Audience Manager takes data security and privacy very seriously. We work to keep our systems secure and protect your valuable data.
Audience Manager security practices include external and internal audits, activity logging, training, and other procedures designed to help protect our systems and your valuable data. We believe a secure product helps build and maintain the trust customers place in us.
In Audience Manager, we think about security in three main categories:
Provides Support For
- Enterprise-level authentication, encryption, and data storage practices
- Deep and actionable insight into on-site activities that constitute or contribute to data leakage
- Clients, by working with industry best practices for privacy and data security
Systems, Training, and Access
Processes that help keep our system and your data secure.
External Security Validation: Audience Manager tests security on an annual and quarterly basis.
- Yearly: Once a year, Audience Manager undergoes a full penetration test conducted by an independent third-party company. The test is designed to identify security vulnerabilities in the application. The tests include scanning for cross-site scripting, SQL injections, form parameter manipulation, and other application-level vulnerabilities.
- Quarterly: Once each quarter, internal teams check for security vulnerabilities. These tests include network scans for open ports and service vulnerabilities.
- Blocks requests from unauthorized IP addresses.
- Protects data behind firewalls, VPNs, and with Virtual Private Cloud storage.
- Tracks changes in the customer and control-information databases with trigger-based audit logging. These logs track all changes at the database level, including the user ID and IP address from which changes are made.
Secure Access: Audience Manager requires strong passwords to log on to the system. See password requirements.
Privacy and Personally Identifiable Information (PII)
Processes that help protect data owned by individual clients.
Inbound Server-to-Server (S2S) Transfers
Adobe Audience Manager supports two main methods of transferring S2S on-boarded data files to our systems:
Both methods are designed with the security of our customer and partner data in mind while data is in flight between their systems and our system.
To add PGP encryption to your data files, see File PGP Encryption for Inbound Data Types.
Protecting Data by Escaping
Note that Audience Manager does not escape outgoing data to secure it against cross-site scripting (XSS) and similar attacks. It is the responsibility of the client to escape incoming data.
HTTP Strict-Transport-Security (HSTS) is an industry-wide web security mechanism which helps protect against cookie hijacking and protocol downgrade attacks.
The policy instructs the web browser that once a secure HTTPS call has been made to a given domain, no subsequent unsecured (HTTP) calls should be allowed to that domain. This protects against man-in-the-middle attacks, where an attacker might try to downgrade HTTPS calls to unsecured HTTP calls.
This policy improves data security between clients and Adobe Edge servers.
Let's say the yourcompany.demdex.com domain sends traffic to the DCS via HTTP. HSTS upgrades the calls to use HTTPS instead, and all subsequent DCS calls coming from yourcompany.demdex.com will use HTTPS instead of HTTP.
See HTTP Strict Transport Security - Wikipedia for more information about HSTS.
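The browser-side behavior described above can be modeled in a few lines. This is an added example, not Adobe's code or part of the original page: the `HstsStore` class, its method names, the sample URLs, and the `max-age` values are assumptions made for illustration. It shows that a policy is only learned from an HTTPS response, that later HTTP calls to the same host are upgraded, and that the policy expires after `max-age` seconds.

```javascript
// Simplified model of a browser's HSTS store (behaviour per RFC 6797).
// Hypothetical class; URLs, timestamps and max-age values are constructed.
class HstsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> { expires (ms), includeSubDomains }
  }

  // Record a policy from a Strict-Transport-Security response header.
  // Headers received over plain HTTP are ignored: an on-path attacker
  // could forge or strip them, so only HTTPS responses are trusted.
  noteResponse(url, headerValue, now) {
    const { protocol, hostname } = new URL(url);
    if (protocol !== "https:" || !headerValue) return false;
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [name, value = ""] = part.trim().split("=");
      if (name.toLowerCase() === "max-age") {
        const digits = value.replace(/^"|"$/g, "");
        if (/^\d+$/.test(digits)) maxAge = Number(digits);
      } else if (name.toLowerCase() === "includesubdomains") {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return false; // max-age is mandatory
    if (maxAge === 0) { this.hosts.delete(hostname); return true; } // policy removal
    this.hosts.set(hostname, { expires: now + maxAge * 1000, includeSubDomains });
    return true;
  }

  // Return the URL the browser would actually request at time `now`.
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol !== "http:") return u.href;
    const labels = u.hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const policy = this.hosts.get(labels.slice(i).join("."));
      if (!policy || policy.expires <= now) continue; // unknown or expired
      // Exact host always matches; parent domains only with includeSubDomains.
      if (i === 0 || policy.includeSubDomains) {
        u.protocol = "https:";
        return u.href;
      }
    }
    return u.href;
  }
}
```

The very first HTTP call, made before any HTTPS response has been seen, is not upgraded in this model, which is why the policy only protects subsequent calls.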