Demandbase

SOC 2 Type II attestation report validating security, availability, and confidentiality controls over specified period. Available under NDA upon request from existing customers and qualified prospects through Trust Site portal.

Immediate access revocation to systems and offices upon employment or contract termination. Automated deprovisioning processes ensure prompt removal of credentials and physical access privileges across all platforms and facilities.

Business Continuity Plan maintained in connection with SaaS applications, reviewed, tested, and updated annually. Program ensures operational resilience across multi-region cloud infrastructure with documented recovery procedures.

Disaster Recovery Plan leveraging multi-region AWS and Google Cloud Platform infrastructure spanning multiple availability zones for redundancy, performance, and disaster recovery. Plan reviewed, tested, and updated annually.

Established incident management policy defining detection, analysis, containment, eradication, recovery, and post-incident activities. Proactive security investigations documented with customer notifications and transparent incident tracking via Trust Center portal.

Information Security Policies and Procedures reviewed and acknowledged by employees and contractors during onboarding and annually thereafter. Comprehensive policy framework governing organizational security practices and controls.

Comprehensive privacy policy detailing data collection, processing, and sharing practices with centralized Privacy Center providing access to privacy information and user rights. Updated privacy notice available with transparent data handling practices.

Comprehensive risk management process using Open Threat Taxonomy standard for risk assessment across physical, resource, personnel, and technical threat categories. Annual risk reviews with stakeholders, prioritized risk register, and executive-approved mitigation plans.

Security integrated into software development lifecycle with secure code training, security-focused design reviews, peer code review with security checklists, automated and manual security testing, and vulnerability management tracking.

All data stores encrypted via Amazon S3 encryption with AWS Key Management Service and Google Cloud Platform encryption through Google KMS. Encryption applied regardless of data classification with IAM roles for encrypt/decrypt permissions based on least privilege.

Data Processing Agreement required for technology companies with integrations or access to customer or company confidential data. DPA executed as part of onboarding and contract renewal process ensuring GDPR compliance.

Customer Data retained during relationship and up to 13 months following expiration or termination. Upon request, Demandbase deletes Customer Data within 30 days of written notification ensuring compliance with data retention requirements.

Background checks required for all employment offers and third-party contractors with potential data exposure. Checks completed prior to commencing engagement with Demandbase, ensuring personnel security standards across workforce.

Multi-factor authentication via identity provider required for all system access. Role-based access controls with periodic reviews, least privilege principles, and deny-all default configuration. Additional authentication layer for VPN and VPC access to AWS infrastructure.

Active threat monitoring with centralized security component monitoring and endpoint protection. Flow and event analytics with threat database correlation enabling real-time threat detection and response capabilities.

Mandatory security awareness and data privacy training during onboarding with annual refresher training for all employees and contractors. System access revoked for incomplete training. Comprehensive program managed by Security team.

Centralized log repository for production servers with monitoring tools analyzing network devices, security events, operating system events, resource utilization, user access audits, cloud infrastructure logs, and application operations events.

Transport Layer Security encryption for data in transit across untrusted networks using Demandbase security standard cipher-suites. Perfect forward secrecy and high entropy for session key generation ensuring unique keys per transport session.

Third-party risk management program requiring security questionnaires and Data Processing Agreements for all technology companies with integrations or customer data access during onboarding and contract renewal cycles.

Security issues triaged regularly, prioritized by severity, and tracked to remediation per published SLAs. Static and dynamic application security testing run regularly in production and development environments to detect and flag issues.

Cloud provider DDOS services and web application firewalls protecting application cloud infrastructure. AI-based threat detection with flow and event analytics correlated with threat databases providing comprehensive layered defense.

Annual penetration tests conducted by independent third-party assessors with continuous internal security testing throughout the year. All identified issues triaged, prioritized by severity, and remediated according to published SLAs. Attestation summaries available under NDA.