Company Compliance

Security

An overview of our commitment to the security of our global solutions, systems, business operations, and the data -- business and personal -- under our care.

Cheetah Digital is committed to ensuring the security, availability, and confidentiality of the information entrusted to it by its customers and by its stakeholders, including management, staff, investors, shareholders, and other business partners.

Cheetah's security posture in a nutshell:

  • Cheetah Digital's SaaS solutions leverage technical and organizational measures aligned to ISO 27001/2 standards and implemented using security and data protection industry best practices.

  • Our production systems utilize key compliance controls and objectives covering a range of data security, confidentiality, and availability controls, tested against multiple security and information systems management standards.

  • Our Global Security Policy & Standards is comprehensive and authorizes individual supplementary policies covering topics such as business continuity, risk management, systems acceptable use, and data retention, among other governance areas.

  • As part of policy management, a senior-management forum reviews and approves all new policies and all changes to existing policies.

  • Current security reports, certificates and related supporting handouts are available under NDA through your Customer Success Manager.

Standards, certifications and related compliance

  • ISO 27001 (ISO): The International Organization for Standardization 27001 standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. Our technical and organizational measures, and those of our infrastructure suppliers, align to this standard.

  • NIST: We follow NIST standards for hardening all systems, for moving and disposing of physical assets, and for applying least-privilege access controls to physical and information assets.

  • SOC 2 Type II (AICPA SOC): The reports cover IT general controls and controls around the security, availability and confidentiality of business and customer data across our key solutions.

  • SOC 1 Type II (AICPA SOC): The reports cover IT general controls and controls around the security, availability, and confidentiality of customer data. The SOC 1 report is primarily concerned with examining controls that are relevant to the financial reporting of our Loyalty customers.

  • HITRUST CSF (HITRUST): The HITRUST certification covers security and information risk management controls that are relevant to customers subject to U.S. HIPAA and HITRUST requirements.

  • PrivacyMark: PrivacyMark is a certification system set up to assess private enterprises that take appropriate measures to protect personal information. This certification examines controls relevant to our customers in Japan.

  • GDPR: Our data privacy and marketing self-regulatory approach aligns to the EU and UK frameworks for personal data protection and electronic communications privacy. Our solutions support our customers who are subject to these and similar requirements.

  • HIPAA: Cheetah acts as a Business Associate (under a BAA) for customers subject to US HIPAA and is HITRUST certified to meet HIPAA security requirements.

  • WCAG 2.1 (W3C WCAG): When providing creative design and campaign coding professional services we follow W3C standards and ANA EEC best practices for making web and email content accessible to people with disabilities.

Organizational security

Management

Cheetah Digital maintains a comprehensive information security program that contains safeguards appropriate to the sensitivity of the information. Such safeguards are designed to:

  • Ensure the security and confidentiality of client and customer information

  • Protect against any anticipated threats or hazards to the security of that information

  • Protect against unauthorized access to or use of information that could result in harm to any client or customer

Global security & privacy team

We have a dedicated internal team responsible for the management of information security and privacy compliance throughout the organization. The team continuously monitors our environment for vulnerabilities, performs tests and audits, and works cross-functionally to guide the development and implementation of information security, data privacy and risk management requirements. The team includes ISC2- and IAPP-certified professionals.

Policies and standards

Cheetah developed a comprehensive set of security and data protection policies modeled after the International Organization for Standardization (ISO) 27001 standards. These policies are updated frequently and shared with all employees.

Background checks

We perform background checks on all new employees in accordance with local laws.

Confidentiality

Employees sign a confidentiality agreement outlining their responsibility in protecting customer data, and all employees are required to adhere to Cheetah's ethical conduct and acceptable use policies as a condition of employment.

Awareness training

New hires learn about Cheetah Digital's tools, products and policies, and all employees complete security and privacy awareness training annually.

Insurance

We maintain a comprehensive errors and omissions policy with cyber coverage to address security and data privacy incidents.

Product security

Access control

We implement the latest measures to restrict electronic access to our production environment, and in turn our Customers' data. Single Sign-On (SSO) with Multi-Factor Authentication (MFA) allows us to authenticate access to our production environment in a layered and auditable way.

Our solutions support SAML SSO with 2-Factor Authentication (2FA), and Customers can set granular role-based permissions for their account users.

Password complexity

We enforce password complexity and user lifecycle standards which Customers can further customize to meet their needs. All credentials are encrypted.

Encryption

Login sessions and data at rest are encrypted using industry-standard 256-bit algorithms with strong cipher suites. We hash user account passwords, encrypt files exchanged through our platforms, and secure our APIs and application endpoints using TLS 1.2, following OWASP and OpenSSL best practices.

Network and application security

Data hosting and storage

Our production systems are hosted in Tier-3 co-located data centers and with cloud hosting providers who maintain multiple ISO 27001 and SOC 2 certified physical and environmental controls. Further, production facilities and offices are secured by keycard access and biometrics, and are monitored with cameras throughout. We review our facility providers and physical security measures at least annually.

Segregation

Our office network is segmented and segregated from our production network. In turn, our customers are geographically and/or logically segregated, or are hosted within dedicated single-tenant environments.

Continuity and recovery

Cheetah Digital's infrastructure is designed to be highly resilient across our co-location data center facilities, and across multiple AWS availability zones. Our backup solutions are layered and tested to ensure key systems are available, and to mitigate against the risk of data loss.

Logging and monitoring

Our production and corporate systems are monitored using enterprise-class infrastructure, security tools, and managed services. Audit trails are aggregated, processed and stored using an industry-leading SIEM and forensic log vault solution.

Vulnerability management

We use enterprise-class, best-of-breed scanning tools to scan for internal and external vulnerabilities, both continuously and manually. Each year we also engage a third-party security firm to perform detailed penetration tests on our applications and infrastructure. Our dedicated security team responds to issues raised and works collaboratively with technical teams to address findings.

Incident response

We implement a risk-based incident management process to respond to security events. Protocols include an escalation plan based on the nature and severity of the event, event tracking requirements, mitigation pathways, and Customer notification requirements.

If you have questions or feedback, please contact your Cheetah Digital representative or reach out to us at privacy@cheetahdigital.com.