For a virtual experience to be truly jaw-dropping, it needs to come with airtight security. After all, we want you to be fully confident that our platform is as secure as can be, especially while you’re busy thinking about delighting and engaging your audience through Welcome’s platform. It’s an understatement to say that protecting your data is a top priority for us. In this guide, we'll walk you through the basics of security as it relates to Welcome, from data management to compliance.
The Welcome platform comes with the following security features to provide you with top-notch security.
Events can only be joined from supported, up-to-date browsers: Chrome, Firefox, Edge, or Safari.
Event registration and authentication are required before a participant can enter an event.
An allowlist can restrict entry to an event to registrants from specific predefined domains (for example, only attendees with an approved company email domain).
Participants can be banned from events if they’re misbehaving.
Our chat functionality is end-to-end encrypted.
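The domain allowlist described above is where a naive implementation goes wrong most often: checking that an address "ends with" the approved domain lets `notexample.com` or `example.com.evil.net` through, and case or trailing-dot differences cause false rejections. The following is an added example, not Welcome’s code, showing how such a check should be done. It assumes the allowlist is keyed on the registrant’s email domain, and that matching of subdomains is optional; the names `DomainAllowlist`, `email_domain` and `normalize_domain` are illustrative.

```python
"""Email-domain allowlist check for event registration.

Added example, not Welcome's code. Assumes the allowlist is a set of
email domains and demonstrates the normalization and label-boundary
matching needed so lookalike domains are rejected.
"""
import re
from typing import Iterable, Optional

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(domain: str) -> Optional[str]:
    """Lowercase, strip a trailing dot, IDNA-encode and validate a DNS name.

    Returns None for anything malformed. IDNA encoding turns a Unicode
    lookalike such as 'ex\u0430mple.com' (Cyrillic a) into an xn-- name,
    so it can never compare equal to the ASCII 'example.com'.
    """
    d = domain.strip().rstrip(".").lower()
    if not d:
        return None
    try:
        d = d.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return d


def email_domain(address: str) -> Optional[str]:
    """Return the normalized domain of an email address, or None if unparsable."""
    address = address.strip()
    # Require exactly one '@': rejects 'ceo@example.com@attacker.net'-style
    # inputs whose apparent domain depends on which '@' the parser picks.
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or any(c.isspace() for c in local):
        return None
    return normalize_domain(domain)


class DomainAllowlist:
    """Set of approved email domains with optional subdomain matching."""

    def __init__(self, domains: Iterable[str], allow_subdomains: bool = False):
        self.allow_subdomains = allow_subdomains
        self.domains = set()
        for entry in domains:
            normalized = normalize_domain(entry)
            if normalized is None:
                raise ValueError(f"malformed allowlist entry: {entry!r}")
            self.domains.add(normalized)

    def permits(self, address: str) -> bool:
        """True if the address's domain is allowlisted (after normalization)."""
        domain = email_domain(address)
        if domain is None:
            return False
        if domain in self.domains:
            return True
        if self.allow_subdomains:
            # Match only at a label boundary: 'hr.example.com' is accepted,
            # 'notexample.com' and 'example.com.evil.net' are not.
            return any(domain.endswith("." + d) for d in self.domains)
        return False


if __name__ == "__main__":
    # Constructed sample registrations, not real data.
    allowlist = DomainAllowlist(["Example.com", "partner.org"])
    for addr in ["alice@example.com", "Bob@EXAMPLE.COM.", "eve@notexample.com",
                 "eve@example.com.evil.net", "ceo@example.com@evil.net",
                 "eve@ex\u0430mple.com"]:
        print(f"{addr!r:35} -> {'allowed' if allowlist.permits(addr) else 'rejected'}")
```

Two design choices worth noting: subdomain matching is off by default, because an organization that allows `example.com` has usually not vetted every host under it, and the allowlist entries themselves go through the same normalization as registrant addresses, so a typo in the configuration fails loudly at load time rather than silently rejecting everyone.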
Worry not—your data is secure with us. Here are the measures we take to safeguard your data, all day every day.
All data at rest and in transit, including any access to Welcome resources, is encrypted.
Full-disk encryption is enabled for all Welcome devices.
Web-based administrative access to the infrastructure console’s admin pages must be encrypted with TLS.
A secure data deletion process is in place for the removal of data at rest.
Staying ahead of any potential threats starts with the first line of defense: securing the network perimeter.
Annual penetration tests, formal cryptography policies, and password policies are in place to protect against threats originating outside our system boundaries.
Firewalls filter unwanted traffic, deny by default any traffic that is not explicitly allowed, and block public access to administrative services such as SSH.
Our infrastructure is secured via industry-standard best practices.
Our application is hosted on Heroku and AWS. Both vendors have a rigorous security program in place.
AWS publishes information on its security and compliance program, which includes SOC 2, PCI DSS Level 1, FedRAMP, NIST, and HIPAA, among others.
Heroku publishes an overview of its security posture; its security assessments and compliance include SOC 2, PCI, and Sarbanes-Oxley.
Annual third-party penetration tests of our application are conducted, and findings are triaged and addressed in a timely manner.
We maintain formal credential and key management, firewalls, MFA on accounts used to access sensitive systems, password policies, and strong TLS cipher suites, and we require unique user IDs for access to the corporate network, production machines, network devices, and support tools.
At Welcome, we take pride in maintaining internal access security from cradle to grave.
When it comes to people security, we run background checks to screen employees before hiring, and require security awareness training as part of the onboarding process to help new hires understand the ins and outs of their security responsibilities.
Prior to issuing system credentials and granting system access, we require that new internal and external users are registered and authorized. When a user’s access is no longer authorized, the access credentials are removed.
Access requires approval and is granted only as necessary for the individual’s job function, following the principle of least privilege.
We regularly conduct user access reviews–which includes the evaluation of user roles, privileges, and credentials–to ensure that access to our systems is appropriate.
Access is removed in a timely manner upon termination.
What’s the use in a platform that's not properly up and running when you’re trying to produce a stellar virtual experience? That’s why we’re committed to being as transparent as possible when it comes to the performance and availability of our systems. You can always see what’s going on with our servers in real time, along with all previous incidents, on our status page.
End User Communications
Certifications & Compliance
SOC 2 Type II + HIPAA
Don't just take our word for it: Find out what our auditors have to say. We’re currently working on getting all the right third-party seals of approval on the security of our platform—here’s the latest on where we’re at in the SOC 2 and HIPAA compliance process.
The American Institute of Certified Public Accountants’ (AICPA) SOC 2 reporting framework is the widely accepted standard for evaluating the security, availability, and confidentiality controls of Software-as-a-Service companies. A SOC 2 report means an independent auditor has examined how we handle your data and found our controls to be in line with trusted industry standards.
As such, we are currently undergoing a SOC 2 Type II audit and anticipate having a report available in April 2021, as soon as our auditors give us their final sign-off.
We’re also actively working to provide a HIPAA mapping, which provides assurance for our healthcare-minded clients by letting you know how our controls relate to HIPAA security rules.
If your organization requires documentation in the meantime, please contact us at firstname.lastname@example.org or through your Sales rep and we'll be happy to provide a letter of attestation from our auditors.
Welcome relies on third-party data processors, or subprocessors, to help our platform run efficiently. Our security team carefully evaluates each vendor’s security and confidentiality practices, ensuring that they have relevant security documentation and compliance reports.
The following table lists the legal entities we work with, along with the specific activities they support and server locations.