Security Perspective

Last modified: November 18, 2024

At Narratize, we believe that trust is the foundation of any successful partnership. We understand that when you entrust us with your data, it's not just bits and bytes—it's your insights, your ideas, it’s your business. That's why we've built a robust security infrastructure that leaves no room for compromise. With our comprehensive security measures, meticulous attention to detail, and dedicated experts, we're committed to maintaining your trust every step of the way. So, as you embark on your storytelling journey with Narratize, rest assured that your data is safeguarded with unwavering commitment, ensuring your peace of mind to focus on what you do best—unleashing your imagination and leaving no idea untold. Together, we'll create a secure and empowering environment where innovation can flourish.

Safeguarding Customer Data

Narratize’s Product Team is responsible for implementing and managing our security program. The primary focus of our security program is to prevent unauthorized access, use, and disclosure of user data. Our security program is built with the AICPA Trust Services Principles and continually evolves in accordance with industry best practices.

Security Compliance

Narratize constantly monitors and enhances the design and effectiveness of our security controls. By the end of 2023, Narratize will have a collaboration with a reputable third party for their independent assessment of our efforts. This program will include  annual network and application penetration tests. All internal and external audit findings will be shared with executive management and users will be able to request copies of external reports through their account executive.

Access Control

In provisioning access, IT adheres to the principles of least privilege and role-based access control, meaning team members are only authorized the access and permissions necessary to fulfill their job responsibilities. User access reviews, including production access, will be performed semi-annually. Team member access is revoked within two business days of an employee's termination. In cases of involuntary termination, access is revoked immediately.

Cloud Hosting

Narratize  uses Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure as its cloud hosting providers. The Bubble.io platform services are hosted on Amazon Web Services (AWS), which continuously maintains certification for a variety of global security and compliance frameworks. For more information about their certifications and compliance practices, please visit the AWS Security and AWS Compliance sites.

Data Retention

Narratize  retains data for the duration of the customer's use of the application. Customer data is removed upon request for user account deletion or upon customer contract termination.

Encryption

Narratize  encrypts all customer data at rest and in transit using robust encryption methods. Bubble uses AWS RDS’s AES-256 encryption to encrypt data at rest. Xano utilizes the Google Cloud Platform (GCP) as its cloud hosting provider. Google uses the AES algorithm to encrypt data at rest. All data at the storage level is encrypted by DEKs, which use AES-256 by default, with the exception of a small number of Persistent Disks that were created before 2015 that use AES-128.

Logging

Logging is enabled for all production systems. Logs are reviewed for indications of compromise and alerted upon. The Product team is responsible for monitoring alert thresholds, tracking security events to resolution.

Personnel

The security of the Narratize environment is the responsibility of all Narratize team members including employees, contractors, and temporary workers who have access to Narratize's information systems. All employees must have a completed background check on file before starting, in addition to signing confidentiality agreements. Employees are required to review the employee handbook and code of conduct policy. Violations of any corporate policies may result in disciplinary measures up to and including termination.

Secure Development

Narratize has built a secure software development life cycle. All code is managed in a version control repository, with branch protections in place. Access to source code requires MFA. The agile process allows engineers to follow their own release cycles, deploying continuous improvements to the Narratize application.

Third Parties

Narratize partners with third parties to provide key services. These third parties, also known as subprocessors, are continuously monitored to ensure their security programs continue to meet Narratize's standards. Narratize reassesses its subprocessors regularly, including a review of their independent audit reports and penetration test reports. The full list of our subprocessors is available upon request.

Data Protection and Disaster Recovery

Our systems were designed and built with disaster recovery in mind. Our data is automatically backed up daily and we regularly test that our backups are working and can be easily restored. Point-in-time data recovery for user data is available at any time.

User Responsibility

Although Narratize is responsible for most security controls, our users are responsible for securing their user accounts. This includes creating strong passwords, provisioning user accounts and permissions, and disabling accounts as needed. Additionally, users are responsible for determining the appropriateness of the data entered into the application. By default, Narratize handles limited customer Personally Identifiable Information (PII) (name and email). The sensitivity of the data that customers input to generate content is ultimately their responsibility.

Responsible Disclosure

If a vulnerability in the Narratize application is discovered, admin@narrratize.com should be notified. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues. We prioritize clearly written reports with reproducible examples for narratize.com/app. We do not accept reports for www.narratize.com.

Securing and maintaining the privacy of customer information is essential to our company's mission. The success of our users lies at the core of what we do. We hope this insight into our security program helps build and maintain your trust in Narratize.