Convene for the Cities Security Policy

Summary Cover Sheet

This summary highlights the key points of the Convene for the Cities Security Policy regarding data protection, shared responsibilities, audits, and access controls. It is intended to help clients quickly understand how their data is secured when using Convene for the Cities Services.

Data Security: Convene for the Cities applies strong technical, administrative, and physical safeguards to protect client data and will not reduce the level of protection during your agreement.

Employee Practices: All Convene for the Cities team members are trained in data security and must sign confidentiality agreements.

Encryption & Recovery: Client data is encrypted both in transit and at rest. Convene for the Cities maintains backups and disaster recovery plans.

System Monitoring: Convene for the Cities monitors systems 24/7 and uses alert systems to detect suspicious behavior.

Third-Party Oversight: Sub-processors used by Convene for the Cities are held to the same security standards.

Client Responsibilities: Clients must secure their own applications and user access (e.g., MFA, secure coding, password rules).

Audit & Compliance: Convene for the Cities data centers and PII-centric functionality undergo regular SOC 1, SOC 2, and PCI-DSS audits, and Convene for the Cities provides the resulting reports upon request under NDA.

Audit Limitations: Due to cloud model constraints, physical onsite audits are not allowed. Clients may access audit information through existing third-party reports.

This summary does not replace the full security policy. Please refer to the detailed sections below for complete guidance.


Full Security Policy

A. How Convene for the Cities Protects Your Data

Convene for the Cities uses a combination of administrative, technical, and physical safeguards to keep your data secure. We keep these protections up-to-date as technology improves, and we won’t reduce the overall security of our services during the term of our agreement with you.

Here’s how we help ensure your data stays confidential, accurate, and accessible:

- Background checks and confidentiality agreements for all team members.

- Security and privacy training at hire and annually.

- Encryption of client data in transit and at rest.

- Backups and disaster recovery systems in place.

- Real-time monitoring with alerts to detect suspicious activity.

- Regular vulnerability scanning and risk assessments.

- Documented and reviewed security/privacy policies.

- Vendor and partner reviews for security commitments.

- Internal and external audits to test our systems.

- Controlled access by authorized staff only (for support, compliance, or with client approval).

B. Shared Responsibility: What Convene for the Cities Does vs. What You Do

**Convene for the Cities' Responsibilities:**

- Securing the infrastructure, applying patches, and monitoring 24/7.

- Managing vulnerabilities, incidents, and uptime.

- Vetting all sub-processors, which must follow the same policies.

**Client’s Responsibilities:**

- Secure your applications.

- Manage access, enforce passwords, and turn on MFA.

- Run vulnerability scans and penetration tests.

- Manage and monitor your user activity responsibly.

C. Third-Party Audits & Certifications

Convene for the Cities' platform is tested regularly by third-party security firms.

Certifications include:

- SOC 1 and SOC 2

- PCI-DSS

Audit reports can be shared upon request under an NDA. They are confidential and intended only for evaluating Convene for the Cities' practices. A fee applies for providing this information.

D. Client Audit Options

Convene for the Cities' cloud platform (AWS and/or Convene for the Cities Cloud) follows best-practice models for efficiency and safety.

- Onsite audits are not permitted because of the constraints of the cloud model.

- Instead, audit information is shared through the third-party reports described in Section C.

Clients can request alternative audit discussions by notifying Convene for the Cities in writing at: [email protected].