At 6sense, we are committed to the security and privacy of your data. The 6sense SaaS platform has many security and privacy features that can be used by 6sense Customer Administrators to harden your 6sense Org. Here, we’ve highlighted a few hardening best practices from 6sense’s own Security team.
6sense Platform basic security and privacy best practices
Access control
- Recommendation 1: Configure Single Sign-On (SSO). Activating the SAML integration on the 6sense platform forces all users for your organization to use SAML SSO. They will not be able to use password-based logins after setting up SAML SSO. 
- Recommendation 2: For customers using non-SSO, define an internal password standard that incorporates the 6sense Platform Password Requirements at a minimum, and ensure your employees are trained in password creation and handling best practices.
  - Recommendation 2a: For customers using non-SSO, users should monitor their email for login notifications. 6sense sends users a notification when a login to their ABM account occurs from a new location, so users see the alert even when they are not actively using the ABM platform. The user should formally approve this new location, via the link provided in the email, for 6sense to add it to the safe-list of locations for that user.
- For your awareness: Two-Factor Authentication (2FA) is automatically enforced for basic authentication methods that use a username and password (non-SSO).
  - Encourage users to become familiar with receiving and entering One-Time Passwords (OTP) as part of their login process.
  - OTP details:
    - Each OTP is sent to the email address associated with the user's account and remains valid for 10 minutes.
    - Users can request a new OTP up to five times.
    - After five incorrect OTP entries, the account will be locked for 30 minutes.
    - For urgent access, the primary admin of your 6sense Org can generate an OTP for that user to log in.
- Recommendation 3: Manage your users by assigning roles following the principle of least privilege (RBAC) and limiting the number of administrators. Once access is provisioned, periodically review and update user access to ensure appropriate assignment based on employment status and business need. 
- Recommendation 4: Familiarize yourself with the feature that enables you to provide Just-in-Time (JIT) access to 6sense employees, as and when needed, to your 6sense Organization for troubleshooting or maintenance. For details, please refer to the 6sense Team Access section in our article on User Management (RBAC). 
System notifications
- Recommendation 5: Set system notifications for:
  - Expiring credentials, if not using SSO.
  - Daily API limits of your integration being reached.
  - Web visit data issues.
- Manage recipients for system notifications: If there are people, besides the primary administrator (default), who should automatically receive all notification emails for your 6sense Org, add them to the list of recipients.
- 6sense system notifications are sent from system-alert@6sense.com. Add this email address to your company’s approved list of email senders (sometimes called the safe list or allow list).
- Monitor your weekly privacy notifications to comply with privacy opt-out requests.
API tokens
- Recommendation 6: Follow API best practices:
  - Give your API token an appropriate name to help you track where it is being used. This can be the same as the integration for which the token is used.
  - Do not assign the same API token to more than one integration, unless necessary.
  - Rotate your API tokens every 90 days (create a new token, apply it, then deactivate the old token).
  - Migrate any “default_existing_token”.
  - Deactivate tokens that are not in use and delete tokens that you don’t plan to use anymore. Before deleting a token, save a copy of its historical match rates and usage graph if you still need them.
  - The API token settings (Score and Segments Settings) are secure by default (they do not return detailed information); adjust these settings only as required to fetch the information that is necessary for your use cases.
  - For the Enrichment APIs described in our API docs, ensure that the API token is never exposed on any public domain. These APIs are designed for server-to-server communication.
- Recommendation 7: Create a domain allowlist for the Company Identification (CI) API. An allowlist of domains restricts the use of the CI API token(s) to those domains only. For more details, see How to Create an API Token.
WebTag
- Recommendation 8: Review the domains covered by your webtags at minimum annually and remove any domains that are no longer valid. 
Connecting 6sense with external platforms (CRM and MAP)
- Recommendation 9: Implement OAuth 2.0 where available. Learn more about Connecting Salesforce Using OAuth.
  - Regularly refresh OAuth 2.0 tokens to maintain secure and uninterrupted access between integrated systems.
  - Ensure that token expiration and refresh intervals are configured according to your organization’s security policies.
  - Periodically review and reauthorize connected applications to confirm that access scopes remain appropriate and that no unused or outdated tokens persist.
  - When integrating 6sense with another system, adhere to the security and configuration guidelines for both platforms (such as 6sense hardening and Salesforce hardening).
 
Monitoring your 6sense organization
- Audit logs for your organization are available directly within the 6sense platform and can be downloaded in CSV format for offline analysis. Learn more about 6sense audit logs.
- Recommendation 10: Use these logs to regularly monitor user activity and system events within your organization.
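As an added example (not from 6sense's article or product), the script below shows how a reviewer might automate the periodic checks behind Recommendations 3, 4 and 6 over a downloaded audit-log CSV: active API tokens older than 90 days, a still-active “default_existing_token”, new administrator grants, and JIT team-access grants. The column names, event names and sample rows are assumptions constructed for this example, since the page does not describe the export schema.

```python
import csv
import io
from datetime import datetime

ROTATION_DAYS = 90  # rotation interval from Recommendation 6

# Constructed sample of an exported audit log. Column and event names are
# assumptions for this example, not 6sense's actual CSV schema.
AUDIT_CSV = """timestamp,actor,event,target,detail
2024-01-10T09:00:00Z,alice@example.com,api_token.created,default_existing_token,
2024-03-01T10:15:00Z,alice@example.com,api_token.created,salesforce-sync,
2024-03-01T10:20:00Z,alice@example.com,api_token.deactivated,default_existing_token,
2024-06-15T08:00:00Z,alice@example.com,api_token.created,ci-website,
2024-06-30T14:00:00Z,bob@example.com,user.role_changed,carol@example.com,Administrator
2024-07-05T11:30:00Z,alice@example.com,team_access.granted,6sense Support,72h
"""


def parse_audit_csv(text):
    """Parse the export and sort it chronologically so token state replays correctly."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["timestamp"])


def review_audit_log(text, as_of):
    """Return findings keyed by the recommendation they support; as_of is YYYY-MM-DD."""
    as_of = datetime.strptime(as_of, "%Y-%m-%d")
    active = {}  # token name -> creation time, for tokens not yet deactivated
    findings = {"rotation_overdue": [], "legacy_token_active": [],
                "admin_grants": [], "jit_access": []}
    for e in parse_audit_csv(text):
        if e["event"] == "api_token.created":
            active[e["target"]] = e["timestamp"]
        elif e["event"] == "api_token.deactivated":
            active.pop(e["target"], None)
        elif e["event"] == "user.role_changed" and e["detail"] == "Administrator":
            # Recommendation 3: each new administrator needs a business justification.
            findings["admin_grants"].append((e["target"], e["actor"]))
        elif e["event"] == "team_access.granted":
            # Recommendation 4: JIT access for 6sense staff is time-bound; confirm it lapsed.
            findings["jit_access"].append((e["target"], e["detail"]))
    for name, created in active.items():
        if (as_of - created).days > ROTATION_DAYS:  # Recommendation 6: rotate every 90 days
            findings["rotation_overdue"].append(name)
        if name == "default_existing_token":  # Recommendation 6: migrate the legacy token
            findings["legacy_token_active"].append(name)
    return findings
```

Running `review_audit_log(AUDIT_CSV, "2024-08-01")` on the sample flags only `salesforce-sync` for rotation, since the legacy token was deactivated and `ci-website` is 46 days old.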
 
Conclusion
With SaaS, security is always a shared responsibility. While 6sense builds with security and privacy by design, it is also up to you to implement security controls and best practices to further strengthen the security of your 6sense org. If you ever have a security concern, report it to 6sense immediately at security@6sense.com. To learn more about 6sense’s security and privacy practices, visit our trust site.