Enterprise-level security and privacy
Our privacy philosophy: Data minimization and client control of data
Our security philosophy: Confidentiality, integrity, availability
Our security program is SOC 2 Type II compliant and aligned to ISO 27000 standards. In addition to maintaining industry-leading, multilayered administrative, physical, and technical safeguards to protect client data, we constantly monitor and improve our application, systems, and processes to meet the growing demands and challenges of an ever-evolving security landscape.
SOC 2 Type II certified
We have achieved SOC 1, 2, and 3 accreditation, which is reserved for organizations that have demonstrated standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. The American Institute of Certified Public Accountants (AICPA) and Service Organization Controls (SOC) reports give assurance over control environments as they relate to data retrieval, storage, processing, transfer, privacy, and more. Specifically, the SOC 2 reports evidence our achievement of key controls around the security, availability, and confidentiality of client data.SOC 3 report PDF
Privacy Shield certified
We are proudly registered with EU-U.S. and Swiss-U.S. Privacy Shield. The EU-U.S. and Swiss-U.S Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration to provide companies in Europe and the United States with a mechanism to comply with data protection requirements when transferring data from the European Union and Switzerland to the United States.Privacy Shield certificate
We are frequently audited and assessed by third parties and clients. For the past few years, we have partnered with TRUSTe/TrustArc, the leader in privacy compliance and data protection for over two decades, to ensure our clients’ data is safe and secure. Our controls are also annually audited by A-LIGN, a nationally recognized cybersecurity and compliance firm, to confirm our SOC 1 and 2 accreditation.
We perform vulnerability and automated network and application penetration scans. We also engage qualified external entities to perform independent application-level and infrastructure-level penetration tests. Finally, we work closely with clients who have strict security requirements, welcoming additional testing and verification to ensure our commitment to protecting your data.
Physical data centers
Client data is hosted in physical data centers in two locations in the United States. We use multi-vendor diversity to ensure that a single failure does not negatively impact our clients. Access to these physical data centers is strictly controlled and monitored by security staff. Our data center partners are ISO, SOC, PCI, FIPS, and HIPPA certified. Additionally, our data centers operate in environmentally-friendly LEED and Energy STAR certified facilities.
Robust data encryption
We encrypt your data — including emails, contacts, and calendar events — using AES-256-bit data-at-rest encryption and TLS 1.2 SHA-256 data-in-transit protection. The keys for these systems are frequently rotated to comply with industry standard KMS practices and are secured by KMS protections.
GDPR and CCPA compliance
We maintain compliance with GDPR, CCPA, and other applicable privacy regulations. We have built and continue to build our products with the principles of data minimization and client control and privacy in mind.
We have engaged EDPO as our GDPR Representative in the EU and the UK. We partner with EDPO, based in Brussels, Belgium, to ensure full compliance with the various individual rights of EU data subjects under GDPR, including the “right to be forgotten.”