Which compliance certifications or standards does Envisio hold?
Envisio meets the following compliance requirements:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
- Certified by HostedScan and DataDog AppSec
What is the architecture and design of your security infrastructure?
Envisio is a cloud-based software solution that enhances administrative functions and delivers services efficiently over the internet.
- Envisio application servers and database servers are hosted on Heroku
- Envisio offers hosting on Heroku US and optional Canadian Data hosting if requested
- Multi-tenant application
- Available on computer, tablet and mobile devices
- Web-based SaaS (Software as a Service) application that runs in latest release web browsers (Chrome, Edge, Firefox, Safari)
- Can integrate with Single Sign On (SSO) using SAML 2.0
- Have an open API
- Envisio endeavors to provide 99.9% uptime with respect to the Purchased Services in each calendar month during the Term, excluding:
- (a) any scheduled maintenance times;
- (b) factors outside Envisio’s reasonable control; and
- (c) downtime related to the Customer’s or third party’s hardware, software, or services.
How do software upgrades impact the workflow?
Envisio upgrades enhance functionality, security, and performance while minimizing customer interruption.
- Upgrades to the application follow a monthly cycle. Communication with customers around the upgrade is provided through our release notes, available through our Knowledge Base, as well as through announcements and walk-throughs in the application when the release is launched. Depending on the nature of the release, system administrators will also receive release notification emails in advance of the release.
- Upgrades occur at the same time for all customers.
- Envisio has a sophisticated testing process for software development which includes the sign off from Envisio’s Chief Product Officer and VP of Software Development.
How are security incidents communicated and handled?
Envisio effectively addresses and resolves incidents, such as security breaches or service disruptions, to minimize impact and ensure uninterrupted delivery of essential services.
There are several ways to get support for using Envisio, including online knowledge base articles and videos, technical support, consulting support, and community support options. The Customer Success Team technical and consulting support is available during our regular business hours on weekdays that are not legal Canadian holidays.
Regular business hours are listed below for the time zone in which your organization is located:
- 9:00 am EST until 8:00 pm EST
- 8:00 am CST until 7:00 pm CST
- 7:00 am MST until 6:00 pm MST
- 6:00 am PST until 5:00 pm PST
Process for in the event of a security or data breach: If there are security breaches, it will be reported internally via our VP of Software Development to our CPO, COO, and CEO. Communication follows immediately with customer project managers and system administrators via phone calls and emails.
Scheduled downtime communication: We communicate scheduled downtime via email and in-app messages. We give users at least a week’s notice before scheduled downtime.
How is data protected and secured?
Envisio ensures the protection and integrity of sensitive information through robust measures, such as encryption, access controls, and regular audits, to safeguard against unauthorized access and maintain privacy and confidentiality.
- Data recovery: Continuous Protection keeps data safe on Heroku Postgres. Every change to your data is written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of unrecoverable hardware failure, these logs can be automatically ‘replayed’ to recover the database to within seconds of its last known state. We also provide you with the ability to backup your database to meet your own backup and data retention requirements. For additional technical information see: https://devcenter.heroku.com/articles/pgbackups
- Data backup: Data is backed up daily and maintained for a period of seven weeks.
- Database backup: Files are stored on AWS S3 (US-EAST-1 region). Please refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for more details.
- Database servers: Envisio’s Postgres Database service is provided by Heroku which is always tenanted and segregated for additional protection. Envisio’s Postgres Database service is provided by Heroku. Please refer to the “Data Security” section from https://www.heroku.com/policy/security for more details.
- Data ownership: Every customer has a separate, unique private instance. Customers own all data and have the option of exporting the data at any time. Following the termination of services, the customer has 60 days to retrieve their data and any reports without additional cost, provided the customer’s account is in good standing.
- Cyber security controls: Heroku and AWS offer platform-level and infrastructure level security checkups and security patches, respectively. Envisio uses third-party tools (e.g. Datadog, Airbrake, Elastic.co, PaperTrail) to actively monitor and detect application-level suspicious activities such as intrusion detection, perimeter security, physical security and security patching.
- DataDog appsec scans on Envisio and customer application and database servers to ensure the customer’s data is secure.
- Envisio achieved SSAE 18 data security standards.
- Encryption: User login passwords are encrypted using Bcrypt. Envisio data is encrypted during transmission using TLS.
- Data access: Only Envisio Customer Success and Development staff can access data when required to assist customers with their issues.