Affiniv Trust Center
Affiniv is a customer experience platform that helps businesses collect NPS, CSAT, and Customer Feedback in general, analyze them using AI, and uncover actionable insights for business growth. This page explains Affiniv’s security and compliance architecture.
At Affiniv, we take security extremely seriously. Our security and governance program is designed to ensure the security and privacy of your data. We continually assess and improve our controls and associated processes by prioritizing key areas through our Information Security Management framework.
This page outlines our key security and compliance policies.
1. Infrastructure Security
Strong Authentication and Access Controls
- Unique Production Database Authentication: Access to production databases requires unique accounts and is enforced via secure authentication mechanisms such as authorized SSH keys or strong passwords.
- Unique Account Authentication: All system and application access is controlled via unique usernames and passwords or authorized SSH keys.
- Unique Network System Authentication: Production network authentication requires unique credentials or authorized SSH keys for all users.
- Remote Access Controls: Remote access to production systems is permitted only for authorized employees using enforced multi-factor authentication (MFA). All remote access sessions are protected with approved encrypted connections.
- Access Control Procedures: Our documented access control policy governs the entire access management lifecycle, including user onboarding, modification, and timely removal.
- Access Revocation on Termination: Access is promptly revoked for terminated employees through a formal checklist process, ensuring no residual access to systems after departure.
Principle of Least Privilege
- Production Application Access Restriction: Application access is limited strictly to authorized personnel.
- Production Database, Network, OS, and Firewall Access Restriction: Privileged access to production infrastructure (databases, networks, operating systems, and firewalls) is limited to users with a verified business need.
- Encryption Key Access Restricted: Access to encryption keys is tightly controlled and granted only to privileged users with a demonstrated business requirement.
Network Security
- Network Segmentation and Virtual Private Cloud (VPC): Affiniv leverages Virtual Private Clouds (VPCs) to isolate and secure our infrastructure at the network level. Production systems, databases, and application servers are logically segmented to ensure critical workloads and customer data are compartmentalized and inaccessible from less-trusted network zones. This segmentation minimizes the attack surface and prevents unauthorized lateral movement within our environment.
- Firewalls and Access Controls: Network firewalls are deployed at the perimeter and between network segments to tightly control traffic flows and block unauthorized access. Firewall rules and network access control lists (ACLs) are reviewed and updated at least annually—or upon infrastructure changes—to ensure appropriate protections remain in place. Changes are strictly tracked and audited.
- Least Privilege Networking: Access between internal systems, services, and users follows the principle of least privilege. Only the minimum necessary ports and protocols are open, and traffic between network zones is controlled and monitored.
- Encrypted Network Traffic: All data transmitted over public and internal networks is encrypted using secure protocols such as TLS. This protects sensitive information in transit and further reduces risk from network-level threats.
- Regular Assessment: Our network security configuration and architecture are regularly assessed to identify improvement opportunities, respond to emerging threats, and maintain compliance with security standards.
Security Monitoring and Logging
- Application-Level Intrusion Detection: Affiniv employs both automated and manual monitoring of application activity logs to detect unauthorized or suspicious access. Every log event captures user identification, roles, accessed APIs or resources, authorization levels, and timestamps to provide complete auditing and traceability.
- Automated Alerting & Incident Handling: Our automated systems continuously analyze activity for anomalies. When potential unauthorized access is detected, alerts are instantly sent via Email and Slack to the engineering and management teams. A manual audit of the event is then performed to assess risk, determine the root cause, and guide responsive actions.
- Client Notification: Typically, clients are promptly notified after the conclusion of the manual audit to ensure the information provided is accurate and actionable. However, clients may elect to be included in automated alert notifications as part of their specific security requirements.
- Comprehensive Log Management and Performance Monitoring: Critical application and infrastructure events are recorded and aggregated using log management tools, ensuring clear visibility into historical incidents. In addition, our infrastructure performance monitoring tools provide real-time alerts on system health, performance, and security, enabling rapid response to threats or outages.
Hardening and Patch Management
- Network and System Hardening Standards: Affiniv adheres to industry-aligned hardening standards, regularly documented and reviewed to mitigate vulnerabilities.
- Service Infrastructure Maintenance: All infrastructure supporting the service is routinely patched and maintained as part of our vulnerability management process to ensure resilience against emerging threats.
Cloud Infrastructure & Data Centers
Affiniv is hosted on AWS across globally distributed, highly available data centers. Our hosting provider maintains industry-leading certifications and ensures physical and environmental security with 24/7 surveillance, multi-factor access controls, and continuous monitoring. Within AWS, we use the US East Zone as primary, with the US West Zone as backup.
Data Encryption in Transit & at Rest
All customer data is encrypted in transit using TLS 1.2+ and at rest using industry-standard AES-256 encryption. Encryption keys are securely managed and rotated regularly in accordance with compliance best practices.
Backup & Disaster Recovery
Affiniv is dedicated to ensuring ongoing service availability and the protection of customer data, even in the event of unexpected disruptions. Our Business Continuity Plan (BCP) covers risk assessment, regular system backups, geographic redundancy, and disaster recovery processes to rapidly restore operations if needed. The plan includes defined roles, clear communication protocols, and annual testing to verify effectiveness.
Regular backups of critical applications and customer data are performed automatically and securely stored in geographically diverse locations. Our disaster recovery plan is tested periodically to ensure rapid recovery and minimal downtime.
We proactively inform affected customers in the event of a significant incident and work to restore services as quickly and securely as possible. Our commitment is to minimize downtime and maintain the trust you place in our platform.
Additional Practices
- Annual Review of Security Controls: Policies, firewall rules, and hardening standards are reviewed at least annually and updated to reflect evolving risks and best practices.
- Limited Encryption Key Access: Encryption keys are only accessible by trusted personnel and subject to strict audit controls.
2. Product Security
Secure Development Lifecycle (SDLC)
- Security by Design: Security considerations are integrated into every product design and development phase at Affiniv, following secure coding best practices and guidance such as the OWASP standards.
- Code Reviews: Peer code reviews and automated static analysis tools are used to identify vulnerabilities before code is merged or deployed.
- Dependency Management: Third-party libraries and dependencies are audited and systematically tracked. Vulnerabilities are monitored and patched using automated tools.
Application Security Testing
- Security Testing: Regular code reviews and security assessments are performed throughout the development lifecycle to identify and address vulnerabilities.
- Penetration Testing: Annual (or more frequent) penetration testing by independent experts identifies and remediates potential vulnerabilities.
- Vulnerability Disclosure Program: Affiniv encourages responsible disclosure of security issues via a public vulnerability reporting process.
Data Protection and Privacy
- End-to-End Encryption: Data is encrypted both in transit (using TLS 1.2+) and at rest (using AES-256 or equivalent), ensuring robust privacy for all users.
- Granular Access Controls: User roles and permissions within the product are strictly managed, enabling customers to tightly control who can access sensitive data.
Authentication & Session Security
- Multi-Factor Authentication (MFA): Optional/enforced MFA is available to customers for enhanced account security.
- Session Management: Session tokens are securely generated, stored, and invalidated on logout or after periods of inactivity as per security best practices.
- Brute-force Protection: Account login and sensitive actions are protected using rate limiting, account lockout mechanisms, and monitoring.
Customer Data Isolation & Segmentation
- Tenant Isolation: Where Affiniv is multi-tenant, customer data is logically separated at the application and database layers to prevent cross-customer data access.
- Secure APIs: All APIs are authenticated, encrypted, and designed to mitigate common API security vulnerabilities such as injection and broken authentication.
Product Hardening & Updates
- Product Security Patching: Affiniv deploys timely security updates and hotfixes to address known product vulnerabilities.
- Feature-Driven Security Controls: Security features (e.g., IP whitelisting, audit logs, and configurable password policies) are available to empower customers with greater protections.
3. Internal Security Procedures
- Continuity and Disaster Recovery Plans Established: Affiniv maintains comprehensive Business Continuity and Disaster Recovery (BCDR) plans that ensure our services and data remain secure and accessible, even during major disruptions. These plans include clearly defined roles, communication strategies, and recovery objectives for a broad range of scenarios.
- Regular Testing of Continuity and Disaster Recovery Plans: Our BCDR plans are reviewed and tested at least annually, simulating various disaster scenarios to validate procedures, train staff, identify gaps, and improve resilience across the organization.
- Configuration Management System in Place: Affiniv enforces standardized configuration management procedures for all critical systems and applications. This ensures system builds are consistent and secure, and that changes are reliably tracked and reviewed.
- Formal Change Management Procedures: Any changes to software, infrastructure, or configurations follow a documented process that includes planning, review, testing, approval, and tracking. This minimizes risks associated with unintended or unauthorized changes.
- Restricted Access to Production Deployment: The authority to deploy changes to production environments is limited to a small group of trusted and trained personnel, reducing the risk of accidental or malicious modifications.
- Documented Software Development Life Cycle (SDLC): We follow a structured SDLC for the development, maintenance, and decommissioning of software systems. This ensures new features and changes are designed, implemented, and reviewed in a controlled, secure manner.
- Incident Response and Annual Testing: Affiniv has well-defined incident response policies and procedures. These are communicated to relevant personnel and tested annually to ensure effective detection, escalation, containment, and recovery from security events.
- Comprehensive Incident Management: All security and privacy incidents are logged, investigated, and managed from detection through resolution. Impacted stakeholders are informed as necessary, and processes are reviewed to mitigate future risks.
- Regular Access Reviews: Affiniv conducts access reviews at least quarterly for all sensitive systems and data resources, ensuring only authorized users retain access and that permissions reflect current job roles.
- Access Provisioning Requires Formal Requests and Approval: User access to critical systems is only granted after receiving documented requests and direct managerial approval. This ensures permissions are properly justified and tracked.
- Routine Vulnerability Scanning and Remediation: We perform regular vulnerability scans on all external-facing systems, promptly addressing identified issues based on severity and risk. This proactive approach helps prevent exploitation.
- Security Policies Established and Regularly Reviewed: Information security policies are regularly communicated to all staff and reviewed at a minimum on an annual basis to align with evolving threats and regulatory requirements.
- Comprehensive Risk Management Program: Affiniv operates a formal risk management process that routinely identifies, assesses, and mitigates security and privacy risks across our technology, people, and processes.
- Defined Management Roles and Responsibilities: Roles and responsibilities for managing information security are documented and assigned to ensure accountability and proper oversight throughout the organization.
- Organizational Structure and Board Oversight: We maintain a clear organizational structure describing reporting lines and cybersecurity accountabilities. The executive team and board are regularly briefed on the company’s cybersecurity and privacy risk posture to provide oversight and strategic direction.
4. GDPR Compliance Policy
Owner: Manas Panda
Last Updated: 20.05.2024
1. Introduction
Affiniv is committed to ensuring the protection and privacy of personal data according to the General Data Protection Regulation (GDPR) (EU) 2016/679. This policy outlines how Affiniv processes, stores, and safeguards personal data of our customers, users, and partners in the European Union and beyond.
2. Scope
This policy applies to all personal data processed by Affiniv as a data controller and data processor, regardless of where the data subject is located, in the context of services offered to data subjects in the EU.
3. Data Collection and Purpose Limitation
Affiniv collects only the minimum necessary personal data required to deliver our services. We use this data solely for legitimate business purposes, including:
- Providing and improving our platform and services
- Customer support and communication
- Legal and compliance obligations
4. Lawful Basis for Processing
Affiniv ensures all personal data processing is justified by one or more lawful bases as defined in Article 6 of the GDPR, such as consent, contractual necessity, legal obligations, or legitimate interests.
5. Data Subject Rights
Affiniv enables all data subjects to exercise their rights under GDPR, including:
- Right to access personal data
- Right to rectification and erasure (“right to be forgotten”)
- Right to restriction or objection to processing
- Right to data portability
- Right to withdraw consent at any time
Requests can be submitted via email.
6. Data Security
Personal data is protected using technical and organizational measures, including encryption, access controls, and regular security assessments. Affiniv ensures confidentiality, integrity, and availability in line with leading industry standards.
7. Data Retention
Affiniv retains personal data only as long as necessary to fulfill the specified purposes or as required by law. Data is securely deleted or anonymized when no longer needed.
8. Data Breach Notification
In the event of a personal data breach, Affiniv will promptly assess the impact, notify affected individuals and relevant authorities in accordance with GDPR Articles 33 and 34, and take corrective actions to prevent future incidents.
9. Accountability and Governance
Affiniv maintains detailed records of data processing activities and continuously reviews and updates privacy practices. Staff are trained on data protection principles and responsibilities.
10. Contact Information
For questions or requests related to this policy or your personal data, please contact:
Manas Panda
Email: [email protected]
List of Subprocessors
Affiniv uses trusted subprocessors to deliver, enhance, and support our platform and services. These subprocessors provide essential infrastructure, security, customer communications, and productivity tools that enable Affiniv to operate at scale and meet the highest standards of reliability and data protection. We carefully select each subprocessor and require them to adhere to strict confidentiality, privacy, and security obligations. Below is a list of key subprocessors that support Affiniv’s service delivery.
Subprocessor | Service Description | Location | Website
---|---|---|---
Amazon Web Services (AWS) | Cloud services: data hosting, compute, storage, security | Ireland/United States | aws.amazon.com
Cloudflare | DNS protection, CDN, DDoS mitigation | United States | cloudflare.com
OpenAI | AI: natural language processing, machine learning | United States | openai.com
Zoom | Video conferencing: meetings, webinars, communications | United States | zoom.us
Zendesk | Customer support: helpdesk, service management | United States | zendesk.com
Slack | Team communication, notifications | United States | slack.com
Google Workspace | Productivity: email, docs, storage, collaboration | United States | workspace.google.com