How we protect the data of our customers and their visitors
In the pursuit of our mission to challenge the status quo of the workplace, we started right at the beginning of that workplace: the front desk. Specifically, the paper log book at the front desk. You know, that binder that has the exact names, emails, phone numbers, sometimes drivers license numbers, and who knows what else from every single visitor that’s ever been inside the building you’re visiting. It’s just out there, open to everyone, to just browse through. It is that systematic mishandling of personal and private information that was a key reason I started this company back in 2013.
On a daily basis, we help over 10,000 offices keep their visitors’ information safe and secure from prying eyes. That’s our job—Envoy Visitors is a security and compliance service. Yes, we also try to bring a simple, modern, more convenient experience, but at the core of it, privacy and security are paramount.
It is for this reason we invest a lot in protecting that information. I’d like to share some of the ways we do this:
- SOC 2 Type II certification. In 2018, Envoy received its SOC 2 Type II certification. It’s a component of the American Institute of Certified Public Accountants, whose goal is to make sure that systems are set up that assure security, availability, processing integrity, confidentiality, and privacy of customer data. Please reach out to us for our report.
- GDPR compliance. We have spent significant efforts to ensure we are in compliance with the General Data Protection Regulation (GDPR). This European standard is designed to modernize laws that protect the personal information of individuals. It also boosts the rights of individuals and gives them more control over their information.
- Data encryption. Data storage is encrypted at rest using encrypted AWS RDS databases. In transit, we use techniques like certificate pinning and HSTS to ensure all TLS connections are secure.
- Dedicated security team. We’ve invested in specialized talent in data protection so you don’t have to. This comes with a team structure and processes that include weekly cross-functional meetings to evaluate our data protection protocols and adapt to any new circumstances. This specialized team ensures that every feature we build is compliant with the highest security standards.
- Regular third-party audits. We are regularly audited by dozens of enterprise customers on a yearly basis for security vulnerabilities and internal processes and policies. These audits have never revealed any critical issues. Whatever issues do come up, though, we of course address with haste.
- Public bounty program. We’ll soon be opening a public-facing vulnerability disclosure and bounty program to systematize our involvement with outside cybersecurity professionals. We want to make it easy for researchers such as IBM X-Force Red to communicate with us about things they discover––even if discovered bugs are write-only or only impact analytics libraries. No potential vulnerability is too small, and we have dedicated staff ensuring fixes are deployed swiftly.
- Honest revenue model. We are a business-to-business enterprise software-as-a-service solution. We make revenue by selling subscriptions to the service we offer. We never have and never will sell customer or visitor data. Our customers pay us so we can build and operate the service. It’s a simple, honest system.
It’s through steps like the above that we’ve maintained a record of never having had visitor data accessible, at all, in any way, to anyone not authorized. We’re incredibly proud of our programs, but we’re always looking to improve. If you’re an engineer looking for a place to learn and help, please consider joining us!
The workplace is evolving, and more and more of it is becoming digitized and connected online. Data protection and strong attention to data privacy is and should be a key part of this. Not all online services are equal in how they protect customer data, but here at Envoy I’m proud to say we do our part in investing heavily in it. If you have any questions or want to know more about our programs, please don’t hesitate to contact us: [email protected].
Founder and CEO, Envoy