Security Statement

Webtrends Optimize, and Accelerate Group Limited are each referred to herein as “Webtrends Optimize”.

Webtrends Optimize SaaS Solutions Security Statement

Last Updated: August 1, 2018

1  WEBTRENDS OPTIMIZE SAAS PRODUCTION ENVIRONMENT

Webtrends Optimize employs a public cloud deployment model with virtualized resources for its software-as-a-service solutions (“SaaS Solutions”). All maintenance and configuration activities are conducted by Webtrends Optimize employees.

Webtrends Optimize SaaS Solutions are multi-tenant and logical access controls using authentication and roles ensure the necessary separation between data from different clients. All infrastructure responsibilities rest with Webtrends Optimize, and clients are provided with functionality to manage their own users and roles at the application level.

Webtrends Optimize follows guidance from the ISO/IEC 27002:2013 standard. Additionally, Webtrends Optimize employs industry standard practices and relies on its 15 years of experience in operating highly secure SaaS solutions for security controls such as firewalls, intrusion detection, change management and written security policies.

1.1 Scalability

Webtrends Optimize distributed architecture for data collection, processing and reporting allows it to scale horizontally as the number of clients and volume of traffic increase. Webtrends Optimize uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are load balanced and scaled up when predetermined capacity thresholds are reached.

1.2 SaaS Management

Webtrends Optimize SaaS operations team (“SaaS Operations”) is responsible for all aspects of the SaaS Solutions production environment. SaaS Operations is set up separately and independently from the corporate network IT organisation to ensure the necessary separation of duties. SaaS Operations’ professional depth enables Webtrends Optimize to provide SaaS services at the highest levels of efficiency.

2  RISK MANAGEMENT

Webtrends Optimize business continuity planning includes practices to assist management in identifying and managing risks that could affect the organisation’s ability to provide reliable services to its clients (as further described below). These practices are used to identify significant risks for the organisation, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.

Webtrends Optimize evaluates and manages risks related to its SaaS Solutions throughout their lifecycle, taking into considerations the consequences for our clients of loss of confidentiality or availability of the information we collect, process and store.

Webtrends Optimize maintains coverage to insure against major risks. Policies include errors and omissions liability, commercial general liability, auto liability, commercial umbrella liability, workers’ compensation and employer’s liability, fiduciary liability, directors’ and officers’ liability, and crime bond. Insurance companies, which management believes to be financially sound, provide coverage. Coverage is maintained at levels which Webtrends Optimize considers reasonable given the size and scope of its operations.

3  SECURITY POLICIES & ORGANISATION OF INFORMATION SECURITY
3.1 Policies

Webtrends Optimize information security management system is based on ISO 27002. Webtrends Optimize maintains a general Information Security Policy, updated annually, that explicitly addresses the confidentiality, integrity and availability of client data and information technology resources, and details employee’s responsibilities and managements’ role.

Comprehensive technical policies govern various aspects of Webtrends Optimize SaaS Operations and corporate, which policies define security measures appropriate to the sensitivity of the data processed.

Policies are approved by senior management, communicated to all affected Personnel to whom the policies apply, and clearly state the consequences of non-compliance. All employees must review and sign Webtrends Optimize’ Information Security Policy during onboarding.

3.2 Information and Communication

Webtrends Optimize utilises various methods of communication, including email and the corporate intranet to update employees on current events and policies, and share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies. SaaS Operations has dedicated intranet sections to publish information relevant to the SaaS production staff, such as technical materials, policies, procedures, and calendars.

Update of key documents such as policies require email notification to the affected staff.

3.3 Information Security Coordination

Webtrends Optimize has adopted a decentralised approach to information security. Webtrends Optimizes IT Director coordinates all security and privacy activities within Webtrends Optimize. Responsibilities of this position include:

• Driving security initiatives
• Policy review
• Security planning and program management
• Review effectiveness of the security program
• Coordinate Webtrends Optimize security incident response plan
• Perform annual security and privacy assessment and reviews

Implementation of security controls rests with the management of each relevant function. Webtrends Optimize separates its SaaS Solutions production network and all associated functions from the general corporate IT. Webtrends Optimize IT Director is responsible for policies and security implementation within the SaaS environment.

3.4 Segregation of Duties

Only authorised personnel can administer systems or perform security management and operational functions. Authorisation for and implementation of changes are segregated responsibilities wherever appropriate to the organisation.

4  HUMAN RESOURCES SECURITY
4.1 Employee Screening

Webtrends Optimize has background checks performed on all employees at the time of hire (to the extent permitted by law), and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. Webtrends Optimize policy prohibits employees from using confidential information (including Client Data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.

An employee’s failure to cooperate fully in any background check and any dishonesty or omission of information pertaining to a background check by an employee precludes employment with Webtrends Optimize.

Background checks are performed by a reputable third party company for all full time and temporary employees.

Background checks differ by geography to account for local laws. In all cases, they include criminal checks, education and employment reports.

4.2 Terms of Employment

Webtrends Optimize operates an onboarding process including at a minimum the following steps:

• Communication to the new employees of policies, code of conduct and behavioral standards.
• Employee signature of the employment agreement (which includes a confidentiality agreement) and Webtrends Optimize Information Security Policy.
• Background checks (subject to local laws).

General information security responsibilities are documented in Webtrends Optimize Information Security Policy, which all employees must sign as part of their onboarding.

4.3 Training

General information security training is provided to all new employees (both full time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.

Development and SaaS Operations staff receives further training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.

4.4 Termination of Employment

Webtrends Optimize maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of any and all Webtrends Optimize and Client assets, disables or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) are terminated on or before the termination date. Webtrends Optimize uses pre-defined checklists to help ensure the consistency and completeness of the termination process.

5  ASSET MANAGEMENT

All data collected by Webtrends Optimize on behalf of its clients is the property of the respective clients and classified as highly confidential under Webtrends Optimize information classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.

Webtrends Optimize generally performs no additional encryption on data collected and stored within the Webtrends Optimize SaaS production environment. Content for delivery onto clients’ web page by Webtrends Optimize is encrypted both at rest and in transit.

5.1 Client Data Location

All client data is processed and stored in the Europe. Collected client data transits temporarily through Webtrends Optimize data collection centers in the United States, Europe, and Asia  for optimal performance based on the visitor’s location and the regional option selected by the client.

5.2 Media Handling

Webtrends Optimize Information Security Policy prohibits copying client data on removable media device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes and with the express authorisation from the client. This authorisation can be contingent on encryption being used.

All personnel who handle storage media used in the Webtrends Optimize SaaS solutions must comply with Webtrends Optimize SaaS Operations Data Handling Policy.

Webtrends Optimize’ decommissioning procedures are designed to prevent access to client data by unauthorised persons. Webtrends Optimize follows NIST Guidelines for Media Sanitization (Special Pub 800-88) to destroy data. All printed Confidential Information, including Client Data, is disposed of in secured containers for shredding.

Webtrends Optimize deletes all client data, other than backup copies held for disaster recovery purposes, on a scheduled basis following termination of contract.

6  ACCESS CONTROL & PHYSICAL SECURITY

Webtrends Optimize IT Director manages access control policies and procedures for the corporate network, and manages access control policies and procedures for the SaaS production network.

6.1 User Access Management

Accounts on Webtrends Optimize SaaS production network, including for network administrators and database administrators, are mapped directly to employees using unique identifiers based on employee names. Microsoft’s Active Directory enforces uniqueness. Generic administrative accounts are not used. Upon notification by HR as part of the formal termination notification process, all physical and system accesses are immediately adjusted to the new role or revoked both on Webtrends Optimize Corporate network and in Webtrends Optimize SaaS Solutions production network.

All accesses to Webtrends Optimize SaaS Operations network must be submitted by the requestor’s manager to the change management meeting. After review and approval, the request is logged for implementation.

Password complexity rules and account lockouts are enforced in all environments to protect against brute force dictionary attacks or other passwords threats.

Webtrends Optimize periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.

6.2 User responsibilities

Webtrends Optimize Information Security Policy requires employees to notify corporate IT immediately if they believe that the security of their password has been compromised. Employees must abide by all Webtrends Optimize policies, including all sections of the Information Security Policy.

6.3 System and Application Access Control

Authentication and robust access controls ensure that all clients’ confidential information is secured against unauthorized access. Users of Webtrends Optimize SaaS Solutions must be authenticated before they can access their data, and rights associated to their credentials control access to the logical structures containing their data.

Accesses to resources are controlled by explicit rights in all environments. Employees are given appropriate accounts on systems which they are authorised to access following the “least privilege” principle. Generally, access controls are provided by Microsoft’s Active Directory services and appropriate configuration of the operating system, file system and application settings.

Access to client data is limited to legitimate business need, including activities required to support clients’ use of the SaaS Solutions. Employees may only access resources relevant to their work duties. Processes ensure that any production data used by Webtrends Optimize Technical Support for testing (always with client consent) is automatically deleted after 14 days.

6.3.1 Data Access by Clients

Client end users are authorised only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.

Client end users are identified with a username and password. They authenticate to the system over an HTTPS connection.

6.3.2 Access control to program source code

Write access to Webtrends Optimize SaaS production source code is limited to the engineering staff. Anti-malware scans are performed during all build processes.

7  PHYSICAL AND ENVIRONMENTAL SECURITY

Webtrends Optimize SaaS Solutions infrastructure is physically separated from Webtrends Optimize corporate facilities and managed by an independent SaaS Operations team. Webtrends Optimize SaaS Solutions infrastructure uses Infrastructure-as-a-Service (IaaS) providers.

Access to all facilities is controlled by electronic key systems. Employees are educated about good practices to ensure physical security. Corporate headquarters have security guards on site 24 x 7 as well as CCTV monitoring, and all visitors must register and be accompanied during visits. Additional electronic access controls restrict access to critical areas to authorised personnel only.

8  SAAS OPERATIONS SECURITY

Webtrends Optimize SaaS Solutions infrastructure is managed by a team separate both from corporate IT and from development, and employs industry best practices such as default deny rules for firewalls, intrusion detection systems and automated patch management.

8.1 Documented Procedures

Webtrends Optimize maintains documented procedures that include at a minimum:

• security control measures for all systems in the environment;
• hardening – disabling of all non-essential processes and ports, removing all default users;
• patches deployed promptly on all applicable systems per manufacturer recommendation, and no more than within 30 days for critical security patches;
• change management procedures; and
• incident detection and management.

8.2 Change Management

Webtrends Optimize maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team. All key business owners such as Technical Support, Engineering, DevOps, Security, and SaaS Operations are represented at the daily change management meeting.

All deployments into production or change to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the change management meeting team prior to implementation.

Webtrends Optimize relies on well-defined processes, disciplined execution and continual training of staff. Webtrends Optimize operates an automated code deployment and configuration management system for its SaaS Solutions infrastructure.

All critical decisions must be approved by Webtrends Optimize IT Director

Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the SaaS environment to attacks, compromise the privacy and confidentiality of client data, or disrupt the availability of the SaaS Solutions.

Both scheduled and emergency changes are tested in separate environments, reviewed and approved by SaaS Operations, Engineering and Technical Support before deployment to the production environment. Emergency changes must be peer reviewed and may be initially made without formal authorisation. The Change Management process requires that all emergency changes must be documented and reviewed at the next Change Management meeting.

8.3 Capacity Management

Provisioning, configuration, and management software is used to maintain network configuration information and to catalog changes. Applications configuration is stored in a redundant location.

8.4 Separation of development, testing and operational facilities

All systems used for the Solutions are managed by the Webtrends Optimize SaaS Operations team, which is separate (both from a network domain perspective, and from a staffing perspective) from corporate network resources. All access is limited to the least privilege needed and requires authentication. Access logs are reviewed at least quarterly.

Administrative access to SaaS Operations resources is limited to SaaS Operations personnel and authentication requires a separate set of credentials.

Promotion of code from engineering into production is controlled by the change management process, and the SaaS Operations team manages all deployments into the production environment. Testing, other than deployment validation, is prohibited in the production environment.

8.5 Protection against Malware

Webtrends Optimize deploys anti-malware software with automatic scanning and update on all workstations; installs anti-malware software on all Windows external-facing web servers with weekly scans; and scans all deployed code for malware.

Systems are scanned continuously. Updates are managed and pushed out via workstation/server policy management. Definitions are automatically updated. Employees cannot disable the solution. Where optimal performance precludes active scanning, anti-virus scans are scheduled weekly.

Webtrends Optimize uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks and malware.

8.6 Data Backup

Webtrends Optimize stores all client data in the SaaS production environment on fully redundant storage systems, and utilises either a multi-tiered backup approach. Backups are stored in secure containers and transferred offsite weekly for storage in a secure, environmentally controlled, reputable third party data archive facility. Only Webtrends Optimize SaaS Operations employees have access to backup media.

Container lists are logged by the backup storage provider as they rotate offsite and backup sets within containers are maintained by SaaS Operations. All backup media are tracked within the backup software and matched to each job processed. Backup media is barcode-labeled for tracking.

8.7 Logging and Monitoring

Webtrends Optimize maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal pattern and unauthorised access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralised in a limited-access system that prevents deletion and changes.

24×7 monitoring of critical network events with intrusion detection system (IDS) and log aggregation with industry standard enterprise application management solution gives Webtrends Optimize SaaS Operations the ability to identify and address any unauthorised access to assets (including access to client data) within the SaaS production network, and perform trend analysis and risk assessment. This includes outside threats as well as internal users as the SaaS infrastructure is behind firewalls in both cases. Alerting is in place to notify Webtrends Optimize SaaS Operations team of any issue.

Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client.

8.8 Technical Vulnerability Management

Webtrends Optimize subscribes to manufacturers and independent security notification services to monitor potential external threats.

Manual and automated vulnerability testing are performed during the development process. Webtrends Optimize engages an independent third party security firm annually to conduct a vulnerability scan of all external-facing (public) infrastructure devices and application penetration test of its Solutions.

Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.

8.8.1 Hardening Controls

Specifically regarding ensuring that applications remains configured to build standards, Webtrends Optimize SaaS Operations uses automated tools and documented procedures to build and configure all network equipment, systems and servers from predefined build configuration procedures in accordance with good industry practices such as NIST. All systems, platforms and applications are configured to minimize security risks. Specifically:

• Webtrends Optimize follows manufacturers hardening recommendations and documented standard operating procedures;
• Webtrends Optimize disables unnecessary ports, protocols, services and features;
• Only necessary components, scripts, drivers, web services are included and enabled;
• Only enable hardware ports as needed;
• All new systems are deployed with most recent patches;
• Password parameters are configured to comply with Webtrends Optimize standards; and
• All systems are monitored and protected with anti-malware software.

8.8.2 Patch Management

Webtrends Optimize operates a commercial patch management solution to maintain network device, system, OS and application level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. Webtrends Optimize deploys security patches released by the vendors as necessary to development, testing, and production systems after validation in pre-production environment.

Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on Webtrends Optimize review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency is evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. is the service being patched enabled in the environment) and threat severity (likelihood x impact).

9  COMMUNICATIONS SECURITY
9.1 SaaS Network Security Management

Network-based intrusion detection systems (IDS) monitor network traffic and activity for intrusion and Webtrends Optimize SaaS Operations personnel leverages multiple network and application monitoring tools to continuously scan for errors or suspicious activities. Webtrends Optimize hosted environment is completely separate from Webtrends Optimize corporate environment. Access is restricted to SaaS Operations personnel, and authentication requires a separate set of credentials.

Comprehensive and centralised system and application logging and monitoring facilitate alerting, trend analysis, and risk assessment. A network configuration management tool tracks and catalog changes, which are reviewed. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected client.

With fault tolerance and redundancy as guiding principles, Webtrends Optimize deploys appropriate, modern, and warranty-backed servers to host the application and database environment for SaaS Operations. In addition, Webtrends Optimize SaaS Solutions infrastructure includes a mix of redundant data storage arrays, near line backups and off-site backups for client data.

9.2 Segregation in Networks

Webtrends Optimize production infrastructure uses separate segments for the web and storage layers with a multi-perimeter stateful firewall configuration between the Internet and the demilitarized zone (DMZ). Data storage and processing servers have no externally exposed services.

9.3 Information Transfer

Webtrends Optimize clients access the Webtrends Optimize environment via the public Internet. All data transfers from Webtrends Optimize SaaS Solutions must use secure protocols; all data transfers to Webtrends Optimize SaaS Solutions default to secure protocols.

9.4 Confidentiality and Non-Disclosure Agreements

All Webtrends Optimize employees must sign Webtrends Optimize confidentiality agreement at the time they join the organisation. Upon termination, employees are provided another copy of their agreement.

Webtrends Optimize requires a non-disclosure agreement or confidentiality clauses in all contracts of third parties accessing computing facilities or information assets as well as prior to sharing or providing access to any confidential information outside of Webtrends Optimize, whether verbally or in writing.

10   SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
10.1   Security Requirements

Webtrends Optimize development methodology uses security significant requirements and threat modeling to ensure security concerns are considered and addressed during design.

10.2   Security in Development and Support Process

Webtrends Optimize follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology.

Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our main test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation, and recovery testing.

Webtrends Optimize uses defense in depth best practices and validates them using both internal and third party security vulnerability scans.

Code reviews are part of the application development process. The internal quality assurance function also exhaustively tests all application end-points for vulnerabilities, including those identified in OWASP Top Ten.

The development process includes a review of all embedded third party components to ensure that security updates are incorporated. Use of open source software is subject to technical and legal review and approval.

11   SUPPLIER RELATIONSHIPS

Webtrends Optimize may use contractors for development and testing tasks. These individuals work under the direct supervision of Webtrends Optimize employees and may have access to client data where contractually permitted.

Webtrends Optimize doesn’t give suppliers direct access to client data or network/equipment management responsibility. 

Webtrends Optimize uses exclusively world renown third party suppliers with stellar background, such as Microsoft (for cloud infrastructure)

Webtrends Optimize reviews SOC2 reports and/or ISO certification of its infrastructure providers to confirm their adherence to industry standard security and operational requirements.

12   INCIDENT PROCESS

Webtrends Optimize has developed a robust Security Incident Response Process (SIRP) to address security and privacy related events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.

The SIRP core team is composed of senior employees with an executive sponsor reporting directly to Webtrends Optimize CEO. This team is deployed and disbanded for each event and meets periodically in the absence of events for training and process maintenance. The SIRP process identifies key roles to facilitate the effective coordination of Webtrends Optimize response to a security incident, and defines a secure methodology for the confidentiality of all information and communication.

Incidents are triaged in three impact categories, each with different response levels:

• Severity 1 – Critical incidents involving a successful breach trigger the immediate deployment of the process.
• Severity 2 – Significant incidents involving an unsuccessful breach attempt trigger the deployment of the process within business work hours.
• Severity 3 – Benign incidents such as probes not requiring change to systems do not trigger the deployment of the team, but are logged and a retrospective is performed as part of the next SIRP meeting.

The SIRP process is based on industry standard best practices and methodology. It specifies roles and responsibilities as well as priorities for each of the six phases:

• Identification – Alerts may come from a variety of sources, typically our Technical Support, IT and SaaS Operations teams, or automatically from monitoring systems. These teams are trained in the identification and escalation processes.
• Triage – The team evaluates the criticality of the incident based on defined guidelines, logs the incident and triggers the formal deployment of the SIRP if necessary.
• Containment – The first goal of the SIRP team is to prevent the situation from getting worse and keep client data safe. During this phase, the team isolates compromised systems and starts planning for the following phases.
• Eradication – Once the situation is under control, the SIRP team moves to mitigate the impact of the incident and resolve the immediate situation. It identifies the root cause of the incident and prepares for the recovery by documenting known facts and identifying impacted clients, if any.
• Recovery – The recovery phase starts as soon as possible, but may require the eradication phase to be complete. Systems are returned to normal operation, patches or configuration changes are applied, documentation is finalised and communications go out to necessary parties.
• Retrospective – This critical phase allows Webtrends Optimize to learn from the incident. Documentation of the incident as well as the response process are reviewed to identify, define and deploy needed improvements to process, policies, system configurations, etc.

Security incidents are managed by Webtrends Optimize Security Incident Response Process team. All communications with clients in case of security or privacy incident will be through our support team, using Webtrends Optimize Portal at https://status.webtrends-optimize.com (client users can subscribe to the Slack feed for push notification) and agreed upon contacts.

Webtrends Optimize Technical Support team will notify client contacts assigned to the account as soon as possible after confirming them as being affected by a security or privacy breach or by a DR event, but in any event within 24 hours for significant events and within 2 business days for non-critical events.

13   BUSINESS CONTINUITY & DISASTER RECOVERY
13.1   Disaster Recovery Plan

Webtrends Optimize maintains and tests a business continuity plan (BCP) and disaster recovery (DR) plan that prioritises critical functions (such as data collection) supporting the delivery of its Solutions to its clients. Under such a plan, the disruption resulting from a complete site outage at a data collection center would be limited to single geographic region and would only last for a few minutes while traffic gets automatically rerouted. Webtrends Optimize retains DR archives of Client Data for up to two years after the backup. Webtrends Optimize SaaS Operations team performs a comprehensive annual risk assessment.

13.2   Monitoring and Communication

We establish continuous monitoring of each system, throughout the application, and in each location where data is stored and moved. Monitoring is a critical component of everything we do.

A system-level failure, for any component in the Webtrends Optimize SaaS solutions environment, is easily identified and resolved through Webtrends Optimize 24×7 SaaS Operations Center. When monitoring detect a failure, failed systems are automatically removed from the production environment, and the SaaS Operations team is alerted and resolves the issue or escalates to the appropriate vendor as needed.

13.3   Risk Assessment

Webtrends Optimize BCP & DR planning take into account all relevant threats as well as the criticality of each part of the SaaS Solutions. Webtrends Optimize SaaS Solutions disaster recovery strategy focuses on the following priorities:

1. Protection of client’s website
2. Maintaining uninterrupted data collection
3. Protection of client’s website visitors from adverse impact
4. Limiting data processing and access disruption

13.4   Testing Disaster Recovery Plans

Webtrends Optimize takes advantage of the distributed architecture of its SaaS Solutions to exercise critical aspects of its disaster recovery routinely when significant organisational or environmental changes are necessary. Other less critical aspects such as events affecting data storage are tested less frequently.

Disaster recovery plans for the most critical parts of the solution (data collection) are exercise quarterly at minimum, and tabletop exercises performed annually for the data processing functions.

13.5   Redundancy

Webtrends Optimize maintains Client Data within the Solutions production environment on fully redundant or replicated storage systems, utilises a multi-tiered backup approach, and transfers backup media in locked containers for storage in a secured offsite location.  Webtrends Optimize SaaS Solutions extends redundancy beyond storage through the entire infrastructure, from load balancers and processing engines, to power and telecommunication providers. Specifically:

• Webtrends Optimize data collection environment (the most critical part of the infrastructure) is architected for high availability. Webtrends Optimize leverages global load balancing and multiple data centers in North America, Europe and Asia to ensure uninterrupted data collection.
• Each data collection instance is independent and scaled to accordingly. Unavailability of any data collection instance does not result in any data collection failure as the other data collection instances automatically adjust and are scaled to absorb the load from the failed instance(s).
• A full data collection data center failure is automatically resolved. If our sophisticated monitoring detects a failure of a data center, internet traffic is automatically re-routed to the remaining data centers. This allows Webtrends Optimize SaaS Operations team to troubleshoot the issue with the failed data center, escalate as needed to the appropriate vendor(s), and resolve the issue. All of this occurs without client impact, and all data is collected as expected.
• A failure in the primary Webtrends Optimize SaaS solutions processing centre may involve some manual intervention on the part of the Webtrends Optimize SaaS Operations team depending on the level of severity and complexity of the issue. In the unlikely event of complete data center failure, the SaaS Operations team has instructions and recovery steps to bring the solution back online in the most expeditious manner at an alternate data center.

14   COMPLIANCE

Webtrends Optimize complies with statutory and regulatory requirements, and uses reasonable efforts to comply with applicable industry standards.

14.1   Compliance with Legal Requirements

For personal data that is subject to the EU Data Protection Directive:

• Privacy Shield Self-Certification. Webtrends Optimize self-certifies that: (i) it complies with the U.S.-EU Privacy Shield principles and meets the requirements of the U.S.-EU Privacy Shield framework; and (ii) all Client Data transferred from the EU to the U.S. will be processed in accordance with those requirements.
• S.-Swiss Safe Harbor Self-Certification. Webtrends Optimize self-certifies that: (i) it complies with the U.S.-Swiss Safe Harbor principles and meets the requirements of the U.S.-Swiss Safe Harbor framework; and (ii) all Client Data transferred from Switzerland to the U.S. will be processed in accordance with those requirements.

Webtrends Optimize is a data processor in the definition set out by the European Data Protection Directive 95/46/EC.

14.2   Independent review of information security

In addition to thorough internal quality assurance testing, Webtrends Optimize runs a monthly security scan of the SaaS production environment and engages annually a reputable third party security firm to conduct a comprehensive application penetration test and network vulnerability scan of Webtrends Optimize SaaS Solutions.

The primary objective of these scans and tests is to gain independent third-party validation of Webtrends Optimize security stance and provide actionable recommendations for mitigation of any risks that may have been identified.

Both white box and black box testing are used to assess both the strength of the environment through a penetration test, and the defenses against known application vulnerabilities using guidelines from OWASP.

All critical issues confirmed are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process