Conviva Security & Privacy
Your trust is our priority.
As a trusted provider of real-time performance analytics for many of the world’s leading brands, Conviva is committed to protecting the data it accesses, stores, and processes.
Security, privacy, and compliance are central to everything we do.
Conviva builds its security and privacy frameworks to meet the highest standards of protection and transparency. Our approach is organized into three pillars:
- Compliance & Privacy: Adhering to global data protection regulations and industry best practices.
- Data Protection & Security: Securing data by embedding security throughout our platform and products.
- Third-Party Risk Management: Managing vendor risk.
Compliance
Conviva is committed to upholding the highest standards of information security and regulatory compliance.
- ISO/IEC 27001:2022 Compliance: Conviva is certified under ISO/IEC 27001:2022, the globally recognized standard for information security management systems (ISMS). This certification reflects our dedication to implementing robust security controls, continuously assessing and mitigating risks, and protecting the confidentiality, integrity, and availability of customer data.
- Trusted Hosting Platforms: Conviva hosts its cloud infrastructure on trusted third-party platforms that comply with industry-recognized standards such as SOC 1, SOC 2, and ISO 27001, among others. These certifications ensure that data processing and storage are handled securely, reliably, and in compliance with global best practices.
GDPR and CCPA Compliance
Conviva’s services are compliant with the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA). Key practices include:
- Data Transfer Mechanisms: Conviva implements appropriate safeguards, including Standard Contractual Clauses (SCCs), for transfers of personal data outside the EEA and UK.
- Data Minimization & Retention: Personal data is retained only as long as necessary for service delivery or legal obligations.
- Breach Notification: We assist with regulatory notifications and promptly inform affected customers in the event of a data breach.
- Confidentiality & Access Controls: All personnel authorized to process personal data are bound by confidentiality obligations.
- Sub-Processor Management: We require all sub-processors to meet our stringent data protection and security standards.
- Data Subject Rights: We support customers in responding to data subject requests, including access and deletion, in accordance with GDPR.
Additional details about Conviva’s GDPR compliance are available at https://www.conviva.com/legal/#GDPR.
Privacy
As a sub-processor, Conviva understands the critical importance of safeguarding data while delivering its services.
- Personal Data or Personally Identifiable Information (PII): Customers may transmit to Conviva — or instruct Conviva to collect and process — IP addresses, Viewer ID numbers, user ID numbers necessary for the provision of Conviva services.
- Anonymization & Hashing: Conviva offers the capability to hash or anonymize such data. For instance, IP addresses may be hashed into randomly generated instance ID numbers that are non-reversible and cannot be linked back to the original IP address. The original IP address is then deleted, and any associated customer-identifiable information processed from it is further deleted in accordance with its Data Retention Policy.
- Customer’s Personnel Data: Conviva collects website login credentials— including name, email address, and passwords — to facilitate authorized access to its services and its Pulse user interface.
Conviva’s Privacy Policy can be accessed at https://www.conviva.com/legal/.
Personal Data Retention Period
In delivering its products, Conviva collects and processes data that may qualify as personal data or personally identifiable information under applicable privacy laws. Conviva retains such personal data in accordance with applicable data privacy laws, its Data Retention Policy, and/or as otherwise directed by its customers.
Data Subject Rights and Requests
In accordance with applicable data privacy laws, customers may request access to, correction of, deletion of, or cessation of collection of personal data related to their employees or end users. Please note that deletion or restriction of personal data may impact certain service functionalities.
- Request Submission: These requests can be submitted via the support form available in the help menu of Conviva platform’s “Pulse” customer portal. Conviva responds to requests within 30 days, unless an extension is necessary, in which case Conviva will notify the requester.
- Verification and Limitations: To process a request, Conviva may require additional information to verify the requester’s identity. In some cases, Conviva may be unable to cease processing certain personal data. If so, Conviva will provide an explanation.
- Customer-Controlled Data: If personal data was collected or processed on behalf of a customer, individuals must contact that customer directly to exercise their rights. Conviva will act on such requests only upon the direction of the relevant customer, as required by law.
For assistance, contact Conviva’s support team at support@conviva.com.
Data Protection & Security
At Conviva, data protection and security are foundational to how we design, build, and deliver our products, with a comprehensive information security program that thoroughly evaluates all of their aspects. This includes robust measures to ensure secure access, transmission, processing, storage, and protection of customer data throughout its lifecycle.
Data Encryption: In-Transit & At-Rest
Conviva secures customer data using strong encryption during both transmission and storage, leveraging the latest secure protocols to ensure data confidentiality and integrity.
Access Management
Conviva enforces a robust access control framework to protect the security of its platforms, systems, and data. This framework includes both logical and physical access controls and is guided by a least-privileged access model.
- Strong Authentication: Conviva uses secure methods such as role-based access control, multi-factor authentication, and single sign-on to manage access across services.
- Physical Security: Physical access to Conviva’s facilities is tightly controlled, with sensitive areas further secured using measures such as biometric scanners. These practices help ensure the integrity of our operations and safeguard customer data.
Availability
The Conviva platform is built for resilience and reliability.
- Distributed, Redundant Infrastructure: Conviva operates across multiple global regions with built-in redundancy to ensure continuous service availability.
- 24/7 Continuity & Response: Conviva’s platform is supported by globally distributed teams with deep expertise across operations, infrastructure, and security, ensuring 24/7 service continuity and incident response.
- Automated Failover & Recovery: Customer data is securely backed up and can be quickly restored across regions, ensuring no data loss and minimal disruption.
- Tested Disaster Recovery: Conviva’s disaster recovery plan includes both local and geographic failover strategies, with full production data backups securely stored in remote locations and regularly tested to ensure data integrity and operational readiness.
Monitoring, Logging, and Alerting
Conviva ensures high availability and security of its platform, services, and infrastructure.
- 24/7 Monitoring Coverage: Conviva continuously monitors system uptime using a combination of enterprise-grade, open-source, and internal observability tools.
- Transparent Status Updates: A real-time view of service status is available at https://status.conviva.com.
- Centralized Logging: All production logs are collected and stored in a centralized, tamper-proof system.
- Real-Time Threat Detection: Automated log analysis and real-time alerting help detect security threats, performance issues, and service disruption, enabling rapid incident response and maintaining platform reliability.
Vulnerability Management
Conviva prioritizes proactive risk mitigation through regular security assessments.
- Third-Party Testing: Conviva performs annual third-party penetration testing.
- Continuous Protection: Conviva continuously scans its applications and infrastructure for vulnerabilities. Identified issues are promptly remediated as part of our ongoing security and software development lifecycle, including during major updates.
3rd-Party Risk Management
Conviva carefully vets all third-party vendors and sub-processors to ensure they meet rigorous standards for data security, privacy, and compliance.
- Data Protection Standards: When handling any personal data, whether collected by Conviva or provided by customers for the delivery of our services, Conviva requires its sub-processors to adhere to the same data protection practices that it follows.
- Rigorous Vendor Vetting: Before engaging any sub-processor, Conviva conducts a thorough review of its technical, administrative, and physical security controls to ensure consistent, end-to-end protection of customer personal data.
- Global Compliance: For vendors and sub-processors that transfer personal data outside the European Union and United Kingdom, Conviva ensures appropriate transfer mechanisms are in place to maintain EU GDPR and UK GDPR compliance, respectively.
A current list of Conviva’s sub-processors who process customer personal data is available at https://www.conviva.com/conviva-subprocessors/.
Have questions?
For general inquiries about the security of Conviva’s services or the information above, please contact us at:
Conviva Inc.
Legal-Privacy Policy Issues
989 East Hillsdale Boulevard, Suite 400
Foster City, CA 94404
USA
(650) 401-8282
For queries about GDPR or other privacy and data security policies in Europe, you may also contact a representative at:
Conviva Ltd.
Fourth Floor
St. James House, St. James’ Square
Cheltenham, United Kingdom
GL50 3PR
Attention: General Manager