
Security Policy

Last reviewed March 21, 2025

We take data security and privacy very seriously. As you place your trust in us, we recognize that our security practices are important to you. For security reasons, we don’t expose too many details about our security practices, but we have provided some general information below to give you confidence in how we secure the data you entrust to us.

This Security Policy, together with our Platform Services Description, User Terms of Service, Cookie Statement, Privacy Policy, Service Level Agreement, Acceptable Use Policy, Copyright and Trademark Policy, and Browser/Mobile Support Policy, forms a legally binding agreement between you and us. Capitalised words used but not defined here have meanings provided in the User Terms of Service.

Please carefully read all our terms and policies because they affect your rights and obligations under the law. By using the Platform, you confirm that you understand and agree with this Security Policy and our applicable terms and policies. If you do not agree, you may not use the Platform.

1. Confidentiality & Personnel Practices

We train our employees to understand and act in your best interest with regard to your privacy and data protection rights. All employees are required to sign an Employee Security & Confidentiality Undertaking. Further, our employees are trained to identify and respond to data breaches. We also train our employees on best security practices, such as appropriately addressing customer data privacy requests.

2. Physical Security

We use data centres and network architectures built to meet the requirements of the most security-sensitive organizations. To ensure that your data remains secure, we utilise Amazon Web Services (AWS) for our infrastructure needs. AWS is an industry leader in cloud hosting solutions and provides a highly scalable and redundant computing platform with end-to-end security.

Some examples of AWS compliance reports and certifications are:

• Global: CSA, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, SOC 1, SOC 2, SOC 3

• United States: CJIS, DoD SRG, FedRAMP, FERPA, FFIEC, FIPS, FISMA, GxP, HIPAA, ITAR, MPAA, NIST, SEC Rule 17a-4(f), VPAT / Section 508

• Asia Pacific: FISC, IRAP, K-ISMS, MTCS Tier 3, My Number Act

• EU: C5, Cyber Essentials Plus, ENS High, G-Cloud, IT-Grundschutz, TISAX

For a full list of Amazon AWS compliance programs and certifications, please visit: https://aws.amazon.com/compliance/programs/

Physical access to the AWS data centres is strictly controlled and monitored using sophisticated physical controls, intrusion detection systems, environmental security measures, 24x7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance, and other electronic means. All physical and electronic access to the AWS data centres by Amazon employees is authorized on a strictly least privileged basis and is logged and audited routinely. Our employees do not have physical access to our infrastructure in AWS. Electronic access to AWS servers is restricted to a core set of approved staff only.

3. Data Security & Encryption (in Transit and at Rest)

Data within the Platform is stored in separate databases to prevent corruption and overlap. Our database servers are built on our internal network which cannot be accessed directly from the external internet. All data is encrypted at rest (when stored on our servers) using the latest encryption technology and key management best practices. All client data files are located on encrypted disk volumes maintained in the highly secure data centres of AWS. You can be confident knowing that your data is secure and managed with a best-practice approach to storage, backup, and retrieval.

We also have multiple layers of logic that segregate User Accounts from each other. Further, all client connections to the database are encapsulated, which means that clients cannot access other clients’ data.

The Platform uses the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. This means that all communications between your computer and our Services are encrypted using the same technology used by banks and financial institutions. While we implement new technologies as cryptographic features and weaknesses evolve, we balance this through compatibility with older systems.

4. Network Protection

All servers and databases are firewalled to permit the minimum traffic necessary to run our services. All application APIs are protected by a firewall, and all unnecessary ports are blocked by configuration.

5. Security Features

Our service features provide additional security safeguards such as:

• Hashed passwords;

• All login pages incorporate brute force protection;

• Permission-controlled features that authorize access at various levels of the application;

• Global and permission-based roles;

• User interface and backend permission checks; and

• Account and campaign monitoring for signs of abuse.

6. Disaster Recovery

All client database servers support real-time data backup with full daily backups. Backup files are encrypted and securely stored with Server-Side Encryption:

• Nightly production system database backups occur for the last 30 days;

• Recovery time for total loss, which includes both server rebuild and data, is 3 hours;

• Recovery time for full data loss is just 30 minutes;

• All backups are encrypted and inaccessible from outside the network; and

• Recovery processes are documented and procedures have been tested.

7. External Security Audits

We continually validate the effectiveness of our security program to understand the risks posed to our environment and ensure that the critical systems and data under our control do not suffer a major security breach. We contract with respected external penetration testing security firms that perform audits of the Platform to verify that we have sound security practices. They are certified professionals with extensive experience and training to test our Platform for new vulnerabilities discovered by the security research community.

8. SOC 2 Compliance

Our Platform is SOC 2 Type 2 compliant. SOC 2 compliance is a component of the American Institute of CPAs (AICPA)'s Service Organization Control reporting platform. Its goal is to make sure that systems are set up so they assure the security, availability, processing integrity, confidentiality, and privacy of customer data.

9. System Availability

We are committed to making the Platform a highly available and reliable service. Our infrastructure was engineered and tested from the ground up to be secure, fault-tolerant, and robust. For further information, please see our Service Level Agreement.

10. Incident Management & Response

We have incident management policies and procedures in the event of a security breach. We will promptly notify you in the event of a security breach or unauthorized access to your data.

11. Privacy Policy

Your privacy is important to us. Our privacy practices in the Platform comply with the EU General Data Protection Regulation and California Consumer Privacy Act. Further, our Platform is audited annually by an external auditing firm to verify our compliance with applicable data protection laws and regulations. Please check our Privacy Policy for specific details about how we safeguard your information and what you can do if you have concerns or privacy-related questions or requests.

© 2025 Communic8 Group Pty Ltd. All rights reserved