Security & Competitive
From SE cert sessions
IT + SE reference
Security Posture & Certifications
Attentive's trust program at a glance: what IT needs to hear.
Attentive's trust center is at security.attentive.com (SafeBase). All reports, policies, and certifications are available on NDA request.
Security Program Domains
| Domain | Controls | Key Detail |
|---|---|---|
| Data Security | Encryption at rest + in transit, access monitoring, data erasure | AES-256 at rest; TLS in transit; A grade on Qualys SSL Labs |
| Application Security | Annual pen test, SDLC, responsible disclosure | 2023 pen test by Mandiant (Google), June 26 to July 14 |
| Access Control | MFA, SSO, RBAC (limited), full logging | SAML 2.0 SSO supported; MFA enforced platform-wide |
| Network Security | Firewall, SIEM, Cloudflare CDN/DDoS | Cloudflare listed as official subprocessor |
| Endpoint Security | Disk encryption, EDR, MDM | Full-disk encryption on all corporate endpoints |
| Infrastructure | BC/DR policy, separate prod environment | AWS US-East (N. Virginia); UK/EU transfers covered by GDPR Article 46 appropriate safeguards, not by region location |
Key Facts to Memorize
1. Data is stored in AWS US-East (N. Virginia); transfers of UK data rely on GDPR Article 46 appropriate safeguards.
2. SOC 2 Type 2: annual audit. The current report covers Nov 1, 2024 to Oct 31, 2025.
3. Pen test: Mandiant (now Google) conducted it June 26 to July 14, 2023.
4. SSL grade: A on Qualys SSL Labs and on the Security Headers benchmark (ui.attentivemobile.com).
5. RBAC is limited today: permission levels are currently uniform, so every platform user has the same level of access. Expansion is in progress.
6. SAML 2.0 SSO is supported. Set it up in the IdP to provision access.
7. Login attempts are captured as sensitive audit data and are not exposed to clients directly.
8. The Privacy/Deletion API payload returns: code, request ID, status, type, email, phone, audit message, and timestamps.
Infrastructure, Storage & Subprocessors
The cloud and data stack powering Attentive.
Data is stored in AWS US-East (N. Virginia). Complies with UK data storage requirements via appropriate safeguards under GDPR Article 46. See aws.amazon.com/compliance/gdpr-center.
Cloud & Data Stack
| Provider | Role | Provider's Own Certifications |
|---|---|---|
| AWS (Primary) | Core hosting, US-East | SOC 2 T2, ISO 27001, PCI DSS, NIST 800-53 |
| Google Cloud | Secondary hosting | SOC 2 T2, ISO 27001, PCI DSS |
| Cloudflare | CDN, DDoS, edge security | SOC 2, ISO 27001 |
| Datadog | Logging & monitoring (SIEM) | SOC 2 T2 |
| OpenAI / Google AI / ElevenLabs | AI / LLM features | DPA-bound subprocessors |
Data Technology Stack
| Event Streaming | Query Engines | Databases / Search |
|---|---|---|
| Apache Kafka, Apache Pulsar | Trino, Apache Druid | PostgreSQL, MySQL, OpenSearch |
Compliance, Privacy & Legal
Frameworks, certifications, and answers you need cold.
Attentive acts as data processor / service provider on behalf of the client (controller). Attentive does NOT disclose consumer data to third parties except DPA-bound subprocessors or as required by law. attentive.com/legal/msa-dpa
Frameworks & Certifications
| Framework | Status | What It Means |
|---|---|---|
| SOC 2 Type 2 | ✓ Active | Annual audit. The Nov 2024 to Oct 2025 report is at security.attentive.com on NDA. |
| GDPR | ✓ DPF Certified | EU-U.S. Data Privacy Framework as the transfer mechanism. DPA at attentive.com/legal/msa-dpa. EU Rep: EDPO, Brussels. SCCs as fallback. |
| CCPA / CPRA | ✓ Compliant | Deletion, access, and opt-out rights. Integrates with Mine PrivacyOps. |
| UK GDPR | ✓ Compliant | UK Extension to the DPF. AWS US-East qualifies via GDPR Article 46 safeguards. |
| TCPA | US law | Sign-up units adhere to TCPA. The UK does NOT require a "Y" double opt-in, but it is best practice. |
Q&A Bank
Sign-up units adhere to TCPA (US law). The UK does not require a double opt-in ("Y" response) for SMS Text-to-Join; however, it is good practice. Attentive uses the required carrier language in confirmation messages; any deviation requires review by Attentive's Compliance team.
Study Note
UK clients can decide whether to include 'Text STOP to cancel' in every message. If they elect to add it, CSMs or clients must manually add it to each message.
API, Integration Architecture & Data Flows
Every integration surface and how data moves.
OAuth 2.0 for all APIs. Each integration requires a custom app created in the App Marketplace to generate a scoped access token. SAML 2.0 SSO is supported for platform login. Legacy APIs require separate tokens; contact legacyapi@attentivemobile.com.
API Overview
| API | Type | Use Case |
|---|---|---|
| eCommerce API | GraphQL (required) | Product views, add-to-cart, purchase events. Triggers abandoned cart, browse abandonment journeys. |
| Custom Events API | REST | Any custom event (loyalty tier change, in-store visit, wishlist add). |
| Custom Attributes API | REST | Unlimited custom subscriber attributes. Cannot store CCPA-sensitive data. |
| Subscribers API | REST / GraphQL | Programmatic opt-in/opt-out. Requires phone or email as identifier. |
| Product Catalog API | REST | Sync full catalog. Powers back-in-stock, price drop, low inventory journeys. |
| Privacy Request API | REST | CCPA/GDPR deletion & access request automation. |
3 Data Ingestion Paths
| Method | Direction | Speed | Best For |
|---|---|---|---|
| REST / GraphQL API | Bidirectional | Real-time | Behavioral events, loyalty updates, transactional triggers |
| Webhooks | Attentive → your system | Real-time push | Opt-in/opt-out syncs to CRM/CDP, click events, attribute changes |
| SFTP File Feed | Bidirectional batch | Scheduled | Historical loads, high-volume segment files, recurring data exchange |
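The webhook row above is the one path where Attentive pushes events into your system, so the receiving endpoint is the surface IT will ask about. The receiver below is an added example (not Attentive's code, and not its documented webhook format) of how a practitioner would harden that endpoint: authenticate the raw body with an HMAC over a timestamp and the body before parsing it, reject stale deliveries, deduplicate on an event id because push integrations redeliver on timeout, and keep full phone numbers out of application logs. The header names, the signature scheme, the event field names (`id`, `type`, `subscriber.phone`) and the `subscriber.optin`/`subscriber.optout` type values are all assumptions for illustration; confirm the real scheme in Attentive's webhook documentation before relying on any of it.

```python
"""Hardened webhook receiver for the Attentive -> your-system push path.

Added example, not Attentive's own code. Header names, signature scheme and
event field names are ASSUMED for illustration; confirm them in the docs.
"""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header carrying hex HMAC-SHA256
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header carrying unix seconds
MAX_SKEW_SECONDS = 300                    # deliveries older than this are replays

# Assumed event type -> consent state written into the CRM
CONSENT_BY_TYPE = {
    "subscriber.optin": "subscribed",
    "subscriber.optout": "unsubscribed",
}


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded (assumed scheme).

    Binding the timestamp into the MAC means an old valid signature cannot be
    reused with a fresh timestamp to slip past the skew check.
    """
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: float) -> bool:
    """Freshness window plus constant-time comparison of the signature."""
    ts = headers.get(TIMESTAMP_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, ts, body), sig)


def redact_phone(phone: str) -> str:
    """Mask all but the last two digits so logs never hold a full number."""
    return "*" * max(len(phone) - 2, 0) + phone[-2:]


def build_request(secret: bytes, event: dict, now: float) -> Tuple[dict, bytes]:
    """Produce headers and raw body the way the sender would (used for testing)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    ts = str(int(now))
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: sign(secret, ts, body)}, body


class WebhookProcessor:
    """Verifies, deduplicates and applies opt-in/opt-out events to a CRM store."""

    def __init__(self, secret: bytes, crm: dict):
        self.secret = secret
        self.crm = crm           # phone -> consent state; stand-in for your CRM/CDP
        self.seen_ids = set()    # idempotency: push integrations redeliver on timeout
        self.log = []            # what an application log would receive

    def handle(self, headers: dict, body: bytes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Authenticate the raw bytes first; never json.loads() an unverified body.
        if not verify(self.secret, headers, body, now):
            return "rejected"
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(event_id)
        state = CONSENT_BY_TYPE.get(event["type"])
        if state is None:
            return "ignored"     # unknown type: acknowledge, do not guess
        phone = event["subscriber"]["phone"]
        self.crm[phone] = state
        self.log.append(f"{event_id} {event['type']} {redact_phone(phone)}")
        return "processed"


if __name__ == "__main__":
    # Constructed demo: one opt-in delivered twice, then a tampered copy.
    secret = b"constructed-shared-secret"
    crm: dict = {}
    proc = WebhookProcessor(secret, crm)
    event = {"id": "evt_0001", "type": "subscriber.optin",
             "subscriber": {"phone": "+15555550123"}}
    headers, body = build_request(secret, event, now=1_700_000_000)
    print(proc.handle(headers, body, now=1_700_000_000))  # processed
    print(proc.handle(headers, body, now=1_700_000_000))  # duplicate
    print(proc.handle(headers, body.replace(b"optin", b"optout"),
                      now=1_700_000_000))                 # rejected
    print(crm, proc.log)
```

The order of checks is deliberate: the signature is verified over the raw bytes before any JSON parsing, so a malformed or hostile body from an unauthenticated sender never reaches the parser, and the duplicate check runs only after authentication so an attacker cannot poison the seen-id set. If the real webhooks carry no signature, keep the same structure and substitute whatever authentication the documentation specifies (for example a shared secret header), and treat the event as untrusted until that check passes.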
Salesforce Ecosystem: 3 Integrations
| Integration | What It Does |
|---|---|
| SFCC | Syncs product catalog, historical orders, behavioral events. Supports 19.10, 21.2, 22.7, 22.10. One Attentive account per storefront. |
| SFMC (Journey Builder) | AppExchange integration. Compose SMS inside SFMC journeys. Coexists with SFMC email. Max 300K contacts/batch. |
| Salesforce Service Cloud | 3 components: post subscriber data to CRM, sync CRM data to Attentive in real-time, text support in Service Console. |
Tag, Sign-Up Units & Identity
Real SE Cert questions: installation, capture, recognition.
Q&A Bank
Via the Attentive JavaScript tag. The tag loads any active sign-up units assigned to specific URLs. Google Tag Manager can also be used to install the tag.
Study Note
Always offer to show the documentation page. Mention GTM as a key alternative. Show it loading asynchronously.
Journeys, Segmentation & Platform
Real SE Cert questions: orchestration, branching, attribution.
Q&A Bank
Yes. Create a Dynamic Segment based on Subscriber Activity (Added to Cart) with a filter on price or product attributes. Reference that segment in an Abandon Cart journey Branch node. Send incentive to one branch, no incentive to the other.
Study Note
Know specifically: Abandoned Cart can branch by product attributes. Create a segment with Added to Cart + price filter, then use that segment as the branch condition.
SFCC, Email, Compliance & Competitive
Real SE Cert questions: commerce, email migration, positioning.
Q&A Bank
Yes: the SFCC app brings product catalog data into Attentive. Before setup, ask: (1) Which SFCC version? Supported: 19.10, 21.2, 22.7, 22.10. (2) Separate storefronts per domain? Only one Attentive account per storefront.
Study Note
Always qualify SFCC version AND storefront structure. Multi-domain single-storefront = special config needed.
IT Stakeholder Q&A Bank
Verbatim answers for security and infrastructure conversations with IT.
Use these answers verbatim when IT or security teams ask. All are sourced from official Attentive certification sessions.
Q&A Bank
Attentive stores data in the AWS US-East region, specifically N. Virginia (this is a region, not an availability zone). It complies with UK/GDPR data storage requirements through appropriate safeguards under Article 46. For US retailers, all subscriber data stays in US-based AWS regions.