You want to scale up and automate your customer engagements, but you're worried. You wish you could answer all your customer questions 24/7, but you're concerned about chatbot security and are wondering about the security protocols that are followed to protect your data.
This article will help alleviate your security concerns.
Governments, banks, and other organizations with extreme data security concerns use Engati to scale their customer engagements worldwide. Here are a few of the precautions that we take to eliminate security risks and protect their data and yours.
What security measures can a business implement in order to ensure a chatbot is safe for its customers?
Hosting
Our database servers are securely configured and not accessible outside the demilitarized zone.
Even though we use a multi-tenant system, your data is always logically separated from another customer’s data.
For website bots, responses are sent back over the same connection on which the request was received. We have also implemented additional logic to protect you from data leaks and session hijacking, and the server drops any spurious connections.
Our bot platform does not save any end-user’s personally identifiable information or location information unless specifically enabled from the platform.
While building your bot, you are also encouraged to only ask your customers for details that you absolutely require. We also urge you to provide details about how the system consumes the data in a transparent manner.
Infrastructure security
We have set up strong firewalls to protect the network and infrastructure from unauthorized access and attacks.
We have also ensured that no backend functional services are exposed to the internet; all calls go through specific checks on a limited set of ports.
Your backup files are also stored in a separate location with different layers of security.
We have restricted physical access to the data storage through multi-factor access control, combining network restrictions, certificate-based access, and password protection.
You can use third-party infrastructure monitoring tools to collect performance data from backend components, like servers, virtual machines, and databases.
Encryption
All data transmission between the web browser client and the server is done only over SSL-encrypted channels.
All sensitive data is stored only in encrypted files.
Application user credentials (for the portal) are all stored in salted, hashed form.
Periodic assessments
We conduct a monthly security-focused code review on the entire platform.
All potential threat scenarios are modeled and outlined from a design perspective on a monthly basis.
Our team performs a black box security assessment on all applications before a release. In a worst-case scenario, we carry out these assessments quarterly.
We also conduct network security assessments at regular intervals on all our production servers.
Compliance
The GDPR (General Data Protection Regulation) is the European Union's regulation on data protection and data privacy.
Here are a few of the measures that we take in compliance with the GDPR:
ISO/IEC 27001 sets the international standard for creating, implementing, maintaining, and continuously improving an information security management system (ISMS).
As an ISO 27001 certified organization, we have sturdy security-focused controls in place under these areas:
Miscellaneous
Conversation data from third-party sources is always validated for data integrity before being consumed.
Idle time validation is enforced for all bot user-workflow interactions.
Relevant security headers are set in place, and strong session management is enforced to prevent session hijacking.
Proper cookie-based authentication and authorization mechanisms have been implemented to protect users from insecure direct object references.
Our backend framework protects the web application and its resources from cross-site scripting, cross-site request forgery, and injection attacks.
Individual portal users can only have one active session at a time. In addition to this, users are logged out of the portal after 30 minutes of inactivity, and password recovery links are only valid for 15 minutes after you request them.
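The session rules just described (one active session per user, logout after 30 minutes of inactivity, and password recovery links that expire after 15 minutes) can be expressed as a small server-side policy. The following is an added illustration written for this article, not Engati's own code: it assumes an in-memory store and an injectable clock (so the timeouts can be exercised without waiting), and stores only SHA-256 digests of session and recovery tokens so a leaked store does not yield usable tokens.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60        # portal logout after 30 minutes of inactivity
RECOVERY_TOKEN_TTL_SECONDS = 15 * 60  # password recovery links valid for 15 minutes


def _digest(token: str) -> str:
    """Store only a hash of each token; the raw value lives in the user's browser/email."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class FakeClock:
    """Constructed clock for tests and demos; a real deployment would use time.time."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._sessions = {}   # digest(session_id) -> (user_id, last_activity)
        self._by_user = {}    # user_id -> digest(session_id) of the single active session
        self._recovery = {}   # digest(token) -> (user_id, issued_at)

    def login(self, user_id: str) -> str:
        """Create a session, invalidating any session the user already holds."""
        previous = self._by_user.pop(user_id, None)
        if previous is not None:
            self._sessions.pop(previous, None)
        session_id = secrets.token_urlsafe(32)
        key = _digest(session_id)
        self._sessions[key] = (user_id, self._clock())
        self._by_user[user_id] = key
        return session_id

    def touch(self, session_id: str):
        """Validate a session on every request; returns the user_id or None.

        A session idle for longer than IDLE_TIMEOUT_SECONDS is destroyed rather
        than refreshed, so the next request after the gap is treated as logged out.
        """
        key = _digest(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, last_activity = entry
        now = self._clock()
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            self.logout(session_id)
            return None
        self._sessions[key] = (user_id, now)
        return user_id

    def logout(self, session_id: str) -> None:
        entry = self._sessions.pop(_digest(session_id), None)
        if entry is not None:
            self._by_user.pop(entry[0], None)

    def issue_recovery_token(self, user_id: str) -> str:
        """Mint a single-use, time-limited token to embed in a recovery link."""
        token = secrets.token_urlsafe(32)
        self._recovery[_digest(token)] = (user_id, self._clock())
        return token

    def redeem_recovery_token(self, token: str):
        """Return the user_id if the token is unexpired; the token is consumed either way."""
        entry = self._recovery.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self._clock() - issued_at > RECOVERY_TOKEN_TTL_SECONDS:
            return None
        return user_id


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    first = store.login("alice")
    second = store.login("alice")         # second login evicts the first session
    print("first session still valid:", store.touch(first) is not None)   # False
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    print("second session after 30 min idle:", store.touch(second))        # None
```

The single-session rule is enforced at login rather than at request time, so an attacker who captured an older cookie loses it the moment the legitimate user signs in again; the recovery token is removed on first redemption, so an expired or already-used link cannot be replayed.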
Certain organizations with highly sensitive information (like government organizations and banks) cannot have their systems based entirely on the cloud. They can use our C2E (Cloud to Enterprise) Bridge for a hybrid solution in such situations.
It lets organizations combine on-premise environments with Engati's services. The C2E Bridge makes it possible for data to move between these environments securely, enabling greater flexibility and productivity.
Engati is also hardened against the Open Web Application Security Project (OWASP) Top 10 web application security risks.
In addition to this, all of Engati’s portal workflows are associated with user roles. Only authorized portal users are granted access to these workflows based on the configuration.
So, what are you waiting for? Start engaging your customers 24/7, without the slightest delay, in a safe manner.