At LeadSquared, we understand that securing and protecting your data is the most important responsibility we have. We have instituted organization-wide processes across all our business functions to ensure that we fulfil the responsibility of securing your data. The following sections give a more detailed account of some of the systems we have put in place.
The LeadSquared development center in Bangalore is under 24×7 physical security protection. Only authorized personnel have access to the building and offices. Employees are granted access to the office only after authorization using biometric authentication. Critical locations in the office are accessible only to authorized individuals. Important documents are stored in cabinets accessible only to authorized persons. The office is equipped with surveillance cameras and its images are regularly monitored by authorized persons. A policy has been implemented to approve and regulate visitor access to the building. The office is provided with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure. LeadSquared hosts its application and data in industry-leading Amazon Web Services, whose data centers have been thoroughly tested for security, availability and business continuity. For more details, please refer to the AWS Security Whitepaper.
LeadSquared applications and services are all hosted in Amazon Web Services across its multiple regions. The infrastructure for databases and application servers is managed and maintained by the cloud service providers. At LeadSquared, we take an integrated approach to application security, to ensure everything from engineering to deployment, including architecture and quality assurance processes complies with our highest standards of security.
The application is initially protected by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is a web application firewall (WAF) which monitors against offending IPs, users and spam. While the application can be accessed only by users with valid user access, it should be noted that security in cloud-based products is a shared responsibility between the company and the businesses who own those accounts on the cloud. In addition to making it easy for administrators to enforce industry-standard password policies on users, our products also come with features aimed at securing business data on the cloud:
LeadSquared uses a multi-tenant data model to host all its applications. Each customer has a separate database and we ensure that the code always fetches the data that belongs to only the logged in tenant. Per this design, no customer has access to another customer’s data. Access to the application by the LeadSquared development team is also controlled, managed and audited. Access to the application and the infrastructure is logged for subsequent audits.
We follow a secure software development lifecycle, where security testing is part of development, testing and pre-release acceptance. A security review is a mandatory part of the application engineering (development and construction) process at LeadSquared.
Changes in our production environment follow a very well-defined, systematic process from development and test environments to verifying the changes finally on staging before production deployment. Production deployments are only done by authorized DevOps team members, and nobody else has access to our production environment.
We have a dedicated 24×7 NOC team that monitors the application for suspicious activities or attacks. We conduct regular external third-party audits to certify the state of security in our applications and services.
LeadSquared takes the protection and security of its customers’ data very seriously. LeadSquared manages the security of its application and customers’ data. The LeadSquared development team has no access to data on production servers. Changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process. LeadSquared takes the integrity and protection of customers’ data very seriously. Data at rest is encrypted using AES-256 bit standards (key strength – 1024) with the keys being managed by AWS Key Management Service. All data in transit is encrypted using FIPS-140-2 standard encryption over a secure socket connection for all accounts hosted with us. Different environments are in use for development and testing purposes. Access to systems is strictly managed on a need-to-do/need-to-know basis appropriate to the information classification, with Segregation of Duties built in, and is reviewed on a quarterly basis.
When your account with us is terminated, we ensure that all your data is deleted cleanly. The details are listed in our terms of service.
The LeadSquared office network where updates are developed, deployed, monitored and managed is secured by industry-grade firewalls and antivirus software, to protect internal information systems from intrusion and to provide active alerts in the event of a threat or an incident. Firewall logs are stored and reviewed periodically. Access to the production environment is via SSH and remote access is possible only via the office network. Audit logs are generated for each remote user session and reviewed. Also, access to production systems is always through a multi-factor authentication mechanism. Our data centers, hosted in AWS, are ISO 27001, SSAE-16 and HIPAA compliant.
At LeadSquared we take the protection of our customer’s data very seriously. If you have found any issues or flaws impacting the data security or privacy of LeadSquared users, please write to email@example.com with the relevant information so we can get working on it right away. We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you submit a vulnerability report, the LeadSquared security team and associated development teams will use reasonable efforts to:
We sincerely appreciate your help in detecting and fixing flaws in our platform, and will acknowledge your contribution to the world once the threat is resolved.
Public Disclosure Policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means: “THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”
The Fine Print
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. LeadSquared/MarketXpander employees and their family members are not eligible for bounties.
LeadSquared is fully committed to being compliant before the GDPR comes into force. We promise to safeguard your data.
[Contact firstname.lastname@example.org for any questions/comments]
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.
The full text of the GDPR can be found at https://gdpr-info.eu/ .
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
|Data Subject||A person who lives in the EU|
|Personal Data||Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)|
|Controller||A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the LeadSquared services to market to prospects and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.|
|Processor||A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, LeadSquared is the processor of the data you collect in your LeadSquared application. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.|
|Processing||Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Data Protection Officer (DPO)||A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert|
|Data Privacy Impact Assessment (DPIA)||A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing|
|Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)|
|Third Countries||Countries outside the EU|
As per GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Personal data will include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.
At the heart of GDPR lies a set of rights a person can exercise against organizations processing their personal data. Specifically, individuals have the right to:
|Access||Under GDPR, the Data Subject will be able to request access to his/her personal data and learn how an organization uses it.|
|Erasure||Data Subject will have a right to withdraw consent to store and use personal data and have the information erased.|
|Data Portability||Data Subject will have the right to transfer its data from one service provider to another, and current provider must comply with this request.|
|Rectification||Data Subject can also require any errors in personal data to be corrected, and an organization must reply to the request within one month.|
|To Be Informed||Under GDPR, companies must be transparent about how they gather personal information, and must do it before they collect the data. As part of this, Data Subject must freely give consent for their data to be gathered for a specific purpose.|
|Restrict Processing||This gives Data Subject the right to block and suppress processing of their personal data. Under suppressing, an organization can still store personal information but cannot use it in any way.|
|Stop Processing||Data Subject will have the right to object to using and processing their personal data. This includes direct marketing, profiling, processing for scientific or historical research, inclusion in statistical research and much more.|
Once a Data Subject objects, all his or her data processing must cease immediately.
Unless explicitly clarified in any engagement, LeadSquared will be the Processor and Customer will be the Controller. Please refer to the definitions at the beginning of this document.
No, there is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad.
The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU model clauses (Standard Contractual Clauses or SCC) provide a valid mechanism to lawfully transfer personal data. LeadSquared offers a Data Processing Agreement that incorporates the model clauses to our EU/EEA customers.
Is it mandatory for LeadSquared’s Customers dealing with EU Data Subjects to sign a Data Processing Agreement (DPA)?
Yes, it is mandatory. Well before the deadline of 25th May, LeadSquared will reach out to all its Customers dealing with EU Data Subjects to sign the DPA.
We are currently at work making necessary changes to LeadSquared to ensure we’re compliant by the May 25th, 2018 deadline and to help our Customers meet obligations under the GDPR to the extent that LeadSquared is used to collect and store EU personal data. Some of the changes that have been already planned for execution:
Yes. When one of your contacts (i.e. data subjects) asks you to delete them from your records, you’ll have the ability to do so quickly and easily.
For those unfamiliar with this term, “double opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double opt-in (though certain countries may make this mandatory).
Opt-in proof or proof of legitimate interest will be needed.
If you’ve lost track of the opt-in status of your contacts or never confirmed opt-in, you can run an “opt-in confirmation” campaign to remove any unconfirmed contacts from future sends.
An opt-in confirmation is a one-time email campaign that requests any contacts who haven’t already used some form of opt-in to confirm that they would still like to receive emails from you. Only the contacts who confirm their subscription status are then kept on your list. Those who don’t confirm will then be opted out of your marketing emails. The result is a highly engaged list of contacts who have proven that they want to continue receiving marketing emails from your company.
A quick note to think about, though: just because you don’t have a record of opt-in doesn’t mean you don’t have a lawful basis to process a contact record. Lawful basis comes in multiple forms:
We are reviewing all our legal agreements to ensure we make any required changes in order to be compliant with GDPR. Here are some of the planned changes:
We encourage individuals outside our organization to help us find security vulnerabilities in our platform. Such individuals may use these guidelines to responsibly disclose issues:
The following domains are in scope: