Security and Governance
Defined Security Policies
Convene has documented security policies and procedures in place to ensure the confidentiality, availability, and integrity of the system. All employees are trained and oriented to strictly adhere to these policies.
Designated Security Team
Under the supervision of the Azeus Chief Security Officer, Convene has an assigned security team that is responsible for ensuring staff compliance with security policies and procedures, protecting customer data, and regularly reviewing the effectiveness of security policies and procedures.
Convene’s data processing procedures are compliant with the GDPR and are overseen by a Data Protection Officer.
Business Continuity Measures
Convene’s Business Continuity Plan ensures that support services operate continuously in order to serve all customers at all times.
- Daily Automated Backups*
Customer data is automatically backed up daily to ensure system integrity.
- Availability Zones and Data Redundancy*
Convene leverages AWS (Amazon Web Services) availability zones in its cloud infrastructure to restore services during disaster situations and ensure high reliability and availability. These data backups are copied to another AWS location within the same region, remain encrypted, and are stored using Amazon Web Services S3 (Simple Storage Service).
- Disaster Recovery*
The Convene System Team conducts annual Disaster Recovery drills to test and improve the Disaster Recovery plan so that the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are met.
In line with the Incident Response Plan, Convene has an incident detection mechanism in place. Alerts are monitored 24/7 by the Support Team and are forwarded to the Systems Team for immediate resolution. A ticketing system is in place to provide a guided mechanism for tracking, handling, and documenting system incidents until closure. Users can report incidents via chat, email, or phone. In the event of a security incident, Azeus immediately notifies customers and remedies the situation to stop any further impact and to restore any lost customer data or information.
Convene’s servers regularly undergo several security tests and are hardened following security benchmarks from the Center for Internet Security.
- Internal Security Testing and External Penetration Testing*
The Convene infrastructure is regularly tested and scanned for vulnerabilities by the Convene Systems Team, and is subjected to external penetration testing by independent third parties. Customers may also request a copy of the results or perform their own security testing and pass their findings to Convene.
- Application Development
Convene was designed, developed, and tested for vulnerabilities against the Open Web Application Security Project (OWASP) Top 10 and the Common Vulnerabilities and Exposures program. Convene’s System Team works with the Security Team to perform scans immediately after every major release and implement patch management procedures for critical vulnerabilities (Example: Spectre 2018). The teams make sure that security is integrated into the software development lifecycle from development to production.
- AWS Vulnerability Scans*
Using a variety of scanning tools, AWS performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment. The AWS security teams are subscribed to news feeds for applicable vendor flaws, and also proactively monitor the vendor’s website and other relevant outlets for new patches.
*Security Measures are for Convene Cloud Environments only.
- Security Awareness Training
New staff members are required to undergo security awareness training that covers common security attacks, social engineering tactics, detection and prevention of attacks, and the procedure for reporting.
- Role-specific Security Training
Convene developers and system engineers regularly undergo training so that they are updated on industry-standard security practices.