Clients’ Security Responsibilities and Best Practices

Effective: August 10, 2020 — present

Intapp makes the following recommendations based on ISO 27017: Information technology — Security techniques — Code of practice for information security controls based on ISO / IEC 27002 for cloud services which clarify the responsibilities that Intapp has and responsibilities the Client must maintain for the security of the Intapp Cloud Solution. In some cases, both Intapp and the Client share a specific responsibility.

Please note that this document describes the standard Intapp commitment, and any written agreements signed by both authorized Client and Intapp representative might modify those commitments.

Security Area (ISO 27017)Intapp’s responsibilityClient’s responsibility
Information Security Policy (ISP) (5.1.1, CLD.6.3.1)Intapp will maintain an ISP for its staff as required to fulfill Client commitments, certification requirements, legal requirements, as well as to maintain the security of Customer Data.Client will maintain an ISP for its staff as required to ensure the use of the solution is compliant with relevant Client commitments, legal requirements, license terms, and as well as Client information handling requirements.
End User Authentication (9.1.2, 9.2.1, 9.2.2, 9.2.4)Intapp will provide the Client with various, secure options to manage end-user authentication, including locally managed users and integration with single-sign-on providers per SAML 2.0 standard. Intapp supports multi-factor authentication for end-users.Client will manage the end-user provisioning and de-provisioning process, including defining appropriate authentication methods and password or multi-factor authentication restrictions.
End-User Access Permissions and Restrictions (9.1.2, 9.2.2, 9.2.3, 9.4.1)Intapp will provide relevant permissions and roles capabilities in its solution to allow Clients to restrict its end users to access only relevant information or to perform only specific actions.Client will manage the permissions and roles assigned to each end-user such that it complies with the Client’s security and privacy requirements.
Solution Security (9.4.4, 12.1.2, 12.6.1, 14.1.1, 18.1.3, 18.2.1, CLD.6.3.1, CLD.9.5.2, CLD.12.1.5, CLD.13.1.4)Intapp will use industry best-practices to secure the Intapp Cloud Solutions. The controls deployed are tested internally as well as by an independent third-party. Intapp will maintain for its Cloud Solutions ISO 27001 certification with demonstrated compliance to ISO 27017 and ISO 27018 as well as its CSA STAR certification. Additionally, Intapp will hire 3rd party auditor to attest its cloud solutions for Type 2 SOC 1 and Type 2 SOC 2..The Client should review the controls listed in the Type 2 SOC 2 Report and the ISO 27001 and CSA STAR certificate. The Client should ensure that the listed controls are adequate for the Client’s needs.
Application Security (12.6.1)Intapp will develop and maintain its solutions using its secure development guidelines. Intapp will perform internal and external security testing. Any vulnerabilities Intapp becomes aware of will be evaluated and resolved based on the risk to the security of the solution and the data therein.Client will inform Intapp support should they become aware of an application vulnerability. Client may, at their own cost, perform their own application testing in the non-production environment provided such testing is non-destructive and Intapp support has been informed before commencing such tests.
Network Security (12.6.1, 13.1.3)Intapp will design and maintain its solution such that any endpoints exposed to the public are secure and require adequate authentication. Intapp will perform internal and external network vulnerability scans. Any vulnerabilities Intapp becomes aware of will be evaluated and resolved based on the risk to the security of the solution and the data therein.Client will inform Intapp support should they become aware of network vulnerabilities. Client may, at their own cost, perform their own network testing in the non-production environment provided such testing is non-destructive and Intapp support has been informed before commencing such tests.
Data Encryption (10.1.1, 10.1.2, 18.1.5)Intapp will store data using the industry-standard AES-256 encryption algorithm with an Intapp managed key. Intapp will encrypt data-transfers and authentication processes using secure algorithms and ciphers. , Intapp will encrypt HTTP-based data-transfers using the TLS 1.2 (or better) protocol using a valid certificate issued by an external certification authority. Intapp provides, for DealCloud-branded solutions, an option for Client-Managed Keys; this option is available at a premium.For DealCloud-branded solutions, the Client should review their requirements and validate whether the Intapp-managed key or the Client-Managed Key solution satisfies their business needs. Note: The CMK option requires the upgrade to a single-tenant database.
Mobile Applications (9.1.2, 9.4.1, 10.1.1)Intapp provides mobile applications for some of its solutions. Such mobile applications provide several security mechanisms that can be enabled by the Client as described below this table.The Client should review the mobile application security information below this table. Based on its security requirements, the Client should enable appropriate mobile application restrictions.
Infrastructure Maintenance and Capacity Planning (12.1.2, 12.1.3)Intapp and its hosting providers will maintain the infrastructure and systems required to provide the solution to be secure and operate reliably. Intapp will monitor performance and capacity and take appropriate action to manage appropriate solution performance.Client will inform Intapp support should they become aware of any performance issues or if they expect a significant change in the utilization of the solution.
Availability (6.1.1, 12.3.1, 18.1.3)Intapp will design and maintain its solutions to be available as agreed to in the Client service level agreement specified in the contract. Intapp will monitor the availability and take appropriate action to resolve any issues detected or reported as soon as possible. Intapp will provide up to date status information on its status website https://status.my.intapp.com/Client will inform Intapp support should they become aware of the solution not being available. If the Client wants to be notified of cloud availability issues, the Client will subscribe to the notifications on the status website. The Client should review the Intapp Secure Cloud Availability Whitepaper for additional information.
Backups (12.3.1, 18.1.3)Intapp will create and securely store copies of all Customer Data at a location at least 100 miles from the production center[1]. Intapp will create multiple copies for distinct purposes, such as to provide high availability, disaster recovery, and data corruption recovery. Should a restore of a backup be required, Intapp will perform the restore operation. All data copies are stored in an encrypted format in the geographical location designed for Customer Data. All replication transfers are done using a secure, encrypted channel. Details on Intapp’s multi-tiered replication strategy are discussed in the Intapp Secure Cloud Availability Whitepaper.The Client should review the Intapp Secure Cloud Availability Whitepaper for additional information.
Maintenance Information (6.1.1, CLD.12.4.5)Intapp will provide Clients with advance notice of any non-emergency upcoming maintenance work, which might affect the availability of the solution. Such notification is published per maintenance policy on its status website https://status.my.intapp.com/If the Client wants to be notified of planned or ongoing cloud maintenance, the Client will subscribe to the notifications on the status website.
Release Information (6.1.1, 12.1.2)Intapp will provide Clients with information about solution changes in upcoming releases in the Client portal ahead of its introduction. In case of significant solution changes, Clients can review the changes in their sandbox.Client should review release information in the Client Portal. Should the Client determine that any processes need to be updated or end-user training needs to be provided for such changes, they will perform those activities in time to prepare for the planned upgrade date.
Data Ownership (8.1.1, 8.2.2, 18.1.1, 18.1.2)Intapp will maintain ownership of all its intellectual property, including but not limited to the solution itself as defined in the contract. Intapp receives the right to store and process Customer Data as defined in the contract and data processing agreements.Client will maintain ownership of all its Customer Data as defined in the contract and data processing agreements. Client will be responsible for appropriate asset tracking of Customer Data, if required by regulations, such as GDPR.
Data Location (6.1.3, 18.1.1)Intapp will store Customer Data in the geographical location specified in the contract. Intapp will not store Customer Data outside that geographical location unless explicitly approved by the Client.Client will be responsible for ensuring the legal basis to store Customer Data in the geographical location specified in the contract.
Sensitive Data Elements (18.1.1)Intapp will treat all Customer Data at its highest confidentiality categorization. However, Intapp Cloud Solutions have not been evaluated for compliance with regulations for highly sensitive data, including but not limited to health information or credit card details.The Client is responsible for reviewing requirements and protections regarding any regulated data elements and for determining if storing or processing such data in the solution is appropriate or should be prohibited.
Data Segregation (18.1.3, CLD.9.5.1)Intapp will segregate all Customer Data from the data of other Clients. For OnePlace-branded solutions, all Customer Data beyond end-user information is stored in tenant-specific databases. For DealCloud-branded solutions, Intapp provides a single-tenant database option for a fee. Intapp Cloud Solutions are segregated from Intapp internal operational systems and networks. Intapp’s hosting provider will provide segregation of infrastructure components between Intapp and other customers of hosting provider.For DealCloud-branded solutions, Clients should decide to use a multi-tenant database or upgrade, for a fee, to a single-tenant database option.
Security Awareness Training (7.2.2)Intapp will provide its staff with security awareness training, including how to handle Customer Data securely.Client will provide its end users with training such that they are aware of any Client, legal, or license requirements or restrictions regarding data categories and data handling.
Sub-processors (15.1.1, 15.1.2, 15.1.3)Intapp will require its sub-processors to follow appropriate policies and security standards such that the use of such sub-processors does not negatively impact Client commitments. Intapp will publish an up-to-date list of sub-processors on its trust website https://www.intapp.com/intapp-trust/If a Client wants to be notified of sub-processor changes, the Client will request such email notifications by emailing dpa@intapp.com.
Event Logging and Monitoring (12.4.1, 12.4.3, CLD.12.4.5)Intapp will capture logging information about the service backend as well as any data access and changes by staff members or deployment processes. Intapp has various alerting and searching capabilities for those logs to detect unusual behavior such as errors or service malfunction. Intapp also captures certain Application Data about the Client’s usage of the solution and other relevant metrics that allow Intapp to improve the solution. Intapp will provide the Client the capability to review login and logout events. Specific solutions might capture additional logging information, as described in the product documentation.n/a
Clock Synchronization (12.4.4)Intapp will maintain an accurate clock using reliable, external time sources to provide timestamps in internal logs and application logs that are accurate and can be correlated with logs of outside systems.n/a
Secure Development Process (12.1.2, 14.2.1)See the secure development process document.n/a
Incident Response (6.1.1, 16.1.1, 16.1.2, 16.1.7)Intapp will investigate any security incidents within its cloud or corporate environment it becomes aware of. Intapp has an extensive Incident Response Plan in place, which is tested annually. Intapp also has cyber insurance and arrangement with support services, such as forensic investigations, should those be needed. Intapp keeps logs of cloud solutions for at least one year to enable collecting forensic evidence to determine the length and scope of an incident. In case of an availability incident of the cloud solution, Intapp will post status updates on its status site. In case of a confirmed integrity incident of the cloud solution, Intapp will inform affected Clients and restore Client environments using backup copies or fix the corruption based on the best course of action. In case of a data breach, Intapp will inform affected Clients without undue delay but no later than 72 hours after detecting the breach.Client will inform Intapp support should they become aware of a security incident or a security concern regarding the cloud solution. Client will inform Intapp support of the email notification address to be used in case of a data breach notification or incident investigation request.
Media Disposal (11.2.7)Intapp’s hosting provider securely disposes of media or securely erases media prior to disposal or reuse by other hosting provider customers. As all data is stored encrypted, data on media is protected against loss even if stolen or inappropriately disposed of. Intapp securely disposes of media or securely erases media before disposal if such media contained confidential client information.n/a
Data Retention (CLD.8.1.5)Intapp retains all Customer Data[2] during the term of the subscription plus 90 days after the subscription is terminated. Intapp will delete all Customer Data within 7 days after the 90-day period post-termination has passed. Intapp will provide the Client with a public, documented API or an alternative, documented, a complementary process that allows the Client to retrieve all Customer Data from the cloud solution.Client will retrieve all information from the Cloud solution within the retention period if such information is still needed.
Third-Party Applicationsn/aThe Client is responsible for any connections or integrations between Intapp Cloud Solutions and 3rd party systems, unless an explicit agreement with Intapp regarding the maintenance of those connections or integrations has been entered into. The Client will be responsible for the configuration and security of those third-party applications. This includes the security and configuration of Office 365 used with OPCC/Repstor.
Third-Party ContentIntapp CRM solutions might offer an iFrame feature to Clients allowing to render external content. Intapp implements controls to limit the iFrame scope to a Client and mitigate security risk caused by iFrame.The Client is responsible to ensure the content rendered withing iFrame is not malicious and will not cause any issue or incident which impacts the confidentiality, integrity, or availability of Intapp Cloud Solutions or Customer Data.   The Client must inform Intapp as soon as becomes aware of any issue with content impacting confidentiality, integrity, or availability of Intapp Cloud Solutions.

Mobile Application Security

Intapp provides mobile applications for some of its solutions for iOS and Android based devices. Such mobile applications provide several security mechanisms described as follows:

CategoryDescription
Local Data EncryptionAny Customer Data stored on the device is encrypted using OS-level encryption. OS level encryption requires that the user must configure some device passcodes to be set. This feature is enforced by default but can be disabled by a Client administrator either in the web interface or by request to Intapp support.
Application Passcode / Lock  Application allows user to configure optional passcode, and as soon as user puts the application into background, this passcode will be required to resume application. This feature can be enforced by a Client administrator through a support request, so users will have to create a passcode. On devices with biometric authentication available, this can be used to unlock application. For the Open mobile applications, this feature is enabled by default, but can be disabled by a Client administrator through the administration settings.
Data Encryption in TransitAny communication between the device and the cloud solution is encrypted using HTTPS with verifiable, current, and secure SSL certificates; cloud endpoints are configured according to best practice using secure protocols (TLS 1.2 and above) and ciphers.
Screen Grab ProtectionWhenever the user puts the application into the background the application screen will be blurred or hidden, so when later application is revealed in multi-task switcher no sensitive information is visible.
Debugging and Jailbreak Detection (iOS devices only)By default, mobile OS runs applications in a sandbox, so the private data of one application cannot be accessed by another application. On Jailbroken devices this limitation is no longer true, and other applications can access data belonging to Intapp applications. To prevent that Intapp applications recognize when applications are running on devices where the sandbox protection is disabled and prevent user from using the app. Debugger detection is the other side of similar security feature where application recognizes when it is running with debugger attached and prevents user from using the app as well.
User Management and kill switchApplication administrator can see all users along with their device information registered (logged in) into the application. Administrators can disconnect any device and force the user to re-authenticate to the system; local data stored on the device is deleted until the user re-authenticates.

[1] 100 miles separation is not available for Clients in the Australian and Canadian regions;

[2] See https://www.intapp.com/intapp-cloud-policies/customer-data-retention-policy/ for product-specific exceptions.