Data center and network security
Sunshine Conversations services are hosted on Amazon Web Services. As such, Sunshine Conversations inherits the control environment which Amazon maintains and demonstrates via SSAE-16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers.
Logical access to the Sunshine Conversations production system is restricted on an explicit need-to-know basis and follows the principle of least privilege. It is frequently audited and monitored and is controlled by our production and security teams. Premises are monitored and access is logged.
Sunshine Conversations encrypts all customer data, both in transit and at rest. Communications between you and Sunshine Conversations servers are encrypted via HTTPS and Transport Layer Security (TLS), following industry best practices.
Best practices and education
We implement industry best practices to ensure the confidentiality and integrity of your data.
Incident response plan
We have implemented a formal procedure for security events and have educated all our staff on our policies.
All new employees on teams that have access to customer data (such as technical support and engineers) undergo criminal history and background checks prior to employment.
All new hires are screened through the hiring process and required to sign non-disclosure and confidentiality agreements.
Security and privacy training
All new employees attend security training during the onboarding process. In addition, all employees must take the Zendesk Security and Privacy training once a year, which covers the information security policies, security best practices, and privacy principles.
We ensure best practice to meet industry-based compliance.
SOC 2 Type II
As of July 5, 2019, Sunshine Conversations has completed its SOC 2 Type II audit for the Security and Availability Trust Services Principles. Our SOC 2 Type II report is available upon request. Contact us for more information.
Privacy Shield Certification
Sunshine Conversations complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and from Switzerland.
Sunshine Conversations has designed its Privacy Program based on European, Canadian and US privacy laws to ensure that no matter where they are located, customers using our platform will be able to comply with any privacy framework, including the GDPR.
All payment instrument processing is outsourced to Stripe, making Sunshine Conversations not subject to PCI compliance obligations.
Investing in your privacy
We understand the privacy commitments you make to your customers, employees, and users.
Internal processes and audit
Our Chief Privacy Officer works with our developers to make sure we comply with applicable international privacy laws.
Service data processing
We primarily process personal data on behalf of our customers. Our privacy practices are outlined in the privacy statement for service data.
European Union Data Hosting
Customers with strict data residency requirements have the option of having their data hosted, stored and backed up entirely within the EU. This option is available upon request.