Security Overview

Overview

🎖️
Disclose any vulnerabilities or bugs via https://updates.salesroom.com/bugs-issues
🚫
Salesroom currently has SOC2 Type 1 as of Jun 20, 2022 and is working towards SOC2 Type 2. The SOC2 report contains sensitive information; it is available here, and an NDA will need to be signed before access is granted.
“Salesroom Inc” is a Software as a Service (SaaS) company that offers “Sales Specific Virtualized Virtual Meeting (“Salesroom”)” software and services to Sales Account Executives (AEs) through its SaaS platform or expert resources. Salesroom improves the likelihood and speed of closing sales contracts virtually by reducing friction during the sales cycle and improving trust and confidence at each step of the process. This is achieved using a virtual meeting platform and machine learning designed specifically for sales. Salesroom is the first real-time sales platform built directly for AEs (value prop). Salesroom Inc was founded in February 2021.
Data is stored in an encrypted PostgreSQL database. Sensitive data such as transcriptions is additionally encrypted with AES-256, so it cannot be read without further decryption effort. All data is encrypted at rest and we use TLS 1.2 for all cross-service communication. We conduct regular third-party penetration tests and infrastructure audits. We follow best practices around least privilege and limited production access.
Recordings, meeting metadata and highlight processing are encrypted in transit with AES algorithms, and recordings are encrypted at rest with AES-256 on AWS S3. Access is limited to a small subset of engineers and is logged and alerted on. Encryption is non-optional and cannot be turned off or downgraded. Access to recordings is restricted, audit-logged and alerted on, and is only granted with express customer permission in order to diagnose issues.
Transcriptions, chats, notes and any potentially sensitive freeform text are encrypted in our Heroku PostgreSQL database (Heroku runs on AWS), in transit with AES algorithms and at rest with AES-256. Engineers do not review any of this data without express permission from the user, and decrypting it requires additional effort and specialist knowledge.
No one can listen in on an active meeting without being a known participant who has joined through a meeting URL that is randomly generated and cannot be brute-forced. All participants know exactly who is in a call at any given time. All our meetings are encrypted in transit using AES-256.
All code and infrastructure changes are made via a GitHub Pull Request. Code owners are required to review and approve changes before deployment. Snyk and GitHub CodeQL security checks are run on all code before deployment, and deployments go through development and staging servers before they can be promoted to production. Secureframe continually monitors our security controls to ensure they remain functional. JAMF, CrowdStrike and Google Security ensure all computer equipment and internal data are monitored.

Salesroom Compared to Other Vendors

Chart represents best assumptions based on publicly available information. The three compared vendors are shown as Vendor 2, Vendor 3 and Vendor 4; their names are not given on this page.

| Feature | Salesroom | Vendor 2 | Vendor 3 | Vendor 4 |
|---|---|---|---|---|
| Encrypted at rest | ✅ | ✅ | ✅ | ✅ |
| Encrypted in transit | ✅ | ✅ | ✅ | ✅ |
| Encrypted video streams (AES-256) | ✅ | ✅ | ✅ | ✅ |
| E2E encryption (P2P encryption) [1] | ❌ | ❌ | ✅ Paid enterprise feature [2] | ✅ Paid enterprise feature [3] |
| E2E encrypted recording files [4] | ❌ | ❌ | ❌ | ❌ |
| E2E encrypted chat & transcripts [5] | ❌ | ❌ | ✅ Paid enterprise feature [6] | ✅ Paid enterprise feature [7] |
| Encrypted chat & transcripts [8] | ✅ | N/A | ✅ | ✅ |
| Downloadable recordings | ✅ | ✅ | ✅ | ✅ |
| Downloadable chat | ✅ | ✅ | ✅ | ✅ |
| Downloadable transcripts | ✅ | N/A | N/A | N/A |
| Option to store data locally | ❌ | ❌ | ✅ | ❌ |
| Option to store data on-premises | ❌ | ❌ | On-premises enterprise paid options [9] | (not given) |

[1] E2E encryption means that no one but the parties involved can see the data, which is why most features are disabled when it is enabled.
[2] When enabled, the following features are disabled: join before host, cloud recording, live streaming, live transcription, breakout rooms, polling, Zoom Apps, meeting reactions*, 1:1 private chats. Not implemented fully until later in the product development lifecycle. Not available until enterprise level, $19.99 per license per month, minimum 100; starting at $23k per year.
[3] When enabled, the following features are disabled: live captions and transcription, call transfer, call merge, call park, consult then transfer, call companion and transfer to another device, adding a participant, recording. Not implemented fully until later in the product development lifecycle.
[4] E2E encrypted recording files means that no one, apart from the devices the recording was made on, can see it, as the keys are only stored on the devices themselves and are not accessible by the provider.
[5] E2E encrypted chat & transcripts means that no one, apart from the devices the chat occurred on, can see the chat, as the keys are only stored on the devices themselves and are not accessible by the provider.
[6] Advanced encryption ensures keys are generated and operated on chat participants' devices. Not implemented fully until later in the product development lifecycle. Not available until enterprise level, $19.99 per license per month, minimum 100; starting at $23k per year.
[7] An additional layer of encryption on top of service encryption for your content.
[8] Encrypted chat & transcripts means that further encryption is applied within the database.
[9] User and meeting metadata on the Zoom public cloud; video, voice, in-meeting chat, and data sharing through connectors. Not implemented fully until later in the product development lifecycle. Not available unless added at additional cost to enterprise level.

Common Questions

Organizational Security

  • Information Security Program
    • We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
  • Third-Party Audits
    • Our organization undergoes independent third-party assessments to test our security and compliance controls.
  • Third-Party Penetration Testing
    • We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
  • Roles and Responsibilities
    • Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well defined and documented. Our team members are required to review and accept all of the security policies.
  • Security Awareness Training
    • Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
  • Confidentiality
    • All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
  • Background Checks
    • We perform background checks on all new team members in accordance with local laws.

Cloud Security

  • Cloud Infrastructure Security
    • All of our services are hosted with Amazon Web Services (AWS) and Heroku. They employ a robust security program with multiple certifications. For more information on our providers’ security processes, please visit AWS Security and Heroku Security. More details can be found on our Subprocessors list.
  • Data Hosting Security
    • All of our data is hosted on Amazon Web Services (AWS) and Heroku databases (on AWS). These databases are all located in the United States. More details can be found on our Subprocessors list.
  • Encryption at Rest
    • All databases are encrypted at rest.
  • Encryption in Transit
    • Our applications encrypt data in transit using TLS/SSL only.
  • Vulnerability Scanning
    • We perform vulnerability scanning and actively monitor for threats.
  • Logging and Monitoring
    • We actively monitor and log various cloud services.
  • Business Continuity and Disaster Recovery
    • We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
  • Incident Response
    • We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.

Access Security

  • Permissions and Authentication
    • Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role.
    • Where available we use Single Sign-On (SSO), two-factor authentication (2FA) and strong password policies to ensure access to cloud services is protected.
  • Least Privilege Access Control
    • We follow the principle of least privilege with respect to identity and access management.
  • Quarterly Access Reviews
    • We perform quarterly access reviews of all team members with access to sensitive systems.
  • Password Requirements
    • All team members are required to adhere to a minimum set of password requirements and complexity for access.
  • Password Managers
    • All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.

Vendor and Risk Management

  • Annual Risk Assessments
    • We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
  • Vendor Risk Management
    • Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor. More details can be found on our Subprocessors list.