Vieu Security Policy and Practices

Data security

  • Access monitoring: Vieu has enabled logging on all critical systems. Logs include failed/successful logins, application access, administrator changes, and system changes. Logs are ingested by our observability and security information and event management (SIEM) solution, which provides automated logging/alerting capabilities.
  • Backups enabled: Vieu is hosted by AWS and stores customer data using a combination of databases. By default, AWS provides durable infrastructure to store important data and is designed for durability of 99.9% of objects. Automated backups of all customer and system data are enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data, and are monitored and alerted.
  • Data erasure: Vieu customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Vieu customers can request data deletion or self-serve their own deletion when the data is not subject to regulatory or legal retention period requirements. Please refer to our Privacy Policy and Data Processing Addendum for more information.
  • Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted when on Vieu’s internal networks, at rest in Cloud storage, database tables, and backups.
  • Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.
  • Physical security: Vieu leverages Amazon Web Services (AWS) to host our application and defers all data center physical security controls to them. Please refer to AWS’s physical security controls here.

Application security

  • Code analysis: Vieu security and development teams conduct threat modeling and secure design reviews for new releases and updates. After code completion for significant feature launches, we perform code audits and code reviews, and conduct security scans of our codebase.
  • Software Development Lifecycle (SDLC): Vieu uses a defined SDLC to ensure that code is written securely. During the design phase, secure design reviews are performed for new releases and updates. After code completion for significant feature launches, we perform code audits, work with vendor companies or drive an internal penetration test, and conduct security scans of our codebase.
  • Vulnerability & patch management: Externally and internally-facing services are patched on a regular schedule. Any issues that are discovered are triaged and resolved according to the severity within Vieu’s environment.

Security profile

  • Data Access Level: Internal (i.e. Vieu employees will only ever access your data for the purposes of troubleshooting problems or recovering content on your behalf.)
  • Third Party Dependence: Yes - please refer to our list of subprocessors in the Data Processing section.
  • Hosting: Vieu is hosted on Amazon Web Services (AWS), one of the major cloud service providers. Vieu also uses GCP’s Firebase for authentication and Azure for several AI capabilities.

Corporate security

  • Employee training: Security training is required during the employee onboarding process, and annually thereafter. Employees also must read and acknowledge Vieu’s Code of Conduct and the Security policy.
  • Incident response: Vieu has an incident management plan that contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem. The plan is reviewed and tested at least annually.
  • Internal assessments: Internal security audits are performed at least annually at Vieu.
  • Internal SSO: Multi-factor authentication (MFA) is required for all Vieu employees to log into Vieu’s identity provider.

Access control

  • Data access: Vieu internally applies the principle of Least Privilege for access. Access is granted based on job function, business requirements, and a need-to-know basis. Access reviews are conducted on a set frequency to ensure continued access to critical systems is still required.
  • Logging: Vieu leverages a SIEM solution for log ingestion and automated logging/alerting capabilities. Logs are ingested from critical systems and alerting rules are utilized to ensure security event alerts are generated where/when necessary.
  • Password Security: Vieu requires MFA to be enabled for any and all systems that provide the option for MFA. When such delegation is not possible, Vieu maintains a stringent internal password management policy covering complexity and length.

Infrastructure

  • Anti-DDoS: Vieu leverages third party applications for DDoS protection.
  • Data Center: Vieu is hosted on AWS, which handles physical security for its data centers. Please refer to AWS’s security documentation here.
  • Infrastructure Security: Vieu’s infrastructure is hosted in a fully redundant, secured environment. Vieu’s customer data is hosted by AWS. AWS maintains a list of reports, certifications, and third party assessments to ensure best security practices. For more information on AWS compliance, please see here.
  • AWS infrastructure is housed in Amazon-controlled data centers throughout the world, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. More information on AWS data centers and their security controls can be found here.
  • Separate Production Environment: Customer data is never stored in non-production environments. Customer accounts are logically separated in our production environment. We have separate development, testing and production environments.

Network security

  • Firewall: Vieu office networks are configured with a network firewall. WAN-accessible network services are not to be hosted within the office environment.
  • IDS/IPS: Vieu utilizes a mix of both network and host-based IDS/IPS type systems as part of a broader defense-in-depth approach to securing the organization. This includes monitoring for suspicious activity through a combination of signature-based and anomaly-based detections.
  • Security Information and Event Management (SIEM): Vieu utilizes a SIEM solution for incident and event management. Event notifications are communicated to our security staff in real-time.

Product security features

  • Domain Management (AKA Tenant Management): Domain refers to the email address domain associated with a Vieu account. Domain verification allows tenant owners to claim ownership over a domain, which will unlock domain management settings.
  • SAML Single Sign-On (SSO): Vieu provides Single Sign-On (SSO) functionality for Business and Enterprise customers to access the app through a single authentication source.
  • Manage Permissions: Vieu allows owners to control their permission levels to ensure that users are viewing and interacting with your accounts exactly the way you want them to.
  • Manage Team Spaces: Account owners can get an overview of all accounts in their account, modify their settings, and access additional management tools.