
Privacy by design: Glassbox is the first digital CX analytics provider to be ISO/IEC 27701:2019 certified

There is no denying that an organization’s data is a crucial asset and a critical component of everyday operations and ongoing success. The digital collection of customer data has never been under closer scrutiny. With the introduction of laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the pressure on companies to protect and respect customer privacy is higher than ever.

Data protection has always been a priority at Glassbox. For us, the term “Privacy by Design” is not just a buzzword. The Glassbox platform was built on the principle that safeguarding the security and privacy of customer data is nothing less than critical. It is part of the Glassbox company culture to create a product and infrastructure that maintain the maximum degree of security and privacy while still providing valuable business insights. We constantly work to reinforce this commitment to privacy and security, as evidenced by our ISO 27001 and SOC 2 certifications.

We have once again transcended the market. Today, we’re thrilled to announce that Glassbox is the only digital customer experience analytics solution with session replay to receive an accredited ISO/IEC 27701:2019 certification (“ISO 27701”).

What is ISO 27701?

The International Organization for Standardization (ISO) 27701 certification is a prestigious global recognition that proves our commitment to providing solutions that support our clients’ compliance efforts. The 27701 standard was published in summer 2019 as a global standard to support organizations in building a privacy management program that complies with international privacy laws such as GDPR and CCPA. The ISO 27701 requirements apply both at the company level and to the design of products and services, namely data processing systems.

Keep reading to learn more about the ISO 27701 requirements and how the Glassbox customer experience analytics platform meets and exceeds them.

Data collection structure

In addition to designing our software securely, following the Secure Software Development Life Cycle (SSDLC), we have built our information security architecture in accordance with the highest market standards.

We pride ourselves on being the only provider who offers a single-tenant environment for cloud deployments (virtual private cloud) as well as the only provider to offer an on-premises deployment option. This gives our customers the ability to control and process their data in their own private data center or benefit from the security and efficiency of certified highly secured data centers from top cloud providers.

In order to maintain high standards for security and to stay compliant with privacy regulations, Glassbox provides end-to-end encryption. All data going in and out of the Glassbox platform is encrypted in accordance with the highest market standards, both in transit and at rest, on all platforms, with application-based encryption on top.

Conditions for the transfer of personal data

With the July 2020 invalidation of the EU-U.S. Privacy Shield Framework, the transfer and storage location of consumer data has come under renewed scrutiny. This has created a substantial headache for thousands of companies who do business globally.

Glassbox provides maximum flexibility and resilience in choosing the storage location of data. Unlike most solution providers, data gathered by Glassbox can be stored in various geographic locations in accordance with your preference and local privacy regulations.

Obligation to end user privacy rights

To meet the requirement of upholding end user rights, such as the right to accuracy and the right to be forgotten, the Glassbox platform provides free-text search that allows you to find any customer journey or session replay. This lets you locate and remove unnecessary personally identifiable information (PII) in real time using search-engine-like queries, so you can immediately update or remove customer data. You can easily honor customer requests and stay compliant with your applicable privacy regulation.

Privacy by data minimization

The principle of data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Most privacy regulation guidelines require that you collect, process and store only the PII that is necessary for the identified purposes.

Our advanced data masking and omitting capabilities offer auto-detection and omission of PII and PCI data (from both the client- and server-sides)—and they are available right out of the box.

Privacy by default

By default, the Glassbox platform takes a whitelisting approach to all input fields. These defaults set you up for out-of-the-box privacy. Plus, they can be adjusted in accordance with your organization’s unique requirements.

In addition, our IP anonymization tool is configured by default to de-identify users and remove unnecessary PII. Finally, Glassbox offers an automatic removal tool for PII and PCI data, to ensure no private information is captured by accident.
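As an added illustration of the privacy-by-default ideas in this and the previous section (an input-field allowlist, PCI auto-detection and IP anonymization), here is a small JavaScript capture filter. It is not Glassbox’s own code and does not describe how the product is implemented; the field names, allowlist and sample values are constructed for the example.

```javascript
// Added illustration (not Glassbox's code): a privacy-by-default capture
// filter. Input fields are recorded only when their name is on an allowlist;
// everything else is masked. Even allowlisted values are masked when they
// look like a payment card number (PCI auto-detection via Luhn), and client
// IPs are truncated before storage.

const DEFAULT_ALLOWLIST = new Set(['search', 'product_id', 'sort_order']); // constructed names

// Luhn checksum used to recognise card-like digit strings (13-19 digits).
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Mask a value to the same length so analytics keep the shape but not the data.
function mask(value) {
  return '*'.repeat(String(value).length);
}

// Default deny: a field is recorded verbatim only if allowlisted AND not
// card-like. Returns the records that would be sent to the replay backend.
function captureFields(fields, allowlist = DEFAULT_ALLOWLIST) {
  return fields.map(({ name, value }) => {
    const allowed = allowlist.has(name) && !looksLikeCardNumber(value);
    return { name, value: allowed ? value : mask(value), masked: !allowed };
  });
}

// IPv4 anonymisation: zero the host octet so the address cannot single out
// one user. Anything that is not a valid IPv4 address is dropped (null)
// rather than stored raw.
function anonymizeIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return `${m[1]}.${m[2]}.${m[3]}.0`;
}
```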

Security of mobile and web application data

Companies must be able to ensure there is no compromise of PII, regardless of the channel and device through which the data was captured.

With Glassbox, you get the same high level of security and privacy in all types of deployments including JS code for web and SDK for iOS and Android native mobile apps.

Access control

The principle of least privilege requires giving each user, service and application only the access needed to perform their work and no more. It requires that organizations set up their systems and processes so that access to data is granted only to defined job roles. This goes hand-in-hand with the principle of accountability, which requires organizations to self-audit by keeping records of what information was accessed, by whom and when.

With Glassbox, features and capabilities are enabled according to role by default so you can keep access to sensitive customer data on a need-to-know basis. The platform can be easily configured for both role-based permissions and application-based permissions. Plus, you get audit logs to keep track of all activity within the Glassbox system.

Our continued commitment to your compliance efforts and your customers’ privacy

We believe that respecting consumers’ rights while still extracting maximum value from data is achievable when the proper privacy and security safeguards are in place. We are the only software provider in our space, and among the earliest adopters in the technology industry, to achieve this significant distinction. An ISO 27701 certification provides independent validation of our ongoing commitment to world-class security and privacy, as well as our dedication to helping our customers with their own compliance efforts. By meeting the rigorous standards outlined by ISO 27701, we demonstrate our aggressive efforts to protect and respect our customers’ critical business information and their users’ privacy.
