Google Cloud

“Exponea’s progress has been spectacular.”

Read on to see how Exponea uses Google Cloud to drive scalability, flexibility, and security at scale.

Security

Security is our priority

Security commitment
Strong security culture

We aim to build a strong security culture among all Exponea employees. We firmly believe that every employee is an essential part of our defense against potential security breaches.

This culture shapes every stage of an employee's time with us: the hiring process, employee on‑boarding, the ongoing training that Exponea provides, and company events held to raise awareness. Before an employee joins Exponea, we perform a background check. All employees must be familiar with our security policies, complete security training as part of on‑boarding, and receive regular security training throughout their time at Exponea. During on‑boarding, new employees agree to our NDA and complete OWASP training. This reflects our commitment to keeping our customers' data secure.

All Exponea employees must follow our password security and lockout policy, must use two‑factor authentication (2FA), and must use a secure Wi‑Fi connection or connect to our VPN when working remotely. Additionally, all Exponea employees use Okta, a Single Sign‑On (SSO) service that lets them securely access their accounts and applications.


Security development practices

Developers in the IT segment receive guidance on topics such as secure coding and development best practices and the principle of least privilege when granting access rights. The IT department also attends technical presentations on security‑related topics and receives regular updates on the newest issues in the cybersecurity space via our security channel.


Our certificates

Exponea holds valid certifications that show how seriously we take security and compliance. We currently hold the following certifications:

Security management

We Care About Your Security


Endpoint Security

We ensure that all of our endpoint devices are protected according to our Endpoint Security Policy. This requires that every endpoint device has disk encryption, malware protection, guest access disabled, a firewall, and a regularly updated OS. In addition, we perform regular checks to make sure that we maintain this level of security.


Vulnerability Management

Exponea has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked, prioritized according to its urgency, and assigned to the relevant people as a ticket. Our security team tracks such issues and follows up regularly until it can verify that they have been resolved.


Quality Assurance

It is vital for us to properly test all new features before implementing them so that no unexpected vulnerabilities are introduced to the application. The QA team guarantees that all new additions to our application are bug‑free prior to release. They also test private instances for new clients just before the instances are handed over to our Client Services team.


Monitoring

Our security monitoring is based on information collected from internal network traffic and on knowledge of our own vulnerabilities. Internal traffic is checked for suspicious behaviour, and network analysis together with examination of system logs to identify unusual behaviour are a vital part of monitoring. We also place search alerts on public data repositories to look for security incidents.


Incident Management

Exponea has well‑defined incident management processes for security events that may affect the confidentiality, integrity, or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and the shortest resolution time. The process includes action plans and procedures for identification, escalation, mitigation, and reporting.


Reassurance

To make our Security Management transparent and share the details with those who need them most, we also hold a SOC 2 (Type 2) report. The report is available on request under an NDA and gives an overview of Exponea's technical and organisational security measures.

Protecting our clients’ data


Data Encryption

Whenever we store data in the Google Cloud Platform (GCP), several layers of encryption apply. By default, data is encrypted both at rest and in transit. Additional security controls are implemented depending on our customers' requirements.

Without any additional configuration, GCP encrypts and authenticates all data in transit at one or more network layers whenever it moves outside physical boundaries not controlled by or on behalf of Google. Google uses the Advanced Encryption Standard (AES) to encrypt data at rest, and Transport Layer Security (TLS) to encrypt data in transit.


GDPR Compliant

The Exponea application supports our customers in finding the best ways to comply with the GDPR. The application gives clients complete control over consent management (they set a purpose for processing) and over data subject rights management (they can download all of a customer's data, anonymize a customer, or delete a customer).

Exponea's access management lets users mark specific data types as PII and then grant or revoke permission to see PII per user. For every event, retention and expiration can be managed separately. In addition, the data API enables clients to integrate their own systems so that data subject requests can be executed quickly.

Exponea Application

Security Within Exponea's Platform

Exponea Core Security

At Exponea, we make sure that all our clients have a secure set‑up. This includes two‑factor authentication (SMS, authenticator app, YubiKey) and a CAPTCHA challenge‑response test when signing in. We use Google Load Balancer with firewall rules to protect load‑balanced resources during distribution, and TLS to encrypt communication within the Exponea application. We ensure that the static IPs used for webhooks and imports are encrypted in log files.

Exponea Instances

Exponea offers three main types of instance: shared, private, and exclusive. Each has different security features and a different configuration of data layers. In every instance type, data is separated and access management is enabled to ensure your security.

Shared Instance

Within our shared instance, users cannot access data of other clients and data is separated on a frontend level. Computing resources are shared on a backend level.

Shared instances are encrypted at the level of GCP infrastructure and undergo periodic security scans and penetration tests.

To access an account on the shared instance, users must choose a strong password (checked by a password guardian) and may use two-factor authentication (2FA) to sign in. Accounts are further protected by a CAPTCHA to fend off bot attacks. The admin of a project can also specify in `Access management` which users may see the PII (personally identifiable information) of their customers. This segregation is enforced in both the frontend and the backend.

Private Instance

Within our private instance, data layers are logically separated in the backend. There are reserved computing resources for the client, which are separated from other resources in the backend by namespace.

Private instances are encrypted at the level of GCP infrastructure and undergo periodic security scans and penetration tests.

To access an account on a private instance, users must choose a strong password and may use two-factor authentication (2FA) to sign in. Accounts are further protected by a CAPTCHA to fend off bot attacks. The admin of a project can also specify in `Access management` which users may see the PII (personally identifiable information) of their customers. This segregation is enforced in both the frontend and the backend.

Exclusive Instance

Exclusive instances are encrypted at the level of GCP infrastructure and undergo periodic security scans and penetration tests.

For account access, the exclusive instance supports Single Sign-On (SSO) to meet industry security standards. Accounts are further protected by a CAPTCHA to fend off bot attacks. The admin of a project can also specify in `Access management` which users may see the PII (personally identifiable information) of their customers. This segregation is enforced in both the frontend and the backend.

This instance type includes complete segregation of logical layers and network separation by using a separate GCP project, plus backend computing resources dedicated to you. Within the exclusive instance there is also separation of access rights and permissions.

Exponea Security Overview

The following visualization illustrates the differences between the three instance types. The upper portion details how data in transit is secured and encrypted before entering Exponea, while the lower part gives a high-level overview of the Exponea architecture and the security features of each instance type.

Security Comparison Table

Columns: Shared | Private | Exclusive

Computing Power: Shared | Reserved (Partially Dedicated) | Fully Dedicated
Identity Access Management (IAM)
Password Guardian
Captcha
DDoS Protection
Firewall
Data Encryption (SSL/TLS & AES)
Static IPs (Socks Proxy)
SSH Tunnel
Single Sign‑On: Available as Paid Add-on on two of the three instance types
Cloud Armor (Firewall IP Whitelisting): Available as Paid Add-on on two of the three instance types
Virtual Private Network: Available as Paid Add-on on two of the three instance types
Custom SSL: Available as Paid Add-on on two of the three instance types
Audit Log Access (Application): Available as Paid Add-on on all three instance types
Audit Log Access (IAM): Available as Paid Add-on on two of the three instance types
Audit Log Access (Infrastructure): Available as Paid Add-on on one of the three instance types
SLA: Available as Paid Add-on on all three instance types
SmartSecure: Available as Paid Add-on on all three instance types
Vulnerability Scan Report: Available as Paid Add-on on all three instance types

* The default option is a shared instance. Other instances are available for an additional cost.

** The audit log and vulnerability scan are operational on all instances (they run everywhere, but access to them may not be available on some instances).


Conclusion

The protection of our clients' data and resources is our priority; therefore, we will continue to improve our security measures and keep up to date with the newest cybersecurity advancements. We will also keep up with new regulations so that we remain compliant.

Integrations

Smooth Integration

Exponea can simplify and optimize your tech stack, replacing multiple tools with an all‑in‑one platform, giving you more time for meaningful work.

But we understand that such a big change isn’t always possible. That’s why Exponea has a number of silky‑smooth native integrations, making it easy to take advantage of Exponea’s capabilities with the tools you already use.


Our Data Security Specialist

Exponea's dedicated team of security engineers, led by a cybersecurity manager, is an essential part of our IT infrastructure. This team is responsible for maintaining Exponea's protection and defense systems, building security frameworks, reviewing operational security processes, and creating new security policies. The security team is also responsible for monitoring suspicious activity, addressing cybersecurity threats, and performing regular health checks and audits.

In addition, our independent Data Protection Officer (DPO), Lenka Gondova, makes sure that we stay compliant. Our DPO is also tasked with monitoring our compliance with GDPR and other data protection laws, as well as our data protection policies, GDPR awareness-raising, training, and audits.


Lenka Gondova
Chief Information Security Officer (CISO) and appointed DPO:
CISA
CGEIT
CRISC
ISO 27001 LA
CSX‑F
ISO 20000‑1 LA
ISO 22301 LA
eIDAS LA

Lenka is an expert in auditing, risk management, and governance who supports the national Office for Personal Data Protection in drafting the implementing law for GDPR certification and DPIA.
