Security at Welcome

For a virtual experience to be truly jaw-dropping, it needs to come with airtight security. After all, we want you to be fully confident that our platform is as secure as can be—especially while you’re busy thinking about delighting and engaging your audience through Welcome’s platform. It’s an understatement to say that protecting your data is a top priority for us. In this guide, we'll walk you through the basics of security as it relates to Welcome, from data management to compliance.

Security Features

Our Platform

The Welcome platform comes with the following security features unique to our product to provide you with top-notch security.

  • We only allow access to events from secure browsers: Chrome, Firefox, Edge, or Safari.
  • Event registration and authentication are required before entering an event.
  • Allowlist features are available to only allow entry to an event from specific predefined domains.
  • Participants can be banned from events if they’re misbehaving.
  • Our chat functionality is end-to-end encrypted.

Data Security

Worry not—your data is secure with us. Here are the measures we take to safeguard your data, all day every day. 

  • All data at rest and in-transit, including any access to Welcome resources, is encrypted.
  • Full-disk encryption is enabled for all Welcome devices.
  • Web-based administrative access to the admin page of the infrastructure console is required to be encrypted through SSL/TLS.
  • A secure data deletion process is in place for the removal of data at rest.

Network Security

Staying ahead of any potential threats starts with the first line of defense: securing the network perimeter.

  • Annual penetration tests, formal cryptography policies, and password policies are in place to protect against threats from outside system boundaries.
  • Firewalls are used to filter unwanted traffic, deny all traffic that is not explicitly allowed, and deny public traffic for administrative services such as SSH.

Infrastructure Security

Our infrastructure is secured via industry-standard best practices.

  • Our application is hosted on Heroku and AWS. Both vendors have a rigorous security program in place.
  • Information on AWS’s security and compliance program can be found here. It includes SOC 2, PCI DSS Level 1, FedRAMP, NIST, and HIPAA, among others.
  • An overview of Heroku’s security posture can be found here. Heroku’s security assessments and compliance include SOC 2, PCI, and Sarbanes-Oxley.
  • Annual third-party penetration tests of our application are conducted, and findings are triaged and addressed in a timely manner.
  • We enforce formal credential key management, firewalls, MFA on accounts used to access sensitive systems, password policies, strong SSL/TLS ciphers, and unique IDs for access to the corporate network, production machines, network devices, and support tools.

Access Security

At Welcome, we take pride in maintaining internal access security from cradle to grave.

  • When it comes to people security, we run background checks to screen employees before hiring, and require security awareness training as part of the onboarding process to help new hires understand the ins and outs of their security responsibilities.
  • Prior to issuing system credentials and granting system access, we require that new internal and external users are registered and authorized. When a user’s access is no longer authorized, the access credentials are removed, naturally.
  • Access requires approval and is granted as necessary for the individual’s job function, per the principle of least privilege.
  • We regularly conduct user access reviews, which include the evaluation of user roles, privileges, and credentials, to ensure that access to our systems is appropriate.
  • Access is removed in a timely manner upon termination.

Availability

What’s the use in a platform that's not properly up and running when you’re trying to produce a stellar virtual experience? That’s why we’re committed to being as transparent as possible when it comes to the performance and availability of our systems. You can always see what’s going on with our servers in real time, along with all previous incidents, on our status page.

End User Communications

It’s our job to keep you in the loop. All external parties receive clear communications regarding our internal security. This includes our company commitments, a formalized Privacy Policy and Terms of Service, customer data policies, a formal disclosure process, and communication of the system and its boundaries.

Certifications & Compliance

SOC 2 Type II + HIPAA

Don't just take our word for it: Find out what our auditors have to say. We’re currently working on getting all the right third-party seals of approval on the security of our platform—here’s the latest on where we’re at in the SOC 2 and HIPAA compliance process.

  • The American Institute of Certified Public Accountants’ (AICPA) SOC 2 reporting framework is the gold standard for security, confidentiality, and availability of Software-as-a-Service companies. Having their seal of approval means that you can trust that we’re handling your data safely by following trusted industry standards.
  • As such, we are currently undergoing a SOC 2 Type II audit and anticipate having a report available in April 2021, as soon as our auditors give us their final sign-off.
  • We’re also actively working to provide a HIPAA mapping, which provides assurance for our healthcare-minded clients by letting you know how our controls relate to HIPAA security rules.
  • If your organization requires documentation in the meantime, please contact us at security@experiencewelcome.com or through your Sales rep and we'll be happy to provide a letter of attestation from our auditors.

GDPR

If your organization works in the European Union, have no fear: Welcome is GDPR-compliant. The ways in which we collect and process data are aligned to General Data Protection Regulation (GDPR) guidelines, so you can rest assured that our platform is a-ok to use in the EU. Our Privacy Policy, Data Processing Addendum, and overall security processes were all written with the GDPR in mind.

Subprocessors

Welcome relies on third-party data processors, or subprocessors, to help our platform run efficiently. Our security team carefully evaluates each vendor’s security and confidentiality practices, ensuring that they have relevant security documentation and compliance reports.

The following table lists the legal entities we work with, along with the specific activities they support and server locations.

Contact

If you have any questions or comments about the way we handle security or compliance, contact security@experiencewelcome.com.

2021 Welcome, Inc. All rights reserved