Conga Novatus Security, Privacy & Architecture

The Conga Novatus service provides cloud-based contract management software to help manage, negotiate and administer all contractual agreements with customers, partners, and suppliers. As a SaaS product, the Conga Novatus service processes and stores customer information in redundant and highly secure data center facilities.

Infrastructure

The Conga Novatus service delivery model provides a full-service solution requiring only a web browser for user access, eliminating the need for internal IT support and hardware costs. The Conga Novatus service uses the DataSite Orlando SaaS Hosting facility as the primary US data center, with a secondary facility in Los Angeles for disaster recovery and business continuity. For EU-based customers, the Conga Novatus service uses Equinix data centers in Paris, France (primary) and Amsterdam, Netherlands (secondary). The Conga Novatus Contract service provides clients with secure access to their mission-critical contract management system with 99.9% uptime.

External connections

The Conga Novatus service provides secure transmission between the service and any client via secure transport leveraging TLS.

Firewalls/intrusion prevention

The Conga Novatus service utilizes multiple layers of firewalls from diverse vendors. By performing scheduled internal and external intrusion detection testing, we ensure the highest level of network security. In addition, the Conga Novatus service successfully passes annual third-party penetration tests by a Global 1000 company.

Access control and password management

Identity Management is used to provide authentication. Users must have a valid username and password to access the system. User Profiles containing first and last name, email address, login name and password are associated with Contract Groups, User Security Roles and Profile Rules using Conditions and Actions. Single Sign-On is also an option for ease of user administration and greater security controls. The Conga Novatus service utilizes SAML 2.0 for its SSO solution.

Account provisioning

Account provisioning for the Conga Novatus service is performed by an Administrative user. An Administrator can handle all of the account management and system settings from within the service.

Security-related maintenance

The Conga Novatus service performs security-related change management and maintenance, in most cases transparently to the client, via new system builds at the data centers. Patches and updates are installed during the scheduled maintenance window.

Data management/protection

Conga Novatus service clients own all data that resides in the Conga Novatus service database created using the service. Each client has their own uniquely credentialed and named database instance. Client data is never co-mingled with other client data. Conga Novatus service employees do not have direct access to client systems and data unless they are granted a user login created by the client administrators for the sole purpose of providing technical support services to support the client’s business needs. Conga Novatus service employees are bound by strict confidentiality terms and corporate policies.

System hardening/monitoring

Conga Novatus employs standardized system hardening practices across Conga devices. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging. Additionally, Conga employs an enterprise-class vulnerability management program to monitor and alert on any unauthorized changes or security configurations.

Anti-virus/anti-malware controls

Conga Novatus leverages enterprise-class solutions employed on all servers to protect against virus and malware incidents. Signatures for anti-virus and anti-malware are updated in a near real-time process as soon as they are available from the applicable vendors.

Backups

The Conga Novatus service performs nightly tape backups of all client data. This data is encrypted utilizing AES-256. The tapes are stored off-site in a secure facility. Week-ending and month-ending tapes are rotated and delivered via Iron Mountain bonded couriers. Month-ending tapes are stored for a 12-month period.

Physical security

The Conga Novatus service uses Tier 3 data centers that employ a variety of security equipment, techniques and procedures to control, monitor and record access to the facility, including in customer areas. The data centers are staffed with around-the-clock security officers to complement the physical security design of the facility. Other security measures include:

  • Vehicle blockades
  • Anonymous and windowless building exterior
  • Biometric and keycard access systems
  • Closed-circuit television monitoring systems

Scalability

The Conga Novatus service is architected to be both horizontally and vertically scalable: additional servers can be added to increase the performance of existing clusters, and new clusters can be added to provide service for new clients. The Conga Novatus service SaaS application cluster currently has more than 350,000 users; peak load rarely reaches 30% of capacity, and the service will scale as necessary.

Emergency management

In addition to the primary data center in Orlando (and Paris for EU clients), the Conga Novatus service has all client data replicated to a hot backup DR facility in Los Angeles (and Amsterdam for EU clients) that provides an additional level of redundancy in the event of a catastrophic disaster at the primary site. The DR site can be up and running within 24 hours, ensuring your system will always be available.

Audits and certifications

The Conga Novatus service undergoes an SSAE16 SOC 2 Type I audit annually.

The Conga Novatus service data centers are SSAE16 SOC 2 Type II compliant facilities in the US and ISO 27001 compliant in the EU.

TRUSTe Privacy Seal: Conga has been awarded the TRUSTe Privacy Seal signifying that Conga’s Web Site Privacy Statement and associated practices related to the Conga Services have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements including transparency, accountability, and choice regarding the collection and use of personal data.

EU/US and Swiss/US Safe Harbor self-certifications: Customer Data submitted to the Conga Services is within the scope of an annual self-certification to the EU/US and Swiss/US Safe Harbor frameworks as administered by the U.S. Department of Commerce. The current self-certification is available at https://safeharbor.export.gov/list.aspx by searching for “Appextremes, LLC.”

EU/US Privacy Shield: Customer Data submitted to the Conga Services from the EU to the US is within the scope of the annual Privacy Shield Program administered by the U.S. Department of Commerce. The current certification.