Page tree
Skip to end of metadata
Go to start of metadata

GENERAL PLATFORM SECURITY

Internet Security 

All Viant Ad Cloud web servers use Secure Sockets Layer (SSL) certifications. An SSL certificate is a digital certificate that both authenticates the identity of a website and encrypts information sent to the server using SSL technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

System Architecture Security 

Viant employs industry-standard security technologies, standards, and policies to protect our user data. 

  • The Viant data network is protected by multiple layers of network devices with narrowly defined ACLs (access control lists). The network perimeter is also monitored at all times by our Network Operations Center for any intrusion attempts. The data tier is further protected by being segregated from the rest of the infrastructure by additional ACLs. Access to the data tier is strictly limited to authorized personnel and multiple levels of approval are required to obtain authorization. This authorized list is audited frequently to ensure only appropriate personnel have access.
  • There is no direct access from within the infrastructure to external networks. Access to the Internet is via a proxy farm which requires multiple approvals and is tightly controlled via port/IP address range limitations.
  • Viant's segregation of duty policy strictly prohibits software engineers from being able to deploy changes to the production systems. Deployments and configuration changes are managed and implemented by a separate set of engineers.
  • All of our data centers are SOC3 compliant. Physical access to the Data Center is restricted to Technology Operations staff and authorized visitors with a business need. Personnel not belonging to the Technology Operations staff must be verified and accompanied by a Data Center staff member. 

System Access

Access to Viant's production system is limited to personnel on premise or via VPN only. Access through VPN is further limited by ACLs; any change to the ACL requires appropriate levels of authorization. Personnel access is managed through LDAP groups to ensure that only required access is given. Authentication to production servers running Viant's IMP Audience Insights is controlled using two factor authentication.

New user access to any Viant Ad Cloud server is requested through provisioning tools with an automated workflow. Before a new user account is generated, the request must be approved by both IT group and the system manager. As a user’s role changes within Viant, their level of access is reviewed and modified appropriately. Termination of a Viant employee results in automatic account removal from all systems in which they had access upon the date of their termination. Viant maintains an Employee Handbook featuring data and IT policies that prevents discussing any client specific data outside of work. 

Vulnerability Testing

External Vulnerability Testing is performed on a quarterly basis to ensure our services are secure from external exploits. This test scans all of our external facing systems including web servers, application servers, VPNs, and network hardware. Multiple industry-standard tools are used to independently identify, via port scanning, all services that are externally accessible. Results are shared with internal teams to audit and identify any potential risks. Any services deemed to be at risk will be promptly removed or disabled until remediation work is complete or a process is put in place to eliminate the vulnerability.

Change Management 

All deployments to Viant Ad Cloud servers are tracked by strict release management processes. Deployment requests must be submitted by the developer and approved by management; the deployment is executed by a release management team member. Developers are strictly prohibited by the segregation-of-duty policy from deploying changes into the production environment. All code changes are logged. Change management procedures also include an analysis of the request and its impact on the existing environment, including verification that security requirements are met.  

The following change control policies and guidelines apply to any changes, amendments, or new deployments to the production system:

  • An approved Change Request will be used to request development team-initiated changes to Viant’s production environment.
  • Change Management Procedures shall be in place to ensure that all software and hardware has been appropriately tested and reviewed, when required.
  • Security features shall be tested with each change to ensure that security is properly functioning and has not been impacted by the change, when required.
  • Development team-initiated changes must be authorized by the appropriate Manager or Director.
  • All changes will be recorded and retained.
  • Development team-initiated changes to the production environment must follow the currently approved change notification procedures.

Opt-Out

An individual may opt-out of targeting using the Ad Cloud a number of different ways.  Namely, if an individual opts-out of advertising with the advertiser then no match will be possible and no ads will be served under the subject campaign.  Additionally, if an individual opts-out on the Viant website then they will also be excluded from all ad cloud campaigns.  Finally, if an individual opts-out of advertisements with Myspace or with a third-party which is providing the subject individual’s data to our Ad Cloud service.

 

IDENTITY MANAGEMENT PLATFORM DATA SECURITY

Data Submission

All personally identifiable consumer data (e.g., email, name, address) must be MD5 hashed prior to uploading to the IMP. This ensures that an advertiser's human readable customer data never actually touches Viant servers. The MD5 hash functions as a compact digital signature of a file, where each hash is a 32-byte hexadecimal string.  Viant's data onboarding tool looks at each record in the uploaded file and checks to see if the length of the string is 32-bytes. Any record that is not 32-byte is not eligible for matching or subsequent targeting within the IMP.  

An MD5 hashed list does not contain the actual consumer information, so it is not possible to convert these values back to actual data from the MD5 list alone. The matching process compares the client’s uploaded hashed values against the existing hashed database to determine if any records produce an MD5 hashed match. Matching values indicate that the records relate to the same consumers. The existing records in the Viant database are then flagged as consumers that an advertiser desires to reach in their ad campaign. 

To be eligible for matching, the file must have at least 1000 unique records and be in CSV (Comma Separated Value) format. Files that are not in this file format or that do not have the minimum amount of records will be rejected by the UI and will not be eligible for matching. Additionally, advertiser must have authorization to supply customer data to Viant and must abide by data-related requirements in the Viant Ad Cloud Master Services Agreement and applicable schedules, such as the IMP Services Schedule. 

Authorized Systems 

The application server of the IMP is the only system that can perform matching queries against the database.

All Viant services are accessed through the IMP. Only advertisers with valid Viant user credentials will be able to login to the IMP. Advertiser credentials only allow access to client-specific campaign data, and not to data from any other advertiser or campaign. All activity within the IMP is logged for audit purposes.  

Data Transmission

The Viant web server that receives hashed customer lists has an SSL certification installed to allow secure connections from the browser. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. 

Storage and Retention

Hashed custom audience lists are uploaded to the IMP and matched immediately against Viant’s hashed database. This upload can either be done through the UI or as a managed service. Advertiser data is then stored in a secure area of Google’s Cloud Storage. These files are stored behind multiple levels of access control. The data within an uploaded custom audience list is only accessible outside of the Viant servers if the client requests additional managed services to be performed on their data (ex. matching results download). At such time a managed service is requested, relevant data will be securely ported to the necessary area(s) from its location in Google Cloud Storage. All matching processes against the Viant database are logged.  

Deletion

Advertisers may delete existing custom audiences and the related MD5 hash lists within Viant’s IMP service through the user interface. Deletion of the MD5 hash file is immediate. When a custom audience segment is deleted, the hashed list and the flags identifying matched consumers are deleted from the Viant database and ad server Server Side User Store. Deletion of the resulting matches from the Server Side User Profile Store is completed in no longer than 30 minutes. 

Please note that like any ad serving platform, Viant is required to keep detailed log files of delivered ads for audit and diagnostic purposes. However, access to these logs is restricted and the logs utilize a compressed form with proprietary IDs.

Privacy

When an advertiser uploads hashed customer data to Viant, they authorize Viant to attempt matching of the records to Viant's hashed database in order to deliver the ad serving and analytics services of the Viant Ad Cloud to the advertiser.

Saved custom audience segments can only be used within the account in which they were created. No one outside of the advertiser who uploaded the list can see the file or associated matched users. It is not possible to retrieve, download, or view previously uploaded custom audience files.

A custom audience segment can only be utilized for advertising campaigns generated within the IMP account that originally uploaded the hashed data. Advertisers must safeguard access to account credentials to ensure that the account remains protected. 

Viant will not use any advertiser data for any purpose other than as directed by advertiser or as indicated in Viant’s Privacy Policy, as applicable, a current copy of which is available at the following URL: http://www.viantinc.com/privacy-policy/

 

Viant Ad Cloud Data Security information can be  downloaded here.