Security and Compliance Overview
This knowledge base provides a comprehensive overview of Serebro AI's security and compliance framework. It details the multi-layered security controls implemented to protect client data and ensure platform reliability. The document covers key areas including infrastructure security on leading cloud platforms like AWS and Google Cloud, application-level defenses against threats, data encryption protocols, and strict identity and access control measures. Furthermore, it outlines corporate security policies, disaster recovery procedures, and Serebro AI's commitment to privacy and compliance with standards like GDPR, serving as a complete guide to the company's robust security posture.
Our Vision and Platform
Serebro Technologies Inc., doing business as Serebro AI, was engineered from the ground up with a singular mission: to empower marketing professionals and agencies to not only meet but dramatically exceed their goals. Our philosophy is rooted in advancing automation, refining communication, and enhancing scalability through an intuitive user experience. We are dedicated to delivering continuous, forward-thinking updates that reflect these core values.
Since our establishment in 2018, Serebro AI has experienced significant, sustained growth, expanding our influence within the tech and SaaS communities. At Serebro AI, we define our success by the achievements of our clients. This principle drives us to constantly optimize our platform to serve their evolving needs.
Our unified, AI-driven platform for sales, marketing, and customer relationship management (CRM) is a comprehensive suite of essential tools for today's agencies and marketers. This expansive software solution presents limitless opportunities for our clients to pursue and realize ambitious sales objectives, backed by our dedicated team of experts. We also empower our clients to white-label our platform, providing them with a complete toolkit to scale their operations and their clients' success beyond all previous expectations.
The security program at Serebro AI is built on one foundational principle: to safeguard our clients' data. To that end, Serebro AI has made significant investments in a comprehensive suite of controls designed to protect and serve our clientele. This investment encompasses dedicated programs for corporate, product, and infrastructure security, with oversight provided by our Legal Team in close collaboration with all other departments.
Our Security and Compliance Goals
We have architected our security framework based on leading practices within the SaaS industry. Our primary objectives are:
Client Trust and Data Protection: Delivering exceptional products and services while upholding the absolute privacy and confidentiality of client data.
Service Availability and Continuity: Guaranteeing the high availability of our services and mitigating risks that could impact service continuity.
Information and Service Integrity: Ensuring that client information remains pristine and is never altered or corrupted improperly.
Adherence to Standards: Committing to meet or surpass industry-standard best practices in all our operations.
To protect the data entrusted to us, Serebro AI employs a multi-layered defense strategy, integrating administrative, technical, and physical security controls across the entire organization. The following sections address some of the most common questions regarding these controls.
Infrastructure Security
Cloud Hosting: Serebro AI operates on a modern, cloud-native model, with no product systems or data hosted in our corporate offices. We entrust our product infrastructure hosting to premier cloud providers, namely Google Cloud Platform Services and Amazon Web Services, located within the United States. We rely on the robust, audited security and compliance frameworks of Google and AWS for the integrity of their physical, environmental, and infrastructure security controls.
Google guarantees a monthly uptime percentage of at least 99.5%. You can learn more about their controls and compliance measures at their public Compliance Resource Center.
AWS ensures service reliability between 99.95% and 100%, with full redundancy for power, network, and HVAC systems. Their business continuity and disaster recovery capabilities are validated by their SOC 2 Type 2 report and ISO 27001 certification, with documentation available at the AWS Cloud Compliance Page and the AWS Artifacts Portal.
Network and Perimeter Security: The Serebro AI product infrastructure is protected by a robust architecture of filtering and inspection on all connections. We implement network-level access control lists and logical firewalls to block unauthorized access to our internal systems. By default, all firewalls deny any network connections that are not explicitly permitted. Any modifications to our network and perimeter defenses are managed through a stringent change control process, and firewall rule sets undergo periodic reviews to ensure only necessary connections are configured.
Configuration Management: Our ability to scale seamlessly with our clients' demands is driven by a deep commitment to automation and rigorous configuration management. The Serebro AI product infrastructure is a highly automated environment that expands capacity on demand. All server configurations are codified into images and configuration files, which are used to provision new containers. Each container is hardened, and any changes to configurations or standard images are governed by a controlled deployment pipeline. Server instances are managed from provisioning to de-provisioning, with automated systems in place to detect and revert any configuration drift from our established baseline within 30 minutes. Patch management is handled through automated tools or by cycling out server instances that fall out of compliance.
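The drift-detection step described above, as an added illustration rather than Serebro AI's own tooling: a codified baseline is compared against a snapshot taken from a running instance, every setting that differs (or is missing) is reported, and a revert plan is produced so the instance can be brought back to baseline inside the remediation window. The baseline keys, the package version strings, the observed snapshot and the function names are all constructed for this example.

```python
"""Configuration drift detector (added example, not Serebro AI's tooling).

Compares a host's observed configuration with the codified baseline and
returns the actions needed to revert it. All values below are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed baseline: what the hardened image / config files declare.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22},
    "packages": {"openssl": "3.0.13", "nginx": "1.24.0"},   # constructed versions
    "firewall": {"default_policy": "DROP", "allowed_ports": [22, 443]},
}

# Constructed snapshot of a drifted instance: root login re-enabled, openssl
# downgraded, and an extra port opened.
OBSERVED = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": 22},
    "packages": {"openssl": "3.0.11", "nginx": "1.24.0"},
    "firewall": {"default_policy": "DROP", "allowed_ports": [22, 443, 8080]},
}

REMEDIATION_WINDOW_S = 30 * 60   # revert within 30 minutes, as stated above


@dataclass(frozen=True)
class Drift:
    path: str        # dotted path to the setting, e.g. "sshd.PermitRootLogin"
    expected: Any    # value declared in the baseline
    observed: Any    # value found on the instance (None if the setting is missing)


def _flatten(cfg: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into {"a.b.c": value} so settings compare one by one."""
    out: Dict[str, Any] = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, path))
        else:
            out[path] = value
    return out


def detect_drift(baseline: Dict[str, Any], observed: Dict[str, Any]) -> List[Drift]:
    """Return every baseline setting whose observed value differs or is absent.
    Settings present on the host but absent from the baseline are out of scope."""
    want = _flatten(baseline)
    have = _flatten(observed)
    return [Drift(path, expected, have.get(path))
            for path, expected in want.items() if have.get(path) != expected]


def revert_plan(drifts: List[Drift]) -> List[str]:
    """Map each drift to a corrective action. Real tooling would execute these
    (or simply replace the instance); here they are returned for inspection."""
    actions = []
    for d in drifts:
        if d.path.startswith("packages."):
            actions.append(f"reinstall {d.path.split('.', 1)[1]}=={d.expected}")
        else:
            actions.append(f"set {d.path} = {d.expected!r}")
    return actions


def window_breached(detected_at_s: float, now_s: float) -> bool:
    """True when drift detected at detected_at_s is still unreverted past the window."""
    return now_s - detected_at_s > REMEDIATION_WINDOW_S


if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED)
    for d in found:
        print(f"drift: {d.path}: expected {d.expected!r}, observed {d.observed!r}")
    print("plan:", revert_plan(found))
```

Settings the baseline does not mention are deliberately ignored so that the detector only enforces what the image actually declares; anything else belongs in the baseline first.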
Logging: Every action and event within the Serebro AI application is meticulously and consistently logged. These logs are indexed and securely archived in a centralized solution within our cloud environment. All security-relevant logs are retained to support investigations and response activities, with retention periods determined by the nature of the data. Write-access to log storage is strictly controlled and limited to a small number of authorized engineers.
Alerting and Monitoring: Serebro AI invests heavily in automated monitoring, alerting, and response systems to proactively address potential issues. Our infrastructure is instrumented to alert our teams to any anomalies, including error rates, abuse patterns, or application attacks. These alerts trigger either an immediate automated response or a notification to the appropriate team for investigation. Many of these triggers are designed for immediate action, such as traffic throttling or process termination, which activate at predefined thresholds.
Application Security
Web Application Defenses: A sophisticated Web Application Firewall (WAF) protects all client content hosted on the Serebro AI platform. Our monitoring tools continuously analyze the application layer, alerting on malicious activity based on behavior patterns and session rates. The rules we employ to detect and block threats are aligned with the best practices documented by the Open Web Application Security Project (OWASP), particularly the OWASP Top 10. We also integrate robust protections against Distributed Denial of Service (DDoS) attacks to ensure the continuous availability of our clients' websites and all Serebro AI products.
Development and Release Management: Serebro AI employs a modern Continuous Integration/Continuous Delivery (CI/CD) pipeline to optimize our product development. Code is regularly deployed following mandatory code reviews, testing, and merge approvals. Static code analysis is run consistently against our repositories to block known misconfigurations. Approvals are managed by designated owners, and once approved, code is sent to our CI environment for compilation, packaging, and unit testing.
We perform periodic dynamic security testing on our applications. New code is first deployed to a segregated QA environment for final testing before production promotion. Network and project-level segmentation prevents unauthorized access between QA and production. All deployments are automated, with immediate rollback capabilities in case of failure.
Vulnerability Management: The Serebro AI security team operates a multi-faceted approach to vulnerability management, utilizing a variety of industry-recognized tools and threat intelligence feeds. We conduct regular vulnerability scans across our technology stack with adaptive asset discovery and the latest detection signatures. Furthermore, we engage third parties for annual penetration tests against our applications and infrastructure to identify potential risks. All findings are assessed, and remediation efforts are prioritized accordingly.
Customer Data Protection
Data Classification: As outlined in our Terms of Service, clients are responsible for ensuring they collect information appropriate for their business processes. The Serebro AI platform should not be used to store or collect sensitive information like credit card numbers, financial account details, Social Security numbers, or protected health information, except as otherwise permitted.
Tenant Separation: Our platform is a multi-tenant SaaS architecture where each client's data is maintained in logically distinct containers, using unique IDs to associate all data and objects with a specific client. Robust authorization rules are built into the platform's design and are continuously validated. We meticulously log application authentication, availability, and user access changes.
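The tenant-scoping rule described above, shown as an added example (not Serebro AI's code): every record is tagged with the tenant it belongs to, every read or delete is resolved against the caller's tenant, and every authorization decision is logged. An object id that belongs to another tenant therefore resolves exactly like a missing one, which is the property that defends against cross-tenant reference attacks. The principal model, role names and sample records are constructed.

```python
"""Tenant-scoped data store (added example, not Serebro AI's implementation).

Each row carries the owning tenant_id; every access is checked against the
caller's tenant and recorded in an authorization audit log."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: FrozenSet[str]     # constructed role names: "admin", "member"


class TenantScopedStore:
    def __init__(self) -> None:
        # object_id -> (tenant_id, payload); ids are globally unique
        self._rows: Dict[str, Tuple[str, dict]] = {}
        # (user_id, tenant_id, action, object_id, allowed)
        self.audit: List[Tuple[str, str, str, str, bool]] = []

    def _log(self, who: Principal, action: str, object_id: str, allowed: bool) -> None:
        self.audit.append((who.user_id, who.tenant_id, action, object_id, allowed))

    def create(self, who: Principal, object_id: str, payload: dict) -> str:
        if object_id in self._rows:
            raise ValueError("object id already exists")
        # The tenant comes from the authenticated principal, never from the request body.
        self._rows[object_id] = (who.tenant_id, dict(payload))
        self._log(who, "create", object_id, True)
        return object_id

    def get(self, who: Principal, object_id: str) -> Optional[dict]:
        row = self._rows.get(object_id)
        allowed = row is not None and row[0] == who.tenant_id
        self._log(who, "read", object_id, allowed)
        # Other tenants' ids and unknown ids are indistinguishable to the caller.
        return dict(row[1]) if allowed else None

    def delete(self, who: Principal, object_id: str) -> bool:
        row = self._rows.get(object_id)
        in_tenant = row is not None and row[0] == who.tenant_id
        allowed = in_tenant and "admin" in who.roles
        self._log(who, "delete", object_id, allowed)
        if allowed:
            del self._rows[object_id]
        return allowed

    def list_for(self, who: Principal) -> List[str]:
        return sorted(oid for oid, (tenant, _) in self._rows.items() if tenant == who.tenant_id)


def demo() -> dict:
    """Two tenants, one admin and one member; returns the decisions made."""
    store = TenantScopedStore()
    alice = Principal("alice", "tenant-A", frozenset({"admin"}))
    bob = Principal("bob", "tenant-B", frozenset({"member"}))
    store.create(alice, "contact-1001", {"email": "lead@example.com"})      # constructed
    store.create(bob, "contact-2001", {"email": "buyer@example.com"})       # constructed
    return {
        "own_read": store.get(alice, "contact-1001"),
        "cross_tenant_read": store.get(bob, "contact-1001"),       # None
        "member_delete_own": store.delete(bob, "contact-2001"),    # False: not admin
        "admin_delete_cross": store.delete(alice, "contact-2001"), # False: other tenant
        "alice_sees": store.list_for(alice),
        "denied_events": [e for e in store.audit if not e[4]],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The important design choice is that the tenant is taken from the authenticated principal and the lookup is keyed on (tenant, id) in effect; the caller never supplies a tenant filter it could omit or alter.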
Encryption: All data is encrypted in transit using strong protocols, specifically TLS version 1.2 or 1.3 with 2,048-bit keys or better. For stored data, Serebro AI leverages AES-256 encryption. User passwords are securely hashed following industry best practices and are also encrypted at rest.
Key Management: Encryption keys for data both in transit and at rest are securely managed by the Serebro AI platform. Keys for at-rest encryption are stored in a hardened Key Management System (KMS) and are rotated at a frequency determined by the sensitivity of the data they protect. TLS certificates are typically renewed annually. At present, we are unable to accommodate customer-supplied encryption keys.
Data Backup and Disaster Recovery
System Reliability and Recovery: Serebro AI is dedicated to maximizing service uptime and resilience. All our product services are designed with redundancy. Our server infrastructure is strategically distributed across multiple availability zones and virtual private clouds, and all application and database components are deployed with point-in-time recovery capabilities.
Backup Strategy:
System Backups: Our systems are backed up regularly according to established schedules. We retain seven days' worth of backups for any database to ensure straightforward restoration. Backups are monitored for successful completion, with any failures triggering an immediate alert for investigation and resolution.
Physical Backup Storage: As we rely entirely on public cloud services, Serebro AI does not utilize physical infrastructure or storage media for backups. We do not produce hard copy media as part of our service delivery.
Backup Protections: All backups are protected by stringent access control restrictions and write-once-read-many (WORM) safeguards on our infrastructure.
Customer Data Restoration: While disaster recovery operations are managed by Serebro AI engineering teams, clients have several ways to recover their data. The in-app recycle bin allows for the direct restoration of contacts, opportunities, and other items for up to 30 days. Version history can be used to restore previous versions of web pages, blogs, or emails. For clients who require additional backups, our platform provides numerous export options and a public API library for synchronizing data with external systems.
Identity and Access Control
Product User Management: The Serebro AI platform supports highly granular, role-based access controls (RBAC). Clients have full control to create and manage users within their portals, assign appropriate privileges, and restrict access as needed.
Product Login Protections: We enforce a strong password policy for native logins, requiring a minimum of 8 characters with a mix of uppercase and lowercase letters, numbers, and special symbols. We also provide two-factor authentication for all users, and portal administrators can mandate its use for their entire team.
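The native-login password policy stated above, together with the salted hashing mentioned under Encryption, as an added example that is not Serebro AI's implementation: the policy check returns every unmet requirement (minimum 8 characters, uppercase, lowercase, digit, special symbol), and passwords are stored with scrypt from the Python standard library under a per-user random salt, with the cost parameters recorded alongside the hash so they can be raised later without breaking verification. Cost parameters, the storage format and the sample passwords are constructed.

```python
"""Password policy check and salted password hashing (added example, not
Serebro AI's code). Uses hashlib.scrypt with a random 16-byte salt per user."""
import hashlib
import hmac
import secrets
import string
from typing import List, Optional

MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)

# scrypt cost parameters (constructed; tune to the hardware budget you have).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def check_password_policy(password: str) -> List[str]:
    """Return the unmet requirements; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("a digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("a special symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Encode as 'scrypt$N$r$p$salt_hex$hash_hex' so parameters travel with the hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(password: str) -> str:
    """Enforce the policy at set-time, then return the record to store."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password must contain " + ", ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = register("Str0ng!Pass")          # constructed sample
    print(record)
    print(verify_password("Str0ng!Pass", record), verify_password("wrong", record))
```

Keeping the cost parameters inside the stored string is what lets you raise N on the next successful login without a migration; the verifier simply reads whatever parameters the record was created with.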
Serebro AI Employee Access to Customer Data:
Access to Production Infrastructure: Access to our internal data stores and production infrastructure is strictly governed by a role-based access control (RBAC) model. Routine access is limited to essential engineering team members, with persistent administrative access being heavily restricted. Direct connections to production devices are prohibited; engineers must authenticate through a secure bastion host or possess an assigned IAM role.
Access to Customer Portals: To assist with support, our staff can obtain temporary, limited access to a client's Serebro AI account. The platform uses a Just-In-Time Access (JITA) model, granting access for a limited duration (maximum 24 hours), with every request being logged. We employ risk-based monitoring to detect any unusual activity. During a JITA session, employees are blocked from performing high-risk actions like exporting contacts, deleting data, or changing security settings. All user logins and employee access events are logged.
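The JITA model described above, modelled as an added example rather than Serebro AI's implementation: a broker issues time-boxed grants capped at 24 hours, records every request and every action attempted under a grant, refuses the high-risk actions named above (exporting contacts, deleting data, changing security settings) for the whole session, and denies anything attempted once the grant has expired. The employee ids, portal ids, action names and timestamps are constructed.

```python
"""Just-In-Time Access (JITA) broker for staff access to customer portals
(added example, not Serebro AI's code). Grants are capped at 24 hours and
every request, action and denial is logged."""
from dataclasses import dataclass
from typing import List, Optional

MAX_SESSION_SECONDS = 24 * 3600
# Actions refused during any JITA session, per the policy described above.
HIGH_RISK_ACTIONS = {"export_contacts", "delete_data", "change_security_settings"}


@dataclass
class JitaSession:
    employee: str
    portal_id: str
    reason: str
    granted_at: float     # unix seconds (constructed in the demo)
    expires_at: float

    def active(self, now: float) -> bool:
        return self.granted_at <= now < self.expires_at


class JitaBroker:
    def __init__(self) -> None:
        self.sessions: List[JitaSession] = []
        self.log: List[dict] = []          # every grant, action and denial

    def request_access(self, employee: str, portal_id: str, reason: str,
                       now: float, duration_s: int) -> JitaSession:
        """Grant access, clamping the duration to the policy maximum and
        logging both what was asked for and what was actually granted."""
        granted = min(duration_s, MAX_SESSION_SECONDS)
        session = JitaSession(employee, portal_id, reason, now, now + granted)
        self.sessions.append(session)
        self.log.append({"event": "grant", "employee": employee, "portal": portal_id,
                         "requested_s": duration_s, "granted_s": granted, "reason": reason})
        return session

    def _active_session(self, employee: str, portal_id: str, now: float) -> Optional[JitaSession]:
        for s in self.sessions:
            if s.employee == employee and s.portal_id == portal_id and s.active(now):
                return s
        return None

    def perform(self, employee: str, portal_id: str, action: str, now: float) -> bool:
        """Authorize one action under JITA; returns True only if it may proceed."""
        if self._active_session(employee, portal_id, now) is None:
            outcome = "denied:no-active-session"
        elif action in HIGH_RISK_ACTIONS:
            outcome = "denied:high-risk"
        else:
            outcome = "allowed"
        self.log.append({"event": "action", "employee": employee, "portal": portal_id,
                         "action": action, "outcome": outcome})
        return outcome == "allowed"

    def denials(self) -> List[dict]:
        return [e for e in self.log if e["event"] == "action" and e["outcome"] != "allowed"]


if __name__ == "__main__":
    broker = JitaBroker()
    # Constructed scenario: a 72-hour request is clamped to 24 hours.
    s = broker.request_access("eng-1", "portal-42", "support case (constructed)", now=1000.0,
                              duration_s=72 * 3600)
    print("granted seconds:", s.expires_at - s.granted_at)
    print(broker.perform("eng-1", "portal-42", "view_workflow", now=2000.0))
    print(broker.perform("eng-1", "portal-42", "export_contacts", now=2000.0))
    for entry in broker.denials():
        print(entry)
```

Denials are logged with a reason code rather than silently dropped, so the risk-based monitoring mentioned above has a high-risk-attempt signal to alert on, not just successful actions.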
Corporate Authentication and Authorization: Access to the Serebro AI corporate network requires multi-factor authentication (MFA). Our password policies adhere to industry best practices. We utilize an extensive support system to automate our security management, ensuring permission grants are appropriate, access revocations are timely, and compliance evidence is preserved. Employee permissions for key internal systems undergo semi-annual reviews.
Organizational and Corporate Security
Background Checks and Onboarding: All prospective Serebro AI employees are subject to a comprehensive third-party background check before an employment offer is formalized. Upon joining, every employee must acknowledge our Employee Handbook and Code of Conduct, which clearly outline their responsibilities in protecting company and client data.
Policy Management: Serebro AI maintains a robust framework of documented policies and procedures, anchored by a core Written Information Security Policy. This policy covers data handling, privacy, and disciplinary actions for violations and is reviewed at least annually.
Security Awareness Training: New employees must complete mandatory CyberSafety training, which is refreshed annually. This program includes continuous phishing awareness education.
Vendor Management: We leverage third-party service providers for product development and internal operations. As part of our contractual agreements, we ensure that all our vendors maintain appropriate security and privacy controls. A list of our sub-processors is available in our Data Processing Agreement.
Endpoint Protection: All company-issued laptops are centrally managed with full-disk encryption enabled. We deploy a Mobile Device Management (MDM) solution to enforce security policies, configure settings, and ensure all devices comply with our corporate standards.
Sensitive Data Processing and Storing: For details on how we process data, please refer to our Terms of Service and Privacy Policy. While clients can pay for services with a credit card, Serebro AI does not store or process this information directly. We partner with PCI-compliant payment processors to handle these transactions securely.
Privacy: As detailed in our Privacy Policy, we do not sell your personal data. The protections outlined in this document are designed to ensure your data remains private and secure.
Data Retention and Deletion: Client data is retained as long as the account remains active. Clients may request data deletion in writing, which Serebro AI will fulfill in accordance with privacy regulations. We retain certain data, such as logs, to meet security, compliance, or statutory requirements.
Privacy Program Management: The Serebro AI Legal Team works with our engineering and product teams to maintain an effective privacy program. Our commitment is further described in our Privacy Policy and Data Processing Agreement.
Breach Response: In the event we become aware of a data breach that affects your personal data, Serebro AI will notify you as required by law.
GDPR: Serebro AI is committed to providing features that empower our clients to meet and maintain their GDPR compliance obligations. Please visit our GDPR page for more information. Note that using the Serebro AI platform is a component of, but does not solely constitute, full GDPR compliance.
This document serves as a resource for our customers and is for informational purposes only. It does not establish a binding contractual obligation or amend any existing agreements. Serebro AI is dedicated to continuous improvement, and as such, our security procedures are subject to change.
Questions about this document? We want to hear from you! You can reach us at support@serebro.ai.