Enterprise-level security and privacy

At Collective[i]®, our first priority is keeping your data private and secure. We recognize the importance of balancing confidentiality, integrity, and the availability of business information. From its inception, our application was designed with a multi-layered approach to securing key information. Our security and privacy program is designed to provide our clients with the utmost confidence in our protection of their data.

Our privacy philosophy: Data minimization and client control of data

The two core philosophies of data minimization and client control consistently inform how our team — from engineering to client success — builds our product and handles client data. Unlike many other AI/ML companies, we aim to collect the minimum data required to provide our services (and nothing more). Additionally, we always provide our clients transparency around and control over their data. They choose which CRM fields and email inboxes to provide via secure API access, and can turn off API access to any data source at any time. For more information on our privacy program, please see our Privacy Policy.

Our security philosophy: Confidentiality, integrity, availability

Our security program is SOC 2 Type II compliant and aligned to the ISO 27000 family of standards. In addition to maintaining industry-leading, multi-layered administrative, physical, and technical safeguards to protect client data, we constantly monitor and improve our application, systems, and processes to meet the growing demands and challenges of an ever-evolving security landscape.

SOC 2 Type II certified

We have achieved SOC 2 and SOC 3 accreditation, which is reserved for organizations that have demonstrated standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to data retrieval, storage, processing, transfer, privacy, and more. Specifically, the SOC 2 reports evidence our achievement of key controls around the security, availability, and confidentiality of client data.

SOC 2 Report - 2021

Privacy Shield certified

We are proudly registered with the EU-U.S. and Swiss-U.S. Privacy Shield. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration to provide companies in Europe and the United States with a mechanism to comply with data protection requirements when transferring data from the European Union and Switzerland to the United States.

Privacy Shield certificate

Third-party audits

We are frequently audited and assessed by third parties and clients. For the past few years, we have partnered with TRUSTe/TrustArc, the leader in privacy compliance and data protection for over two decades, to ensure our clients’ data is safe and secure. Our controls are also annually audited by A-LIGN, a nationally recognized cybersecurity and compliance firm, to confirm our SOC 1 and 2 accreditation.

Penetration testing

We perform vulnerability scans and automated network and application penetration scans. We also engage qualified external entities to perform independent application-level and infrastructure-level penetration tests. Finally, we work closely with clients who have strict security requirements, welcoming additional testing and verification to ensure our commitment to protecting your data.

Physical data centers

Client data is hosted in physical data centers in two locations in the United States. We use multi-vendor diversity to ensure that a single failure does not negatively impact our clients. Access to these physical data centers is strictly controlled and monitored by security staff. Our data center partners are ISO, SOC, PCI, FIPS, and HIPAA certified. Additionally, our data centers operate in environmentally friendly LEED and Energy STAR certified facilities.

Robust data encryption

We encrypt your data — including emails, contacts, and calendar events — using AES-256 encryption for data at rest and TLS 1.2 with SHA-256 for data in transit. The keys for these systems are rotated frequently in line with industry-standard KMS practices and are secured by KMS protections.

GDPR and CCPA compliance

We maintain compliance with GDPR, CCPA, and other applicable privacy regulations. We have built and continue to build our products with the principles of data minimization and client control and privacy in mind.

For more information, please see our Privacy Policy.

GDPR representative

We have engaged EDPO as our GDPR Representative in the EU and the UK. We partner with EDPO, based in Brussels, Belgium, to ensure full compliance with the various individual rights of EU data subjects under GDPR, including the “right to be forgotten.”

For more information, please see our Privacy Policy.

Security whitepaper and report request