Security at Contentsquare

View and download our security, privacy and legal documentation.

Cloud Security, Infrastructure and Architecture

Cloud Provider

Contentsquare relies on third-party cloud providers, benefiting from state-of-the-art facilities and the strict security controls they have in place.

The cloud provider manages the physical and environmental security of its facilities and the logical security of the high-level services that Contentsquare relies on.

  • AWS EU pipeline: Production in AWS Ireland, Backup in AWS Stockholm.
  • AWS US pipeline: Production in AWS North Virginia, Backup in AWS Oregon.
  • Azure EU pipeline: Production in Ireland, Backup in the Netherlands.
  • Azure US pipeline: Production in Virginia, Backup in Washington.

Product Security

SDLC (Software Development Life Cycle)

Before deployment, new developments are qualified, reviewed and automatically tested through our code quality pipeline, which validates that the version conforms to our standards for functionality, code coverage, performance and security.

While we acknowledge that SRI (Subresource Integrity) is a way to protect against these types of attacks, we have chosen another implementation for our default deployment:

  • We change the Tag very often. SRI is not supported by all browsers and needs to be activated by customers.
  • In case of Tag hijacking, we would have to wait for customers to give us feedback about SRI errors and would thus lose a lot of time.

To protect against that, we have chosen to check the integrity of the JavaScript Tag ourselves. Every 10 minutes, we compare the integrity of the Tag served from multiple endpoints (after the CDN, from multiple locations; before the CDN, in S3 buckets) with a trusted value generated when we build the Tag. In case of mismatch, an alert is sent directly to our on-call security team. We believe this is a better solution because we can actively monitor this attack scenario and because we are not relying on client-side implementation or controls.

If your security policy requires the use of Subresource Integrity to integrate the Contentsquare tracking tag on your application, you can deploy our tag using the SRI method we have developed.

Please note that the use of SRI will change the deployment of the tag and its updates.
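As an added example, not Contentsquare's own code, the following Python sketches the two pieces described above: the trusted digest computed once at build time (in the same `sha384-<base64>` form a customer would put in an SRI `integrity` attribute) and the periodic comparison of copies fetched from pre-CDN and post-CDN endpoints against it. The endpoint URLs, tag bodies and `fake_fetch` function are constructed stand-ins for a real HTTP fetch.

```python
"""Integrity monitor for a hosted JavaScript tag (illustrative, not vendor code)."""
import base64
import hashlib
from typing import Callable, Dict, List


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Digest in Subresource Integrity form, e.g. 'sha384-<base64>'.
    The same value works as the trusted build-time reference and as an SRI attribute."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_endpoints(trusted: str, fetch: Callable[[str], bytes], endpoints: List[str]) -> Dict[str, str]:
    """Fetch the tag from every endpoint, compare each copy's digest with the trusted
    value and return the endpoints that do not match, mapped to what was observed.
    An endpoint that cannot be fetched is reported too: silence must not mask a hijack."""
    algo = trusted.split("-", 1)[0]
    mismatches: Dict[str, str] = {}
    for url in endpoints:
        try:
            observed = sri_digest(fetch(url), algo)
        except Exception as exc:  # network error, 404, bucket unreachable, ...
            observed = f"fetch-error: {exc}"
        if observed != trusted:
            mismatches[url] = observed
    return mismatches


# Constructed sample data: the tag as built, plus one CDN edge serving an altered copy.
BUILT_TAG = b"(function(){window._cs_tag='v1';})();"
SAMPLE_COPIES = {
    "https://origin-bucket.example/tag.js": BUILT_TAG,                  # before CDN (S3)
    "https://cdn-eu.example/tag.js": BUILT_TAG,                         # after CDN, location 1
    "https://cdn-us.example/tag.js": b"/* edited */" + BUILT_TAG,       # after CDN, tampered
}
TRUSTED_DIGEST = sri_digest(BUILT_TAG)  # computed at build time, stored with the release


def fake_fetch(url: str) -> bytes:
    """Stand-in for an HTTP GET; raises for unknown URLs as a real fetch would on error."""
    return SAMPLE_COPIES[url]


def run_check() -> Dict[str, str]:
    """One scheduled run of the monitor (the page schedules it every 10 minutes)."""
    endpoints = list(SAMPLE_COPIES) + ["https://cdn-apac.example/tag.js"]  # last one unreachable
    bad = check_endpoints(TRUSTED_DIGEST, fake_fetch, endpoints)
    if bad:
        print("ALERT: tag integrity mismatch on", ", ".join(bad))  # page the on-call team here
    return bad


if __name__ == "__main__":
    run_check()
```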

Corporate Security

Security Organization & Governance

Contentsquare has an established function responsible for security and data compliance across the organization. Contentsquare's security governance and ISMS closely follow the ISO 27001 standard:

  • Annual risk analysis
  • Key Performance Indicators issued quarterly to ensure that the ISMS is running efficiently
  • Dedicated security policies and procedures covering all 133 controls of ISO 27001 (reviewed annually)

People Security

At Contentsquare, security starts with its people. Contentsquare invests in properly vetting and training staff to ensure an organization-wide appreciation for security. Before hire, background checks (identity, education) are performed.

Signing a confidentiality agreement and completing security training are required at employee onboarding.

Corporate IT Security

Contentsquare commits to the highest standards of security. As such, corporate IT resources require an appropriate level of safeguards:

  • Corporate networks are fully segregated from production networks
  • Corporate networks are monitored by an Intrusion Detection System
  • Corporate networks and devices are analysed monthly with a vulnerability scanner
  • Laptops are pre-configured with endpoint protection and antivirus software
  • Laptop hard drives are encrypted at rest
  • Clean desk policy

Technical Security Measures

Read our full Technical Security Measures for a deep dive into our Cloud Security, Infrastructure and Architecture.