Home > Security, Frequently Asked Questions
(Last Updated On: March 29, 2019)
Does your solution perform validation of input and output to ensure that it is correct and appropriate to mitigate risks of cross-site scripting, SQL injection, buffer overflow, etc?
Yes, In developing SnapEngage we applied security best practices. We are filtering sensitive fields for XSS injection, not using direct queries but instead parameterized queries to avoid SQL injections.
Yes, chat agents and dashboard administrator need to log in to chat or view and make changes in the dashboard. Authentication is handled through a TLS secured communication.
Yes, SnapEngage passwords are not stored in the DataStore nor do any SnapEngage employees, owners, or affiliates have access to any user’s password. Upon a user creating a password an PBKDF2 salted hash is created and thereafter used to validate user credentials.
SnapEngage is a cloud based service, hosted in Google data-centers on the Google AppEngine infrastructure.
The physical location of data is in Google data centers. There are data servers both in the USA and the EU. SnapEngage leverages the state of the art physical security of Google data centers.
SnapEngage is hosted on the Google network. The Google infrastructure has a multi tiered infrastructure to not allow any access to systems or data other than through the SnapEngage application.
Yes, when installed on an SSL encrypted website the SnapEngage widget encrypts all communications between the visitor and its servers using SSL. A customer can enforce SSL encryption on non https page by following these instructions. Additionally, all communication between web client and the servers are SSL encrypted.
TLS 1.2, TLS1.1, TLS1.0. SSL v3 is no longer permitted.
Do you have a process for periodic scanning, identifying and re-mediating security vulnerabilities on servers, workstations, network equipment and applications?
Yes. A third party organization does perform yearly automatic scanning of SnapEngage.
Do you implement network security solutions for network monitoring, internet filtering, and intrusion detection?
Google, as our platform provider, is handling all the network security, monitoring, and response to threats.
Yes, the policy is reviewed by different staff on a monthly basis to ensure the policy is known, understood, and any compliance issue are escalated.
There are four ways to add extra security in the options tab of your Admin Dashboard under the Extra security section.
1. Enforce encryption (SSL) to view support request
If this option is selected you can view cases in logs by using https (rather than http).
2. Require sign in to view support request
If enabled the case can only be accessed after an admin logs in. If the option is not checked, then anybody with the link can see it.
3. Delete visitor data after it is successfully sent to destination
This feature removes all visitor information, ip, location, chat transcript, email after the end of the chat (and after any data that was collected was sent to any integrations).
4. Filter credit card numbers from transcripts
If enabled the chat transcript will be searched for any credit card numbers entered within the chat and the credit card number will be replaced with X’s.
Our hosting provider is SAS 70 Type II, SSAE 16 Type II, and ISAE 3402 Type II compliant. You can read more about this here.
SnapEngage complies with the EU-US Privacy Shield Framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.
Published November 6, 2012
No comments yet