Five to Nine Security Overview

Introduction

Five to Nine is a SaaS company dedicated to streamlining and scaling event programs on a single platform. Our solution lets event organizers create and manage events, measure the impact of those events through surveys and analytics, and integrate with the tools employees already use. Ensuring a high level of data security is our top priority. Safeguarding your sensitive information and establishing a secure environment for every user are non-negotiable principles at the core of our operations. This document outlines our commitment to data protection, regulatory compliance, and proactive security measures across all aspects of our operations.

Key Highlights

  • We hold a SOC 2 Type II report attesting to the controls we operate to safeguard your data, and we support compliance with the General Data Protection Regulation (GDPR)

  • Our infrastructure is hosted on AWS, whose data centers are covered by SOC 2 Type II reports and ISO 27001 certification

  • Rigorous data classification, data deletion, and data protection policies are in place to ensure the confidentiality, integrity, and availability of your data

  • Data transmission is protected via HTTPS encryption (via TLS 1.2) for data in transit to or from the application

  • Data integrity measures are in place to prevent corruption of customer data due to malfunctioning within the application or its supporting servers

  • Measures are in place to encrypt data in transit and at rest. In addition, Five to Nine uses data filtering and pseudonymisation when sharing customer data with sub-processors

  • We continuously scan our applications for vulnerabilities, using a combination of static source code analysis and dynamic testing

  • All engineering employees are trained in security practices and are responsible for maintaining service health

Information Security Policy

This section provides an overview of how Five to Nine prioritizes the security of your data. We have implemented robust physical and logical controls to ensure the safety of your information. In the following paragraphs, we will explain our approach to protecting your data, including physical access controls, logical and data access controls, network security, application security, operational security, and our commitment to compliance, certifications, and personnel security. We understand the importance of safeguarding your data and are dedicated to maintaining a secure environment for our customers.

Physical Access Controls

Cloud Data Centers

Five to Nine utilizes Amazon Web Services (AWS), hosted in the us-east-1 region (US East, Northern Virginia), to provide cloud infrastructure and hosting services. By utilizing AWS, Five to Nine is able to take advantage of their advanced security controls and monitoring tools.

Physical Access Control

Amazon Web Services holds SOC 2 Type II reports and ISO 27001 certification. AWS maintains on-site security, CCTV monitoring, and physical access controls 24 hours a day, 7 days a week.

Logical and Data Access Controls

Engineering Personnel

Five to Nine’s engineering department is responsible for the ongoing monitoring of security infrastructure, review of provided services, and incident response. All engineering employees are trained in security practices and are responsible for maintaining service health.

Authorization Management

Five to Nine personnel with access to customer data or infrastructure management are required to authenticate themselves via local access controls with multi-factor authentication in order to access services. Any access to customer data by a Five to Nine employee is logged in real time, with oversight from the Head of Engineering. Additionally, Five to Nine has implemented these data access measures:

  • Data Classification, Data Deletion, and Data Protection Policies: Five to Nine’s internal data access processes and policies are designed to limit access to only those with a legitimate business purpose, control how information is transferred/stored based on the nature of the information, and prevent inappropriate access to systems with customer data.

  • Access Management: Five to Nine employs a centralized access management solution to control personnel access to production servers. Network based authentication systems are utilized by Five to Nine to grant access only to approved employees for specific purposes as described by the System Access Control Policy. Five to Nine requires the use of unique user IDs, strong passwords, multi-factor authentication, and access lists where available to access servers. Five to Nine personnel are granted access based on: the authorized employee’s job title & responsibilities, job duty requirements necessary to perform authorized tasks based on least privilege, and a need to know basis.

  • Access Controls: Security events for usage of Five to Nine’s application as well as access to cloud services, including login failures, use of privileged accounts, changes to access models or file permissions, and changes to user permissions or privileges, are logged on the relevant systems. Logs are generated through monitoring and alerting systems in AWS, and are held for up to a year depending on the system.
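
The event classes listed above (login failures, use of privileged accounts, permission changes) are the ones a detection rule over the AWS audit trail would key on. The following is an added example, not Five to Nine’s own code: it reads AWS CloudTrail records in their documented JSON shape (eventName, eventSource, userIdentity, responseElements, requestParameters) and flags a burst of console login failures from one actor and IP, any use of the account root user, and IAM calls that change a principal’s privileges. The sample records, the failure threshold of three, and the list of privilege-changing API names are constructed for this example.

```python
"""Detection over AWS CloudTrail records for the event classes listed in the section.
Added example; records below are constructed in CloudTrail's {"Records": [...]} file shape."""
import json
from collections import Counter

# IAM API calls that grant or alter privileges (a starting list, not exhaustive).
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AddUserToGroup", "CreateAccessKey", "UpdateAssumeRolePolicy",
}
FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value for this example


def _failed_login(ts, user="alice", ip="203.0.113.10"):
    """Constructed ConsoleLogin failure record (shape follows CloudTrail sign-in events)."""
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}


# Constructed trail: three failed logins, a root console login, an IAM privilege grant, normal S3 traffic.
SAMPLE_TRAIL = json.dumps({"Records": [
    _failed_login("2024-05-01T09:00:01Z"),
    _failed_login("2024-05-01T09:00:07Z"),
    _failed_login("2024-05-01T09:00:12Z"),
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-server/i-0abc"}},
]})


def actor(ev):
    """Best available principal label: IAM user name, else ARN, else identity type."""
    ident = ev.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(records):
    """Single pass over time-ordered records; returns a list of finding dicts."""
    findings = []
    failures = Counter()  # (actor, source_ip) -> consecutive failure count
    for ev in records:
        name = ev.get("eventName")
        who, ip = actor(ev), ev.get("sourceIPAddress")
        # Use of privileged accounts: any activity by the account root user.
        if (ev.get("userIdentity") or {}).get("type") == "Root":
            findings.append({"rule": "root_account_use", "actor": who, "source_ip": ip, "detail": name})
        # Login failures: alert once when the same actor/IP pair reaches the threshold.
        if name == "ConsoleLogin" and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            failures[(who, ip)] += 1
            if failures[(who, ip)] == FAILED_LOGIN_THRESHOLD:
                findings.append({"rule": "repeated_login_failure", "actor": who, "source_ip": ip,
                                 "detail": f"{FAILED_LOGIN_THRESHOLD} failures"})
        # Changes to user permissions or privileges: IAM mutations from the list above.
        if ev.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_CHANGE_EVENTS:
            params = ev.get("requestParameters") or {}
            target = params.get("policyArn") or params.get("userName") or ""
            findings.append({"rule": "privilege_change", "actor": who, "source_ip": ip,
                             "detail": f"{name} {target}".strip()})
    return findings


def detect_from_trail(text):
    """Parse a CloudTrail log file body and run the detector over its records."""
    return detect(json.loads(text)["Records"])


if __name__ == "__main__":
    for finding in detect_from_trail(SAMPLE_TRAIL):
        print(finding)
```

Running the block prints three findings: the third failed login for alice from 203.0.113.10, the root console login, and bob being granted AdministratorAccess. The S3 read by the application role produces nothing, which is the point of scoping the rules to the listed event classes rather than to volume.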

Network Security

Intrusion Detection

Intrusion detection is designed to provide insight into ongoing attack activities and detailed information to respond to incidents. The intrusion detection measures used by Five to Nine include:

  • Controlling the size and shape of Five to Nine’s attack surface through preventative measures

  • Employing intelligent detection controls at data entry and egress points

  • Employing technologies that automatically remedy or prevent certain dangerous situations

Data Transmission

Five to Nine utilizes HTTPS encryption (via TLS 1.2) for data in transit to or from the application. Clear text HTTP connections are disabled and automatically redirect to a secure connection.
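
The two properties stated above can be verified from the outside: a plaintext request must be answered with a redirect to the same resource over https, and the TLS endpoint must refuse handshakes below TLS 1.2. The following is an added example, not Five to Nine’s own code. The first function judges a plaintext response from its status and headers; the second builds a server-side TLS context with the standard library’s ssl module that sets TLS 1.2 as the floor. The URL, host names and responses are constructed for the example, and treating only 301 and 308 as acceptable is this example’s own assumption.

```python
"""Checks for the HTTP-to-HTTPS redirect and the TLS 1.2 minimum described in the section.
Added example with constructed hosts and responses."""
import ssl
from urllib.parse import urlsplit


def check_plaintext_redirect(requested_url, status, headers):
    """Return a list of problems with how a plaintext request was answered; empty means correct."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if status not in (301, 308):  # assumption: permanent redirects only
        problems.append(f"status {status}: expected a permanent redirect (301 or 308)")
    location = hdrs.get("location")
    if location is None:
        problems.append("no Location header, client would stay on plaintext")
        return problems
    req, loc = urlsplit(requested_url), urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"redirect target is {loc.scheme or 'relative'}, not https")
    if loc.hostname != req.hostname:
        problems.append(f"redirect leaves the requested host ({req.hostname} -> {loc.hostname})")
    if loc.path != req.path or loc.query != req.query:
        problems.append("redirect drops or alters the original path/query")
    return problems


def server_tls_context():
    """Server context that accepts TLS 1.2 and newer only; TLS 1.0/1.1 handshakes are refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed responses to GET http://app.example.com/events?org=1
REQUEST_URL = "http://app.example.com/events?org=1"
GOOD_RESPONSE = (301, {"Location": "https://app.example.com/events?org=1"})
BAD_RESPONSE = (302, {"Location": "http://cdn.example.net/"})   # temporary, plaintext, off-host, path lost
NO_REDIRECT = (200, {"Content-Type": "text/html"})               # plaintext page served as-is

if __name__ == "__main__":
    for label, (status, headers) in [("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE), ("none", NO_REDIRECT)]:
        print(label, check_plaintext_redirect(REQUEST_URL, status, headers) or "ok")
    print("minimum TLS:", server_tls_context().minimum_version.name)
```

In practice the status and headers come from an HTTP client pointed at port 80, and the TLS floor is confirmed by attempting a handshake with a client context whose maximum_version is TLSv1_1 and expecting it to fail; both need a live endpoint, so the block works on recorded responses instead.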

Application Security

Software Development

Five to Nine utilizes static code analysis in addition to manual code review to increase the security of code used to provide the application. Any code change is reviewed and approved based on peer review prior to staging the code. All development for the application is done as described in the Software Development Lifecycle Policy document.

Data Integrity

Measures are in place to prevent corruption of customer data due to malfunctioning within the application or its supporting servers. These include: patch management, change control procedures, QA testing prior to release, ACID compliant databases, and logging of all changes to production systems.

Data Confidentiality

Five to Nine has implemented measures to encrypt data in-transit and at-rest. In addition Five to Nine uses data filtering and pseudonymisation when sharing customer data with sub-processors.

In-application Security

Five to Nine offers additional application security measures including multi-factor authentication, single sign-on, role based access permissions, segregation of duties, logical separation of customer data, and exportable event logs.

Operational Security

Redundancy

Five to Nine infrastructure systems are designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. To provide this redundancy, Five to Nine utilizes an elastic compute infrastructure and multiple availability zones to spread data and processing operations to sustain function of the application in the event of failure.

Server Operating Systems

Five to Nine uses the Amazon Linux server operating system, provided by Amazon Web Services as an Amazon Machine Image (AMI). AWS employs a team of security professionals who are responsible for continual hardening and mitigation of known vulnerabilities within their operating system image. Data in the application’s production environment is stored using whole disk encryption with AES-256.

Business Continuity

Five to Nine replicates critical data over multiple systems and locations to help protect against accidental destruction or loss of data. Customer data is backed up daily and backups are encrypted with AES-256. Five to Nine has implemented and regularly tests its business continuity plan and disaster recovery plan.

Customer Data

Data Storage and Separation

Customer data is stored in a multi-tenant environment on public cloud servers. Five to Nine logically separates customer data at the application and API layers, and conducts tests regularly to confirm logical separation is maintained.
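
Logical separation in a shared database comes down to one rule: every statement the application issues carries the tenant identifier bound from the authenticated session, for writes as well as reads, and a regular test walks every row from every tenant’s point of view to confirm the rule holds. The following is an added example, not Five to Nine’s own code or schema; it uses an in-memory SQLite database with a constructed organizations/events schema to show the scoped repository, the unscoped lookup it replaces (the classic insecure direct object reference), and an isolation check that counts violations.

```python
"""Tenant-scoped data access with an isolation check. Added example; schema and rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE events (
    id     INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organizations(id),
    title  TEXT NOT NULL
);
CREATE INDEX events_by_org ON events (org_id);
"""


class TenantNotFound(LookupError):
    """Raised for rows outside the caller's tenant; identical to the error for a nonexistent id,
    so a caller cannot distinguish 'belongs to another tenant' from 'does not exist'."""


class EventRepository:
    """Every statement includes `org_id = ?`, bound once from the authenticated session."""

    def __init__(self, conn, org_id):
        self._conn = conn
        self._org_id = org_id

    def get_event(self, event_id):
        row = self._conn.execute(
            "SELECT id, org_id, title FROM events WHERE id = ? AND org_id = ?",
            (event_id, self._org_id),
        ).fetchone()
        if row is None:
            raise TenantNotFound(event_id)
        return {"id": row[0], "org_id": row[1], "title": row[2]}

    def list_events(self):
        rows = self._conn.execute(
            "SELECT id FROM events WHERE org_id = ? ORDER BY id", (self._org_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def rename_event(self, event_id, title):
        # Writes are scoped too: a guessed id in another tenant matches zero rows.
        cur = self._conn.execute(
            "UPDATE events SET title = ? WHERE id = ? AND org_id = ?",
            (title, event_id, self._org_id),
        )
        if cur.rowcount == 0:
            raise TenantNotFound(event_id)


def unscoped_lookup(conn, event_id):
    """The failure mode the repository prevents: an id-only query returns whichever
    tenant's row carries that id, so a guessed id reads across the tenant boundary."""
    return conn.execute("SELECT org_id FROM events WHERE id = ?", (event_id,)).fetchone()[0]


def can_see(conn, org_id, event_id):
    """True if a session bound to org_id can read the event."""
    try:
        EventRepository(conn, org_id).get_event(event_id)
        return True
    except TenantNotFound:
        return False


def isolation_check(conn):
    """Probe every event from every tenant's session; return the number of violations.
    A violation is a cross-tenant read or write that succeeds, or an owner that cannot reach its own row."""
    orgs = [r[0] for r in conn.execute("SELECT id FROM organizations")]
    violations = 0
    for event_id, owner, title in conn.execute("SELECT id, org_id, title FROM events").fetchall():
        for org in orgs:
            readable = can_see(conn, org, event_id)
            try:
                EventRepository(conn, org).rename_event(event_id, title)  # same title: no data change
                writable = True
            except TenantNotFound:
                writable = False
            if (readable or writable) != (org == owner):
                violations += 1
    return violations


def build_demo_db():
    """Two constructed tenants sharing one events table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organizations VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)",
                     [(10, 1, "Acme all-hands"), (11, 1, "Acme offsite"), (20, 2, "Globex town hall")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("isolation violations:", isolation_check(db))
    print("Acme sees event 20:", can_see(db, 1, 20), "| unscoped lookup of 20 returns org", unscoped_lookup(db, 20))
```

The check is cheap enough to run against a staging copy on every deployment; any refactoring that drops the `org_id` predicate from a single query turns the violation count non-zero immediately.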

Data Minimization

At the customer’s request, Five to Nine will provide information on the types of data to be collected through normal usage of the application. In addition, Five to Nine will keep data only as long as necessary in accordance with the Data Deletion Policy.

Data Retention and Deletion

Five to Nine provides customers the ability to request data deletion by emailing customersuccess@fivetonine.co with clear and concise documentation on the data that needs to be deleted. Customer data will be retained as long as the account is in an active contract with Five to Nine. When a customer account becomes inactive, customer data is retained for 365 days, after which point it is permanently deleted. Backup data is stored AES-256 encrypted and is retained for 7 days.

Data Portability

Five to Nine makes available to customers the ability to export certain data elements directly via Five to Nine’s external API endpoints. Five to Nine can assist with special data export requests (e.g. legal holds and legal exports) made to the customer support representative assigned to the customer.

Localized Data Hosting

By using the application, the customer consents to storage of Customer Data in the United States or as noted elsewhere by Five to Nine’s sub-processors.

Pseudonymisation and Encryption

Five to Nine will ensure data is encrypted in transmission to and from the application. In addition, Five to Nine will keep all data encrypted at rest with whole disk encryption using AES-256. Five to Nine also applies data filtering and pseudonymisation at all egress points used to share data with Five to Nine’s sub-processors.
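
The egress controls named above, and in the Data Confidentiality section earlier, are two separate steps: filtering keeps only the fields a given sub-processor needs, and pseudonymisation replaces the identifiers that do pass through with tokens the recipient cannot reverse. The following is an added example, not Five to Nine’s own code, showing one way to implement both. Identifiers are replaced with a keyed HMAC rather than a plain hash, because a plain hash of a small identifier space (numeric user ids, corporate email addresses) can be rebuilt by enumeration; the key is derived per recipient so two sub-processors cannot join their datasets on the pseudonym. The record, field names, recipient names, allowlists and master key are all constructed for the example.

```python
"""Filtering and pseudonymisation before customer data leaves for a sub-processor.
Added example; record, recipients, allowlists and key are constructed."""
import hashlib
import hmac

# Constructed attendee record as an application might hold it.
ATTENDEE = {
    "user_id": 4711,
    "email": "ana.lopez@example.com",
    "full_name": "Ana Lopez",
    "department": "Sales",
    "event_id": 88,
    "rsvp": "yes",
    "survey_score": 4,
    "manager_notes": "wants to speak at next offsite",
}

# Per-recipient allowlists (constructed): what each sub-processor needs and nothing more.
ALLOWLISTS = {
    "analytics-vendor": {"user_id", "department", "event_id", "rsvp", "survey_score"},
    "survey-vendor": {"user_id", "event_id", "survey_score"},
}
# Direct identifiers: pseudonymised whenever an allowlist lets them through.
IDENTIFIERS = {"user_id", "email"}

# Constructed master key. In production it lives in a secrets manager and never reaches a recipient.
MASTER_KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")


def recipient_key(master_key, recipient):
    """Derive a distinct key per sub-processor so pseudonyms are not linkable across recipients."""
    return hmac.new(master_key, f"subprocessor:{recipient}".encode(), hashlib.sha256).digest()


def pseudonymise(value, key, field):
    """Keyed, deterministic replacement: the same value maps to the same token for one recipient
    (so the recipient can still count distinct users), but without the key the token can be
    neither reversed nor rebuilt by enumerating candidate values."""
    message = f"{field}={value}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def prepare_for_subprocessor(record, recipient, master_key=MASTER_KEY):
    """Apply the recipient's allowlist (filtering), then tokenise any identifiers that remain."""
    allowlist = ALLOWLISTS[recipient]
    key = recipient_key(master_key, recipient)
    out = {}
    for field, value in record.items():
        if field not in allowlist:
            continue  # data filtering: fields the recipient does not need never leave
        if field in IDENTIFIERS:
            out[field] = pseudonymise(value, key, field)  # pseudonymisation
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    for recipient in ALLOWLISTS:
        print(recipient, prepare_for_subprocessor(ATTENDEE, recipient))
```

Because the tokens are deterministic per recipient, a deletion request can be honoured downstream by recomputing the user’s token for that recipient and asking the sub-processor to purge it, without ever sending the real identifier.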

Restore Data from Data Loss

Five to Nine’s relational databases and cache data stores are automatically backed up in a secure fashion daily. Should data loss occur, Five to Nine will be able to recover data contained in these backups.

Data Breach Management

If Five to Nine becomes aware of a data breach, Five to Nine will notify customers of the data breach within a period not to exceed 48 hours from confirmation of the data breach. Five to Nine will take reasonable steps to minimize harm and secure customer data. Notification(s) of any data breach will be communicated to customers, users, and the public.

Personnel Security

Background Checks

Five to Nine conducts employee background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Employee Training

Five to Nine employees are required to sign a confidentiality agreement, undergo security training, and complete additional requirements appropriate to their role.

Employee Code of Conduct

Five to Nine employees are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

Authorized Sub-processors

Prior to onboarding sub-processors, Five to Nine conducts a selection process to evaluate the sub-processors’ security, privacy, data protection, and confidentiality practices and to assess that sub-processors provide a level of security, data protection, and privacy appropriate to their access to data and the scope of the services they are engaged to provide.

Privacy Policy

At Five to Nine, we deeply value your privacy and are committed to protecting and using the personal data we collect about you in a responsible manner. Our Privacy Policy outlines how we safeguard and utilize your personal information when you use our platform and engage with our services.

As a user, you can trust that we prioritize the security and confidentiality of your data, and we adhere to the principles outlined in our Privacy Policy to ensure your privacy is respected at all times. Rest assured that your personal data is handled with the utmost care and in compliance with applicable regulations.

If you would like to learn more, please view our privacy policy.

More Information

If you would like to learn more about our security policy and additional documents, please contact us via email. Please note that, in order to access more detailed documents and policies, you may be required to sign a Non-Disclosure Agreement (NDA).