Security Overview for Interview Now Services
Effective Date: April 1, 2021
- In this Security Overview for the Interview Now Services, references to “Interview Now” will refer collectively to Interview Now Inc., Interview Now at 2261 Market Street STE 5324 San Francisco, CA 94114 and its Affiliates. The term “Customer” will refer to you, the Customer, and its Affiliates.
- Purpose. Interview Now is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for the Interview Now Services (collectively the “Services”). This Security Overview describes the minimum security standards that Interview Now maintains in order to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve, Interview Now continues to update its security program and strategy to help protect Customer Data. Interview Now reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. Any capitalized term not defined in this Security Overview will have the meaning given in the Agreement.
- Services Covered. This Security Overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Services. Beta Offerings and any services provided by telecommunication providers involved in routing and connecting Customer communications are not covered by this Security Overview.
- Security Organization & Program. Interview Now maintains a risk-based assessment security program. The framework for Interview Now’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data. Interview Now’s security program is intended to be appropriate to the nature of the Interview Now Services and to the size and complexity of Interview Now’s business operations. Interview Now has a team that manages Interview Now’s security program. This team facilitates and supports independent audits and assessments by third parties. Interview Now’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response. Security is represented at the highest levels of the company, with Interview Now’s Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Interview Now employees for their reference.
- Confidentiality. Interview Now has controls in place to maintain the confidentiality of Customer Data that Customer makes available to the Services, in accordance with the Agreement. All Interview Now employees and contract personnel are bound by Interview Now’s internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.
- People Security.
- Employee Background Checks. Interview Now carries out background checks on individuals joining Interview Now in accordance with applicable local laws. Interview Now currently verifies the individual’s education and previous employment, and also carries out reference checks. Where local labor law or statutory regulations permit, and dependent on the role or position of the prospective employee, Interview Now may also conduct criminal, credit, immigration, and security checks.
- Employee Training. At least once a year, all Interview Now employees must complete the Interview Now security and privacy training which covers Interview Now’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Interview Now’s security team also performs phishing awareness campaigns and communicates emerging threats to employees.
- Third Party Vendor Management.
- Vendor Assessment. Interview Now may use third party vendors to provide Services. Interview Now carries out a security risk-based assessment of prospective vendors before working with those vendors to validate that prospective vendors meet Interview Now’s security requirements. Interview Now periodically reviews each vendor in light of Interview Now’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Interview Now ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors of Interview Now.
- Vendor Agreements. Interview Now enters into written agreements with all of its Vendors which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Customer Data that these Vendors may process.
- Security Certificates.
- Heroku Cloud Platform Certifications. The Services use and leverage Heroku Cloud Platform. Interview Now uses and leverages Heroku’s ecosystem of cloud services, known for providing a secure, scalable platform that enables companies to build, architect, deliver, monitor and scale innovative services. Information about Heroku Cloud Platform audits and certifications is available at the Heroku Compliance website https://www.heroku.com/compliance and in the Heroku section of the Salesforce Services Audit and Certification website https://trust.salesforce.com/en/trust-and-compliance-documentation.
- Twilio Certifications. The Services use and leverage Twilio Cloud Communication Platform. Interview Now uses and leverages Twilio Cloud Communication services, known as an industry leader in providing highly scalable, secure and reliable programmable cloud communication services (authentication, messaging, voice and video). Information about Twilio audits and certifications is available at the Twilio Security website https://www.twilio.com/security.
- AWS Certifications. The Services use and leverage AWS data centers. Interview Now uses and leverages AWS data centers, which have a reputation for being highly scalable, secure, and reliable. Information about AWS audit certifications is available at the AWS Security website https://aws.amazon.com/security and the AWS Compliance website https://aws.amazon.com/compliance.
- Architecture and Data Segregation.
- Interview Now Services. The cloud communication platform for the Interview Now Services is hosted by Heroku Cloud Platform (“Heroku”), Twilio Cloud Communication Platform (“Twilio”) and Amazon Web Services (“AWS”). The Heroku cloud infrastructure, the Twilio cloud communication infrastructure and the AWS data center infrastructure currently used in providing the Interview Now Services are all located in the United States. Interview Now’s production environment within Heroku and AWS, where Customer Data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). Further information about security provided by Heroku is available from the Heroku Security, Privacy and Compliance webpage at https://devcenter.heroku.com/categories/security. Further information about security provided by Twilio is available from the Twilio security webpage at https://www.twilio.com/security. In addition, the overview of Twilio’s security process is available at https://www.twilio.com/security#twilio. Further information about security provided by AWS is available from the AWS security webpage at https://aws.amazon.com/security/. In addition, the overview of AWS’s security process is available at https://aws.amazon.com/whitepapers/overview-of-security-processes/. Interview Now separates Customer Data using logical identifiers, tagging all communications data with the associated Customer ID to clearly identify ownership. Interview Now’s Services are designed and built to identify and allow access only to and from these tags and to enforce access controls so that the confidentiality and integrity requirements of each Customer are appropriately addressed. These controls are in place so that one customer’s communications cannot be accessed by another customer.
- Physical Security. Heroku cloud services and AWS data centers that host Interview Now Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. More details about the physical security of AWS data centers used by Interview Now for the Interview Now Services are available at https://aws.amazon.com/whitepapers/overview-of-security-processes/.
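The Customer ID tagging described under Architecture and Data Segregation above, as an added illustration that is not Interview Now’s own code: every communications record carries the owning customer’s tag, the tag is taken from the authenticated session rather than from request input, and every read is filtered on it. The store, field names and customer IDs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


class TenantIsolationError(PermissionError):
    """Raised when a request touches data tagged with another Customer ID."""


@dataclass(frozen=True)
class Message:
    message_id: str
    customer_id: str  # ownership tag applied to every communications record
    body: str


@dataclass(frozen=True)
class Session:
    customer_id: str  # the tenant the caller has authenticated as


class MessageStore:
    """In-memory stand-in (constructed) for a tenant-tagged communications table."""

    def __init__(self) -> None:
        self._rows: Dict[str, Message] = {}

    def put(self, session: Session, message_id: str, body: str) -> Message:
        # The ownership tag always comes from the authenticated session,
        # never from a caller-supplied field, so it cannot be spoofed.
        msg = Message(message_id, session.customer_id, body)
        self._rows[message_id] = msg
        return msg

    def get(self, session: Session, message_id: str) -> Message:
        msg = self._rows.get(message_id)
        # Same error for "does not exist" and "belongs to another tenant", so a
        # caller cannot learn which IDs exist in other customers' accounts.
        if msg is None or msg.customer_id != session.customer_id:
            raise TenantIsolationError(f"no message {message_id!r} for this customer")
        return msg

    def list_for(self, session: Session) -> List[Message]:
        # Every listing is filtered on the tag; there is no unfiltered read path.
        return [m for m in self._rows.values() if m.customer_id == session.customer_id]


def cross_tenant_read_is_blocked() -> bool:
    """Two constructed tenants; returns True if the foreign read is refused."""
    store = MessageStore()
    acme, globex = Session("cust_acme"), Session("cust_globex")
    store.put(acme, "m1", "interview scheduled for 10am")
    store.put(globex, "m2", "offer letter sent")
    assert store.get(acme, "m1").body == "interview scheduled for 10am"
    try:
        store.get(acme, "m2")  # tagged cust_globex; must not be readable by acme
    except TenantIsolationError:
        return True
    return False
```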
- Security by Design. The Interview Now Security Development Lifecycle (TSDL) standard defines the process by which Interview Now creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). Interview Now security engineers perform numerous security activities for the Services including:
- internal security reviews before products are launched;
- periodic penetration tests performed by independent third-party contractors; and
- threat models for the Interview Now Services, including documenting any detection of attacks.
- Access Controls.
- Provisioning Access. To minimize the risk of data exposure, Interview Now follows the principle of least privilege through a team-based access-control model when provisioning system access. Interview Now personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password, use multi-factor authentication and be connected to Interview Now’s Virtual Private Network (VPN). Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal trainings for such access, including trainings on the relevant team’s systems. Interview Now logs high-risk actions and changes in the production environment. Interview Now leverages automation to identify any deviation from internal technical standards that could indicate anomalous or unauthorized activity, raising an alert within minutes of a configuration change.
- Password Controls. Interview Now’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with special characters. For the Interview Now Services, password requirements include an 8-character minimum, with at least three of the following characteristics: upper case letter, lower case letter, number, special character. When a Customer logs into its Interview Now account, Interview Now hashes the user’s credentials before they are stored.
- Change Management. Interview Now has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment. Change requests are documented using a formal, auditable system of record. Prior to a high-risk change being made, an assessment is carried out to consider the impact and risk of the requested change, evidence acknowledging applicable testing for the change, approval of deployment into production by the appropriate approver(s), and roll-back procedures. A change is reviewed and tested before being deployed to production.
- Encryption in Transit. For the Interview Now Services, Interview Now’s cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Customer and Interview Now’s cloud infrastructure. For the Interview Now Electronic Mail Services, Interview Now utilizes opportunistic TLS to transmit Customer’s emails. This means that if Customer opts to use TLS, such email is encrypted end-to-end on the wire provided that the recipient’s email service provider supports TLS.
- Vulnerability Management. Interview Now maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Interview Now uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Interview Now’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested and applied proactively. For the Interview Now Services, operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Interview Now cluster over a predefined schedule. For high-risk patches, Interview Now will deploy directly to existing nodes through internally developed orchestration tools.
- Penetration Testing. Interview Now performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Results of penetration tests are prioritized, triaged and remediated promptly by Interview Now’s security team.
- Security Incident Management. Interview Now maintains security incident management policies and procedures in accordance with NIST SP 800-61. The Interview Now Security Incident Response Team (IN-SIRT) assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Interview Now retains security logs for 180 days. Access to these security logs is limited to IN-SIRT. Interview Now utilizes the Heroku, Twilio and AWS platforms and third-party tools to detect, mitigate, and help prevent Distributed Denial of Service (DDoS) attacks.
- Discovery, Investigation and Notification of a Security Incident. A “Security Incident” has the meaning given in the Addendum section below, or which is incorporated into the Agreement. Upon discovery or notification of any Security Incident, Interview Now will:
- promptly investigate such Security Incident;
- to the extent permitted by applicable law, promptly notify Customer. Customer will receive notification via email to the owner of the Interview Now account. Refer to the Agreement and the Security Overview Addendum section for additional information on Customer notification and follow-on steps.
- Resilience and Service Continuity. Interview Now infrastructure for the Interview Now Services uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Interview Now Services, Interview Now’s infrastructure spans multiple fault-independent Heroku and AWS availability zones in geographic regions physically separated from one another. For the Interview Now Services, there are manual or automatic capabilities to re-route and regenerate hosts within Interview Now’s infrastructure. Interview Now’s infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. Interview Now leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data centers. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, then these specialized tools will increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Interview Now will also be notified immediately and have the ability to take prompt action to correct the cause(s) behind these issues if the specialized tools are unable to do so.
- Backups and Recovery. Interview Now performs regular backups of Interview Now account information, call records, call recordings and other critical data using Heroku and Amazon cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.
ADDENDUM
I. Definitions
“Customer Account Data” means personal data that relates to Customer’s relationship with Interview Now, including the names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data Interview Now may need to collect for the purpose of identity verification, or as part of its legal obligation to retain subscriber records.
“Customer Content” means (a) personal data exchanged by means of use of the Services, such as text, message bodies, voice and video media, images, email bodies, email recipients, and sound, and (b) data stored on Customer’s behalf such as communication logs within the Services.
“Customer Usage Data” means data processed by Interview Now for the purposes of transmitting or exchanging Customer Content, including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.
“Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, and Sensitive Data, as defined in this section.
“Privacy Policy” means the then-current privacy policy for the Services available at https://interviewnow.io/privacy-policy.
“Security Controls” means the terms set forth in the Agreement outlining Interview Now’s technical and organisational measures to protect Customer Data, or, if the Agreement has no such terms, then the Interview Now Security Overview.
“Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law relating to privacy and data protection.
“Services” means, collectively, the Interview Now Services.
“Interview Now Services” means the products and services provided under an Interview Now account that are used by Customer, ordered by Customer under an Order Form, or offered on a trial basis or otherwise free of charge. The Interview Now Services generally consist of: (a) platform services, namely access to any application programming interface branded as “Interview Now”, where applicable, and (b) connectivity services, which link the Interview Now Services to the telecommunication providers’ networks via the Internet.
II. Security
- Security Incident Notification. Interview Now will provide notification of a Security Incident in the following manner:
- Interview Now will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Interview Now’s confirmation or reasonable suspicion of a Security Incident impacting Customer Data;
- Interview Now will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data; and
- Interview Now will notify the email address of Customer’s administrator account.
