Creating data security for event registration and payments
Pillars of our security framework
Risk & Compliance
Application & Product Security
Cloud & Data Protection
Our Security Culture
Cvent employs expert professionals within its Information Security team to run a robust Information Security and Privacy Program geared towards the protection of our customers' data and the availability of our services. Cvent's Risk & Compliance team regularly engages third-party assessors to examine our security policies, procedures, technologies, and controls and to validate that the Program is designed and operating effectively. Cvent is compliant with several internationally recognized industry security standards and data privacy regulations, including the following:
- SOC 1 Type II
- SOC 2 Type II
- ISO 27001:2013
- ISO 27701:2019
- Payment Card Industry Data Security Standard (PCI DSS)
- Cloud Security Alliance (CSA)
- E.U. General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
Cvent employs Application Security personnel who are responsible for ensuring that security is an integral part of how our products are designed and built. Our teams work collaboratively to ensure that a properly implemented Software Development Life Cycle (SDLC) is in place for all Cvent applications. In addition, Cvent engages independent, industry-certified third-party penetration testing firms to obtain an outside view of our products' security posture. Cvent also aligns its vulnerability management process with industry-standard benchmarks to provide a consistent, standardized view of product security.
Our multi-layered software security strategy is consistent with that of many of the world’s most successful cloud providers. Key activities of our software security program include:
- Secure Code Training: Our software engineers are trained on how to identify the latest threats and use secure coding techniques to build resilient solutions.
- Secure Design Reviews & Threat Modeling: Our software designs undergo rigorous security reviews to identify potential threats, assess their impact, and establish countermeasures to address them. In addition, Cvent uses the OWASP Top Ten as the baseline for its application security reviews.
- Automated Security Testing: Our software undergoes several types of security testing at various stages of software development before it’s released to customers.
- Penetration Testing: We perform Red Team exercises to simulate attacks against our solutions and identify potential points of weakness or vulnerability.
- Vulnerability Disclosure Program: We maintain a program to incentivize responsible reporting of bugs in Cvent platforms and applications by the security research community.
Cvent implements a wide variety of security strategies to ensure we are properly safeguarding our customers' data, including but not limited to the following:
- Strong Perimeter & System Defense: Cvent employs and engineers advanced systems and processes to detect and prevent damage from security threats to systems and data.
- Identity & Access Management: Cvent maintains strict control over who can access our computing resources. Examples of how this is implemented include role-based access controls, enforcement of strong passwords, and multi-factor authentication for any access into our environments.
- Military-Grade Data Protection: All customer data is protected in transit and at rest using cryptographic modules validated under FIPS 140-2, the U.S. government standard for cryptographic modules.
- Vulnerability Assessment & Security Patch Management: Cvent's security teams perform regular automated security scans across our infrastructure to identify potential vulnerabilities or security gaps, and triage and remediate any threats to our organization accordingly.
- Resilient Systems & Disaster Recovery Sites: Cvent maintains highly available fault-tolerant systems along with industry-standard tools and processes to recover systems and data to geographically distinct disaster recovery centers. Cvent has also implemented a comprehensive Business Continuity and IT Disaster Recovery Management Program designed to identify and assess threats and hazards, understand their impacts to Cvent’s operations, and develop a framework for planning and responding to unavoidable disruptions. Our framework focuses on three core elements:
  - People: We have developed a unified command and control mechanism for event identification, evaluation, escalation, declaration, response, and deactivation.
  - Processes: We have developed recovery strategies and plans for the critical business functions required to sustain an acceptable level of operation during a significant business disruption.
  - Technology: We have identified resiliency strategies for the essential information technology infrastructure, hardware and software.
- Data Deletion: Cvent follows industry-standard compliance requirements for the deletion of data. Cvent ensures that data is used only for customer-defined specific purposes and is deleted once the agreement between Cvent and customer has been fulfilled.
- Incident Response & Monitoring: Cvent maintains an in-house Security Threat Analysis team, which works closely with our industry recognized third-party Security Operations Center (SOC) to provide around-the-clock threat intelligence and security event monitoring, incident response and recovery capabilities.
Cvent's information security teams understand that network security is one of the vital factors in securing customers' data. Cvent's Network Security team works closely with Cvent's Information Security teams to ensure that we are properly safeguarding customer data and implementing proper security measures throughout our organization. Cvent's teams work with advanced network security tools and maintain standard infrastructure, such as firewalls, intrusion prevention and detection systems (IPS/IDS), SIEM platforms and more, to protect the network from unauthorized activity.
Cvent works extremely hard to build and maintain a culture of security within our organization by ensuring all our employees receive awareness and role-based training. Our security education activities include:
- In-person security awareness training during onboarding
- Annual computer-based security awareness training
- Quarterly email phishing assessments
- Annual crisis management and emergency response exercises
- Annual IT disaster recovery and continuity plan testing, training, and exercises
Updated: May 23, 2022
Cvent utilizes F5 systems within its environment and is aware of the recently announced CVE-2022-1388 BIG-IP iControl REST vulnerability. As stated in F5's advisory for the CVE, the vulnerability has no data plane exposure and affects only the control plane. Cvent's configuration of the F5 systems in place does not expose the control plane to the internet. In addition, as of 05/20/22 Cvent has patched all affected systems to version 13.1.5, a fixed release recommended by F5, which remediates this vulnerability.
For details on the vulnerability released, please click here.
Updated: April 1, 2022
Cvent has been investigating recent reports of CVE-2022-22965, the zero-day Remote Code Execution (RCE) vulnerability in the Spring Framework, and can confirm that we have successfully mitigated the risk associated with this issue. A limited number of Cvent applications run the Spring Framework, and product engineering teams have been mobilized to remediate the issue. We expect that all relevant product components will be updated to Spring Framework version 5.3.18 or 5.2.20 by April 16, 2022.
Most importantly, Cvent has implemented safeguards across our platforms that detect and block potential exploitation attempts targeting this weakness. These safeguards, along with other defense-in-depth security capabilities, effectively mitigate the risk associated with this issue and protect Cvent systems and customer data.
For details on the vulnerability released, please click here.
Updated: February 7, 2022
This update constitutes Cvent's final customer notification regarding our security posture related to the Apache log4j vulnerabilities discovered in December of 2021:
As of early January 2022, Cvent has updated all critical customer systems to log4j version 2.17 or 2.17.1. Where systems have been updated to log4j version 2.17, Cvent has maintained multi-layered compensating controls to substantially mitigate the risk of exploitation of CVE-2021-44832 (the inherently lower-risk vulnerability that remains in log4j version 2.17).
Even though the risk of exploitation is mitigated across the board, Cvent still aims to update the remaining 2.17 versions of log4j to 2.17.1 via our normal security patching cadence. Per our internal service level objectives, this means that the remaining systems will be updated by the end of March 2022.
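Both the Spring Framework update (fixed releases 5.3.18 and 5.2.20) and the log4j update (2.17.1, with 2.17 accepted in the interim under compensating controls) share one practical difficulty: the fixed version is branch-specific, so a naive "version >= 5.2.20" comparison wrongly passes 5.3.17, and a version string such as "2.17" has to be read as 2.17.0. The following is an added example, not Cvent's own tooling, of an inventory triage that applies per-branch fixed versions; the service names and version inventory are constructed for illustration, and the Maven coordinates for Spring and log4j are the real artifact names.

```python
"""Triage a dependency inventory against branch-specific fixed versions.

Added example: the policy encodes the fixed releases named in the advisories
above (Spring Framework 5.3.18 / 5.2.20 for CVE-2022-22965; log4j 2.17.1 for
CVE-2021-44832, with 2.17.0 accepted only as an interim state). The sample
inventory below is constructed, not a real deployment.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    fixed: tuple                    # first patched version on this branch
    interim: Optional[tuple] = None  # accepted only with compensating controls
    note: str = ""


def parse_version(text: str) -> tuple:
    """'5.2.20.RELEASE' -> (5, 2, 20); '2.17' -> (2, 17, 0). Qualifiers are dropped."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# artifact -> list of (branch prefix, rule). A prefix is matched against the
# leading components of the version; the longest matching prefix wins.
POLICY = {
    "org.springframework:spring-core": [
        ((5, 3), Rule(fixed=(5, 3, 18))),
        ((5, 2), Rule(fixed=(5, 2, 20))),
    ],
    "org.apache.logging.log4j:log4j-core": [
        ((2,), Rule(fixed=(2, 17, 1), interim=(2, 17, 0),
                    note="CVE-2021-44832 outstanding; compensating controls required")),
    ],
}


def classify(artifact: str, version_text: str):
    """Return (status, detail) for one artifact version."""
    version = parse_version(version_text)
    rules = POLICY.get(artifact)
    if rules is None:
        return "not-in-scope", ""
    matches = [(p, r) for p, r in rules if version[:len(p)] == p]
    if not matches:
        # e.g. Spring 5.1.x: no fixed release on that branch, must move branches
        return "unsupported-branch", "no fixed release on this branch; upgrade to a maintained branch"
    _, rule = max(matches, key=lambda m: len(m[0]))
    if version >= rule.fixed:
        return "patched", ""
    if rule.interim is not None and version == rule.interim:
        return "interim", rule.note
    return "vulnerable", "upgrade to " + ".".join(map(str, rule.fixed))


def triage(inventory):
    """inventory: iterable of (service, artifact, version) -> rows with status and detail."""
    return [(svc, art, ver, *classify(art, ver)) for svc, art, ver in inventory]


# Constructed sample inventory (hypothetical service names).
SAMPLE_INVENTORY = [
    ("registration-api", "org.springframework:spring-core", "5.3.17"),
    ("payments-gateway", "org.springframework:spring-core", "5.3.18"),
    ("reporting", "org.springframework:spring-core", "5.2.20.RELEASE"),
    ("legacy-batch", "org.springframework:spring-core", "5.1.20.RELEASE"),
    ("email-worker", "org.apache.logging.log4j:log4j-core", "2.17"),
    ("search-indexer", "org.apache.logging.log4j:log4j-core", "2.17.1"),
    ("attendee-hub", "org.apache.logging.log4j:log4j-core", "2.16.0"),
]


if __name__ == "__main__":
    for svc, art, ver, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{svc:18} {art.split(':')[1]:12} {ver:16} {status:18} {detail}")
```

Run stand-alone it prints one row per service; "registration-api" on 5.3.17 comes out as vulnerable even though 5.3.17 is numerically above 5.2.20, which is the case a single global threshold would miss, and "email-worker" on 2.17 is reported as interim rather than patched so it stays on the list for the follow-up upgrade to 2.17.1.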