🏆 Salesroom is SOC2 Type 2 as of @February 17, 2023. SOC2 report contains sensitive information, and is available here and an NDA will need to be signed before receiving access.
“Salesroom Inc” is a Software as a Service (SAAS) company that offers “Sales Specific Virtualized Virtual Meeting (“Salesroom”)” software and services to Sales Account Executives (AE) using its SAAS platform or expert resources. Salesroom improves the likelihood and speed of closing sales contracts virtually by reducing friction during the sales cycle and improving trust and confidence at each step of the process. This is achieved using a virtual meeting platform and machine learning designed specifically for sales. Salesroom is the first real-time Sales platform built directly for AE’s (value prop). Salesroom Inc was founded in February 2021
Shared Responsibility Matrix
This matrix is an essential document that clearly outlines the various responsibilities of both Salesroom and you, our valued customer, in terms of security, compliance, and operations.
The Shared Responsibility Matrix is designed to help both of us to understand our respective roles and expectations, reducing potential confusion and misunderstandings. By clearly defining the responsibilities related to infrastructure, platform, software, network security, data storage, access management, compliance, data privacy, and security monitoring, we can collaboratively work together to ensure the security, reliability, and performance of our product.
Understanding and adhering to the Shared Responsibility Matrix is crucial for the following reasons:
Enhanced Security: By following the matrix, both of us can implement appropriate security controls and best practices, reducing the risk of data breaches and security incidents.
Compliance: The matrix helps maintain compliance with relevant industry regulations and certifications, such as SOC2, GDPR, and CCPA, by specifying each party's compliance-related responsibilities.
Operational Efficiency: Clearly defined responsibilities help streamline operations and improve efficiency, resulting in a more reliable and high-performing service.
Trust and Transparency: The matrix fosters trust between our companies by establishing transparent communication and setting clear expectations for both of us.
We encourage you to carefully review and understand the Shared Responsibility Matrix, as it is a vital component of our working relationship. We are always available to discuss any questions or concerns you may have regarding the matrix, and we look forward to our ongoing collaboration in maintaining the security and compliance of Salesroom.
Contact Us or email [email protected] with any questions.
Area | Description | Salesroom Responsibilities | Customer Responsibilities | Shared Responsibilities |
Infrastructure | The physical and virtual resources used to provide the Salesroom service, such as servers, storage devices, and networking components. | Provide and maintain underlying infrastructure, including compute, storage, and networking resources. |
|
|
Platform | The underlying operating systems and runtime environments on which the SaaS application runs. | Ensure platform security, including patch management, vulnerability scanning, and secure development practices. |
|
|
Software Application | The cloud-based sales specific video conferencing software provided as a service to customers. | Develop, maintain, and update software, including regular security patches and feature enhancements. | Properly configure and use the application according to provided guidelines and best practices. | Report and address software vulnerabilities, sharing relevant information to ensure timely resolution. |
Network Security | The protection of network infrastructure and communication channels between Salesroom and the customer. | Protect network infrastructure by implementing firewalls, intrusion detection systems, and DDoS mitigation measures. | Secure their own network connections, ensuring proper firewall configurations and traffic monitoring. |
|
Data Storage | The secure storage, backup, and retrieval of customer data in Salesroom environments. | Provide secure data storage, including encryption at rest and in transit, and regular data backups. | Manage their data according to best practices, including proper classification, retention, and disposal. | Comply with relevant data protection regulations, sharing updates and concerns related to compliance. |
Access Management | The control and management of user access to the Salesroom and related resources. | Implement access controls, authentication mechanisms and user management features. | Manage user accounts, roles, and permissions, including timely provisioning and deprovisioning of access. |
|
Compliance | The adherence to legal, regulatory, and industry-specific requirements for security and data protection. | Maintain relevant SOC2 & GDPR certifications and implement compliance-related controls and processes. | Ensure compliance with industry-specific regulations, maintaining necessary documentation and evidence. | Address and share compliance-related concerns, collaborating on maintaining and improving compliance posture. |
Data Privacy | The protection of personal and sensitive information, in accordance with applicable data privacy regulations. | Implement privacy controls and processes, such as data anonymization, pseudonymization, and access restriction. | Adhere to data privacy best practices, training employees on proper handling and processing of personal data. | Comply with applicable privacy regulations, collaborating on data privacy impact assessments and incident response. |
Security Monitoring | The ongoing surveillance and analysis of potential security incidents, threats, and vulnerabilities. | Monitor the environment for security incidents, using tools like SIEM and threat intelligence platforms. | Monitor their own systems for incidents, including user activity and access logs. | Collaborate on incident response and resolution, sharing relevant information and coordinating recovery efforts. |
Architecture
Data is stored in an encrypted PostgreSQL database. Sensitive data such as transcriptions undergo further AES-256 encryption so they are not available without excess decryption efforts. All data is encrypted at rest and we use TLS 1.2 for all cross-service communication. We conduct regular third party penetration tests and infrastructure audits. We follow best practices around least privilege and limited production access.
Recordings, meeting metadata and highlight processing are encrypted in transit with AES algorithms, and recordings are encrypted at rest with AES-256 on AWS S3. Access is limited to a small subset of engineers and is logged and alerted. Encryption is non-optional and cannot be turned off or downgraded. Access to recordings is restricted, audit-logged, alerted, and access is only granted with express customer permission to diagnose issues.
Transcriptions, chats, notes and any potentially sensitive freeform text is encrypted in our Heroku PostgreSQL Database (Heroku use AWS), in transit with AES algorithms and at rest using AES-256 encryption algorithms. Engineers do not review any of this data without express permission from the user and any decryption requires excess effort and advanced knowledge to decryption.
No one can listen into an active meeting without being a known participant who has joined through a meeting url that is randomly generated and can’t be brute forced. All participants know exactly who is in a call at any given time. All our meetings are encrypted in transit using AES-256 encryption algorithms.
All code and infrastructure changes are made via a Github Pull Request. Code owners are required to review and approve changes before deployment. Snyk and Github CodeQL Security checks are run on all code before deployment and deployments go through development and staging servers before being able to be promoted to production. Secureframe continually monitors our security controls to ensure they remain functional. JAMF, CrowdStrike and Google Security ensure all computer equipment and internal data is monitored.
Salesroom Compared to Other Vendors
Chart represents best assumptions based on publicly available information.
Salesroom | Meets | Zoom | Teams | |
Encrypted at REST | ✅ | ✅ | ✅ | ✅ |
Encrypted in Transit | ✅ | ✅ | ✅ | ✅ |
Encrypted Video Steams (AES-256) | ✅ | ✅ | ✅ | ✅ |
E2E Encryption (P2P Encryption) This means that no one, but the parties involved can see the data. Hence why most features are disabled as a result. | ❌ | ❌ | ✅ Paid Enterprise feature When enabled, the following features are disabled. - Join before host - Cloud recording - Live streaming - Live transcription - Breakout Rooms - Polling - Zoom Apps - Meeting reactions* - 1:1 private chats - Read More Not implemented fully until later in the product development lifecycle. Not available until enterprise level, $19.99 per license per month, Minimum 100. Starting at $23k per year | ✅ Paid Enterprise feature When enabled, the following features are disabled. - Live captions and transcription - Call transfer - Call merge - Call park - Consult then transfer - Call companion and transfer to another device - Adding a participant - Recording - Read More Not implemented fully until later in the product development lifecycle. |
E2E Encrypted Recording Files This means that no one, apart from the devices the chat occurred on, can see the chat as the keys are only stored on the devices themselves and are not accessible by the provider. | ❌ | ❌ | ❌ | ❌ |
E2E Encrypted Chat & Transcripts This means that no one, apart from the devices the chat occurred on, can see the chat as the keys are only stored on the devices themselves and are not accessible by the provider. | ❌ | ❌ | ✅ Paid Enterprise feature When enabled, the following features are disabled. - Advanced encryption ensures keys are generated & operated on chat participants' devices. - Read More Not implemented fully until later in the product development lifecycle. Not available until enterprise level, $19.99 per license per month, Minimum 100. Starting at $23k per year | ✅ Paid Enterprise feature When enabled, the following features are disabled. - Additional layer of encryption on top of service encryption for your content. - Read More |
Encrypted Chat & Transcripts This means that within the database further encryption is applied. | ✅ | N/A | ✅ | ✅ |
Downloadable Recordings | ✅ | ✅ | ✅ | ✅ |
Downloadable Chat | ✅ | ✅ | ✅ | ✅ |
Downloadable Transcripts | ✅ | N/A | N/A | N/A |
Option to Store Data Locally | ❌ | ❌ | ✅ | ❌ |
Option to Store Data On-Premises | ❌ | ❌ | On-Premises Enterprise Paid Options - User & meeting metadata on Zoom public cloud. - Video, voice, in-meeting chat, and data sharing through connectors. - Read More Not implemented fully until later in the product development lifecycle. Not available unless added at additional cost to enterprise level. |
Common Questions
Organizational Security
Information Security Program
We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
Third-Party Audits
Our organization undergoes independent third-party assessments to test our security and compliance controls.
Third-Party Penetration Testing
We perform an independent third-party penetration at least annually to ensure that the security posture of our services is uncompromised.
Roles and Responsibilities
Roles and responsibilities related to our Information Security Program and the protection of our customer’s data are well defined and documented. Our team members are required to review and accept all of the security policies.
Security Awareness Training
Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
Confidentiality
All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
Background Checks
We perform background checks on all new team members in accordance with local laws.
Cloud Security
Cloud Infrastructure Security
All of our services are hosted with Amazon Web Services (AWS) and Heroku. They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit AWS Security and Heroku Security. More details can be found on our Subprocessors list.
Data Hosting Security
All of our data is hosted on Amazon Web Services (AWS) and Heroku databases (on AWS). These databases are all located in the United States. More details can be found on our Subprocessors list.
Encryption at Rest
All databases are encrypted at rest.
Encryption in Transit
Our applications encrypt in transit with TLS/SSL only.
Vulnerability Scanning
We perform vulnerability scanning and actively monitor for threats.
Logging and Monitoring
We actively monitor and log various cloud services.
Business Continuity and Disaster Recovery
We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
Incident Response
We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Access Security
Permissions and Authentication
Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role.
Where available we have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management.
Quarterly Access Reviews
We perform quarterly access reviews of all team members with access to sensitive systems.
Password Requirements
All team members are required to adhere to a minimum set of password requirements and complexity for access.
Password Managers
All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Vendor and Risk Management
Annual Risk Assessments
We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
Vendor Risk Management
Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor. More details can be found on our Subprocessors list.