As businesses grow and scale, they need to continue to earn and build on that trust in every way they can – but with rapidly expanding tech stacks, it’s not just their own company policies they need to monitor, it’s those of every company they partner with.

Your data is our most critical asset. At AudioStack, we protect it throughout its lifecycle with robust security practices, tailored role-specific staff training, and rigorous compliance with regulations. We handle the security of your data so that you can focus on acquiring, engaging, and retaining your customers.

We leave no stone unturned when it comes to data privacy

AudioStack is a data processor, and we take the utmost care of any data we touch. We’ve seen over 3 billion end user records and over 640 million conversations to date, facilitated between businesses and their users – that’s a lot of data!

We take care of your data from ingestion to deletion. In this post we’ll tell you about how we protect your data during:

• Storage, processing and transmission

• Access

• Expiry and deletion

Processing, storage, and transmission

Summary:

• We do regional hosting in EU

• Data is encrypted at rest and in transit with 256 bit encryption

• We only share data with the vendors listed in our www.audiostack.ai/legal 

Since data is our key asset, we only trust it to be handled by third party service providers who meet and maintain our standard of security. Before a vendor is procured, our IT, legal, and security teams review their security and data privacy practices in full. The only vendors who have access to your data are in our official subprocessor list.

We build our services with disaster recovery in mind. All of our infrastructure and data are spread across three AWS availability zones and will continue to operate should any one of those fail.

Data is kept safe at rest and in transit. All data sent to or from AudioStack through our API and our application endpoints are encrypted using TLS v1.2. This means we only use strong cipher suites and have features, such as HSTS and Perfect Forward Secrecy fully enabled. We also guarantee encryption at rest, using an industry-standard AES-256 encryption algorithm for all customer processor data.

Data access

Access to customer data is limited to authorized employees who require it for their job. It’s granted only when needed, with expiry where possible. When expiry isn’t available, tool owners review and baseline access quarterly.

We leverage an Identity Provider to provide and restrict access to all key corporate and production applications. We implement a Zero Trust system architecture which mandates biometric authentication on company-managed devices, ensuring access to all cloud services is adequately protected.

Employee security

We enable and empower our employees to make secure decisions with our product and customer data every day, through a combination of training and compliance-related governance.

Training

All employees complete Security and Privacy Awareness training annually, and we employ quick, engaging Slack training courses throughout the year to keep people’s security knowledge front of mind. We supplement company-wide training with role-specific training for high risk groups like Customer Support and Engineering.

We conduct phishing tests for all employees on a rolling basis and are happy to report a >96% pass rate for our whole organization, with supplementary training where needed.

Control access to your workspace

Summary:

• We employ least privilege for all AudioStack employees on all systems, with quarterly access reviews and baselining for all tools processing your data

• We have role-specific training and phishing tests to prepare our staff

• We also have enterprise level app features that give you this level of control over the data in your workspace

We’ve talked about us accessing your data but what about your team? AudioStack employs enterprise application features to give you granular control over access (by your teammates and users) and deletion of data.

You can control access to your workspace with SAML SSO and two-factor authentication. Once your teammates are inside your organisation, you can use granular controls to specify who has access to what.

Data expiry and deletion

Summary:

• We comply and help you comply with the EU’s GDPR 

• We map all our data flows

• We have organisation deletion immediately on request or after 13 months of inactivity

• Visitor data expires after 9 months

We took significant efforts to align with the GDPR before its introduction in 2018, focusing on rigorous data mapping efforts, training, updates to documentation, and data retention reviews for every piece of data we store and process. We create a culture where every employee understands the importance of a data asset – and its classification – so that we build a secure data ecosystem for you. We also have an appointed Data Protection Officer inside our Legal team to guide our data protection efforts.

We don’t keep data we don’t need. We expire inactive workspaces after 13 months and website visitor data after nine months.

If your users request a GDPR DSAR user deletion and you perform that in AudioStack, we begin processing that deletion immediately and automatically. The same applies if you choose to delete your AudioStack workspace and all associated data.

Compliance: Don’t just take our word for it 

Compliance is a major focus for us at AudioStack and we dedicate an entire team within our wider Engineering team (not to mention our Legal team), to ensure that we adhere to global standards that protect customer data.

To that end, we pursue the highest standards of industry-recognized accreditation so that all our customers, big and small, can have trust in our policies and procedures. All of our security compliance reports and certifications are available on request. 

SOC 2

AudioStack  undergoes yearly audits and maintains SOC2 Type 2 compliance focusing on the Security and Availability trust service principles. These audits provide an industry-wide recognition that companies conform to the American Institute of Certified Public Accountants (“AICPA”) SOC2 standard, which measures security and availability and serves as assurance that your data is being managed in a controlled and audited environment.

GDPR compliance

As a European HQ’d company we’ve been following GDPR since day one. Here’s what we’ve done:

• Built new features to enable our customers to easily meet their GDPR obligation

• Updated Data Processing Agreements 

• Appointed a Data Protection Officer

• Coordinated with vendors around GDPR compliance

• Reinforced and added to security measures regularly

But we didn’t stop there – we’re always looking for ways to improve. We’re vigilant and continuously scan for vulnerabilities, misconfigurations and threats, which may put your data in jeopardy.

The AudioStack application and infrastructure is looked at in detail by security researchers on a rolling basis. We supplement our static and dynamic code testing with twice yearly penetration tests and a public ‘bug bounty’ program. Our pentest reports are available upon request to all existing and prospecting customers.

We’re constantly on the lookout for ways to bring our data privacy and compliance standards to new heights and strengthen our data protection policies. Our commitment to our customers’, and their customers’ data, is why companies of all sizes put their trust in us.

Something we’re missing? Let us know what you’d like to see by emailing security@audiostack.ai.