Cloud Security

Interact's cloud services use the latest technology and processes to ensure your intranet is secure.

Application Security

Security Training: Every 12 months our engineering and support departments participate in secure code training.
QA: Dedicated security engineers who are part of our QA and Architecture departments review and test our code base for security vulnerabilities.
Isolated Environments: Development, testing and staging environments are separated physically and logically from the production environment. Customer data is never used in our development, testing or staging environments.
Security Frameworks: We use .NET security framework controls to limit exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi) and many other classes of vulnerability.
Static Code Analysis: Our source code is regularly scanned for security issues, and findings are refactored to best practices.
Penetration Testing: In addition to our internal security testing, we partner with NCC to perform extensive penetration tests across the application.
Vulnerability Scanning: Our internal security team performs regular vulnerability scanning of the application and infrastructure.

Software Security Features

Authentication Options: Interact supports multiple authentication options, including Local Directory (usernames and passwords are stored within Interact) and SAML 2.0 SSO (e.g. ADFS, Okta, OneLogin).
SSO: Single Sign-On (SSO) lets you authenticate users against your own identity systems without requiring them to enter additional login credentials. Interact grants access only to users that your identity provider has authenticated.

Product Security Features

Access Control: Access to data within Interact is governed by access rights. Access privileges are configured and managed through memberships, which can be used to define granular access rights.
IP Restrictions: An administrator can configure Interact to allow access only from specific IP address ranges.
Content Moderation & Approval: Interact's fine-grained permission structure lets administrators control who can author content within each Content Area and Category. Interact can also be configured so that users must request approval before publishing their content.
Auto Logout: Interact can be configured to automatically log users out after a period of inactivity.
Auditing: Creation and modification of data stored within Interact are recorded, along with access logs, for future auditing.
Exclusion by Default: When a new entity (e.g. a Content Area, Team or Homepage) is created or a new feature is enabled, users are excluded by default. This limits human error by requiring the creating owner to specify explicitly who can access the entity and the content it contains.

Encryption

At Rest: Interact encrypts customer data at rest using AES-256.
In Transit: Data in transit between Interact and you is encrypted using HTTPS (TLS).

Employee Security

Background Checks: Interact performs an extensive background check on all employees, including a five-year employment history, address history and education verification.
Criminal Record Check: Employees with authorized access to production environments are required to undergo a criminal record check. UK employees are subject to the Disclosure Scotland process, while US employees are subject to a seven-year historical search of County Criminal Courthouse Records.
NDA: All employees are required to sign Non-Disclosure and Confidentiality agreements.

Compliance

SOC 2 Type II: Interact Cloud infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1, SOC 2 and SOC 3.
HIPAA: Interact is able to provide HIPAA-compliant hosting and can make its Business Associate Agreement (BAA) available for execution by subscribers. HIPAA-compliant hosting is not available on all plans and is provided only upon request.
ISO 27001: Interact Cloud infrastructure is designed and managed in alignment with security best practices, including ISO 27001.
Safe Harbor: EU privacy law forbids the movement of EU citizens' data outside the EU unless it is transferred to a location deemed to have "adequate" privacy protections in line with those of the EU. The EU-US Safe Harbor agreement was established to protect EU citizens' data that is transferred from the EU and stored within US data centers. Interact operates multiple isolated instances hosted in both the EU (Ireland) and the US (Virginia). Data is never transferred between these geo-locations, so data hosted in the EU never leaves the EU.

Security Management

Framework: Interact has an established information security management framework describing the purpose, principles and basic rules for how we maintain trust. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.
Training: Interact employees attend Security Awareness Training at least once every 12 months. Our Security Team provides security awareness updates and refreshers throughout the year to the various teams and departments.
Policies: Interact has developed a comprehensive set of security policies which are made available to all employees. Policies are enforced through a blend of training, events and auditing.

Infrastructure Security

Location: Interact has multiple territories where information can be domiciled, including the EU, Australia and the USA, with multiple instances of Interact in each geo-location. Each territory has distinct local legal requirements and interconnectivity agreements in place which ensure that your content inherits the benefits of its host country. Customers can choose to locate their data in the EU only, the US only, or Australia only. Data always resides within its provisioned geo-location (EU, USA or Australia) and cannot be transferred outside of its allocated area.
Monitoring: Interact and AWS (our hosting provider) utilize a wide variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port-scanning activity, application usage and unauthorized intrusion attempts. The tools can set custom thresholds on performance metrics to flag unusual activity.
Physical Security: AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Architecture: Interact is designed with multiple layers of protection, covering data transfer, encryption, network configuration and application-level control, all distributed across a scalable, secure infrastructure.
Intrusion Detection: Intrusion Detection Systems (IDS) are deployed throughout the Interact infrastructure. The systems are configured to identify malware infections, attacks, system compromises, policy violations and other exposures.
Logical Access: Access to the Interact production network is restricted to a small number of employees and is frequently monitored and audited.

Security Policies

Information Security Policy: Policies covering customer and Interact information, including device security, authentication requirements, acceptable usage of resources, data storage requirements, security access and issue handling.
Physical Security Policy: Guidelines detailing how we maintain a safe and secure environment for people and property at Interact.
Change Management Policy: Policy for code review and for managing security-impacting changes made by Interact developers to source code, system configuration and production releases.
Incident Response Policy: Guidelines for responding to potential security incidents, including assessment, communication and investigation procedures.
Physical Production Access: Our procedures for restricting access to the physical production infrastructure, including management review of employees.
Support Policy: Access policies governing how our Service Desk may view, provide support for, or take action on customer data.