At Issuu, we are committed to protecting the confidentiality, integrity and availability of our information systems and our customers' data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at security@issuu.com.
Issuu uses infrastructure from AWS for data center hosting. Our provider data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, SOC 1, SOC 2 and SOC 3 compliant. Learn more about AWS certifications and compliance standards at AWS Compliance offerings.
Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction amongst others.
AWS implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about AWS Physical Security.
Issuu has a dedicated and passionate security team to respond to security alerts and events, continuously improve the security posture of the product and organization, and perform periodic internal security assessments.
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation.
Issuu leverages threat detection services within AWS to continuously monitor for malicious and unauthorized activity.
We perform regular internal vulnerability scans. Where issues are identified, they are tracked until remediated. These activities cover all aspects of our organization, including the code we write, our dependencies and our infrastructure.
Issuu uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize Fastly’s sophisticated CDN with built-in DDoS protection as well as native AWS tools and application-specific mitigation techniques. We monitor and block common types of attacks at the edge, aiming to prevent malicious traffic from reaching our servers at all.
We comply with the least privilege principle by granting our staff the minimum permissions needed to carry out their jobs. Access is also granted for a limited time and is scoped to the minimum number of services needed. Permissions are subject to frequent internal assessment, technical enforcement, and monitoring to ensure compliance. 2FA is required for all production systems.
Issuu forces HTTPS for all services using TLS (SSL). Encryption is managed by Fastly through our CDN and by AWS in certain cases.
Issuu data is encrypted at rest with industry-standard encryption algorithms managed by AWS, like AES.
Issuu is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load.
In the event of a major region outage, Issuu can deploy our application to a new hosting region. We have monitoring in place and dedicated engineers to spot downtime and react promptly to recover from any kind of disaster.
Issuu’s Quality Assurance function reviews and tests changes to our code base. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to support QA.
Testing and production environments are logically separated from one another. No customer data is used in any development or test environment.
Issuu delivers a robust Security Awareness Training program, which new hires complete within 30 days of joining and all employees complete annually.
Issuu has a set of information security policies covering a range of topics. These are delivered to all employees and contractors right after hiring.
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Access to systems and network devices is based upon a well-defined request process. Logical access to platform servers and management systems requires two-factor authentication. Access is further restricted by system permissions using the least privilege methodology and all permissions require documented need. User access is revoked upon termination of employment or change of job role.
Issuu understands the risks associated with improper vendor management. We evaluate all of our vendors before the engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.
As a card-not-present merchant, Issuu outsources our cardholder functions to a PCI-DSS Level 1 service provider.
Issuu uses subprocessors to provide core infrastructure and services that support the application. Before engaging any third party, Issuu evaluates a vendor’s security as described above.
At Issuu, the security of our users and our platform comes first. Please visit our dedicated page for more information on vulnerability disclosures.