Introduction

Snap Recordings offers professional voice-over recordings and messaging technology for telephony, with enterprise-grade audio management and AI-powered message creation tools. We provide the best quality professional voice-overs and enterprise-grade messaging applications with an easy-to-use engine to manage the experience through our proprietary SaaS platform. Because of our flagship service, we view the protection of our data and that of our customers as a critically important component of our success. We are committed to transparency when it comes to sharing the approach we take to achieve data security.

This security overview is meant to showcase the initiatives we have in place to maintain a robust security posture throughout our organization in order to protect our sensitive data and that of our customers, as well as how we maintain application integrity. Each section outlines a different aspect of the Snap Recordings security program and reflects our current state.

Organizational Security

Snap Recordings maintains an industry-leading security program that is based on the fundamental concept of layered security: we incorporate security at every layer of our organization to compound our effectiveness in securing it, which in turn ensures we protect our customers' data. Our security program is based on a variety of frameworks, including the NIST Cyber Security Framework (CSF), GDPR, and AICPA's SOC2 Trust Service Principles.

Our security efforts are led by our executive management team, who spearhead the implementation and maintenance of all security policies, controls, and procedures. They are not operating in a silo, of course, and are supported by Snap Recordings's IT and Engineering Teams. Our team is dedicated to focusing on everything from our cloud security architecture to our application security and our vulnerability monitoring & management (all of which are described in greater detail below).

The entirety of Snap Recordings's security program is managed via documented policies and procedures, which are maintained by our IT team and continuously updated as needed to reflect what is being accomplished in the IT environment.

Maintaining Website Integrity & Protecting Customer Data

Snap Recordings’s flagship service is to provide professional message production & technology for telephony. Due to the nature of our business, we work with enterprise organizations globally. Although the data we collect is largely considered not to be sensitive or proprietary, application integrity is still treated as paramount to our success and that of our customers.

The main focal point of Snap Recordings's security program is, simply put, to protect customer data from unauthorized access and to ensure the service we create for them is never compromised. As such, our IT team works with all members across the organization to implement various control initiatives in order to mitigate the risks that impact our organization specifically, to implement industry-leading best practices, and to continuously update our procedures in order to improve our security and our understanding of threats.

Secure Development Practices

Snap Recordings provides a web software service as part of our offering to customers. As such, we invest heavily in a secure development lifecycle as we make changes in our cloud environment. We work diligently to ensure that all changes are designed and tested rigorously in a non-production environment before they reach a production environment. We also have mechanisms in place to check for vulnerabilities in our services within our production environment, which are triaged and resolved in a timely manner. All of our processes are documented and strict segregation of duties is maintained across our development, test and production environments to ensure that unauthorized changes don't occur. Finally, Snap Recordings has monitoring mechanisms in place to identify all changes that are moved to production, which are periodically audited to confirm appropriateness.

Encryption

Snap Recordings maintains stringent encryption standards for our services in order to protect sensitive data as it is in transit and while being stored in our cloud environment (at rest):

  • All data transmitted between Snap Recordings’s service and our clients is protected by strong encryption methods. Snap Recordings has incorporated the latest recommended encryption methods to protect all web traffic to our websites, including TLS 1.2 protocols and AES 256 encryption.
  • Any production data stored in Snap Recordings’s cloud environment is encrypted using FIPS 140-2 compliant encryption standards. Our encryption methods incorporate all facets of Snap Recordings’s cloud systems – relational databases, production backups, key management system, etc. Snap Recordings leverages a key management solution to store encryption keys on a secure server that is segregated from our other resources.

Snap Recordings customer websites (and subsequent data) are hosted in our shared infrastructure but are logically separated from other customer instances. We have redundancies and advanced storage methods to ensure that website integrity is maintained and can be recovered quickly as needed. Because Snap Recordings leverages the power of our cloud service provider, our services are hosted in the world’s most secure cloud data centers with advanced protections around physical hardware and infrastructure. Better yet, encryption practices are managed by Snap Recordings so that no vendor, including our cloud service provider, has access to customer data.

Network Security

Due to the nature of our IT environment, Snap Recordings’ services are entirely cloud-hosted. Snap Recordings has designed development and test environments that are completely separate from our production infrastructure. Snap Recordings maintains robust configuration management procedures within our cloud environment to ensure that our entire production environment is hardened and aligns with industry best practices. This includes measures such as disabling open ports, removing vendor accounts, disabling root accounts, and more. We also apply a baseline configuration image to production servers in order to maintain consistently great security.

While Snap Recordings provides website services that are accessible to many people globally, we still ensure that only the servers that are needed to provide our services are public-facing. For Snap Recordings’ internal access, all cloud admins are restricted to specific devices and must connect via an encrypted connection. Furthermore, all system calls are monitored and recorded to ensure integrity and prevent unauthorized access.

Finally, Snap Recordings maintains various mitigation techniques to prevent DDoS attacks and has the ability to quickly migrate a website to a different server in the event of such an attack.

Endpoint Security

Snap Recordings issues corporate laptops to employees and prohibits the use of personal devices to conduct job responsibilities unless explicitly approved. Every device used by an employee must meet minimum security standards outlined by IT. Snap Recordings also enforces encryption on all workstations, as well as strong password parameters. Furthermore, Snap Recordings uses Sophos as our state-of-the-art antivirus program to monitor continuously for malicious files or unauthorized software. The use of mobile devices is limited to only approved personnel and must also be controlled within our EMM solution.

Access Control

Snap Recordings recognizes that Identity and Access Management (IAM) is one of the most fundamental components of a good security program. As such, we have established procedures and technologies throughout our environment to ensure that the right people have access to the right systems at the right time.

New Access

Snap Recordings has adopted the strategy of least privilege for all access granted in our organization. Each user is assigned an email account that serves as their identity for many of our systems and is associated with a unique, complex password. Where feasible, privileged admins leverage SSO capabilities. Furthermore, role-based privileges are incorporated into our cloud environment to ensure that access is appropriate at all times. In the event of a termination, Snap Recordings removes the user from all systems immediately to mitigate the risk of unauthorized access. Finally, all users are reviewed at least annually across all systems to ensure that their access and permissions remain appropriate.

Access Authentication

In addition to the Single Sign On (SSO) capabilities that have been established across the organization, Snap Recordings employs Multi-Factor Authentication (MFA) for all systems that contain sensitive data or for password managers that house logins to our critical systems, including the cloud environment and subsequent client environments. Our MFA mechanisms enforce a separate device to validate secondary authentication. Snap Recordings also leverages private keys to further protect customer instances in our cloud environment.

Password Management

The Snap Recordings Security team requires that approved password managers be used for all privileged admin accounts. This ensures that we can enforce components like unique, complex passwords and prevent password reuse.

Monitoring and Logging

Snap Recordings ensures that monitoring mechanisms and logging capabilities are enforced throughout our IT environment, both for our internal users and for inbound traffic navigating to customer websites. Using advanced tools in our cloud environment, Snap Recordings is able to keep track of administrative access, system calls, and production-level commands. The analysis of these logs is conducted in an automated fashion to ensure that Snap Recordings catches the events that matter and can detect potential issues in real time. All logs are recorded and maintained in a separate environment from our customer data and are retained for one (1) year.

Data Retention and Disposal

Snap Recordings protects customer data throughout its entire lifecycle and has mechanisms in place to remove customer data in a timely manner according to expiration guidelines set forth by our customers or when a contract has ended. Data is also deleted periodically from our production systems, as backups are maintained. Because Snap Recordings leverages cloud servers, removal of data from disks is a shared responsibility of the vendor, who follows strict guidelines based on NIST standards.

Disaster Recovery and Business Continuity

Since Snap Recordings’ services to customers are completely cloud-hosted, our hosting provider distributes our operational production environment across multiple physical instances. Snap Recordings also has the ability to distribute across different locations in our cloud region in order to maintain redundancy throughout our production environment. Due to these measures, Snap Recordings inherently has protections in place against loss of connectivity, power outages, destruction of a physical location, etc. This allows us to replicate customer environments easily to avoid downtime with the services that we provide. Snap Recordings also maintains full backup copies of our production services, which are updated daily. Finally, Snap Recordings conducts periodic tabletop exercises to test our Disaster Recovery plan as well as our backup recovery capabilities.

Incident Response

Snap Recordings maintains a living Incident Response Plan that includes policies and procedures that would be enacted in the event of an incident. Our security team is dedicated to monitoring and responding to incidents in real-time, and lessons learned from any incidents that have occurred are recorded and used to improve our procedures. The Snap Recordings system sends out automatic notifications to customers in the event of a successful scheduled install or failed install, with necessary information about the results. Snap Recordings also maintains a communication schedule to alert the relevant parties in the event of an incident that may detrimentally impact their environment. 

Snap Recordings’ security team tests our Incident Response plan at least annually and records the results in order to continuously improve.

Vendor Management

While Snap Recordings strives to provide as many services as possible through proprietary applications, we leverage vendors in certain facets of our IT environment in order to offer a better service to our customers. In any event where a vendor will gain access to our critical systems and data, Snap Recordings establishes stringent agreements and conducts a vendor risk assessment to validate the vendor’s security posture prior to granting them access. These assessments occur on an annual basis for as long as we do business with the respective vendors.

Don't hesitate to contact us with questions or clarification requests:

security@snaprecordings.com