What methods are taken by C3 to insure data security?

The team at C3 Metrics believes in data integrity and keeping data safe and secure.  Data intrusion can occur at any level; from code on the server, to user behavior  Here are the steps our team takes to keep your data secure:

1.  Two-Factor Authentication
Two-factor authentication is offered to clients for users to login and access data.  C3 utilizes a platform where after entering username and password, users receive a text message or phone call, typically their mobile, and are required to enter a key for access.  This process provides two separate channels prior to access and is FFIEC, PCI, HIPAA and NIST compliant.

2.  C3 is NOT in the Cloud
The insecure cloud-infrastructure is not suitable for sensitive sales and marketing data.  The C3 infrastructure is located in two different secure facilities for maximum data protection.

3. SOC 2 Certification
The data centers housing the C3 infrastructure have achieved SOC 2 certification.

4. Secure Database Code
C3 is built from the secure code base of the MySQL database structure, owned by Oracle.  It is the world’s most popular choice due to its high performance and security.  

5. Bio-Security Required
Authorized access to the C3 server facilities requires positive identification, escorted access, bio-security identification and keys to access the server area.  In addition, all visits to the C3 data centers are logged by data center staff.

6. Security Patch Management
Patch management procedures are implemented to ensure that vendor patches and upgrades necessary to correct security flaws are acquired, tested and installed regularly and comply with the formal change management procedures defined by the C3.

7. Annual Review
Administrator accounts (local administrator, domain administrator, databases, financial applications, firewall, etc.) are reviewed on an annual basis to ensure elevated (network & database administrator) access is consistent with job responsibilities, that all terminated employees have been disabled from the system, and to prevent inappropriate active accounts and privileges, which may lead to unauthorized access to key systems and application data.