Exponexa Security and Compliance Overview

Updated 07/24/24

Introduction

Our Company and Products

Founded with a vision to empower marketing professionals and agencies, Exponexa is dedicated to helping our clients surpass their success benchmarks. Our mission is to enhance automation, improve communication, and boost scalability in a user-friendly manner, consistently providing innovative updates that reflect these priorities.

Our AI-powered all-in-one sales, marketing, and customer relationship management (CRM) platform offers a plethora of features essential for agencies and marketers. This comprehensive software solution provides limitless opportunities for our customers to set and achieve ambitious sales goals, supported by our team of experts.

Exponexa Security and Risk Focus

Exponexa’s primary security focus is to safeguard our customers’ data. We have invested heavily in appropriate controls to protect and service our customers, including dedicated corporate, product, and infrastructure security programs. Our Legal Team, in collaboration with other departments, oversees the implementation of these programs.

Our Security and Compliance Objectives

We have developed our security framework using best practices for the SaaS industry. Our key objectives include:

Exponexa Security Controls

To protect the data entrusted to us, Exponexa employs multiple layers of administrative, technical, and physical security controls throughout our organization. Below are some of our most frequently asked questions about these controls.

Infrastructure Security

Cloud Hosting Provider

Exponexa does not host any product systems or data within its physical offices. We outsource hosting of our product infrastructure to leading cloud infrastructure providers such as Google Cloud Platform Services and Amazon Web Services. Our product infrastructure resides in the United States. We rely on Google’s and AWS’s audited security and compliance programs for the efficacy of their physical, environmental, and infrastructure security controls.

Network and Perimeter

Exponexa's cloud hosting providers' infrastructure enforces multiple layers of filtering and inspection on all connections across our web application, logical firewalls, and security groups. Network-level access control lists prevent unauthorized access to our internal product infrastructure and resources. By default, firewalls are configured to deny network connections that are not explicitly authorized. Changes to our network and perimeter systems are controlled by standard change control processes, and firewall rule sets are reviewed periodically to ensure only necessary connections are configured.

Configuration Management

Automation drives Exponexa’s ability to scale with our customers’ needs, and rigorous configuration management is integral to our daily infrastructure processing. Our product infrastructure is a highly automated environment that expands capacity as needed.

Our Cloud Hosting Provider's server instances are tightly controlled from provisioning through deprovisioning, ensuring deviations from configuration baselines are detected and reverted at a predefined cadence. If a production server deviates from the baseline configuration, it will be overwritten with the baseline within 30 minutes. Patch management is handled using automated configuration management tools or by removing non-compliant server instances.

Logging

Actions and events within the Exponexa application are consistently and comprehensively logged. Exponexa's Cloud Hosting Providers' logs are indexed and stored in a central logging solution. Security-relevant logs are also retained, indexed, and stored to facilitate investigation and response activities. The retention period of logs depends on the nature of the data logged. Write access to the storage service where logs are stored is tightly controlled and limited to a small subset of engineers who require access.

Alerting and Monitoring

Exponexa's Cloud Hosting Provider invests in automated monitoring, alerting, and response capabilities to continuously address potential issues.

Application Security

Web Application Defenses

All customer content hosted on our platform is protected by our Cloud Hosting Provider's firewall and application security. Monitoring tools actively observe the application layer and can alert on malicious behavior based on behavior type and session rate. The rules used to detect and block malicious traffic are aligned with best practice guidelines documented by the Open Web Application Security Project (OWASP), specifically the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, ensuring continuous availability of customer websites and other parts of the Exponexa products.

Vulnerability Management

Exponexa's Cloud Hosting Provider manages a multi-layered approach to vulnerability management, using a variety of industry-recognized tools and threat feeds to ensure comprehensive coverage of our technology stack. Vulnerability scans run regularly, using adaptive scanning inclusion lists for asset discovery and the latest vulnerability detection signatures. We perform annual penetration tests against our applications and infrastructure to identify vulnerabilities that may present security-related risks. Relevant findings are assessed, and mitigations are prioritized accordingly.

Customer Data Protection

Data Classification

Per Exponexa’s Terms of Service, our customers are responsible for ensuring they only capture appropriate information to support their marketing, sales, services, content management, and operations processes. The Exponexa products should not be used to collect or store sensitive information, such as credit or debit card numbers, financial account information, Social Security numbers, passport numbers, or financial or health information, except as otherwise permitted.

Tenant Separation

Exponexa provides a multi-tenant SaaS solution where customer data is logically separated using unique IDs to associate data and objects to specific customers. Authorization rules are incorporated into the design architecture and validated continuously. Additionally, we log application authentication and associated changes, application availability, and user access and changes.

Encryption

All data is encrypted in transit with TLS version 1.2 or 1.3 and 2,048-bit keys or better. Transport Layer Security (TLS) is also enabled by default for customers who host their websites on the Exponexa platform. We leverage several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices and are encrypted at rest.

Data Backup and Disaster Recovery

System Reliability and Recovery

Exponexa is committed to minimizing system downtime. All product services are built with redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers. All web, application, and database components are deployed with point-in-time recovery.

Backup Strategy

System Backups

Systems are backed up regularly by our Cloud Hosting Providers with established schedules and frequencies. Seven days’ worth of backups are kept for any database, ensuring easy restoration. Backups are monitored for successful execution, and alerts are generated for any exceptions. Failure alerts are escalated, investigated, and resolved. Data is backed up daily to the local region. Monitoring and alerting are in place for replication failures and are triaged accordingly.

Physical Backup Storage

As we leverage public cloud services for hosting, backup, and recovery, Exponexa does not implement physical infrastructure or physical storage media within its products. We do not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.

Customer Data Backup Restoration

Exponexa customers do not have access to the product infrastructure in a way that would allow a customer-driven failover event. Disaster recovery and resiliency operations are managed by our product engineering teams. In some cases, customers can use the recycle bin to directly recover and restore contacts, opportunities, custom fields, custom values, tags, notes, and tasks up to 30 days after deletion. Changes to web pages, blog posts, or emails can be restored to previous versions using version history. For customers who wish to additionally back up their data, the Exponexa platform provides many ways to ensure data security.

Identity and Access Control

Product User Management

The Exponexa products allow for granular authorization rules. Customers can create and manage users in their portals, assign appropriate privileges, and limit access as they see fit.

Product Login Protections

The Exponexa products allow users to log in to their accounts using the native Exponexa login. This login enforces a uniform password policy requiring a minimum of 8 characters, including a combination of lowercase and uppercase letters, special characters, and numbers. Users cannot change the default password policy. Customers who use Exponexa’s built-in login are protected by two-factor authentication for their accounts.

Exponexa Employee Access to Customer Data

Access to Production Infrastructure

User access to internal data stores and production infrastructure is strictly controlled.

Access to Customer Portals

By default, Customer Support, Services, and other customer engagement staff can obtain limited access to parts of your Exponexa account to assist you. When accessing a portal, Exponexa employees cannot perform high-risk actions such as:

User logins, employee access, security activity, and content activity are logged.

Organizational and Corporate Security

Background Checks and Onboarding

Exponexa employees undergo a third-party background check before formal employment offers. Reference verification is performed at the hiring manager's discretion. Upon hire, all employees must read and acknowledge Exponexa’s Employee Handbook and Code of Conduct, which define their security responsibilities in protecting company assets and data.

Policy Management

To keep all employees aligned with data protection, Exponexa documents and maintains written policies and procedures. Specifically, we maintain a core Written Information Security Policy, covering topics such as data handling requirements, privacy considerations, and disciplinary actions for policy violations. Policies are reviewed and approved at least annually.

Security Awareness Training

Exponexa employees must complete Cyber Safety training upon starting their employment, with annual training thereafter. The Cyber Safety training includes phishing awareness.

Vendor Management

Exponexa may leverage third-party service providers to support product development and internal operations. We ensure our vendors have appropriate security and privacy controls in place as part of our contractual relationship with them. We also maintain a list of our sub-processors within our Data Processing Agreement.

Compliance

Sensitive Data Processing and Storing

Please refer to our Terms of Service and Privacy Policy for additional information on how and why we process data. Please note that, while Exponexa customers may pay for services by credit card, Exponexa does not store, process, or collect credit card information submitted to us by customers, and we are not PCI-DSS compliant. We leverage PCI-compliant payment card processors to ensure that our payment transactions are handled securely.

Privacy

As described in our Privacy Policy, we do not sell your personal data to third parties. The protections described in this document and other safeguards that we have implemented are designed to ensure that your data remains private and unaltered.

Data Retention and Data Deletion

Customer data is retained for as long as you remain an active customer. Current and former customers can make written requests to have certain data deleted, and Exponexa will fulfill those requests as required by privacy rules and regulations. Exponexa retains certain data, like logs and related metadata, to address security, compliance, or statutory needs. Exponexa does not currently provide customers with the ability to define custom data retention policies.

Privacy Program Management

Exponexa’s Legal Team collaborates with our engineering and product development teams to implement an effective privacy program. Information about our commitment to the privacy of your data is described in greater detail in our Privacy Policy and Data Processing Agreement.

Breach Response

Exponexa will notify customers as required by law if it becomes aware of a data breach that impacts your personal data.

GDPR

Exponexa aims to provide features that enable our customers to easily achieve and maintain their GDPR compliance requirements. Please refer to our GDPR page for more information. While Exponexa seeks to enable your GDPR compliance efforts, using the Exponexa product alone does not make you GDPR compliant.

Document Scope and Use

This document is intended to be a resource for our customers. It is not intended to create a binding or contractual obligation between Exponexa and any parties, nor to amend, alter, or revise any existing agreements between the parties. Exponexa is continuously improving the protections that we have implemented, so our procedures may be subject to change.

Contact Us

Questions about this document? We want to hear from you! You can reach us at contact@exponexa.com.