Security & Privacy

Ultimate is now a part of Zendesk. For further Security and Privacy information please visit https://www.zendesk.com/trust-center/

We use multifactor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, we use private keys for authentication. To connect with administrative access to production servers, our team is required to connect using both an SSH key and a one-time password associated with a device-specific token.

Where passwords are used, multifactor authentication is enabled. The passwords themselves are required to be complex: auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements.

Ultimate allows personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

Customer data is removed immediately upon deletion or message retention expiration. Backups are destroyed within 14 days. We follow industry standards and advanced techniques for data destruction.

Ultimate defines policies and standards requiring media be properly sanitized once it is no longer in use. Our hosting provider GCP is responsible for ensuring removal of data from disks before they are re-purposed.

Ultimate utilizes the services provided by our hosting provider Google Cloud Computing (GCP) to operate the whole base infrastructure of our production environment. The distinct locations within the GCP network ensure protection from loss of connectivity, power, and other possible location specific events.

Full backups are stored in the GCP cloud in a highly redundant and available storage solution. Backups are created multiple times a day.

We maintain disaster recovery and business continuity plans, providing our processes and procedures to follow in the event of a disaster. These plans are updated as needed and at a least annually.

Data at rest in our production network is encrypted using AES256 encryption. This applies to all types of data at rest within our systems — relational databases, file stores, database backups, etc.

Ultimate stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.

Ultimate transmits data over public networks using strong encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients.

We also monitor the changing cryptographic landscape and upgrade the cipher suite choices as the landscape changes, while balancing the need for compatibility with older clients.

We are committed to making Ultimate a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or entire data centers. Our Platform team tests disaster-recovery measures regularly and staffs an on-call team to quickly resolve any problems.

Ultimate divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting our production application. Customer data submitted into our services is only permitted to exist in our production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Ultimate’s production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of service to its users are open at our perimeter. Changes to Ultimate’s production network configuration are restricted to authorized personnel.

We engage independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with management. We then review and prioritize the reported findings and track them to resolution.

The Ultimate service is hosted in Google Cloud Platform (GCP) data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment. These service providers are responsible for restricting physical access to Ultimate’s systems to authorized personnel.

Our hosting environment maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the GCP Security website and GCP Compliance website.

All workstations are pre-configured for employees to meet our standards. The default configuration includes disk encryption, anti-virus, strong passwords, and locking when idle. Employees are not permitted to download customer data from production systems to their local workstations.

We adhere to the principle of least privilege. Our teams are only authorized to access data they are required to handle in order to fulfill their current job responsibilities.

All systems require users to authenticate, and users are granted user specific credentials. Systems access for all employees are reviewed at least quarterly to ensure the correct level of access.

The core of our security program is to prevent unauthorized access to customer data. We take extensive measures to ensure we identify and mitigate risks, implement best practices, and evaluate how we can do better.

As part of our SOC2 certification, we regularly review our policies and controls. These are audited at regular intervals by a third party to ensure ongoing certification and compliance.

Personnel practices apply to all members of the Ultimate workforce: regular employees and independent contractors who have direct access to Ultimate’s internal information systems, and/or unescorted access to Ultimate’s office space. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of work at Ultimate, all access to Ultimate’s systems is removed immediately.

We maintain a set of policies, standards, procedures, and guidelines (“security documents”) that govern our activities. These security documents help ensure that our customers can rely on our workers to behave ethically, and for our service to operate securely. Security documents include, but are not limited to:

• Fair, ethical, and legal standards of business conduct
• Acceptable uses of information systems
• Planning for business continuity and disaster recovery
• Classification of security incidents
• Control of changes
• Security development life cycle process
• Description, schedule, and requirements for retention of security records

We update these documents as needed and at least annually to ensure they are accurate.

We maintain policies and procedures (also known as runbooks) for responding to potential security incidents. Ultimate defines the types of events that must be managed via our incident response process. Incidents are classified by severity and response procedures are tested and updated at least annually.

We use a secure development life cycle process to assess the security risk of each development project. During the design phase each project is assessed and classified utilizing OWASP 10 as High, Medium, or Low risk. Based on the risk classification, a set of requirements must be met before the project can be released to production.

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow information security policies at least annually.

Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

All code is stored in a version-controlled repository with changes subject to peer review and continuous integration testing. Defects found in this process must be remediated prior to deployment.