Policies and Logging. The Braze Services are operated in accordance with the following procedures to enhance security: ● User passwords are never transmitted or stored in clear text ● Braze uses industry-standard methods to determine password validity ● API key information for third-party services provided by the customer are encrypted for storage ● Braze keeps audit logs for all access to production servers ● Server access is controlled via public key access, instead of passwords, and only permitted while on VPN that requires multi-factor authentication ● Logs are stored in a secure centralized host to prevent tampering ● Braze application and ssh audit logs are stored for one year ● Passwords are not logged under any circumstances ● Access to Braze mail and document services is only allowed on approved mobile devices that have automated security policies enforced, such as encryption, autolock and passwords ● All access to customer dashboard accounts by Braze Employees must be done through an internal service that is accessible via a 3-factor VPN only ● As part of Xxxxx’s Employee Information Security Policy, employees may not store any Customer Data on removable media
Policies and Logging. The ET Services are operated in accordance with the following procedures to enhance security: • User passwords are never transmitted unencrypted. • User access log entries will be maintained, containing date, time, URL executed or identity ID operated on, operation performed (viewed, edited, etc.) and source IP address. • Logs will be stored in a secure centralized host to prevent tampering. • Passwords are not logged under any circumstances. • Watchdog Behavioral Monitoring Program alerts ET Security to anomalous behavior within the ET Services.
Policies and Logging. The Service is operated in accordance with the following procedures to enhance security: User passwords are stored using a one-way hashing algorithm (SHA-256) and are never transmitted unencrypted. User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or XXX (Port Address Translation ) is used by Customer or its ISP. If there is suspicion of inappropriate access, SFDC can provide Customer log entry records to assist in forensic analysis. This service will be provided to Customer on a time and materials basis. Logging will be kept for a minimum of 90 days. Logging will be kept in a secure area to prevent tampering. Passwords are not logged under any circumstances. Certain administrative changes to the Service (such as password changes and adding custom fields) are tracked in an area known as the “Setup Audit Log” and are available for viewing by Customer’s system administrator. Customer may download and store this data locally. SFDC personnel will not set a defined password for a User. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting User. Intrusion Detection. SFDC, or an authorized third party, will monitor the Service for unauthorized intrusions using network-based intrusion detection mechanisms. User Authentication. Access to the Service requires a valid User ID and password combination, which are encrypted via SSL while in transmission. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state. Security Logs. SFDC shall ensure that all SFDC systems, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable the security audits referred to herein.
