
CONGA CONTRACTS SECURITY (data sheet)

Posted: 01-Sep-2018

1 Online: getconga.com | Twitter: @getconga

DATA SHEET | CONGA CONTRACTS

The Conga Contracts service provides cloud-based contract management software to help manage, negotiate, and administer all contractual agreements with customers, partners, and suppliers.

CONGA CONTRACTS SECURITY

Infrastructure

The Conga Contracts service delivery model provides a full-service solution that requires only a web browser for user access and eliminates internal IT support and hardware costs. The Conga Contracts service is hosted in the Amazon AWS environment. The North American environment will always be hosted in US-located AWS regions, and the European environment will always be hosted in European-located AWS regions. The Conga Contracts service provides clients with secure access to their mission-critical contract management system with a monthly uptime of 99.7%, excluding scheduled maintenance periods as defined in your MSA.

Network Bandwidth and Latency

Conga relies on AWS network infrastructure to provide low-latency network availability between Conga and end users. The AWS Cloud infrastructure is composed of Regions and Availability Zones. A Region is a physical location in the world that contains multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones make it possible to operate production applications and databases that are more highly available, fault-tolerant, and scalable than would be possible from a single data center. Conga monitors applicable networks and addresses internal issues that may impact availability. Note that encryption gateways and associated third-party technologies that redirect connections are incompatible with the Conga Contracts service.

External Connections

The Conga Contracts service provides secure transmission between the service and any client via transport security using TLS 1.2.

Firewalls & Intrusion Prevention

The Conga Contracts service utilizes firewall and identity and access management services provided by AWS. Further, managed endpoints are protected with host-based anti-malware, file integrity monitoring, HIPS/HIDS, and log monitoring. Applicable signatures are updated in near real time as vendors release them. Security group policies are established to further limit access by protocol, source and destination addresses, and ports.

To ensure the highest level of network security, internal and external vulnerability tests are performed at least monthly. In addition, the Conga Contracts service successfully passes annual third-party penetration tests.


Access Control & Password Management

Identity Management is used to provide authentication. Users must have a valid username and password to access the system. User Profiles containing first and last name, email address, login name, and password are associated with Contract Groups, User Security Roles, and Profile Rules using Conditions and Actions. Single Sign-On is also an option, for ease of user administration and greater security controls. The Conga Contracts SSO solution uses SAML 2.0.

Conga employee access to the service is limited to only the access required for support and maintenance purposes. Employee access is contingent on a successful background check, confidentiality agreements, and documented authorization by an engineering VP or above. Access is strictly controlled via VPN and other authentication mechanisms for approved employees.

Account Provisioning

Account provisioning for the Conga Contracts service is performed by the customer’s administrative user. An Administrator can handle all account management and system settings from within the service.

Security-Related Maintenance

The Conga Contracts service performs security-related change management and maintenance, in most cases transparently to the client, by deploying new system builds at the data centers. Patches and updates are installed during the scheduled maintenance window.

Data Management & Protection

Clients of the Conga Contracts service own all data that resides in the Conga Contracts service database created for them using the service. Each client has their own uniquely credentialed and named database instance. These database instances are encrypted at rest for an additional level of data security. Client data is never commingled with other clients’ data. Conga Contracts service employees do not have direct access to the client’s application environment unless they are granted a user login created by the client’s administrator for the sole purpose of providing technical support services to support the client’s business needs.

Conga maintains security incident management policies and procedures. Conga promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data by Conga or its agents of which Conga becomes aware, to the extent permitted by law. All Conga systems used in the provision of the Conga Services, including AWS infrastructure components and operating systems, log information to their respective system log facility or to a centralized Syslog server (for network systems) to enable security reviews and analysis.

System Hardening & Monitoring

Conga Contracts employs standardized system hardening practices across Conga devices. This standard includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging. Additionally, Conga employs an enterprise-class vulnerability management program to monitor and alert on any unauthorized changes or security misconfigurations.

Anti-Malware Controls

Conga Contracts leverages enterprise-class solutions deployed on all servers to protect against virus and malware incidents. Anti-virus and anti-malware signatures are updated in a near real-time process as soon as they are available from the applicable vendors.

Backups

Information stored in the Conga Contracts database systems is backed up using AWS-provided facilities. For short-term recoverability, the AWS point-in-time restore capability is enabled. Using a combination of daily snapshots and transaction log backups, a recovery can be performed to any instant in the prior 7 days. For longer-term recoverability, AWS snapshots are taken nightly.

For files stored outside of the database, Amazon EBS snapshot functionality is used to snapshot the file storage daily.

Both the database and file backups are encrypted and retained for one year.

Disaster Recovery

Conga maintains a separate disaster recovery site in each geographic area. This site is provisioned to take over processing requests for Conga Contracts should the primary site experience a total failure. Data is replicated from the primary site to the recovery site continuously to minimize any data loss in such a case.


© Copyright 2018 Conga

Conga EMEA, London: 1 Fore St, London EC2Y 5EJ, +44 20 3608 0165

Conga APAC Pty Ltd: Level 1168 York Street, Sydney NSW 2000, +61 2 8417 2399

Conga Americas Global Headquarters: 390 Interlocken Crescent, Suite 500, Broomfield, Colorado 80021, +1.303.465.1616

Physical Security

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Video surveillance and intrusion detection systems are in place at a minimum at all ingress and egress points. Authorized personnel must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Scalability

The Conga Contracts service is architected to be both horizontally and vertically scalable; additional services can be added to increase the performance of clusters, and new clusters can be added to provide service for new clients.

Conga leverages AWS scaling groups behind application load balancers to balance services among three or more Availability Zones, keeping the system operational even if an entire Availability Zone fails. In the case of an Availability Zone failure, the load balancer redirects traffic to the machines in the remaining healthy zones. To account for the loss of capacity in the failed zone, additional resources can be added, manually or automatically, to the scaling group in the remaining operational zones. When the failed Availability Zone is back online, resources are added to the scaling group in that zone to balance load across the original set of Availability Zones again.

Audits & Certifications

The Conga Contracts service undergoes a SOC 2 Type II audit annually. With the recent move into AWS, the SOC 2 audit report scheduled for March 2019 will include the AWS components. The Conga Contracts service data centers are SOC 2 Type II audited facilities in the US and ISO 27001 certified in the EU. Conga complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland, respectively, to the United States. Conga has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit: go.getconga.com/privacyshield
