Cheetah Digital is committed to ensuring the security, availability, and confidentiality of the information entrusted to it by its customers and other stakeholders, including management, staff, investors, shareholders, and business partners.
Cheetah’s security posture in a nutshell:
- Cheetah Digital’s SaaS solutions leverage technical and organizational measures aligned to the ISO/IEC 27001 and 27002 standards and implemented using security and data protection industry best practices.
- Our production systems implement key control objectives covering data security, confidentiality, and availability; these controls are tested against multiple security and information systems management standards.
- Our Global Security Policy & Standards document is comprehensive and authorizes supplementary policies covering business continuity, risk management, acceptable use of systems, and data retention, among other governance areas.
- As part of policy management, a senior-management forum reviews and approves all new policies and all changes to existing policies.
- Current security reports, certificates and related supporting handouts are available under NDA through your Customer Success Manager.
Standards, certifications and related compliance
ISO/IEC 27001 is an international information security standard that specifies the requirements for an information security management system (ISMS). We apply it to the secure management of our office sites, development centers, support centers and data centers, and our technical and organizational measures, and those of our infrastructure suppliers, align to this standard.
We follow NIST standards for hardening all systems, moving and disposing of physical assets, and for applying least privilege access controls to physical and information assets.
SOC 2 Type II
Our SOC 2 Type II reports cover IT general controls and the Security, Availability and Confidentiality Trust Services Criteria as applied to business and customer data across our key solutions.
SOC 1 Type II
Our SOC 1 Type II reports cover IT general controls and controls around the security, availability, and confidentiality of customer data. A SOC 1 report examines the controls at a service organization that are relevant to its customers’ internal control over financial reporting; ours is primarily of interest to our Loyalty customers.
Our HITRUST certification covers security and information risk management controls relevant to customers who are subject to U.S. HIPAA. (HITRUST is a certifiable control framework that maps to HIPAA requirements, not a law in itself.)
PrivacyMark is a Japanese certification system, operated by JIPDEC, that assesses whether private enterprises take appropriate measures to protect personal information. This certification examines controls relevant to our customers in Japan.
Our data privacy and marketing self-regulatory approach aligns to the EU and UK frameworks for personal data protection and electronic communications privacy (the GDPR and UK GDPR, and the ePrivacy Directive and the UK PECR). Our solutions support customers who are subject to these and similar requirements.
Cheetah acts as a Business Associate under a Business Associate Agreement (BAA) for customers subject to U.S. HIPAA, and is HITRUST certified against HIPAA security requirements.
When providing creative design and campaign coding professional services we follow W3C accessibility standards (WCAG) and ANA Email Experience Council (EEC) best practices for making web and email content accessible to people with disabilities.
Cheetah Digital maintains a comprehensive information security program that contains safeguards appropriate to the sensitivity of the information. Such safeguards are designed to:
- Ensure the security and confidentiality of client and customer information
- Protect against any anticipated threats or hazards to the security or integrity of that information
- Protect against unauthorized access or use of information that could result in harm to any client or customer
Global security & privacy team
We have a dedicated internal team responsible for the management of information security and privacy compliance throughout the organization. The team continuously monitors our environment for vulnerabilities, performs tests and audits, and works cross-functionally to guide the development and implementation of information security, data privacy and risk management requirements. The team includes ISC2- and IAPP-certified professionals.
Policies and standards
Cheetah has developed a comprehensive set of security and data protection policies modeled on the ISO/IEC 27001 standard. These policies are updated frequently and shared with all employees.
We perform background checks on all new employees in accordance with local laws.
Employees sign a confidentiality agreement outlining their responsibilities for protecting customer data, and all employees are required to adhere to Cheetah’s ethical conduct and acceptable use policies as a condition of employment.
New hires learn about Cheetah Digital’s tools, products and policies, and all employees complete security and privacy awareness training annually.
We maintain a comprehensive errors and omissions (E&O) insurance policy with cyber coverage to address security and data privacy incidents.
We restrict electronic access to our production environment, and in turn to our Customers’ data. Single Sign-On (SSO) with Multi-Factor Authentication (MFA) authenticates access to our production environment in a layered and auditable way.
Our solutions support SAML SSO with Two-Factor Authentication (2FA), and Customers can set granular role-based permissions for their account users.
We enforce password complexity and user lifecycle standards, which Customers can further customize to meet their needs. All credentials are stored in encrypted form.
Login sessions and data at rest are encrypted using industry-standard algorithms with 256-bit keys and strong cipher suites. We hash user account passwords, encrypt files exchanged through our platforms, and secure our APIs and application endpoints with TLS 1.2, following OWASP and OpenSSL configuration guidance.
Network and application security
Data hosting and storage
Our production systems are hosted in Tier III co-location data centers and with cloud hosting providers, each of which maintains ISO 27001-certified and SOC 2-audited physical and environmental controls. Production facilities and offices are secured by keycard access and biometrics, and are monitored with cameras throughout. We review our facility providers and physical security measures at least annually.
Our office network is segmented and segregated from our production network. Within production, customer environments are geographically and/or logically segregated from one another, or are hosted within dedicated single-tenant environments.
Continuity and recovery
Cheetah Digital’s infrastructure is designed to be highly resilient across our co-location data center facilities and across multiple AWS availability zones. Our backup solutions are layered and tested to ensure key systems remain available and to mitigate the risk of data loss.
Logging and monitoring
Our production and corporate systems are monitored using enterprise-class infrastructure, security tools, and managed services. Audit trails are aggregated, processed and stored using an industry-leading SIEM and a forensic log vault solution.
We use enterprise-class scanning tools for continuous automated scanning of internal and external vulnerabilities, supplemented by manual scans. Each year we also engage a third-party security firm to perform detailed penetration tests of our applications and infrastructure. Our dedicated security team triages the issues raised and works collaboratively with technical teams to remediate findings.
We implement a risk-based incident management process to respond to security events. The process includes an escalation plan based on the nature and severity of the event, event tracking requirements, mitigation pathways, and Customer notification requirements.
If you have questions or feedback, please contact your Cheetah Digital representative or reach out to us at firstname.lastname@example.org