Security

Customer privacy is important to us, and so is being transparent about how we collect, use, and share information. VSight invests in a privacy and security program to protect customers’ data. Building a robust privacy and security program is the first step to reinforcing customers’ confidence in how we value, treat, and protect their data. At VSight, we are committed to compliance with the General Data Protection Regulation (GDPR). Our customers can trust that we have made GDPR a priority and have devoted significant resources to our compliance efforts. In compliance with the obligations deriving from the European regulation concerning the protection of personal data n. 679/2016 (GDPR) and subsequent amendments, our site respects and protects the confidentiality of its visitors and users, making every possible and proportionate effort not to prejudice users’ rights. Here we outline the measures we have taken to meet the security requirements that apply to our customers:

Authentication Security

Password Management
VSight Platform strictly enforces a set of password requirements to ensure security standards are met: Passwords must be a minimum of ____ characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols. Multiple login attempts with the wrong username or password will result in a security notification.

Two-factor authentication (2FA)
You can activate two-factor authentication (2FA) for your account to secure it further. With two-factor authentication activated for VSight Platform, attackers are unable to access your account without possessing the physical device needed to complete the second factor.

API Security
All data transactions are encrypted (HTTPS). Connections use TLS 1.2 with ECDHE_RSA key exchange (P-256) and the AES_128_GCM cipher.

Session Security

Session Timeout
Timeouts ensure that sessions in VSight Platform end after 10 minutes when they are no longer in use, preventing unauthorised access and reducing exposure to data breaches. The timeout can optionally be disabled.

Log Out
Logging out helps prevent other users from accessing the accounts without verifying their credentials. It also helps protect the current user’s access or prevent unauthorised actions on the current login session and is thus an important part of security.

Network Security

Protection
Cloud connectivity supports access via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. All media traffic is encrypted no matter the endpoint you use (web or mobile) or the session setup you choose (P2P or multiparty). That means that you are safe when using the VSight platform even if you use it in an open public hotspot. VSight media endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.

Security Awareness

We constantly monitor notifications from various sources and alerts from internal systems to identify and manage threats. We test all code for security vulnerabilities before release and regularly scan the network and systems. Test results are reviewed by our engineering team once the test is complete. If the test results identify a new or unknown risk, the results are logged in the internal issue tracking system and reviewed by our software engineering security panel. The software engineering group is responsible for addressing identified issues. If patches are required to mitigate risks, they shall be scheduled according to risk severity and in a manner to minimise service outages.

Employee Vetting

Background Checks
All customer data is stored securely in Google Cloud Platform, and Data Access audit logs are also configured. We limit access to your business’ data to VSight personnel who need it to do their jobs; for example, when a customer service agent assists you in managing your data. Strong access controls are enforced by organisational and technical safeguards. When we work with third parties, like customer support vendors, to provide VSight services, we conduct an assessment to ensure they provide the appropriate level of security and privacy needed to receive access to your business’ data.

Confidentiality Agreements
All VSight employees and suppliers sign a non-disclosure agreement. When an employee leaves the company, access to all accounts is sealed, including the code repository, company email, and bug systems.

Availability Controls

Disaster Recovery
In case of a disaster or emergency situation where VSight business systems and/or data are affected, we are responsible for establishing an emergency level of service, starting by restoring critical services and then recovering to normal operation. Also, at the secure data centres, the backup and recovery process includes regular data backups and cloning of backups over secure links. In addition, data is not transported offsite and is securely destroyed when retired.

Segregation Controls

User Roles
VSight platform provides user permission levels for specific roles to help you manage users easily while holding different sessions. If you invite multiple people to join a session, the platform gives you the flexibility to grant different levels of permission to each user.

Physical Security

• The VSight platform is hosted at the high-availability Google Cloud Platform (GCP). These facilities provide support, including physical and environmental security.

• Also, our office facilities are secured by 24/7 guards, interior and exterior video surveillance, alarm systems, security gates, and doors equipped with access card readers or locks.

Location


Private cloud or physical server integration

In case you additionally require the data to be stored on your own private cloud or physical server, VSight offers REST API and WebDav integrations upon request.

Links

VSight Data Security Overview:
https://app.vsight.io/security-information

Google Cloud Data Processing Amendment, which VSight utilises: https://gsuite.google.com/terms/dpa_terms.html

Statement from Google Cloud about the data:
“To put it simply, the data that companies, schools, and government agencies put into our systems are theirs. Whether it’s corporate intellectual property, personal information, or a homework assignment, Google does not own that data. That means two key things:
• We use your information for the purposes specified in your agreement, such as delivering you the service for which you pay. There are no ads in Google Cloud.
• You have control over your data. We provide you with tools to delete and export your data so that you can take your data with you at any time, use external services in conjunction with G Suite, or stop using our services altogether.”

For reference:
https://support.google.com/googlecloud/answer/6056650

General Compliance of Google Cloud (https://cloud.google.com/security/compliance/)
VSight uses Google Cloud Platform, which has:
• Cloud Computing Compliance Controls Catalog (C5)
• CSA STAR
• Spain Esquema Nacional de Seguridad (ENS)
• FedRAMP
• FIPS 140-2 Validated
• HDS
• HITRUST CSF
• Higher Education Cloud Vendor Assessment Tool (HECVAT)
• Independent Security Evaluators (ISE) Audit
• IRAP (Information Security Registered Assessors Program)
• ISO 27001, ISO 27017, ISO 27018
• MTCS (Singapore) Tier 3
• OSPAR
• PCI DSS
• SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c)
• SOC 1, SOC 2, SOC 3
• TISAX
• U.S. Defense Information Systems Agency Provisional Authorization

Cloud in Frankfurt
https://cloud.google.com/about/locations/frankfurt