This document covers the data security, retention and protections currently in place for the Siteimprove modules:
- Quality Assurance
- Search Engine Optimization (SEO)
To ensure service availability and security, Siteimprove has implemented the following data protection and monitoring controls:
- The Siteimprove Intelligence Platform is only accessible over HTTPS using TLS 1.2. If the customer's browser does not support TLS 1.2, the connection will be downgraded to TLS 1.1 or TLS 1.0. SSLv3.0, SSLv2.0 and anything lower are prohibited.
- Redundant firewalls and infrastructure are in place to protect the Siteimprove Intelligence Platform against hardware failure.
- All internal Siteimprove site-to-site communication is either encrypted or uses MPLS connectivity. Crawling traffic uses the protocols offered by the website (HTTP/HTTPS). If HTTPS is enforced, the data will be encrypted from the customer website to Siteimprove’s infrastructure. Only client data scanned from an HTTPS-enabled site will be encrypted during transport. In the case of intranets, client data scanned over HTTP will still be encrypted over the internet due to the overlying VPN connection.
- The data in the Siteimprove Intelligence Platform is only available to authenticated users. Passwords are salted and hashed using SHA512.
- The Siteimprove Intelligence Platform is continuously monitored for service and hardware availability.
All customer data in the Siteimprove Intelligence Platform is backed up on a daily basis to a local server in the Siteimprove data center (Interxion). Once a week, a single full backup is copied from the data center to the off-site backup location.
Data storage locations and physical security
Interxion is the primary hosting location for the Siteimprove Intelligence Platform infrastructure. Interxion is located in Ballerup, Denmark. Only a limited number of named Siteimprove employees have physical access to the data center.
Interxion is a state-of-the-art data center provider with:
- Power delivery with 99.999% SLA
- Temperature and humidity are monitored 24x7 and are in line with ASHRAE recommendations
- Diverse ISP connectivity
- A very early smoke detection system is installed with direct lines to fire stations
- Automatic gas-based fire suppression systems
- Fire-retardant walls
- Trained security staff on site 24x7
- Five layers of physical security
- Access tokens in combination with biometric data and mantraps are used for data center entry
- CCTV video surveillance
Interxion has access procedures in place for personnel and goods entry and maintains an access log for all entry to the data center.
Interxion is an ISO 27001:2013 (information security) and ISO 22301:2012 (business continuity) certified data center provider. Interxion also undergoes a yearly SOC2 audit. Both the certificates and the audit report can be provided to customers upon request.
Further information about Interxion can be found on their website.
The Siteimprove headquarters is located in Copenhagen and is used for storage of off-site backups of the Interxion data center.
The backups are stored in the Siteimprove headquarters data center, which has redundant cooling, UPS backup power with an attached diesel generator and a fire suppression system. The data center is only accessible by a few named Siteimprove employees using access tokens, and any access to the data center is logged centrally.
Amazon Web Services (AWS)
AWS in Frankfurt, Germany is used by Siteimprove for storage of PDF and HTML files collected by the Quality Assurance service. It is also used for storage of Response website snapshots.
AWS is used for off-loading application servers located in Interxion. When certain thresholds are met, workloads are moved to AWS for processing, after which the processed data is returned to Interxion.
AWS is considered one of the top providers of cloud services and holds several certifications. On a yearly basis, AWS is subjected to independent audits to maintain the certifications.
Temporary data storage
Siteimprove Response nodes and Analytics endpoints are located around the world for the sake of redundancy and to lower the latency to customer websites. The location details can be found in the Response and Analytics technical specification documents. These nodes only hold the collected data temporarily, for a maximum of 48 hours, before it is sent to the designated backend for processing, storage, and presentation in the Siteimprove Intelligence Platform.
Siteimprove will store customer website data for the duration of the contractual agreement. When the contractual agreement with Siteimprove is terminated, the following will happen:
- The tables in the database containing the customer results, history and specific customizations to the Siteimprove Intelligence Platform will be dropped
- Any collected HTML and/or PDF files will be deleted
- The customer data will be rolled out of the backup scheme after 30 days
Siteimprove will retain some customer information after contract termination, such as name, title, e-mail address, physical address, phone number, etc.
This residual customer information* will be removed upon request by contacting:
Worldwide (except EU): firstname.lastname@example.org
*All data will be removed, except data that is required to be retained by law and internal audit policies.