Constant Contact® Information Security Program
Constant Contact maintains a world-class information security program that is independently assessed to meet or exceed industry best practice security controls. Constant Contact’s cybersecurity ecosystem is purpose-built on the principles of “defense in depth” in order to provide the most effective approach for safeguarding system and information assets. Constant Contact’s primary objective is to achieve a high bar of excellence in the marketplace by following the law, adhering to regulations, maintaining reasonable security measures and protecting the rights and freedoms of consumers.
Last modified: January 25, 2022
Constant Contact (“we,” “us” or “Constant Contact”) has implemented internal policies and controls to try to ensure that customer data is protected and only accessed by authorized Constant Contact employees in the performance of their duties. Where Constant Contact engages third parties to process customer data on its behalf, they do so in accordance with our written instructions under a duty of confidentiality, and they are required to implement appropriate technical and administrative measures to ensure the data is secure.
More specifically, Constant Contact maintains: confidentiality by ensuring that only people who are authorized to use the data can access it; integrity by ensuring that data is accurate and suitable for the purpose for which it is processed; and availability by ensuring that authorized users are able to access and use the data they need for authorized purposes in a timely and reliable manner.
Constant Contact takes an enterprise approach to security that monitors controls at different layers throughout the organization, including physical security, network security, host security, software development security, and user account security, each as further discussed below.
Physical Security
Physical access to Constant Contact’s hosting environment is restricted to specific individuals and uses multiple levels of security as follows:
Constant Contact servers and infrastructure are located in secure data centers where access is limited to authorized personnel and badge access or biometric authentication (e.g., hand scanners and fingerprint IDs) are required to access the facilities.
Constant Contact servers are isolated and secured within the data center in areas dedicated to Constant Contact equipment only; these areas are not shared with third parties.
Access to data centers and hosting systems is regularly reviewed by Constant Contact’s data center operations team to assure that only authorized users have access.
Security guards on duty 24×7 perform random checks of the data center to ensure physical security controls have not been compromised.
Network Security
Constant Contact requires that network communications adhere to the principles of data confidentiality, integrity, and availability discussed above.
Constant Contact’s hosting environment is protected from the public Internet and corporate Local Area Network (LAN) via multiple next-generation firewalls and is monitored by an intrusion prevention/detection system, including a strategically placed distributed denial of service mitigation system.
Constant Contact requires that information is handled with appropriate levels of encryption in accordance with our policies and standards and to comply with applicable laws.
Customer Hosted Environment Security
Constant Contact performs industry-standard security hardening efforts -- more specifically, critical systems are hardened and configured per industry best practices as defined by the Center for Internet Security (CIS).
Constant Contact regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Constant Contact environment, they are tested and deployed in a timely manner.
Customer hosting systems and services are routinely monitored for integrity and availability. Operations staff review alerts generated by monitoring systems and respond promptly.
Customer hosting systems are monitored 24×7 for malicious activity.
Administrative access to Constant Contact’s infrastructure is limited strictly to authorized users with multi-factor authentication. Individual usernames and passwords are required for machine and data access.
Constant Contact adheres to strong password guidelines, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.
Development Security
Internally developed code is subject to Constant Contact’s secure coding guidelines, which include testing of functionality and business logic as well as testing for security flaws. In addition, our Change Management Policy ensures that code deployed to the production environment has been appropriately tested, reviewed, and approved.
We train our engineers in secure coding and architectural design patterns such as those outlined in the OWASP Top 10, CIS Critical Security Controls, and NIST frameworks.
As part of Constant Contact’s ongoing PCI compliance, we regularly undergo security reviews, including external and internal scanning for vulnerabilities on an ongoing basis. All vulnerabilities discovered are reviewed by internal security and addressed in accordance with the level of severity.
User Account Security
User-level access to Constant Contact services is provided via a username and password selected by the end user. Constant Contact enforces strong passwords and also offers Multi-Factor Authentication (MFA) to its customers, which is strongly recommended for the security of your data.
Passwords and credit card numbers are encrypted.
User account setup, maintenance, and termination are under the control of the end user.
Incident Management
Constant Contact has a documented Cybersecurity Incident Response Plan and 24x7 security monitoring.
The Cybersecurity Incident Response Plan undergoes annual tabletop testing and is updated as necessary.
Personnel Security
Constant Contact employment offers are contingent upon successful completion of criminal background and reference checks where allowed by law.
Upon commencing employment, all Constant Contact employees receive information security training and are contractually bound by confidentiality clauses to ensure that they adhere to Constant Contact’s commitment to security and confidentiality.
Constant Contact’s information security awareness and training programs require employees to complete annual security refresher training.
Patch Management
Where feasible, system components and software are protected from known vulnerabilities by applying the latest vendor-supplied security patches.
Constant Contact systems are routinely updated per vendor recommendations and industry standards.
Virus/Malware Management
Constant Contact uses up-to-date virus scanning software for detecting currently known malware.
Malware definitions are updated daily and installed as required.
Operations teams monitor the Constant Contact hosting environment 24×7 for malware infections.
Questions
You can reach out with any questions you have here.