Data Security
Data Protection and Security Mechanisms
ISO 27001 and GDPR: Conscia is proud to maintain its ISO 27001 compliance for the last three years. ISO 27001 is an internationally recognized standard for managing information security. This compliance demonstrates our rigorous approach to securing data, managing risks, and ensuring the highest level of data protection. Additionally, we adhere to the General Data Protection Regulation (GDPR) protocols, ensuring robust privacy and data protection for our users, particularly in the European Union. This commitment to GDPR compliance reflects our dedication to upholding the privacy rights of individuals and handling data responsibly.
Enrcyption at Rest and in Transit: Conscia ensures the security of data through robust encryption practices. All data in transit to and from the DX Engine and DX Graph is encrypted with the industry-standard AES-256 algorithm, ensuring that sensitive information remains protected from unauthorized access or interception. This encryption applies to all data moving between our internal systems, backend integrations, and client interfaces.
All sensitive data such as Customer Secrets such as API tokens, usernames and passwords, etc to be used to connect to backend systems are encrypted at rest.
All credentials to the DX Engine and DX Graph itself are managed via Keycloak, which is a widely-used open-source identity and access management solution. Keycloak stores user credentials, such as passwords, in a secure manner. It hashes passwords, ensuring that they are not stored in plain text. This means even if the data store is compromised, the hashed passwords would not be immediately usable by an attacker.
Limiting Data Access: All DX Engine configurations are secured via robust access controls. Access is granted at the most granular level, i.e Components and Rules, which ensures that only the authorized members of the team are given access to certain resources.
Deployment on Security Compliant Infrastructure The DXO is deployed on the robust, industry-leading infrastructure of Amazon Web Services (AWS). AWS is renowned for its comprehensive compliance and security framework, adhering to global security standards. This infrastructure includes advanced safeguards and a multi-layered security model, providing a secure foundation for our services. By deploying on AWS, Conscia benefits from the stringent security measures, data protection protocols, and continuous compliance monitoring that AWS offers, ensuring the highest level of security for our clients' data and digital experiences.
AWS Foundational Technical Review Our deployment on AWS infrastructure is not only about leveraging its advanced security and compliance capabilities; it also involves our adherence to AWS's Foundational Technical Review (FTR). The FTR approval signifies that our DXO aligns with AWS's best practices for security, reliability, and operational excellence. This review process ensures that our services are architecturally sound and optimized for high performance on AWS. Being FTR approved and listed on the AWS Marketplace underscores our commitment to delivering a secure, efficient, and robust digital experience orchestration platform, providing our clients with the assurance of a solution that meets stringent AWS standards.
API Security
We employ a robust API token-based authentication system. When a client application requests access to the DXO (both DX Engine and DX Graph), it must provide a unique API token, which serves as a secure identifier and key. This token is generated and managed within our platform, ensuring controlled access. Each token is cryptographically strong, reducing the risk of unauthorized access through token forgery or interception.
Data Storage
There are three ways in which data may be stored within the DX Engine:
DX Engine Cache: Session-specific details, e.g., visitor ID, session status, etc., are stored in an internal cache. This cache is temporary and can be deleted through our Cache Invalidation API. The user has control over whether and how long to store any state in this cache, ensuring compliance with various data protection regulations.
DX Engine State: The state holds on to any information that you choose to hold on to during the session. The data within the State is available to all components in every orchestration flow defined within the application and hence is more versatile in its use than the cache. The Cache is limited to the response of a specific Component and the Component must be part of the orchestration flow in order for it to be able to access it. You should use Cache when you want to hold on to data from backends that are slow and you want to avoid sending unnecessary API requests to them. You should use State when several components within different orchestration flows need to be able to access and update the information within a session. An example would be items in cart, products viewed, categories clicked, etc.
DX Engine Logs: All data processed by the DX Engine is logged and stored for up to four weeks. When calling the DX Engine, you have the option to not store the DX Engine response in the logs via the responseLogged=false flag. These logs can be exported by Conscia upon request or on a schedule. You also have the option of routing the logs to your own logging service using the core capabilities of API orchestration.
DX Graph: Data in the DX Graph is also encrypted during transit and at rest. DX Graph uses asymmetric and symmetric encryption techniques to protect sensitive communications and large data volumes efficiently. Asymmetric encryption is utilized for secure communication and involves a pair of keys (public and private) for encryption and decryption, respectively. Symmetric encryption, on the other hand, uses a single key for both encrypting and decrypting data, making it suitable for processing large amounts of data quickly.
While Conscia equips the DXO with robust data security features, the ultimate responsibility for configuration and usage lies with you. The DXO data handling is determined by your setup, allowing you to selectively process information from various backend systems. This includes the option to exclude Personally Identifiable Information (PII) entirely, focusing only on necessary data for orchestrating digital experiences. In instances where PII is involved, such as when fetching customer data from a CRM, the DX Engine can facilitate its flow through the system. However, you can leverage the provided security mechanisms to prevent PII from being stored on our servers.
Complying with the General Data Protection Regulation (GDPR) involves both adhering to its requirements and communicating your practices to your users. Here's a suggestion for verbiage that could be included on your website:
Privacy and Data Protection – Our Commitment to GDPR Compliance
At Conscia, we are fully committed to upholding the highest standards of data privacy and security in line with the General Data Protection Regulation (GDPR).
Your Data, Your Rights: We respect your right to privacy and control over your personal data. Our Privacy Policy outlines how we collect, use, store, and protect your information.
Transparent Data Practices: We believe in transparency and are clear about the data we collect and how it is used to enhance your experience with our services.
Data Protection and Security: Safeguarding your information is our top priority. We employ robust security measures to protect your data from unauthorized access, alteration, or destruction.
User Consent and Control: We ensure that consent is sought where required, and provide easy options for you to manage your personal information and preferences.
Data Portability and Access: In compliance with GDPR, we provide mechanisms for you to access your data and, where applicable, to port it to other service providers.
Continuous Compliance: Our GDPR compliance is an ongoing effort, involving regular reviews and updates to our practices to stay aligned with legal requirements and best practices.