC)

      Customer account administrators can easily add and remove account users. Conversica provides a set of defined user roles, each with its respective permissions.

    • SSO

      We are SAML 2.0 compliant. Consequently, if you are using a SAML-compliant IdP, you can request assistance from our support team to set up an SSO integration to enhance your account security.

  • Data Security

    Last updated Fri, Feb 11, 2022

    • Data Encrypted At-Rest

      Data is encrypted at rest using AES-256.

    • Data Encrypted In-Transit

      We encrypt data in transit using HTTPS/TLS. The TLS version supported is currently 1.2 or newer.

    • Passwords Encrypted

      Account user passwords are encrypted and hashed with a SHA-256 algorithm.

  • Privacy

    Last updated Fri, Feb 11, 2022

    • Privacy Policy

      The Conversica Privacy Policy describes our practices regarding the personal information we process as a data controller operating a business. This policy also describes our role and practices in connection with personal information we may receive and otherwise process on behalf of our customers.

    • Data Retention Policy

      Conversica retains customer data in accordance with customer instructions contained in their respective services agreements. Following customer account termination, access is removed and the customer data associated with the account is logically deleted and then overwritten. When media that hosted customer data is no longer useful, it is destroyed in compliance with NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, and DoD security guidelines.

    • Data Processing Addendum

      We address data processing in our services agreement terms and offer a Data Processing Addendum (DPA) to our customers. This DPA addresses our compliance with applicable privacy laws, which may include the GDPR and the CCPA as well as other state laws.

    • Data Removal Requests

      Customers can request data removal by contacting Conversica technical support. Any data removal request received from a data subject associated with a customer as the data controller will be referred to such customer.

    • Data Protection Officer (DPO)

      Conversica has appointed a team to share DPO duties. Team members include an experienced security professional (CISSP, CISM, MIS) and an experienced privacy law attorney (CIPP-U.S.).

  • Incident Management & Response

    Last updated Fri, Feb 11, 2022

    • Incident Response Plan (IRP)

      Conversica operates a formal Security Incident management process under a related policy and procedures. Escalation procedures exist to ensure the timely communication of any Security Incident through the management chain and to any affected customers without undue delay.

  • Availability & Reliability

    Last updated Fri, Feb 11, 2022

    We use the Amazon Web Services platform infrastructure because it has been architected to be one of the most flexible, reliable, and secure cloud environments available today, allowing our customers to benefit from this data infrastructure.

    Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all accesses are logged.

    We have designed our subscription service data collection environment for high availability - no less than 99.75%.

    • Denial of Service (DoS) Protection

      Conversica has deployed Amazon Web Services resources for Denial of Service protection.

    • Infrastructure Redundancy

      Conversica services are deployed to benefit from the infrastructure redundancy of the Amazon Web Services platform.

  • Organizational Security

    Last updated Thu, Feb 17, 2022

    • Confidentiality Agreements

      Our service agreements provide for the confidential treatment of confidential customer information, including customer data. We also require all our employees, contractors and vendors to sign confidentiality agreements to ensure the protection of confidential information.

    • Employee Background Checks

      Conversica employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired.

    • Employee Security Training

      We train all new employees about their confidentiality, privacy and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access.

    • Employee Workstations Automatically Locked

      Our employee workstations are automatically locked after a pre-determined period of non-use via the MDM system we have implemented.

    • Employee Workstations Encrypted

      All employee workstations are encrypted and wiped at time of decommission using DoD standards.

    • Limited Employee Access (Principle of Least Privilege)

      Conversica follows the principle of "least privilege" in governing employee access to our systems. Access to our customers' data is limited to legitimate business needs, including activities needed to support customers' use of our services. We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees' access rights and patterns are commensurate with their current positions. A formal employee termination notification process exists, which is initiated by our Human Resources ("HR") department. Upon notification by HR, all physical and system accesses are promptly revoked.

    • Physical Access Control

      Conversica has implemented appropriate controls to restrict physical access to its offices. Our cloud service providers have implemented robust security measures to control physical access to the data processing facilities we use.

  • Business Continuity

    Last updated Fri, Feb 11, 2022

    • Business Continuity Plan

      Conversica has implemented an integrated Business Continuity and Disaster Recovery Policy and maintains related plans under the policy. Please see the text under Disaster Recovery Plan for more information on this topic.

    • Disaster Recovery Plan

      Conversica maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, redundancy throughout our platform architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans and test them on a regular basis.

    • Data Backups

      Conversica stores all customer data on fully redundant Amazon Web Services (AWS) storage systems, utilizing hot backups stored in secure AWS facilities offsite from production facilities. Access to backup media is highly restricted.

  • Infrastructure

    Last updated Fri, Feb 11, 2022

    • Multi-Tenant Architecture

      Conversica provides its subscription services using a multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at rest using AES-256.

    • ISO 27001 - Data Center

      Amazon Web Services data centers are certified as compliant with the following ISO standards: ISO 27001:2013, ISO 27017:2015, and ISO 27018:2019.

    • SOC 2 - Data Center

      Amazon Web Services is certified for compliance with the SOC 2 Type 2 Security, Confidentiality, Availability, and Privacy Trust Principles.

    • Physical Access Control - Data Center

      All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all accesses are logged.

  • Threat Management

    Last updated Thu, Feb 17, 2022

    • Penetration Testing

      We have an independent, third-party security vendor conduct manual penetration testing of our internal and external infrastructure and services on an annual basis. This manual testing is complemented by automated testing on a more frequent, regular basis using a variety of commercially available testing tools.

    • Vulnerability Scanning

      Conversica uses a number of automated scanning tools to scan for application security vulnerabilities on a frequent basis. Scans are applied to every code build and prior to each code merge.

    • Static Application Security Testing (SAST)

      Source code is regularly scanned for vulnerabilities prior to production go-live.

  • Subprocessors

    Last updated Thu, Feb 17, 2022

    For an up-to-date sub-processor listing, please subscribe to our list here:
    https://www.conversica.com/sub-processor/list-of-subprocessors/