upscope security detail document
TRANSCRIPT
Upscope [Security Detail Document] / [07/07/2021]
Upscope Security Detail Document
Upscope [Security Detail Document] / [07/07/2021] 2
Contents Infrastructure
On-premise
On-premise architecture
Data service on premise + Upscope cloud
Data service on premise + Upscope API
Data service on premise only
Deployment
Installation and Updates
Pricing
Logs
Activity log
Session log
Action log
Agent Usage
Team Management
Log In
User Permissions
Remote Log Out
Data
Data Masking
Data processing - What data does Upscope store?
Never sent to Upscope
Sent to Upscope for processing (edge)
Cached by Upscope for 24 hours (edge)
Stored by Upscope for 7 days (edge)
Stored by Upscope until the account is deleted (USA)
Stored by Upscope indefinitely (USA)
Compliance
HIPAA
GDPR
Upscope [Security Detail Document] / [07/07/2021] 3
Infrastructure
Upscope keeps data about your account and data about your customers completely separate. Our main datacenter in AWS’s US East (N. Virginia) region handles agent authentication, user management, and billing features. Your agents' co-browsing session data will be stored in one of our edge locations, whichever is closest to the agent by geography by default or from the list of Upscope AWS Regions you have to choose from. AWS region options include: Always choose fastest region, United States only, EU only, United Kingdom only, Canada only. This ensures your agent data never leaves the proper jurisdiction and the co-browsing experience is as fast as possible.
On-premise If your company has stringent data protection policies and you can't allow customer data to leave your infrastructure, you have the option of deploying Upscope on premise.
On-premise architecture Our on premise solution is designed to maximize security while reducing the amount of components needed to run the service.
Data service on premise + Upscope cloud Upscope's data service is designed to handle all user data including keeping track of who is online and allowing co-browsing between visitor and agent.
Upscope [Security Detail Document] / [07/07/2021] 4
Due to it being the only component which touches user data, it is the only one you'll need to run in your own infrastructure to maintain a high standard of security. With our on premise + cloud solution, you can ensure no user data touches our system while still benefiting from our dashboard which includes agent authentication, live chat integrations, SSO, agent management and more.
Data service on premise + Upscope API Our middle ground solution allows you to host all user data in your own infrastructure and make use of our API to authenticate agents. This enables you to allow user-to-user co-browsing. Using this solution has the advantage of still being able to use our dashboard to manage your account.
Data service on premise only Our data component is completely independent from the rest of our system, therefore you are able to host the component in your private cloud and authenticate agents through a JWT. This solution enables you complete control over authentication and user data.
Deployment You can run our on-premise service by downloading our server binaries or through Docker . If you have a large number of visitors (i.e. 5000 + concurrent), you might need to run multiple servers behind a load balancer and connect them with a Redis instance or cluster.
Upscope [Security Detail Document] / [07/07/2021] 5
Installation and Updates We publish an update to the application every 4 weeks, and support the last 2 versions. Security updates are provided in a timely manner. An update command is included in the package. Downtime for updates is typically less than 5 seconds and does not interrupt active screenshares.
Pricing Please get in touch with our team for our on-premise pricing.
Upscope [Security Detail Document] / [07/07/2021] 6
Logs
Activity log
A record of any admin changes to the Upscope application and agent activities while co-browsing with visitors.
What is recorded in the activity log:
• Setting changes • Co-browsing session • Adding or removing team members • Assigning or removing user permissions
Upscope [Security Detail Document] / [07/07/2021] 7
Session log Interaction Record of each co-browsing session that includes agent notes about the co-browse event.
Screen share log shows:
• Visitor and Agent • IP address • Length of session • Which tools were used • Agent notes taken during the interaction
Upscope [Security Detail Document] / [07/07/2021] 8
Action log By default displayed on web chat through the integration along with screen shots. Using the REST API you can push these into your in-house systems.
Agent Usage Backtrack to specific dates to see who has co-browsed and how long for.
Reporting view to see individual and collective data on:
• User adoption • Co-browse event count • Agent total amount of time • The number of visitors co-browsed with • Total number of users who co-browsed
Upscope [Security Detail Document] / [07/07/2021] 9
Team Management
Log In
There are 3 options for logging in: Email Send a teammate a login email, this is secure as only you and your company have access to your account. SSO SAML2.0 SSO and MFA available for team owners and co-browsing agents Password Set your personal password
User Permissions Assign roles, data permissions and detailed viewable access to every agent and team owner. The following permissions can be enabled/disabled for users:
• View visitor list • Co-browse • Settings access • Manage team • View logs • Manage billing • Console access • Able to delete visitor data • View usage
Upscope [Security Detail Document] / [07/07/2021] 10
Remote Log Out
Log users out from the team members admin view.
Upscope Cloud is AWS auto scale enabled
Data centers in 7 (and growing) AWS locations including:
• N.Virginia, US East-1 • Frankfurt, Germany • Oregon, US West-2 • London, UK • Montreal, Canada • São Paulo, Brazil • Singapore
Most web visitor and co-browsing agent information is stored / transferred through one of our edge (edge) locations around the world. This makes the experience faster. Unless you restrict which areas we should use, we'll always pick the location closest to the visitor. Account information is typically stored in our main datacenter in N. Virginia (USA).
Upscope [Security Detail Document] / [07/07/2021] 11
Data
Data Masking
Hide information from the agent during a session.
The customer data doesn’t leave the visitor’s browser and doesn’t touch our servers or the agent’s browser so there is no possibility for the agent to access it. Fully encrypted, Upscope packs the data on the customer side and unpacks the data on the agent side based on the individual agent profile permissions. For sensitive text fields on customer side, Upscope converts that customer text as asterisks in the agent view. Entire sections of page content can be masked (e.g. Social Security Number or customer login credentials) the agent sees a masked section or grey redacted field.
Upscope [Security Detail Document] / [07/07/2021] 12
There are two ways of masking:
• Hide a single element by attaching a #no-upscope class to the element. • Hide one element across the whole platform, add the name of the
element to the element masking setting in Upscope
Data processing - What data does Upscope store?
Never sent to Upscope
Doesn't leave the customer browser and doesn't touch Upscope servers.
Name Description
Visitor page content The content of your visitor’s webpage until screen sharing is initiated and is authorized by the visitor
Visitor page views A breakdown of the pageviews by your visitors
Masked information Any page content masked with the no-Upscope CSS class or specified in your general settings
Cookies and browser storage
Your visitors’ cookies or browser storage content
Visitor console content If console access is enabled, the content of your visitor’s console until screen sharing is initiated (if console access if disabled, the data does not leave the visitor’s browser even while screen sharing)
Upscope [Security Detail Document] / [07/07/2021] 13
Sent to Upscope for processing (edge)
Cached by Upscope for 24 hours (edge)
Stored by Upscope for 7 days (edge) This data is stored by Upscope for 7 days after it is collected if we enable debugging for your account to troubleshoot problems.
Name Description
Visitor page HTML The HTML content of your visitor’s webpage after screen sharing is initiated until it is stopped
Console content during session
If console access is enabled, the content of your visitor’s console after screen sharing is initiated until it is stopped
Agent events All agent instructions such as highlight, scroll and clicks
Chat content If integrated with Drift or Intercom, the content of your conversations or your CRM users’ details
Name Description
Publicly available files The content of any publicly accessible asset on your website (e.g. stylesheet, image, font, etc.)
Name Description
Browser events List of events to and from the user’s browser without the content. (e.g. we might store a “sent page content” event, without the content of the page)
Upscope [Security Detail Document] / [07/07/2021] 14
IP address The visitor’s last IP address
Page timestamp The visitor’s last page view timestamp
Page URL The visitor’s last page view URL
Visitor location The visitor’s country and city (derived from the IP address, not GPS information)
Device information The visitor’s device information, such as browser and device type
Visitor presence Whether the visitor is currently online
Unique ID Optionally, the visitor’s unique ID from your system, provided by you or one of our live chat partners
Visitor ID Optionally, the visitor’s list of identities (such as their name or email), provided by you or one of our live chat partners
Only if you have the screenshot feature enabled: If you have enabled the “history collection” feature, we will collect details of the visitor journey and store them on the visitor’s browser until they open a live chat conversation, or until the saving is triggered through our JavaScript SDK. The following data is then stored for 30 days or until the visitor is manually deleted. Screen shots of visitor page
A picture of the page as seen by the visitor at the time the screenshot is taken (data redaction still applies, multiple screenshots could be saved)
Visitor events Details of the visitor’s journey such as clicks, things typed in fields, and other data sent through the JavaScript SDK
URL history URL’s of the last few page views of the visitors
Upscope [Security Detail Document] / [07/07/2021] 15
Stored by Upscope until the account is deleted (USA)
This data is deleted if you decide to stop using Upscope and delete your account.
Stored by Upscope indefinitely (USA)
This data will be retained by Upscope indefinitely unless required to delete it by law.
Name Description
Agent information All your agents names, emails, phone numbers, IP addresses and all changes to each of their accounts. If the agents are part of multiple teams, this data will be retained as part of the other team
Screen share history All your screen share history, including timestamp, Upscope visitor ID, visitor unique ID (unless it looks like an email). No screen share content is logged.
Account changes All the changes made to your account settings
Name Description
Billing history Your billing history, such as all payments made
Billing details Your billing details, such as everything that you’d see on an invoice
Correspondence with us All of your, and your agents, communications with Upscope including emails and chat conversations
Upscope [Security Detail Document] / [07/07/2021] 16
Compliance
HIPAA
Signed BAAs We meet all the key physical, technical and administrative requirements of HIPAA including having signed BAAs with all key 3rd party providers. Data storage and transmission Upscope’s servers are run via AWS in their secure North Virginia data centre. You only transmit data only while screen sharing. We only store metadata about your users such as their location, IP address, last activity timestamp, and optionally their identity. No page content is ever sent to our server unless screen sharing is initiated. Hide sensitive parts of the page Easily hide sensitive parts of the page or specific form fields (such as SSN or credit card information) by selecting the element to hide in our dashboard. Portions of the page hidden with Upscope never leave the user's browser. Remote control limited to the browser Unlike other screen sharing systems where the user has to install software or at the very least an extension, Upscope allows your agents to control the user's browser (limited to clicks and scrolls) with no installs required, making the experience safer and smoother for both agent and user. Enforced SSL All your user's data is only transmitted via secure SSL connections. Immutable Audit logs Every action your team takes on Upscope (except for screen sharing session details) is recorded and accessible in the admin console. Each log item contains a hash of the previous entry to prove no item is changed or removed.
Upscope [Security Detail Document] / [07/07/2021] 17
Access Controls Upscope provides role based access controls for restricting which personnel can conduct screen sharing sessions with users.
GDPR
Upscope acts as both a data controller with regards to data about our own customers, and as a data processor with regards to data about your end users. Your end users' data By installing Upscope on your website, we collect some information about your end users. This is limited to metadata such as their IP address, page url, and timestamps. The data is automatically deleted permanently after 30 days of inactivity, or whenever you ask us to delete it through a dedicated page. Do we share information with 3rd party data processors? We don't share your end user's data with 3rd party data processors. The data and our servers are hosted by AWS and MongoDB, Inc. Our customers' data By creating an Upscope account or visiting our website, we collect data about you, your company and your computer. This data is used for access control, marketing and business intelligence purposes. What personal information do we store? When you create an account, we store information such as your name, email address, phone number in our data center. The same data is also collected for all the team members you invite to your Upscope account. All your activity on Upscope is stored indefinitely within your Audit Log. This can only be deleted by contacting our team.
Upscope [Security Detail Document] / [07/07/2021] 18
Do we share information with 3rd party data processors? Our customer's data will be shared for processing with the following companies:
• Intercom, Inc. • AWS, Inc. • Stripe, Inc. • Xero Ltd • ChartMogul Ltd • Sentry, Inc.
Information might also be collected by:
• Google, Inc • New Relic, Inc
Privacy policy, DPO and breaches We've updated our privacy policy including assigning a data protection officer and the procedure for notifying customers of any breach. We'll notify customers of any major changes to the privacy policy. You can find our terms and conditions and privacy policy here https://upscope.io/legal/