Security Overview

Introduction

Vtiger information and information systems are valuable assets and must be protected. This is achieved by implementing proper security frameworks for managing risks to Vtiger and ensure business continuity by preventing security incidents and reducing their potential impact.

Organizational Security

Policies and procedures are defined and implemented across domains and business processes. The policies are Used to test controls and to protect the confidentiality, availability and integrity of Vtiger information and information resources.

Employee Vetting

Each employee is vetted before they formally join the company. Vtiger employs external third-party vendor to accomplish background verification which includes vetting of criminal records, previous employment records if any, and educational background

Training and awareness

Security awareness content is created and circulated within different teams to ensure that employees of Vtiger are aware of information security policies, emerging threats and common attack vectors. In addition to this security awareness sessions are conducted to raise awareness about the threats, security practices and company policies.

Physical Security

Vtiger's corporate security is responsible for protecting Vtiger assets in physical locations. Vtiger monitors the premises with CCTV cameras, back-up footage is available up to a certain period, depending on the requirements for that location. The access to the premises is granted upon use of Biometric and Keycards identification.

In case of cloud resources (like AWS, DigitalOcean, OVH ) cloud ISPs are responsible to secure the assets and maintain proper security controls. More details on how ISP’s security controls can be found here.

Operational Security

These practices focus monitoring real time communication systems for active threats and procedures to keep information systems protected.

Logging & Monitoring

Infrastructure and applications are monitored 24X7 with proprietary and enterprise tools. We monitor internal traffic in our network, and usage of devices and terminals. We record event logs, audit logs, fault logs, administrator logs, and operator logs and these logs are analyzed for anomalies and incidents. These logs are stored securely in an isolated capacity.

Vulnerability Assessment

Vtiger also employs a security team to discover and address vulnerabilities within our software, as well as incentivizing our members of the broader software security community to identify and report vulnerabilities.

Backup

Vtiger takes database and file backups of every customer instance every day. This backup is stored on a separate server to protect against the risk of hardware failure. In the case of such a failure, data and service access can be restored within 8 hours.

Security Patches

Vtiger performs preventative maintenance to protect against any potential vulnerabilities by deploying patches as and when they are developed internally or otherwise become available.

Data Security

Data is key to the business and to maintain confidentiality, availability and integrity of the data all the time, we follow strict guidelines that revolve around our architecture, development and operations.

Engineering practices

Engineering teams follow secure coding guidelines, as well as manual review/ screening of the code before it is deployed in the production.

The secure coding guidelines are based on OWASP standards and implemented accordingly to protect against common threats and attack vectors (like SQL injection,Cross site scripting) within the application layer.

Data Isolation

Vtiger follows multi tenant architecture, hence every instance has their own separate space allocated to them. These instances are unaware of every other instance and hence running separately.

Encryption

In Transit

All data transferred between your browser and Vtiger’s servers are secured with industry standard TLS 1.2/1.3. This includes webapps, API, mobile Apps and IMAP/POP/SMTP email client access.

We have enabled secure configurations like perfect forward secrecy (PFS) and HTTP Strict Transport Security header (HSTS) to all our web traffic, this mandates browser to connect only via encrypted communication channel.

 At Rest

Storage disks of all the servers are encrypted using Disk level Encryption.

Customer data using sensitive fields is encrypted using 256-bit Advanced Encryption Standard (AES), we use AWS Key Management Service (KMS) for Key management.

Backups are encrypted using AES-256 at AWS S3.

Data retention and deletion

We retain customers data as long as they are active subscribers of the service, in case of the cancellation or inactivity following rules ensures data disposal.

For trial accounts that do not start a paid subscription, data is deleted 12 days after the trial ends.

For paid accounts that are canceled, data is deleted 90 days after the account’s cancellation date.

For paid accounts that have a payment failure, the account will be suspended within 15 days, and closed after 90 days. All data will be deleted 1 week after account closure.

For free accounts, data is deleted after 60 days of account inactivity.

Billing data used for invoice generation is retained for 7 Years for business purposes.

Data Location

Vtiger’s servers are located in the United States, European Union (Ireland, Frankfurt), Australia, Singapore, Japan and India. The server on which your data is stored depends upon the region in which you are located at the time at which you start your free Vtiger trial.

Incident Management

Process that describes the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence. If not managed, an incident can escalate into an emergency, crisis or a disaster.

Reporting

Dedicated teams are responsible to look at different incidents occurring within the environment that applies to you, we follow the mandatory actions of handling and reporting it. We track the root cause of the problem and take precautionary measures to avoid this in the future. Further measures and controls are put in place to mitigate similar situations.

Breach Notification

If a breach is discovered at the service level, Vtiger will alert it’s customers and the concerned authorities within 72 hours of the discovery.