Security and Compliance

Do you have an information security policy (ISP) ?
Yes, our ISP establishes the general framework that enables us to ensure the protection of the data entrusted to us. It is communicated to all our staff.
It is updated at least once a year and made available to our clients on request.

Do you have any security certifications?
We are ISO 27001 certified.
Moreover, our storage and information processing infrastructure is fully hosted by ISO 27001 and SOC 2 certified cloud service providers.

Is there a specific contact person to deal with security issues?
Our support team answers all questions, including security issues. Depending on the scope of the security issue to be addressed, This team is then responsible for referring these issues to internal experts. We have interlocutors for the following four areas of expertise :

• Physical security of employees
• Workplace security and working methods
• IT development security and infrastructure
• Legal security

If you want to report an incident, we have a dedicated email address: security@abtasty.com

Have you identified your main security risks? What measures have you taken to reduce them?
To ensure the highest possible level of security for our customers, we decided to implement an Information Security Management System (ISMS) in accordance with the ISO 27001 standard.
We regularly carry out a risk analysis of our information system in which each identified risk is addressed and included in our risk treatment plan.

Security indicators allow us to control and monitor the level of identified risks until they reach an acceptable level.

Is your staff made aware of information security?

When they join AB Tasty, all our employees are made aware of and trained in the company’s culture and working methods. We systematically present our IT charter, which summarizes all the rules and best practices in terms of information security. We also remind them of these security rules in newsletters sent by the AB Tasty IT team.

Are all the people who have access to your clients’ data subject to a confidentiality clause?

All our employees are subject to a confidentiality clause in their employment contract. We also have all our partners who may have access to confidential data sign a non-disclosure agreement.

Do you have any sanctions for non-compliance with security rules?

Our IT charter, which summarizes all the security rules applicable in the company, is appended to AB Tasty’s internal regulations and is therefore enforceable against all our staff. A disciplinary process is provided for in the event of a breach of security rules.

Is the connection to the AB Tasty platform secure?

Yes, all connections to our platform are made in HTTPS via the TLS 1.2 protocol. It is also possible to activate multi-factor authentication (MFA). A code sent by SMS will be requested from users to log in to their account.

What is the password policy?

The user authenticates with a login/password pair. The password must meet the following complexity requirements :

• Be at least 12 characters long
• Contain at least 1 upper case, 1 lower case, 1 number or special character
• Be changed on first login

The password is stored in our database in a hashed and salted form, we never store the password in clear text. Even in the event of a data leak, the password cannot be read or reused by a malicious person.

Is it possible to authenticate through an identity federation solution?

Yes, our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.

What are the different user profiles? How are their access rights managed?

Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorization model. There are 4 user statuses:

• Admin: has full rights to the account
• User: can view and edit all campaigns but does not have access to account management settings
• Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
• Viewer: can see all campaigns but cannot update them

Who can access the data collected by AB Tasty solution?

We apply a very strict access policy regarding data access (principle of least privilege). At AB Tasty, only our devops team can access the data collected by our solution.

How do you ensure that only specifically authorized persons access the data?

Access rights to data are given in name only: we always know the identity of the person authorized to access the data from a user account. The rights granted to users are regularly updated; a review is carried out at least once a quarter.

Do you keep data access logs?

Yes, we keep a record of all data access.

Is access to AB Tasty’s premises restricted to authorized persons?

Access to AB Tasty’s premises is controlled by an electronic badge access system, assigned by name.

Is visitor access monitored?

Access to visitors is strictly controlled. Their identity is checked, their presence on the site is recorded in a register, they are given a visitor’s badge and they are constantly accompanied.

Is the premises access monitored ?

An anti-intrusion alarm system is installed. It is remotely operated by a specialized security company.

Have you established security rules to maintain the confidentiality of information in the workspace?

AB Tasty enforces the “clean desk” policy. No physical media (paper, removable drives, printouts) are left on desks, in meeting rooms or on the printer in the absence of the owner. Confidential paper documents are kept in a secure cabinet and shredded if they are to be disposed of. No screens or boards are visible from a window outside the premises.

How do you protect your technical premises (computer rooms)?

All IT infrastructure is hosted in data centres managed by our ISO 27001 and SOC 2 certified cloud service providers.

Is the data encrypted?

All the data we collect is encrypted in transit (via TLS 1.2) and at rest (in AES-256).

Is the data separated from that of other customers?

All data collected on our clients’ sites is stored in a dedicated database to prevent unauthorized access.

How long do you keep the data collected on your clients’ sites?

In accordance with the provisions of the GDPR and e-Privacy, we retain the data collected for a maximum period of 25 months. It is automatically deleted after this period.

Do you offer an export function for the data?

Test campaign data can be exported in .csv format directly from the AB Tasty platform by users only.

If the service is discontinued, what guarantees do you offer regarding the return and deletion of your customers’ data?

Our clients have the possibility to export the data of their test campaigns directly from the application at any time during the contract period.
At the end of the contract, we automatically delete the user accounts from our platform and put the campaigns on hold.
Our customers have the possibility to make a request for deletion of the data to legal@abtasty.com.

What guarantees do you provide on the availability of services?

AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service.

How can one check that you are fulfilling your commitments?

You can check the status of our services in near real time on a dedicated web page: https://status.abtasty.com

Is the data backed up?

We make a daily backup of all data generated by visitors to your site(s), with a retention period of 7 days.

Are the backups secure?

Backups are systematically stored on a different site from the production data, encrypted and their access is strictly limited.

Are restoration tests carried out regularly?

We regularly perform restoration tests on our test environments.

Do you have a disaster recovery plan?

We have a disaster recovery plan in place. The backups and redundancy of our infrastructure enable us to ensure the availability of our services in the event of a disaster.
In addition, our entire IT infrastructure is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified. They themselves have a disaster recovery plan.

Have you defined targets for maximum allowable downtime and maximum allowable data loss (RTO RPO) ?

The maximum allowable downtime and maximum allowable data loss is defined in the AB Tasty Disaster Recovery Plan.

Do you regularly test your DRP?

We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly and allow us to ensure the availability of our services in case of a disaster.

How do you ensure that changes to the source code of your solution do not introduce bugs or security holes?

The development cycle of our solution follows a continuous integration and deployment approach. This approach allows us to ensure continuous monitoring of changes to the source code, from the integration and testing phase all the way through to deployment in production. All modifications to the source code are systematically reviewed by at least two developers and unit tests are used to ensure that the code is executed correctly.

Do you use secure development frameworks?

We use the symfony and react development frameworks, in versions that are systematically maintained in operational security conditions.

Is your team of developers trained in secure development?

Our developers are made aware of and trained on the security flaws presented in the OWASP TOP 10. A training platform is available to our teams, where they can train on the subjects of their choice, including training on secure development.

How do you protect yourself against malware?

All our systems are protected by daily updated antivirus software.
Our IT team monitors current cyber security issues and the main security flaws that can impact our IT systems.
We monitor the status of our computers and systems and systematically apply the available security patches.
All software authorized in production is maintained in operational security condition by its publisher.
When a security vulnerability is reported to our teams, either through our security monitoring or through external audits, it is corrected as soon as possible.

What system and network events do you log?

We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc).

How long are the logs retained?

We keep the logs for 12 months.

Who can access the logs?

Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as investigative material in the event of a security incident or as evidence in any proceedings.

How do you ensure the security of your production environments?

Our IT infrastructure is an “as code” infrastructure. All resources (servers, network instances, security groups, firewall rules, etc.) are described in configuration files, which allows us to automate the deployment of our solutions and ensure a high level of availability for our customers.
This reduces the risk of human error or misconfiguration. As the infrastructure code is versioned, it is possible to go back in time in case of a deployment error.
We also constantly monitor the status of our instances in production using dedicated dashboards (via the Grafana tool).
Finally, all communication flows within our production environments are encrypted.

How do you ensure the security of maintenance and administration operations in your production environments?

Maintenance and administration of our production environment is carried out solely by our devops staff.

Access to the administration interfaces is always protected, either by an administration bastion or by a double authentication system.

Confidentiality and integrity of administration operations are ensured by the implementation of strong encryption protocols (SSL/TLS).

Are your external providers subject to security and confidentiality clauses?

All our service providers are subject to confidentiality clauses (Non-Disclosure Agreement). In addition, in the case of sensitive services or if the service provider must have privileged access, specific security clauses are included in the contract.

Are your providers subject to special monitoring?

When the service requires access to our information system, this access is monitored and limited in time.

Contracts with our most sensitive suppliers include security and auditability clauses. We regularly check the compliance of our suppliers and service providers with their contractual commitments.

Do you have a procedure in place in case of a security incident affecting your customers?

We inform you of any security incident that could impact you directly or indirectly. We have defined a security incident management procedure to prepare us as well as possible for this eventuality.

How and when do you communicate about security incidents?

In the event of a security incident affecting you, we will notify you of the incident as soon as possible, using the contact details you provided and identified as your point of contact when you signed the contract.

How can I reach your security team to discuss a security incident?

You can report any event or anomaly that may have an impact on data security to the following email address: support@flagship.io

Do you have your information system regularly audited?

As part of our ISO 27001 certification, our information security management system is fully audited every 3 years. A follow-up audit is also carried out every year.

Is the security of your solutions regularly tested?

Twice a year, we conduct penetration tests to uncover potential security vulnerabilities in our systems and software solutions. When such flaws are discovered, we provide the necessary security patches as soon as possible.

Do you communicate audit results or reports?

We will provide intrusion test certificates if you request them.

Do your customers have the possibility to perform or have performed security audits and penetration tests on their own initiative?

The terms and conditions for carrying out security audits and penetration tests at the client’s request are determined contractually. In all cases, these can only be carried out with our prior agreement and on a scope which, by nature, excludes our hosts.

What regulations do you have to comply with regarding the security of personal data?

We are subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and/or when applicable to the business relationship, the Personal Data Protection Act 26 of 2012 (PPDA) and/or the California Consumer Privacy Act (CCPA).

What are your responsibilities with regard to the personal data collected on your clients' sites?

In providing its service, AB Tasty acts as a processor of personal data and acts on behalf of its clients, who remain the data controller, as defined in Article 4 of the GDPR.
As a subcontractor, AB Tasty undertakes to:

• process personal data only for the sole purpose(s) for which it is outsourced.
• host personal data in the European Union or in North America or in APAC territory.
• ensure the confidentiality of personal data.
• take into account, with regard to its tools, products, applications or services, the principle of personal data protection at the conception stage and the principle of personal data protection by default.
• notify the customer of any personal data breach as soon as possible.
• keep a record of all categories of processing activities carried out on behalf of its clients.
• provide its customers with the necessary documentation to demonstrate compliance with its obligations under the GDPR.
• to assist its clients to comply with the obligations set out in the regulations applicable to the protection of personal data, in particular to respond to requests to exercise the rights of the persons involved.

What personal data do you collect on your clients' sites?

• The IP address of the Visitors to the Customer's Connected Medium(s): this data allows the geolocation, on a city scale, of the Visitors to the Customer's Connected Medium(s).
• The ID: this is the unique ID allocated to each Visitor when a web page is loaded, based on a date, a time and a random 5-digit value; this data makes it possible to record the technical and behavioural information of the Visitors which is linked to the machine used by the Visitor, the browser used by the Visitor and the physical actions carried out by the Visitor, (e.g. using a keyboard, a computer mouse or other tools on a touch-sensitive keyboard), and to carry out a statistical analysis of the behaviors of the Visitors of the Customer's Connected Media
• The data, some of which may be of a personal nature, collected by the Client and to which the Client gives AB Tasty access.

How long do you keep the personal data collected?

• The IP address of visitors to the Client's Connected Media is not stored; it is immediately (in real time) and permanently deleted by AB Tasty after the campaign results have been obtained.
• The ID is automatically deleted after a maximum period of 13 month.
• The personal data to which the Client has given access to AB Tasty associated with technical and behavioral statistical information are automatically deleted after a period of 25 months.

Where is personal data hosted?

Personal data is hosted in the European Union or in North America or in the APAC region, as detailed below. It is not transferred by AB Tasty or its subcontractors.

What is the list of your subcontractors under the GDPR?

• European Union

• North America

• APAC territory

What security measures are in place to ensure the protection of personal data?

AB Tasty has put in place several security measures to ensure the confidentiality, integrity, availability and resilience of systems and services concerning the processing of personal data.

You can visit the web page dedicated to the security practices implemented by AB Tasty here.

Do you have the Visitors' consent to process the personal data collected?

As AB Tasty acts as a subcontractor on your behalf, it is not its responsibility to obtain the consent of Visitors. This responsibility rests with you in your capacity as data controller.

You can however, from your user interface, make AB Tasty execution dependent on your consent management system. So, if you use cookies, js variables, or an external tool (like Didomi) to manage the consent of your visitors, you will be able to block AB Tasty from being triggered for those visitors who refused their consent.

Have you defined a procedure to allow the owners of personal data to exercise their rights of access, modification, deletion, restriction, etc.?

It is your responsibility to collect requests to exercise the rights of the persons involved. AB Tasty undertakes to provide you with all necessary assistance to enable you to fulfil this obligation. If the persons involved make requests to AB Tasty to exercise any of their rights, AB Tasty undertakes to send these requests directly to you. AB Tasty cannot, under any circumstances, be responsible for the management of exercise requests or for informing the persons concerned in the context of the provision of the AB Tasty service.

Do you have a procedure in place in case of a personal data breach?

Yes, as a personal data processor, AB Tasty is required to alert and assist its clients in the event of a personal data breach to enable them to fulfil their obligations under the GDPR.

I would like to contact your Data Protection Officer (DPO), what are their contact details?

AB Tasty's Data Protection Officer is the law firm ALGANCE AVOCATS, 5 Rue de Logelbach, 75017 PARIS, in the person of Christophe Lévy-Dières, lawyer at the Barreau de Paris.

Phone: +331 44 94 00 00
E-mail: dpo@abtasty.com