Security & Architecture - Act-On Automation Software

Security and Architecture

Act-On protects your organization’s security, privacy, reputation, and intellectual property

Act-On is designed with an intuitive, user-friendly interface for marketing users of all stripes, even those with few technology skills. Behind the scenes, for information technologists, it’s a bit more complex. We know that security is important, and we go beyond industry standards to preserve and protect your privacy, your intellectual property, and your investment in marketing.

Here’s how we do it:


The Act-On solution is served from a LAMP stack fronted by a load-balanced and firewalled Internet connection. The application is served over HTTP/HTTPS on external ports 80 and 443 (re-mapped internally to protected ports). Browser-based connections flow through firewall port 80 or 443, depending on requirements. API access is through secure REST calls, with email delivery over SMTP. Currently the client is a web browser or mail reader, and all HTTP/HTTPS sessions are stateless.

Act-On’s client-side components can operate in both Citrix XenApp/XenDesktop and VMware virtual environments. Our domestic and European hosting providers are:

  • US domestic
    Atmosera and ViaWest maintain separate upstream Internet connections through three Tier 1 providers: AT&T, CenturyLink, and Level 3.
  • European
    Amazon Web Services (AWS) utilizes highly available, redundantly connected data centers within the Amazon cloud in Ireland (Dublin) and Germany (Frankfurt). Read about European compliance and technical specifications.

Data Confidentiality

Physical and logical separation

Act-On is a hosted SaaS solution with a multi-tenant environment. All customer account data is isolated and protected from access by other multi-tenant accounts. Physical access is restricted to the Act-On operations team, and the systems are housed in a secure Type II SSAE 16 [1] (formerly SAS 70) audited facility. All multi-tenant data is partitioned logically and isolated to prevent unauthorized access. Physically, electronic card locks and biometric authorization restrict in-person access to authorized personnel only, and additional key locks provide secure access to Act-On computing assets.

The site is physically staffed 24/7 and is locked and guarded 7×24, 365 days a year, with monitored electronic and biometric authorization, intrusion detection, internal alarming, and an external security service. All access is physically logged, and cameras provide additional recorded surveillance.

Backup; continuity; failover

Act-On performs an automatic daily backup, with daily snapshots retained offsite for 30 days for disaster recovery (DR).

Act-On applies automatic HA fail-over for data storage and network fabric and automatic hot-swap for disk failures. Our DR plan includes restoration from remote media to new application secured servers.


Security, application, and operating system patching is performed by the Act-On operations team on a regular schedule with monitoring and alerting systems in place for early issue detection and staff notification. All critical infrastructure is redundant and is covered under hardware and software maintenance contracts.

Site Administration, Access Control and Permissions

Act-On customers designate which of their employees will have access to the organization’s Act-On account. Those persons can sign into the system and use its capabilities without needing to have any “special privileges” (such as Domain Admin or root access) outside the Act-On application.

There are three possible user roles:

  • An administrator has master control over both sales and marketing users and The administrator can add or remove account user privileges and assign specific rights. The account administrator sets the password security policy for the entire account. Secured logins and passwords are required to access the application.
  • Marketing users have full access to both marketing features (such as creating campaigns, segmenting lists, assigning lead scores, setting up webinars) and sales features (such as prospect profiles and list segments).
  • Sales users see a different dashboard than marketing users. They do not have access to marketing assets and features other than website visitor tracking and reports of their own email campaigns. If Act-On is integrated into a CRM system, anyone with access to the CRM system can see an Act-On Hot Prospect list if there is one for their territory. All of a company’s salespeople, whether designated users or not, can receive alerts from the system.

Content Access and Control

For any one Act-On customer, only the administrator and all marketing users share full access to all creative assets and content. Certain types of content, including stationery, message templates, forms, and landing pages can be shared with channel partners if they have their own separate Act-On accounts. The content owner can add the recipient to a list and actively publish the content to that list. The recipient is passive, and cannot take action within the system to acquire content from a separate account.

Encryption & Directory Services

Act-On performs secure data transmission using strong encryption: TLS, AES-256 [2], which includes 256-bit encryption. If a directory service such as LDAP or AD is used, the credentials are protected throughout the authentication process.

Email Authentication

Act-On sends all mail with DomainKeys Identified Mail (DKIM) authentication. DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. This is an industry best practice to establish sender identity.

Third-Party Integrations, Etc.

Native integrations include Salesforce, MS Dynamics, SugarCRM, Netsuite, Infor CRM, WebEx, GoToWebinar, Google Analytics, CoreMetrics, Twitter, LinkedIn, Facebook, Zoominfo, and


In regard to compliance with Payment Card Industry (PCI) and Data Security Standards (DSS), the Act-On platform does not process credit card transactions or maintain credit card data. Third-party services provided by First Data,, and PayPal are used for payment processing. Act-On is audited monthly by TrustWave’s TrustKeeper.

[1] SSAE 16 and its predecessor, SAS 70, are widely recognized audit standards maintained by the American Institute of Certified Public Accountants (AICPA). The SSAE audit report allows a service organization to provide independent third-party verification regarding the state of internal controls that govern the services provided to its user organizations.

[2] AES (Advanced Encryption Standard) was standardized in 2001 after a five-year review, and is currently one of the most popular algorithms used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS). It is also the “gold standard” encryption technique; many security-conscious organizations actually require that their employees use AES-256 (256-bit AES) for all communications.