SimplyEmail

How we keep your data private and secure

We understand how important the privacy and security of your subscriber lists, credit cards and email campaigns are to you. We've put a variety of measures in place to protect them from accident or attack, and we are compliant with GDPR.

The General Data Protection Regulation (GDPR)

Established in 2016, the General Data Protection Regulation (GDPR) — a joint proposal by the European Commission, European Parliament, and the Council of the EU which provides individuals with even greater control over the collection and use of their personal data — was adopted by the European Union in 2018.

We are committed to ensuring our customers are able to comply with their requirements under the GDPR. In particular, we are:

  • documenting all data processing activities that involve the collection, treatment, and safeguarding of personal data
  • building and improving processes and features to ensure we can quickly and effectively address any requests from our customers when their subscribers wish to exercise their rights (including the Right of Access, Right to Rectification, Right to Object, Right to be Forgotten, and Right of Portability)
  • re-evaluating our sub-processors to ensure they have adequate security measures for safeguarding personal data

Operational security

Our adaptive, forward-looking measures are our promise to you.

Dedicated security team

We have a dedicated information security team, responsible for securing the application, identifying vulnerabilities and responding to security events.

Security policies

We have a suite of security guidelines with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.

We use the NIST Cyber Security Framework to measure our ability to identify, protect, detect, respond and recover from security events.

Awareness and training

All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.

We provide an ongoing program of security awareness training designed to keep all members of staff informed and vigilant of security risks. This includes regular assessment of comprehension to measure the program's effectiveness.

Physical security

We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.

Data centre controls

We only use state-of-the-art data centres and cloud providers. Our data centres are monitored 24x7 for all aspects of operational security and performance. They are also equipped with state-of-the-art physical security such as biometrics, intrusion-detection sensors, keycards, and around-the-clock interior and exterior surveillance.

In addition, access is limited to authorized data centre personnel; no one can enter the production area without prior clearance and an appropriate escort. Every data centre employee undergoes background security checks.

Data centre compliance

Our data centre provider is certified to the following compliance standards: HIPAA, PCI-DSS, SOC 1 Type 2, SOC 2 Type 2, ISO 27001 and FISMA/NIST.

Our cloud provider has the following certifications: PCI-DSS, ISO 27001, SOC 1/2/3, IRAP, ISO 27018 and ISO 9001.

Application security

Our application has been designed with a focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.

Security testing

We use a combination of regularly scheduled scans of our application, and penetration testing and bug bounty programs, to ensure that every area of our application has undergone rigorous security testing.

Our scheduled vulnerability assessment scans simulate a malicious user while preserving the integrity, security and availability of the application's data.

Security controls

We never give, rent, or sell access to your data to anyone else, nor do we make use of it ourselves for any purpose other than to provide our services. See our full privacy policy for more information.

We store each account's data under a unique identifier, which the application uses to retrieve that data. Each request is authenticated and logged.

Secure code development

We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development. We do not use production data in our test and development environments.

Data encryption

To protect data we encrypt information in transit by supporting TLS 1.0, 1.1 and 1.2. Data at rest is also encrypted using AES-256 encryption.

User access

We put considerable effort into ensuring the integrity of sessions and authentication credentials. Password storage and verification are based on a one-way hashing method, meaning passwords are stored as a strong salted hash rather than in a recoverable form. Email addresses are validated against a strong salted hash, stored along with the email.
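The credential storage pattern described above, as an added example that is not SimplyEmail's own code: each record keeps the email in clear, a salted one-way hash of the password, and a separate salted hash of the email used for validation. The KDF (PBKDF2-HMAC-SHA256), iteration count, salt length and the lower-casing of the email before hashing are assumptions; the page names none of them.

```python
import hashlib
import hmac
import os

# Assumed parameters: the page does not name its KDF or work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_secret(secret: str, salt: bytes) -> bytes:
    """One-way salted hash: the stored value cannot be turned back into the input."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_record(email: str, password: str) -> dict:
    """Build the stored record: email in clear, plus salted hashes of the
    password and of the email. A fresh random salt per field means two users
    with the same password (or email) never share a stored hash."""
    pw_salt = os.urandom(SALT_BYTES)
    email_salt = os.urandom(SALT_BYTES)
    return {
        "email": email,
        "pw_salt": pw_salt,
        "pw_hash": hash_secret(password, pw_salt),
        "email_salt": email_salt,
        "email_hash": hash_secret(email.lower(), email_salt),  # normalisation assumed
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so a wrong
    guess takes the same time regardless of how many leading bytes match."""
    return hmac.compare_digest(record["pw_hash"], hash_secret(candidate, record["pw_salt"]))


def verify_email(record: dict, candidate: str) -> bool:
    """Validate a presented email against the salted hash kept beside it."""
    return hmac.compare_digest(
        record["email_hash"], hash_secret(candidate.lower(), record["email_salt"])
    )


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    rec = create_record("alice@example.com", "correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))                # False
    print(verify_email(rec, "Alice@Example.com"))                # True
```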

The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser.

We use cookies for user authentication. We use session IDs to identify user connections. Those session IDs are carried in cookies flagged Secure (sent only over HTTPS) and HttpOnly (not readable by JavaScript).
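An added example, not SimplyEmail's code, of what the session cookie described above looks like on the wire and of a check that flags any response cookie lacking those attributes. The cookie name `session_id`, the `Path=/` and the `SameSite=Lax` attribute are assumptions; the page only states Secure and HttpOnly behaviour.

```python
from http.cookies import SimpleCookie

# Attributes the page's description requires on the session cookie.
REQUIRED_FLAGS = ("secure", "httponly")


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps
    it out of document.cookie. SameSite=Lax is an assumed extra hardening step."""
    cookie = SimpleCookie()
    cookie["session_id"] = session_id  # assumed cookie name
    cookie["session_id"]["secure"] = True
    cookie["session_id"]["httponly"] = True
    cookie["session_id"]["samesite"] = "Lax"
    cookie["session_id"]["path"] = "/"
    return cookie["session_id"].OutputString()


def missing_flags(set_cookie: str) -> list:
    """Return which required attributes a Set-Cookie value lacks. Running this
    over captured response headers catches a deployment that silently dropped
    Secure or HttpOnly."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


if __name__ == "__main__":
    hardened = session_cookie_header("c0ffee")  # constructed session id
    print(hardened)
    print(missing_flags(hardened))                           # []
    print(missing_flags("session_id=c0ffee; Path=/"))        # ['secure', 'httponly']
```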

All key actions on the application are logged and audited. For instance, whenever our staff access an account for maintenance or support, that access is logged so we can refer to it later.