Trust Center

BranchUp Security Practices

Last updated: Jan 14, 2020

BranchUp maintains organizational and technical measures to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information BranchUp collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing BranchUp engages in.

Where used in this Security Practices document, “BranchUp Services” means the Self-Serve Services or Enterprise Services, as applicable and as defined in the terms applicable to your access to and use of the BranchUp Services (the “Agreement”). Capitalized terms not defined in this document have the meanings given to them in the Agreement.

Confidentiality

BranchUp maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorized Users make available via the BranchUp Services, and to prevent access to Customer Content by anyone who should not have access to it.

All of BranchUp’s employees are bound by BranchUp policies regarding the confidential treatment of Customer Content.

Personnel Practices

BranchUp employees receive security training during onboarding and on an ongoing basis. Employees are required to read and sign information security policies covering the confidentiality, integrity, availability and resilience of the systems and services BranchUp uses in the delivery of the BranchUp Services. Where applicable, including for particularly sensitive positions, BranchUp also conducts criminal background checks on employees before employment.

Additional Security Features

Access and System Logging

All systems used in the provision of the BranchUp Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.

Availability

BranchUp’s infrastructure runs on fault-tolerant systems, and BranchUp provides Enterprise customers with a guaranteed up-time, as set out in the Enterprise Terms of Service.

Disaster Recovery

When your use of the BranchUp Services requires BranchUp’s systems to store Customer Content, such Customer Content is stored redundantly at multiple locations in BranchUp’s hosting provider’s data centers to ensure availability. BranchUp has backup and restoration procedures to allow recovery from a major disaster. Customer Content and BranchUp’s source code are automatically backed up on a nightly basis. BranchUp’s operations team is alerted in the event of any failure with this system. Backups are fully tested at least every 90 days to confirm that these processes and tools work as expected.

Network Protection

In addition to system monitoring and logging, BranchUp has implemented firewalls that are configured according to industry best practices, and ports not utilized for delivery of the BranchUp Services are blocked by configuration with our data center provider.

Host Management

BranchUp performs automated vulnerability scans on its production hosts and uses commercially reasonable efforts to remediate any findings that present a material risk to the BranchUp environment. BranchUp enforces screen lockouts and the usage of full disk encryption for company laptops.

Logging and Intrusion Detection

BranchUp maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the BranchUp Services. These logs are analyzed for security events via automated monitoring software, overseen by BranchUp’s security team.

BranchUp monitors the BranchUp Services for unauthorized intrusions using network-based and host-based intrusion detection mechanisms. BranchUp analyzes data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the BranchUp Services function properly.

Physical Security

BranchUp currently uses Amazon Web Services (AWS) for its production data centers to provide the BranchUp Services. AWS has been selected for its high standards of both physical and technological security, and has internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services’ certification and compliance, please visit the AWS Security website and the AWS Compliance website.

Product Design Security Practices

New features, functionality, and design changes go through a review process facilitated by BranchUp’s security team. In addition, BranchUp’s code is tested and manually peer-reviewed prior to being deployed to production. BranchUp’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.

Incident Management & Response

BranchUp maintains security incident management policies and procedures. BranchUp notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Content by BranchUp or its agents of which BranchUp becomes aware, to the extent permitted by law.

Scope

These security practices apply to the BranchUp Services defined in your Agreement with BranchUp, excluding the BranchUp Ads Services.