Does Ambition have EU/US Privacy Shield?
Yes, we are EU-US Privacy Shield certified.
Does Ambition require employees to undergo annual security training?
All employees are required to take security training during onboarding and then annually thereafter.
Are security controls verified and validated by an independent, third-party auditor? If so, specify which audits/certifications are performed?
Yes, SOC2 Type II.
Where are Ambition's data centers located?
What type of data does Ambition collect?
The Ambition platform stores and processes sales activity data defined and subsequently transmitted by the customer. We only have access to what a customer explicitly sends via FTP/API or when using Salesforce, the data the customer explicitly configures and grants us permission see. For example... data necessary to generate # Calls, # Emails, # Meetings, $ Revenue.
Describe Ambition's patch frequency/schedule?
AWS EC2 instances are launched from an AMI with a hardened OS and the minimum packages required to run Docker. Any available minor security patches are scheduled to automatically be applied after-hours on a weekly basis. Critical security patches are prioritized and applied within 14 days of discovery/notification.
Is scoped data encrypted?
Yes, in-transit and at-rest using AES 256.
Who has access to production?
Only employees who need access get access. Production system access is limited to key members of the Ambition engineering team. At a minimum, authentication requires 2FA including asymmetric public/private keys and a time-based crypto token.
How are customers notified of any incidents related to systems and/or data?
Ambition's customers team will communicate any breach affecting customer data as soon as possible once the extent of the breach has been assessed and understood internally.
Have you had any data breaches within the last three years?
Policies, Processes, and Procedures
Does Ambition perform background checks on employees?
Yes, all Ambition employees are subject to checks.
Does Ambition permit any third-parties (sub-processors) to access, store, process, or transmit data?
We use several third-party services to deliver the Ambition platform and service, all of which have been vetted through our vendor security evaluation process. The current list can be found at https://ambition.com/pages/subprocessors/.
Do you maintain a vendor management program to evaluate the privacy and security of those third-parties?
Yes, all vendors must undergo an internal security audit and receive approval from our information security team. Vendors are re-evaluated on an annual basis.
What risk management activities does Ambition complete?
We perform an internal risk assessment once a year, in-addition to undergoing an annual SOC2 Type II audit.
Is any additional documentation available to describe policies, processes, and procedures in more detail?
Yes, we're happy to provide our Information Security Framework document to interested parties, please contact your Account Executive or Customer Success Manager for more information.