Reply.ai Security Whitepaper

Updated: Aug 2, 2018

Introduction

Reply is committed not only to providing a fully-featured end-to-end customer experience platform, but also to making sure your data is secure. Protecting customer data is one of our most important responsibilities.

We’re committed to being transparent about our security practices and helping you understand our approach.

Personnel security

Reply’s personnel practices apply to all members of the Reply workforce. That includes all employees and independent contractors who have direct access to Reply’s internal information systems.

All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

Upon termination of work at Reply, all access to Reply systems is removed immediately.

Security and privacy training

All workers with access to customer personal data are required to complete a privacy and security training course.

Workers are required to report security and privacy issues to appropriate internal teams.

Dedicated security professionals

Reply has defined roles and responsibilities to delineate which roles in the organization are responsible for operating the various aspects of our Information Security Management System (ISMS).

At the center of administering our ISMS is Reply’s Security Team. Reply has appointed a Chief Security Officer (CSO) with overall responsibility for the implementation and management of our ISMS.

The CSO is supported by the other members of Reply’s Security Team, which currently consists of three people focused on security and good practices across the company.

All members of Reply’s Security Team are active participants in the larger information security community to improve the overall state of the art of information security and to maintain their own expertise.

Policies and standards

Reply maintains a set of policies, standards, procedures and guidelines (“Security Documents”) that provide the Reply workforce with the “rules of the road” for operating Reply’s ISMS. Our security documents help ensure that Reply customers can rely on our workers to behave ethically and for our service to be operated securely. Security documents include, but are not limited to:

  • Fair, ethical, and legal standards of business conduct
  • Acceptable uses of information systems
  • Practices for worker identification, authentication, and authorization for access to system data
  • Use of encryption
  • Description, schedule, and requirements for retention of security records
  • Planning for business continuity and disaster recovery
  • Classification and management of security incidents
  • Use of service organizations

These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Audits, compliance, and 3rd party assessments

Reply operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards.

Audits

Reply evaluates the design and operation of its overall ISMS for compliance with internal and external standards.

Reply engages credentialed assessors to perform external audits at least twice per year. Audit results are shared with senior management and all findings are tracked to resolution.

Penetration testing

Reply engages independent entities to conduct regular application-level and infrastructure-level penetration tests.

Results of these tests are shared with Reply management.

Reply’s Security Team reviews and prioritizes the reported findings and tracks them to resolution.

Legal compliance

Reply employs dedicated legal and compliance professionals with extensive expertise in data privacy and security.

These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements.

Reply also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.

Secure by design

SDL

Reply assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Reply undertakes an assessment to qualify the security risk of the software changes introduced.

This risk analysis leverages both the OWASP Top 10 and the experience of Reply’s Product Security team to categorize every project as High, Medium, or Low risk. Based on this analysis, Reply creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Reply web application, Reply’s Security Team operates continuous automated static analysis using advanced tools and techniques. Significant defects identified by this process are reviewed and followed to resolution by the Security Team.

Protecting customer data

The focus of Reply’s security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

All features provided by the Reply platform are developed with security in mind. Exposed API endpoints are protected by secure token authentication, and the most restrictive security settings are applied for all our web applications.

Data encryption in transit and at rest

Reply transmits data over public networks using strong encryption. This includes data transmitted between Reply customers and the Reply service.

Reply supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2 and AES-256 encryption.

Data at rest in Reply’s production network is encrypted using industry standard encryption technology. This applies to all types of data at rest within Reply’s systems—relational databases, file storage, database backups, etc.

The Reply service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Reply service. These service providers are responsible for restricting physical access to Reply’s systems to authorized personnel.

Each Reply customer’s data is hosted in Reply’s infrastructure. Reply uses a combination of storage technologies to ensure customer data is protected from hardware failures and is returned quickly when requested.

Network security

Reply divides its systems into separate networks to better protect more sensitive data.

Systems supporting testing and development activities are hosted in a separate network from systems supporting Reply’s production website. Customer data submitted into the Reply services is only permitted to exist in Reply’s production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Reply’s production environment from open, public networks is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of Reply’s service to its users are open at Reply’s perimeter. Changes to Reply’s production network configuration are restricted to authorized personnel.

In Reply’s hosted production environment, control of network devices is retained by the hosting provider. For that reason, intrusion detection and prevention (IDS/IPS) are performed using host-based controls.

Classifying and inventorying data

To better protect the data in our care, Reply classifies data into different levels and specifies the labeling and handling requirements for each of those classes.

Reply’s ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process.

Authorizing access

To minimize the risk of data exposure, Reply adheres to the principle of least privilege: workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.

To ensure that users are so restricted, Reply employs the following measures:

  • All systems used at Reply require users to authenticate, and users are granted unique identifiers for that purpose.
  • Each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.

Workers may be granted access to a small number of internal systems, such as the corporate Reply instance, by default upon hire. Requests for additional access are approved by the responsible owner or manager.

Authentication

Where possible and appropriate, Reply uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token.

The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements). Reply requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

System monitoring, logging, and alerting

Reply monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure.

Administrative access, use of privileged commands, and system calls on all servers in Reply’s production network are logged.

Reply’s Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel.
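One way a log store can be made tamper-evident, as an added illustration that is not Reply's own implementation: every record carries a SHA-256 over the previous record's hash and its own canonical content, so an edit, deletion or reordering breaks the chain at the point of tampering and a periodic verification job can alert on it. The record format and the sample audit events below are constructed for this example.

```python
"""Hash-chained audit log (added example, not Reply's tooling).

Each entry binds its record to the previous entry's hash.  Re-verifying the
chain from the genesis value detects any modification of stored records.
The record format and the sample events are constructed assumptions."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # conventional "hash before the first record"


def chain_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous link together with a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record, binding it to the last link (a copy is stored)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": chain_hash(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list) -> Optional[int]:
    """Recompute the chain; return the index of the first bad link, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or chain_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


# Constructed sample of logged privileged commands from production hosts.
SAMPLE_EVENTS = [
    {"ts": "2018-08-02T10:00:01Z", "host": "prod-db-01", "user": "ops1",
     "cmd": "sudo systemctl restart postgres"},
    {"ts": "2018-08-02T10:00:05Z", "host": "prod-db-01", "user": "ops1",
     "cmd": "sudo tail /var/log/auth.log"},
    {"ts": "2018-08-02T10:02:17Z", "host": "prod-web-03", "user": "ops2",
     "cmd": "sudo useradd deploy"},
]


def demo() -> tuple:
    """Build a chain, then show that an edit and a deletion are both detected."""
    chain: list = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    intact = verify(chain)                      # None: nothing wrong

    chain[2]["record"]["cmd"] = "sudo true"     # tamper with the third record
    edited = verify(chain)                      # 2: hash of entry 2 no longer matches

    chain[2]["record"]["cmd"] = SAMPLE_EVENTS[2]["cmd"]  # undo the edit
    del chain[1]                                # remove the middle record
    deleted = verify(chain)                     # 1: entry 2's "prev" no longer matches
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

In practice the head hash would be periodically written to a location the log network cannot modify (or signed), so that a wholesale rewrite of the chain is also detectable.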

Alerts are examined and resolved based on documented priorities.

Endpoint monitoring

Reply workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behavior.

Reply’s Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

Responding to security incidents

Reply has established policies and procedures for responding to potential security incidents. All incidents are managed by Reply’s dedicated Computer Security Incident Response Team.

Reply defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Data and media disposal

Customer data is removed immediately upon deletion or, where the contract specifies a message retention period, upon its expiration.

Backups are destroyed within 30 days. Reply follows industry standards and advanced techniques for data destruction.

Reply defines policies and standards requiring media be properly sanitized once it is no longer in use. Reply’s hosting provider is responsible for ensuring removal of data from disks allocated to Reply’s use before they are repurposed.

Protecting secrets

Reply has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.

Controlling change

To minimize the risk of data exposure, Reply controls changes, especially changes to production systems, very carefully.

Reply applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, Reply’s production network is subject to additional safeguards against malware.

Server hardening

New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying Reply’s custom configuration settings to each server before use.

File change management

Reply maintains the configuration of its production servers by using a configuration management system that runs frequently to check that only the authorized versions of key files are deployed. This system overwrites any file found on a server that does not match the correct version stored in a change-controlled repository.
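The check-and-overwrite loop described above, as an added example rather than Reply's own configuration management tooling: a manifest of SHA-256 digests is built from the change-controlled repository, each managed file on the server is compared against it, and any file that is missing or differs is replaced with the authorized copy. The directory layout, file names and file contents are constructed for this illustration.

```python
"""File change management by manifest (added example, not Reply's tooling).

build_manifest() records the digest of every file in the authorized
repository; enforce() compares the deployed copies and restores drifted
ones.  Paths, file names and contents below are constructed assumptions."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(repo_dir: Path) -> dict:
    """Map each relative file path in the authorized repository to its digest."""
    return {
        p.relative_to(repo_dir).as_posix(): sha256_of(p)
        for p in sorted(repo_dir.rglob("*"))
        if p.is_file()
    }


def enforce(repo_dir: Path, deploy_dir: Path, manifest: dict) -> list:
    """Check every managed file on the server against the manifest.

    A file whose digest differs, or which is missing, is overwritten with the
    authorized copy from the repository.  Returns the relative paths that were
    corrected so each run can be logged and, if non-empty, alerted on."""
    corrected = []
    for rel, expected in manifest.items():
        target = deploy_dir / rel
        if target.is_file() and sha256_of(target) == expected:
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(repo_dir / rel, target)  # restore the authorized version
        corrected.append(rel)
    return corrected


def demo() -> tuple:
    """Constructed scenario: clean deploy, then an unauthorized edit and a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        server = Path(tmp) / "server"
        (repo / "etc").mkdir(parents=True)
        (repo / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (repo / "etc" / "sudoers").write_text("%admin ALL=(ALL) ALL\n")
        manifest = build_manifest(repo)

        shutil.copytree(repo, server)
        first = enforce(repo, server, manifest)   # clean deployment: nothing to fix

        (server / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # drift
        (server / "etc" / "sudoers").unlink()                                  # removal
        second = enforce(repo, server, manifest)

        restored = (server / "etc" / "sshd_config").read_text()
        return first, second, restored


if __name__ == "__main__":
    print(demo())
```

A real deployment would also sign the manifest, or fetch it from the repository on each run, so that the comparison baseline itself cannot be altered on the managed host.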

Disaster recovery and business continuity

Reply utilizes services provided by its hosting provider to distribute its production operation across separate physical locations.

These four locations are within one geographic region, but protect Reply’s service from loss of connectivity, power infrastructure and other common location-specific failures.

Production transactions are replicated among these discrete operating environments, to protect the availability of Reply’s service in the event of a location-specific catastrophic event.

Full backups are saved to this remote location once per day and transactions are saved continuously. Reply tests backups at least quarterly to ensure they can be correctly restored.

3rd party suppliers

To run its business efficiently, Reply relies on sub-service organizations. Where those sub-service organizations may impact the security of Reply’s production environment, Reply takes appropriate steps to ensure its security posture is maintained.

Reply monitors the effective operation of the organization’s safeguards by conducting reviews of its service organization controls before use and at least annually.

Conclusion

We take security seriously at Reply. Safeguarding customer data is a critical responsibility we have to our customers, and we work hard to maintain that trust.