ISO 27701:2019—VWO’s Commitment Towards Data Protection and Security
As technology progresses, cyber-attacks evolve by the hour. With more than 89% of businesses using software as a service (SaaS) as their cloud computing model, security is one of the biggest and most pressing challenges for online businesses.
SaaS has been around for a while. Subscription-based services like Netflix and Amazon’s video streaming arm, Prime, are SaaS too, and so are email services like Gmail and Yahoo. Given its versatility and agility in catering to a wide variety of customers, SaaS is a hot-selling model that businesses adopt to scale globally. But it is equally challenging for businesses to protect colossal volumes of customer data from prevailing and ever-evolving cyber attacks. If a potential vulnerability is neglected, a breach of this data could prove devastating for businesses, because customers entrust their data to companies and have little control over it.
To combat such attacks, SaaS businesses need to stay on par with international cybersecurity standards, maintaining robust gatekeeping in their security and compliance efforts to protect customer data and privacy. In this blog post, we discuss the security measures VWO follows to keep up with the dynamic security landscape and ensure a seamless and secure customer experience.
Is VWO GDPR compliant?
VWO is not only GDPR compliant but also certified to meet a broader set of international and industry-specific compliance standards, including ISO 27001, ISO 27701, SOC 2 Type II, and PCI-DSS, and is also compliant with various other global data protection laws such as HIPAA, CCPA, PIPEDA, etc.
What is the ISO/IEC 27701 standard?
ISO/IEC 27701:2019 (ISO 27701) is an internationally recognized standard built as an extension of the widely used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. VWO follows this global privacy standard, which focuses on the collection and processing of personally identifiable information (PII), including passwords, card information, phone numbers, social security numbers, etc. VWO anonymizes such sensitive user data before storing it on its servers. The standard focuses on three main factors:
- Providing a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS).
- Including requirements and guidance for organizations acting as PII controllers and PII processors, a key distinction from General Data Protection Regulation (GDPR) compliance and other privacy laws.
- Providing confidence to stakeholders and customers that organizations are maintaining the highest standards in managing privacy risks related to PII.
Why is it important for VWO?
As a SaaS organization, VWO handles client data such as personal details, card numbers, visitor profiles, etc., with the utmost responsibility and care. To mitigate the risk of data breaches, VWO anonymizes the data at the point of collection at DACDN nodes; once anonymized, the data can never be re-identified.
In addition, VWO helps customers minimize their data protection compliance burden right from the point of data collection.
“Data minimization (ensuring that data collection and retention is restricted to only those categories of data that are absolutely necessary for a specific purpose) is a fundamental privacy principle that should form part of any sound information security and data privacy strategy. If you don’t need it, don’t collect it.”
~ Maheshnarayan Sarasan, Data Protection Officer, Wingify
In pursuit of compliance with international standards for security and privacy, VWO has received an accredited ISO/IEC 27701:2019 certification as a PII processor and controller after undergoing an audit by an independent third party.
This universal framework allows VWO to comply efficiently with new regulatory requirements and keep its customers’ information secure.
How does VWO protect customer data from cyber-attacks?
VWO is committed to ensuring the security of customer data by following robust internal data security and privacy practices:
- VWO does not collect PII such as credit card information and maintains strict processes to avoid collecting or receiving it.
- Data Encryption: VWO follows best practices for cryptographic protection controls using trusted cryptographic technologies for data at rest and data in transit.
- Secure Software Development Life Cycle (SDL): VWO follows a secure Software Development Life Cycle with an emphasis on security and privacy throughout the product development process. The SDL includes a set of practices that support security assurance and compliance requirements and help address data protection and privacy requirements, including an effective privacy review for every VWO product.
- OWASP Top 10: VWO is protected against the OWASP Top 10 security threats. It uses the OWASP Top 10 internally as the reference consensus on the most critical security risks to web applications and protects the app against these threats at the application level. Customers are also encouraged to conduct their own vulnerability scans, with VWO’s permission.
- Regular updates of software dependencies: VWO has an internal alerting system that flags security updates to the team, enabling them to take swift action against any threats.
Know more about VWO security here.
The way forward: commitment to compliance
More than 2500 customers trust VWO with their data, and this responsibility is something we take very seriously. With the ISO 27701:2019 certification, VWO stands firm in its commitment to building a strong culture of secure systems and privacy across all aspects of the business. The ISO frameworks emphasize continuous improvement, aligning well with VWO’s drive to keep pace with an ever-changing threat landscape and protect customer data.
One of the recent changes to the international legal landscape surrounding data protection was the July 2020 Schrems II judgment of the Court of Justice of the European Union (CJEU), which declared the European Commission’s Privacy Shield decision invalid because of the level of government surveillance and control over data in the United States.
“In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) that specifically take into account the Schrems II judgment. These new SCCs have been made mandatory from September 2021. In anticipation of the same, we have already incorporated these new SCCs into our data protection agreements to ensure that we remain future-ready regarding GDPR compliance.”
~ Maheshnarayan Sarasan, Data Protection Officer, Wingify
If you are looking to build a CRO program to increase conversions for your business and want a breach-free, end-to-end protected and safe ecosystem to work with, start a 30-day free trial with VWO. Alternatively, you can request a demo to understand the product and get answers to all your security and compliance-related queries and concerns from VWO’s seasoned security experts.