Security Perspective

Last modified: April 15, 2025

This document outlines the key components of Narratize's security posture, providing a security perspective on how the company approaches security for its cloud-based SaaS product.

At Narratize, we believe that trust is the foundation of any successful partnership. We understand that when you entrust us with your data, it's not just bits and bytes: it's your insights, your ideas, your business. That's why we've built a robust security infrastructure that leaves no room for compromise. With our comprehensive security measures, meticulous attention to detail, and dedicated experts, we're committed to maintaining your trust every step of the way. So, as you embark on your storytelling journey with Narratize, rest assured that your data is safeguarded with unwavering commitment, giving you the peace of mind to focus on what you do best: unleashing your imagination and leaving no idea untold. Together, we'll create a secure and empowering environment where innovation can flourish.

Overall Approach

Narratize's approach to security is based on establishing and maintaining the security, confidentiality, integrity, and availability of its applications, systems, infrastructure, and data. Narratize continuously improves its security measures to maintain a strong information security posture, applying different levels of security controls to different information assets based on risk and other considerations. All Narratize personnel are required to read, accept, and follow all Narratize policies and procedures. The main tenets of these policies are highlighted below, with a few call-outs of the key features.

Safeguarding Customer Data

Narratize’s Product and Engineering Team is responsible for implementing and managing our security program. The primary focus of our security program is to prevent unauthorized access, use, and disclosure of user data. Our security program is built with the AICPA Trust Services Principles and continually evolves in accordance with industry best practices. Sensitive data must be stored and disposed of in a manner that reasonably safeguards its confidentiality and protects against unauthorized use or disclosure. Narratize implements encryption for data at rest and in transit, and adheres to strong cryptographic key requirements.

Security Compliance

Narratize reviews and updates its security policies and plans at least annually to maintain organizational security objectives and meet regulatory requirements. Compliance checks and security hardening are performed continuously. Vendor security assessments are performed before third-party products or services are used, to ensure they maintain appropriate security and privacy controls. Vulnerability scans are performed during development, and system-wide scans are performed at every major release. In addition, a yearly external audit, inclusive of application penetration tests, is performed.

Access Control

Narratize adheres to the principle of least privilege, granting users only the minimum access necessary based on job function, business requirements, or need-to-know. Access to systems is provisioned via a deny-all methodology, requiring formal independent approval before access is granted. Administrative access to production servers and databases is restricted. Unique accounts with complex passwords are required for all users, and passwords must be kept confidential and stored in a Narratize-approved password manager. Multi-factor authentication is required for access to all core systems. Access and privileges to sensitive applications, infrastructure, systems, and data are audited regularly. System access is revoked immediately upon termination or resignation.

Cloud Hosting

Narratize utilizes mission-critical third-party cloud services such as AWS, OpenAI, and Google Workspace. Essential data is stored remotely using commercial cloud providers with proper backup and redundancy processes in place. For more information about their certifications and compliance practices, please visit the AWS Security and AWS Compliance sites.

Data Retention

Narratize retains customer data for as long as an account is active or in accordance with agreements between Narratize and the customer, unless required by law or regulation to dispose of data earlier or retain data longer. Data is disposed of within 30 days of a request by a current or former customer or in accordance with customer agreements. Narratize may retain and use data necessary for contracts to comply with legal obligations, resolve disputes, and enforce agreements.

Encryption

Narratize uses industry-approved strong algorithms to encrypt data in transit and data at rest. Transport Layer Security (TLS 1.2+ or a minimally equivalent protocol) is used to safeguard sensitive data during transmission over open, public networks. Data at rest is encrypted only with strong encryption methods (AES-256 or a minimally equivalent algorithm). Encryption keys are rotated based on several criteria: if the key is or may be compromised, after a specified period, after the key has been used to encrypt a specified amount of data, or if there is a significant change in the security provided by the algorithm.

Vulnerability and Patch Management

Narratize uses a proactive vulnerability and patch management process that prioritizes and applies patches based on classification. Classification may depend on whether the issue is security-related, on its severity, and on other additional factors.

Logging

Narratize collects and monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities. Filters, parameters, and alarms are implemented to trigger alerts on logged events that deviate from established system and activity baselines. Logs are securely stored and archived for a minimum of 90 days to support potential forensic efforts. Access control is used to prevent unauthorized access to, deletion of, or tampering with logging facilities and log information.

Personnel

The security of the Narratize environment is the responsibility of all Narratize team members including employees, contractors, and temporary workers who have access to Narratize's information systems. All employees must have a completed background check on file before starting, in addition to signing confidentiality agreements. Employees are required to review the employee handbook and code of conduct policy. Violations of any corporate policies may result in disciplinary measures up to and including termination. Narratize adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee.

Secure Development

Narratize incorporates secure coding practices into the development lifecycle and security architecture. Engineers are responsible for defining security requirements and evaluating compliance throughout all phases of the software development lifecycle. Code reviews are used to maintain the quality of Narratize code and products, looking at design, functionality, complexity, tests, security, naming, comments, style, and documentation. All code is managed in a version control repository, with branch protections in place.

Third Parties

Narratize partners with third parties to provide key services. These third parties, also known as subprocessors, are continuously monitored to ensure their security programs continue to meet Narratize's standards. Narratize reassesses its subprocessors regularly, including a review of their independent audit reports and penetration test reports. The full list of our subprocessors is available upon request. Narratize requires a vendor security assessment before third-party products or services are used, confirming the provider can maintain appropriate security and privacy controls.

Data Protection and Disaster Recovery

Narratize maintains a Business Continuity and Disaster Recovery Plan to guide the company in the event of a significant business disaster or other disruption to normal service. The systems were designed and built with disaster recovery in mind. Data is automatically backed up daily and recovery tests are frequently conducted to ensure backups are valid and working properly. The plan is tested, reviewed, and updated at least annually.

User Responsibility

Although Narratize is responsible for most security controls, our users are responsible for securing their user accounts. This includes creating strong passwords, provisioning user accounts and permissions, and disabling accounts as needed. Additionally, users are responsible for determining the appropriateness of the data entered into the application. By default, Narratize handles limited customer Personally Identifiable Information (PII) (name and email). The sensitivity of the data that customers input to generate content is ultimately their responsibility.

Responsible Disclosure

If a vulnerability in the Narratize application is discovered, admin@narratize.com should be notified. All security concerns brought to our attention are reviewed, and we take a proactive approach to emerging security issues. We prioritize clearly written reports with reproducible examples for app.narratize.com. We do not accept reports for www.narratize.com.

Securing and maintaining the privacy of customer information is essential to our company's mission. The success of our users lies at the core of what we do. We hope this insight into our security program helps build and maintain your trust in Narratize.