Outfield Security Summary

1. Our Commitment To Security

Outfield is a web and mobile cloud application used worldwide by enterprises, teams, and individuals to improve their outside sales and field marketing operations. Outfield is constantly working to preserve our industry leading security program and remain current with state of the art security practices. Here at Outfield, we are committed to inspiring trust and protecting the privacy of our customer’s data so our customers can concentrate on their business. It is this commitment that motivates our decision making every day and our team holds this responsibility in the highest regard.

2. Data Security Practices

2.1 Organizational Structure

Each organization on the Outfield platform is segregated from other organizations and cannot interact with other organizations or users in other areas of the application. This restrictive system is designed to prevent security and privacy issues. Customer data may be further segregated into an independent database or an independent environment at an additional cost.

2.2 User Level Permissions

Selecting team data that each user or set of users can see is one of the key decisions that affects your data security. Outfield recommends finding a balance between limiting access to data versus the convenience of data access for your team members. As such, you as an admin can effectively limit the risk of stolen or misused data. Outfield provides an adaptable and layered data permissions architecture that allows you to expose different data to different sets of team members. Thus, users can execute their job functions without seeing data they don't need to see. Use organization-wide permission settings, user roles, and user level rules to specify the particular records that users can view, create, edit, and delete. Additionally, you as an admin have the ability in Outfield to deactivate and/or delete your individual team members at any time, giving you control over each user’s access to team data as a whole.

2.3 User Authentication

User authentication prohibits unauthorized access to your team data on Outfield by making sure each signed in user is who they say they are. Each user in your organization is able to access their team with a unique email and password that must be entered each time a user signs in. Outfield issues a session cookie to record encrypted user authentication information for the duration of an individual session. Furthermore, multi factor authentication (MFA) can be enabled for additional security for an individual user or required for all users within an organization.

2.4 Application Level Features

Outfield’s applications encourage users to carry out secure behavior while using our features wherever possible. For example, when completing activity on the Outfield mobile apps, our auto-save feature continuously saves all changes to a draft in real-time. This functionality means that users are not tempted to use a separate (and perhaps insecure) application to write out longer text segments and copy/paste it into Outfield. Additionally, users often want to show an activity on a one-time basis to someone who is not on their team. Rather than having to copy/paste data, Outfield allows them to generate a private & unguessable link to that particular activity for this use case, which is a far more secure alternative. The Outfield development team is constantly working on ways to improve our features to encourage secure behavior and we actively encourage our customers to submit their ideas for consideration.

Customized data security options are also available via an Outfield SaaS agreement upon request.

3. Security Assessments & Compliance

Outfield’s security program as a whole is audited quarterly. Outfield’s data hosting system is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). Outfield’s data management system is GDPR and CCPA compliant. Outfield’s payment processing infrastructure is PCI Level 1 compliant for encrypting and processing customer credit card payments.

3.1 Data Centers

Outfield’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

• ISO 27001
• SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
• PCI Level 1
• FISMA Moderate
• Sarbanes-Oxley (SOX)

3.2 Payment Processing

Outfield’s payment processing infrastructure is PCI Level 1 compliant for encrypting and processing customer credit card payments. This is the most stringent level of certification available in the payments industry. All card numbers are encrypted with AES-256.

3.3 Data Management

The General Data Protection Regulation (GDPR) is a new European privacy regulation which replaces the EU Data Protection Directive called Directive 95/46/EC. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. We are big fans of GDPR here at Outfield because we think it gives individuals important rights over their data. Outfield is committed to always operating in the best interests of our customers and this includes compliance with GDPR. Outfield's policy regarding GDPR compliances can he viewed at https://www.outfieldapp.com/gdpr

4. Penetration Testing & Physical Security

4.1 Penetration Testing

Outfield's infrastructure, application, and operations are manually penetration tested on a continual basis. The results are constantly reviewed with the assessors, risk ranked, and assigned to the appropriate team.

4.2 Physical Security

Outfield utilizes ISO 27001 and FISMA certified data centers managed by Amazon. AWS data centers are located in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled.

5. Network Security

Firewalls are used to restrict access to systems from external networks and internally between systems. All access is denied up front and only explicitly allowed ports and protocols are allowed based on need. Each system is assigned to a firewall security group based on the system’s function. To reduce risk, security groups restrict access to only the ports and protocols required for a system’s exact function. Host-based firewalls restrict applications from creating localhost connections over the loopback network interface to additionally isolate applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.

Outfield's infrastructure also provides DDoS mitigation, IP/MAC/ARP spoofing protection, packet sniffing protection, port scanning protection, and more.

6. Application Scanning & Security

7.1 Vulnerability Scanning and Protection

Our continuous vulnerability scanning infrastructure not only uses runtime monitoring for threats and anomalies, but also enables protection across an extensive array of attack vectors such as mixed content protection (assets encryption), data encryption strength (TLS), cookie tampering protection, blocking reflected XSS, restricting the browser from loading unapproved external assets, cookie exposure protection, real-time XSS protection, real-time SQL injection protection, network services filtering, real-time DDoS protection, iframe rendering protection, MIME confusion protection, account takeover protection, and more. Furthermore, because Outfield can identify vulnerabilities in real-time, instant notifications with full stack traces and severity levels will alert our team when security incidents occur. Outfield’s risk management system then integrates the results to produce the level of risk and required remediation time frame for the appropriately assigned team.

7.2 Encryption

All sensitive data transferred to and from the Outfield platform is encrypted using industry leading security standards and token-based authentication. Outfield uses a 2048 bit Industry Standard SSL Certificate with 99.9% browser compatibility and 128/256 bit encryption. Passwords are encrypted using a password hashing function and thus the password itself is not stored. Backups are stored in an AES-256 encrypted buckets.

8. Backups

8.1 Application

Application data is automatically backed up as part of the deployment process on secure, access controlled, and redundant storage. These backups are used to automatically bring the application back online in the event of an outage.

8.2 Database

Customer data in the database uses Continuous Protection to keep data safe. Every change to your data is written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of unrecoverable hardware failure, these logs can be automatically 'replayed' to recover the database to within seconds of its last known state. We also provide you with the ability to backup your database to meet your own backup and data retention requirements.

8.3 Configuration and Meta-information

Configuration and meta-information is backed up every minute to the same high-durability, redundant infrastructure used to store database information. These frequent backups allow capturing changes made to the running application configuration added after the initial deployment.

8.4 Recovery

From our instance images to our databases, each component is backed up to secure, access-controlled, and redundant storage. Databases can be recovered to within seconds of the last known state, restoring system instances from standard templates, and deploying applications and data. In addition to standard backup practices, our infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.

9. Additional Information

Incident Response

Outfield adheres to the GDPR’s requirement that notification occurs no later than 72 hours after breach awareness. Outfield’s comprehensive Data Breach Response Plan is available upon request.

Disaster Recovery

Our platform automatically restores applications and databases in the case of an outage. The platform is designed to dynamically deploy applications, monitor for failures, and recover failed platform components including applications and databases. Outfield’s comprehensive Disaster Recovery Plan is available upon request.

Privacy

Outfield has a published privacy policy that clearly defines what data is collected and how it is used. Outfield is committed to customer privacy and transparency. For more information on privacy, view our privacy policy.

Employee Screening & Policies

As a condition of employment all Outfield employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies and training.

Contact

Our detailed Data Security Policy & Practices, Business Impact Analysis, Data Breach Response Plan, Business Continuity Plan, Disaster Recovery Plan, and other security policies and plans are available upon request. If you have any questions or feedback, please reach out to our support team by email at [email protected].