Introduction

Our Company and Products

Datadrive’s goal is to help marketing professionals and agencies reach and surpass their benchmarks for success. We believe in enhancing automation, improving communication, and boosting scalability in a consumer-friendly way, and we consistently provide future-embracing updates that exemplify these priorities.

Our all-in-one sales, marketing, and customer relationship management (CRM) platform offers numerous features that are essential to agencies and marketers. This expansive software solution provides limitless opportunities for our customers to set lofty sales goals and actually achieve them while being supported by our team of experts. We also encourage our customers to rebrand our platform as their own, truly offering agencies and marketers everything they need to scale beyond what they ever thought possible for themselves, their businesses, and their clients.


Datadrive Security and Risk Focus

Datadriveā€™s primary security focus is to safeguard our customersā€™ data. Datadrive has invested in the appropriate controls to protect and service our customers. This investment includes implementing dedicated corporate, product, and infrastructure security programs. Our Legal Team, in partnership with other departments, oversees the implementation of these programs.


Our Security and Compliance Objectives

We have developed our security framework using best practices for the SaaS industry. Our key objectives include:

Customer Trust and Protection: deliver superior products and services while protecting the privacy and conļ¬dentiality of data

Availability and Continuity of Service: ensure availability of the service and minimize risks to service continuity

Information and Service Integrity: make sure that customer information is never corrupted or altered inappropriately

Compliance with Standards: aim to comply with or exceed industry standard best practices.


Datadrive Security Controls

In order to protect the data that is entrusted to us, Datadrive utilizes layers of administrative, technical, and physical security controls throughout our organization. The following sections describe a subset of our most frequently asked questions about control.


Infrastructure Security

Cloud Hosting Provider

Datadrive does not host any product systems or data within its physical ofļ¬ces. Datadrive outsources hosting of its product infrastructure to leading cloud infrastructure providers such as Google Cloud Platform Services and Amazon Web Services. Our product infrastructure resides in the United States. We place reliance on Googleā€™s and AWSā€™s audited security and compliance programs for the efļ¬cacy of their physical, environmental, and infrastructure security controls.

Google provides a monthly uptime percentage to customers of at least 99.5%. You can ļ¬nd more information about the controls, processes, and compliance measures implemented by Google on their publicly available Compliance Resource Center.

AWS guarantees between 99.95% and 100% service reliability, ensuring redundancy to all power, network, and HVAC services. The business continuity and disaster recovery plans for the AWS services have been independently validated as part of their SOC 2 Type 2 report and ISO 27001 certiļ¬cation. AWSā€™s compliance documentation and audit reports are publicly available at the AWS Cloud Compliance Page and the AWS Artifacts Portal.

Network and Perimeter

The Datadrive product infrastructure enforces multiple layers of ļ¬ltering and inspection on all connections across our web application, logical ļ¬rewalls, and security groups. Network-level access control lists are implemented to prevent unauthorized access to our internal product infrastructure and resources. By default, ļ¬rewalls are conļ¬gured to deny network connections that are not explicitly authorized. Changes to our network and perimeter systems are controlled by standard change control processes. Firewall rulesets are reviewed periodically to help ensure that only necessary connections are conļ¬gured.

Conļ¬guration Management

Automation drives Datadriveā€™s ability to scale with our customersā€™ needs and rigorous conļ¬guration management is baked into our day-to-day infrastructure processing. The product infrastructure is a highly automated environment that expands capacity as needed. All server conļ¬gurations are embedded in images and conļ¬guration ļ¬les, which are used when new containers are provisioned. Each container includes its own hardened conļ¬guration and changes to the conļ¬guration and standard images are managed through a controlled change pipeline.

Server instances are tightly controlled from provisioning through deprovisioning, ensuring that deviations from conļ¬guration baselines are detected and reverted at a predeļ¬ned cadence. In the event that a production server deviates or drifts from the baseline conļ¬guration, it will be overwritten with the baseline within 30 minutes. Patch management is handled using automated conļ¬guration management tools or by removing server instances that are no longer compliant with the expected baseline.

Logging

Actions and events that occur within the Datadrive application are consistently and comprehensively logged. These logs are indexed and stored in a central logging solution hosted in Datadriveā€™s cloud environment. Security relevant logs are also retained, indexed, and stored to facilitate investigation and response activities. The retention period of logs depends on the nature of the data logged. Write access to the storage service in which logs are stored is tightly controlled and limited to a small subset of engineers who require access.

Alerting and Monitoring

Datadrive invests in automated monitoring, alerting, and response capabilities to continuously address potential issues.

The Datadrive product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses or alerts to the appropriate teams for response, investigation, and correction. Many automated triggers are also designed to immediately respond to anomalous situations. For example, trafļ¬c throttling, process termination, and similar functions are triggered at predeļ¬ned thresholds.


Application Security

Web Application Defenses

All customer content hosted on the platform is protected by ļ¬rewall and application security. The monitoring tools actively monitor the application layer and can alert on malicious behavior based on behavior type and session rate. The rules used to detect and block malicious trafļ¬c are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP), speciļ¬cally the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure customersā€™ web sites and other parts of the Datadrive products are continuously available.

Development and Release Management

Datadrive optimizes our products through a modern continuous delivery approach to software development. New code is regularly deployed. Code reviews, testing, and merge approval is performed before deployment. Static code analysis runs regularly against code repositories and blocks known misconļ¬gurations from entering the code base. Approval is controlled by designated repository owners and once approved, code is automatically submitted to Datadriveā€™s continuous integration environment where compilation, packaging and unit testing occur.

Dynamic testing for security vulnerabilities is performed periodically against our applications. Newly developed code is ļ¬rst deployed to a dedicated and separate QA environment for the last stage of testing before being promoted to production. Network-level and project-level segmentation prevents unauthorized access between QA and production environments. All code deployments are automated and in case of failures, the changes can be reverted. The deploying team manages notiļ¬cations regarding the health of their applications and if a failure occurs, rollback processes are immediately engaged. We use extensive software gating and trafļ¬c management to control features based on customer preferences (private beta, public beta, full launch).

Datadrive features seamless updates and, as a SaaS application, there is no downtime associated with releases. Major feature changes are communicated through in-app messages and/or product update posts.

Vulnerability Management

The Datadrive team manages a multi-layered approach to vulnerability management, using a variety of industry-recognized tools and threat feeds to ensure comprehensive coverage of our technology stack. Vulnerability scans are conļ¬gured to scan for vulnerabilities on a regular basis, using adaptive scanning inclusion lists for asset discovery as well as the latest vulnerability detection signatures. We perform annual penetration tests against our applications and infrastructures to identify vulnerabilities that may present security related risks. Relevant ļ¬ndings are assessed, and mitigations are prioritized accordingly.


Customer Data Protection

Data Classiļ¬cation

Per the Datadriveā€™s Terms of Service, our customers are responsible for ensuring they only capture appropriate information to support their marketing, sales, services, content management, and operations processes. The Datadrive products should not be used to collect or store sensitive information, such as credit or debit card numbers, ļ¬nancial account information, Social Security numbers, passport numbers, ļ¬nancial or health information except as otherwise permitted.

Tenant Separation

Datadrive provides a multi-tenant SaaS solution where customer data is logically separated using unique IDs to associate data and objects to speciļ¬c customers. Authorization rules are incorporated into the design architecture and validated on a continuous basis. Additionally, we log application authentication and associated changes, application availability, and user access and changes are logged.

Encryption

All data is encrypted in transit with TLS version 1.2, or 1.3 and 2,048 bit keys or better. Transport layer security (TLS) is also a default for customers who host their websites on the Datadrive platform.

Datadrive leverages several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices, and are encrypted at rest.

Key Management

Encryption keys for both in transit and at rest encryption are securely managed by the Datadrive platform. TLS private keys for in transit encryption are managed through our content delivery partner. Volume and ļ¬eld level encryption keys for at rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated at varying frequencies, depending upon the sensitivity of the data they govern. In general, TLS certiļ¬cates are renewed annually. Datadrive is unable to use customer supplied encryption keys at this time.


Data Backup and Disaster Recovery

System Reliability and Recovery

Datadrive is committed to minimizing system downtime. All Datadrive product services are built with redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and all web, application, and database components are deployed with a point in time recovery.

Back up Strategy

System Backups

Systems are backed up on a regular basis with established schedules and frequencies. Seven daysā€™ worth of backups are kept for any database in a way that ensures restoration can occur easily.

Backups are monitored for successful execution, and alerts are generated in the event of any exceptions. Failure alerts are escalated, investigated, and resolved. Data is backed up daily to the local region. Monitoring and alerting is in place for replication failures and triaged accordingly.

Physical Backup Storage

Because we leverage public cloud services for hosting, backup, and recovery, Datadrive does not implement physical infrastructure or physical storage media within its products. Datadrive does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.

Backup Protections

By default, all backups are protected through access control restrictions and write once read many (WORM) protections on Datadrive product infrastructure networks, and access control lists on the ļ¬le systems storing the backup ļ¬les.

Customer Data Backup Restoration

Datadrive customers don’t have access to the product infrastructure in a way that would allow a customer-driven failover event. Disaster recovery and resiliency operations are managed by Datadrive product engineering teams. In some cases, customers can use the recycle bin to directly recover and restore contacts, opportunities, custom ļ¬elds, custom values, tags, notes, and tasks up to 30 days after they were deleted. Changes to web pages, blog posts, or emails can be restored to previous versions of content using version history. For customers who wish to additionally back up their data, the Datadrive platform provides many ways of ensuring that you have what you need.

Many of the features within your Datadrive portal contain export options, and the Datadrive library of public APIs can be used to synchronize your data with other systems.


Identity and Access Control

Product User Management

The Datadrive products allow for granular authorization rules. Customers are empowered to create and manage the users in their portals, assign the privileges that are appropriate, and limit access as they see ļ¬t.

Product Login Protections

The Datadrive products allow users to login to their Datadrive accounts using the native Datadrive login. The native login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower and upper case letters, special characters,, and numbers. People who use Datadriveā€™s native login cannot change the default password policy. Customers who use Datadriveā€™s built-in login are protected by two-factor authentication for their Datadrive accounts. Portal administrators may require all users to have two-factor authentication enabled.

Datadrive Employee Access to Customer Data

Access to Production Infrastructure

User access to internal data stores and production infrastructure is strictly controlled. Datadrive employees are granted access using a role-based access control (RBAC) model. Day to day access is minimized to members of the Engineering team and persistent administrative access is restricted. Additionally, direct network connections to product infrastructure devices over SSH or similar protocols is prohibited, and engineers are required to authenticate ļ¬rst through a bastion host or “jump box” or have assigned IAM role to the resource before accessing server environments.

Access to Customer Portals

By default, Customer Support, Services, and other customer engagement staff can obtain limited access to parts of your Datadrive account to help you with using Datadrive. 

When accessing a portal, Datadrivers are unable to perform high-risk actions without your consent such as:

  • Changing domain or SSO settings Exporting users/contacts
  • Viewing/creating/deleting/rotating private app keys Importing data to the CRM
  • Deleting contacts, companies, deals, and tickets

User logins, Datadrive employee access, security activity, and content activity is logged.

Corporate Authentication and Authorization

Access to the Datadrive company network requires MFA. Password policies follow industry best practices for required length, complexity, and rotation frequency. Password vaults are in place to manage certain administrative account passwords, and access to the vault is managed through Role Based Access Control. We have built an extensive support system to streamline and automate our security management and compliance activities.

In addition to many other functions, we ensure that permission grants are appropriate, employee events are managed, access revocations are timely, change logs are effectively collected, and compliance evidence is preserved. Employee access and permissions to key internal systems are manually reviewed semi-annually to help ensure access granted is necessary for their job function.


Organizational and Corporate Security

Policy Management

To help keep all our employees on the same page with regard to protecting data, Datadrive documents and maintains written policies and procedures. Speciļ¬cally, Datadrive maintains a core Written Information Security Policy, which covers a variety of topics such as data handling requirements, privacy considerations, and disciplinary actions for policy violations.

Policies are reviewed and approved at least annually.

Security Awareness Training

Datadrive employees are required to complete CyberSafety training when they start their employment, and training is made available annually thereafter. The CyberSafety training also includes phishing awareness.

Vendor Management

Datadrive may leverage third party service providers to support the development of our product as well as internal operations. We ensure that our vendors have appropriate security and privacy controls in place as part of our contractual relationship with them. We also maintain a list of our sub-processors (which may change from time-to-time) within our Data Processing Agreement.

Endpoint Protection

Company issued laptops are centrally managed and are conļ¬gured to maintain full disk encryption. We implement a Mobile Device Management solution that provides a centralized platform for IT administrators to manage and monitor mobile devices in an organization. This includes conļ¬guring device settings, enforcing security policies, deploying apps, and ensuring compliance with corporate policies.


Compliance

Sensitive Data Processing and Storing

Please see our Terms of Service and Privacy Policy for additional information on how and why we process data. Please note that, while Datadrive customers may pay for services by credit card, Datadrive does not store, process, or collect credit card information submitted to us by customers, and we are not PCI-DSS compliant. We leverage PCI-compliant payment card processors to ensure that our payment transactions are handled securely.


Privacy

As described in our Privacy Policy, we do not sell your personal data to third parties. The protections described in this document and other protections that we have implemented are designed to ensure that your data stays private and unaltered.

Data Retention and Data Deletion

Customer data is retained for as long as you remain an active customer. Current and former customers can make written requests to have certain data deleted, and Datadrive will fulļ¬ll those requests as required by privacy rules and regulations. Datadrive retains certain data like logs and related metadata in order to address security, compliance, or statutory needs. Datadrive does not currently provide customers with the ability to deļ¬ne custom data retention policies.

Privacy Program Management

Datadriveā€™s Legal Team collaborates with our engineering and product development teams to implement an effective privacy program. Information about our commitment to the privacy of your data is described in greater detail in our Privacy Policy and Data Processing Agreement.

Breach Response

Datadrive will notify customers as required by law if it becomes aware of a data breach that impacts your personal data.


GDPR

Datadrive aims to provide features that enable our customers to easily achieve and maintain their GDPR compliance requirements. Please refer to our GDPR page for more information. While Datadrive seeks to enable your GDPR compliance efforts, use of the Datadrive product alone does not make you GDPR compliant.


Document Scope and Use

This document is intended to be a resource for our customers. It is not intended to create a binding or contractual obligation between Datadrive and any parties, or to amend, alter or revise any existing agreements between the parties. Datadrive is continuously improving the protections that we have implemented, so our procedures may be subject to change.


Contact Us

Questions about this document? We want to hear from you! You can reach as at bertie@datadrive.digital