Security & Trust

Product and Functionality

The Services - What is Integrate Event Lead Management?

Event Lead Management is a Software-as-a-Service (SaaS) solution for collecting and processing data from people, primarily at events. It comprises the following:

• A mobile application for data collection activity, available via the Apple iOS App Store or Google Play Store.
• A cloud-based dashboard for authorised users to setup and configure the mobile application and to access and export collected data.

Our Approach to Data Security

Handling your data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses Integrate Event Lead Management software. We have always been committed to investing in a continuous and growing security program since we first established Integrate Event Lead Management, and strive to go beyond the expectations of our customers wherever possible. Here are a few practical examples of security controls within our product:

• When synchronising devices with our secure online application, communication is routed via an enterprise grade Web Application Firewall, using HTTPS and encrypted using TLS 1.2+.
• All lead data that is collected is also encrypted at rest using AES 256 encryption algorithm.
• User access to the Integrate Events Dashboard is secured with strong, complex passwords, and features such as two-factor authentication and complexity controls can be enabled.
• We invest in scheduled, three-level penetration tests.‍
• We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of data.
• We also make use of external security experts from time to time to appraise our work and our data protection procedures.

You will see that some of the publicly available sections of the website are locked for security reasons. If you wish to see the locked sections of the page, please reach out to legal@integrate.com. Our team will send you a standard NDA to sign and share the full document with you. ‍

Glossary

For clarity, here are some terms we use in our security documents, and what they mean:

Data ownership, Acceptable Use & Access to Collected Data

Unambiguously, the data you collect is your data and reserved solely for your own use.

Data (including Personally Identifiable Information) collected via our software is stored for the sole use of the Controller - our customer. We facilitate the reliable collection and storage of data on our customers' behalf, and our intentions and actions will always be framed by this. Some members of the Integrate technical staff from time to time will have restricted access to the data we store on your behalf in order that we can carry out absolutely necessary service tasks such as the monitoring and improving the quality and performance of our own services. However, under no circumstances are we or any third-party unrelated to the services able to access your data for any other purpose, such as marketing or communication purposes. Data will never be disclosed to any third-party except in accordance with our Privacy Policy and/or Data Processing Agreement. The exceptions are:

• To provide a core feature or functionality which you request through the dashboard that depends on a third-party service.
• If we, or substantially all of our assets, are acquired or are in the process of being acquired by a third-party, in which case Personally Identifiable Information held by us, about our customers, will be one of the transferred assets.
• If we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings.

Compliance

UK & EU Compliance

We operate within the jurisdiction of UK and EU data law. We are compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and are regulated by the Information Commissioner’s Office (ICO) in the UK. In light of the UK's potential withdrawal from the European Union (EU), we will continue to appraise the situation and adopt the most customer-favourable position on data security that we can achieve. UK has enshrined the GDPR standard of data protection in its own legislation, through the Data Protection Act 2018. GDPR equivalent standards are set to apply in the UK even after it exits the EU and is no longer bound by its laws. UK is also in a good position to be granted an adequacy decision for data transfers by the EU after its exit from the bloc. This means, in short, that nothing would change in the way we work, or contract with our customers. We do have contingency plans in place in case no such adequacy decision is granted, including possibility of entering into Standard Contractual Clauses with our customers. You can read more about Standard Contractual Clauses here. We are committed to continuing to provide our European customers with the same high standards of privacy and security practices which they always enjoyed using Integrate Event Lead Management. You can find out more about Integrate’s commitment to meeting the requirements of the GDPR right here – GDPR & Integrate Events.

US & Global Compliance

As a company registered in the UK, we are regulated by European laws which are widely considered stricter than many outside of the region. In April 2019, we were acquired by US based Integrate.com, Inc. Our parent company is Privacy Shield certified – you can view their listing here. We are in the process of unifying our Data Processing Agreements (DPA) with those of our parent company. Our new DPA will be rolled out in 2020 and will feature wording addressing compliance with global laws, such as the California Consumer Protection Act and Canada Anti-Spam Law. This DPA will be sent to any new customers. Any existing customers can request the updated DPA at privacy@integrate.com.

Compliance Queries

If you are unsure about how this impacts your use of Integrate Event Lead Management, we suggest you contact privacy@integrate.com for queries around product compliance, or seek additional independent legal advice to assess your own situation. We generally find compliance teams find parity even where we do not comply to a specific foreign law. Our Privacy Team will review and respond to all compliance requests from our existing and prospective customers.

Data Processing Addendum (DPA)

We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with anyone that uses our service and requires one. This service is free of charge. The DPA forms part of a contract of service with Integrate (who are the Data Processor) and you as our customer (as the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the Integrate Events service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act) and CASL(Canada Anti-Spam Law) commitments. If you are an existing customer or vendor and wish to execute a DPA, please contact us at privacy@integrate.com.

Accreditations & Certifications

We continually and successfully work with data providers and organisations that already work within standardised frameworks such as ISO 27001 or SOC2. Integrate Events is working towards meeting it's its own first international standards, so our current approach is to provide our own body of documents and policies that meet the requirements of organisations that do maintain these standards. Our data is stored within certified facilities and our infrastructure built upon certified services. If you require any further information, please contact privacy@integrate.com.

Registration with the UK Information Commissioner (ICO)

We are registered as a fee payer with the United Kingdom's Information Commissioner's Office (ICO), our registration number is ZA033795.

The Relationship Between You & Us

Data Life & Disposal

Data Life, Retention & Protection

Data associated with your Integrate Event Lead Management account (including personal information and collected record data) is retained for as long as you have an Integrate Event Lead Management account and for a longer period as may be required by law. We don’t cancel a licence or account for inactivity. If you cancel your licence, or it terminates for any reason, your data will be retained for a period of 90 days then permanently erased. You may delete your data from your dashboard and apps at any time. Given Integrate EventLead Management is intended to enable you to follow up quickly with prospects whose data you collect using our software, we strongly recommend you delete the data promptly after exporting it or after it has entered your own CRM or marketing automation software.

• Data deleted in these ways will be made inaccessible immediately - 'soft deleted'. Once deleted after 30 days from your account, you can contact us to request a permanent deletion of the soft-deleted data.
• We only retain your data to allow us to recover it should you accidentally delete it.
• We cannot guarantee that we will be able to restore any data you have deleted.
• We do not use soft-deleted data for any purpose other than to permit you an opportunity to restore it. Sometimes we may retain deleted data to comply with our legal obligations, resolve disputes, or enforce our agreements. In these cases, we ensure that access to such data is blocked except for the purposes for which we have been required to retain the information.
• It is the client’s responsibility to export, archive and delete data they collect, as well as to handle personal data stored inside Integrate Events in a manner that complies with any local laws or restrictions. For example, you may want to consider the length of time in which you hold personal data on file. Integrate Events is not a back-up or archiving service, so we always advise customers to make sufficient alternative back up arrangements.

We will notify the Account Owner or Key Contact via email in advance when an account is being prepared for deletion. We provide a 90 day grace period after the account is expired to stop the process. Erasure is permanent. We can't reactivate a user or account once they have been deleted, however if you decide to sign up with again, we can simply create a new account for you.

Permanent Deletion

You can delete collected records data or event data from inside your Integrate Events dashboard which will 'soft-delete' it. Once deleted from your account, you can contact us to request a permanent deletion of the soft-deleted data.

Data on Devices

Data collected via the mobile app is stored on devices, and we use username and passcode based user authentication to prevent access to viewing and managing the data. The Username / Passcode combination is then submitted via an API, and upon successful authentication a bearer token is generated which is used for authorisation. Records can be viewed or edited individually by authenticated users, however there is no way to extract or download bulk record data from inside the app. Any single user of the app will only see the data they collected in the app; not data collected by any other app user. The authorised user of the Dashboard then gets a holistic view of records collected by all app users. When collecting data offline, all this data is stored inside the application until a connection can be established. At this point, all collected data is transferred automatically to the server. Uninstalling the app erases all data from the device permanently. Users should ensure not to clear the cache or delete the app before data is synced with the dashboard to avoid data loss. Integrate Events does not have the ability to assist the customers with purging data remotely at present. We strongly suggest that our customers ensure this is covered in their corporate device policy or BYOD policy.

Backup Copies

We maintain regular secure encrypted backups. It may take up to 12 months from the point you start record deletion to erase all traces of the data stored in our backup systems. We describe this as 'residual data', and this data is not accessible via the Integrate Event Lead Management dashboard.

Hardware Management & Disposal

Computer equipment and storage media are securely reformatted and repurposed or destroyed beyond repair at their end of life. Our hosting provider decommissions end-of-life hardware using techniques detailed in NIST 800-88 (although we are unable to provide certification for individual pieces of hardware), and we securely erase or destroy any storage media we use within the organisation. All computer hardware and devices are issued and managed centrally, and are logged in our central asset management system.

Servers & Physical Location

Data Centre Location

Our data is based in AWS facilities in Oregon, US. AWS’ security certifications are referenced at https://aws.amazon.com/compliance/programs/. If you have any questions about changes to where your data is stored, please reach out to privacy@integrate.com.

• We store backup data and some auxiliary data in Amazon's AWS S3 & Glacier facilities in Ireland (EU). In 2020 we will be moving our back up arrangements to AWS facilities in Oregon, US.

Physical Security

AWS data centres implement the following access controls at its premises and facilities:

• N+1 redundancy standard
• Limited employee access in line with the principle of least privilege
• Physical access is logged, monitored and retained
• 24/7 access monitoring
• CCTV, MFA, detection systems, alarms
• 24/7 Intrusion Detection with alerting
• End of life hardware is decommissioned using techniques detailed in NIST 800-88
• Physical controls including monitoring and control of climate and temperature, leakage prevention, fire detection

Our Software Update Policy is here.

How Personal Data Enters Our Software

Personal data enters the Integrate Events System when an individual willingly enters their details via our software (on any device), or if data is loaded into the Application via the Integrate Event Lead Management Dashboard or the documented Integrate Events API.

How Personal Data Leaves Our Software

Personal data leaves the Integrate Events System when you export it as a downloadable file from the Integrate Event Lead Management Dashboard or establish an integration or webhook which sends the data to a location of your choice (CRM or marketing automation software). Please also see Data Life section above on how long data is retained for within Integrate Event Lead Management.

Third-party Services

We use sub-processors for some of our product features. Some of our optional premium or custom product features require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we work with companies that operate with appropriate safeguards for transfers outside of the EEA, such as the EU-US Privacy Shield, standard contractual clauses, binding corporate rules etc.

Business Card Scanning (BCS) & Transcription Feature

In order to transcribe cards quickly but reliably we use a highly effective human element in the processing. We have contractual relationship with a UK based third-party company, who utilise their employees for the service. The employees are based outside of the EU, but work within the office location of the third party who are ISO 27001 certified. Our third-party partner carries out an accurate validation and transcription of the images taken using the feature in the app. The cards are provided to the third-party digitally and anonymously on secure, time-limited URLs, supplied to them without context and viewable only, and never leaving our servers. For instance they are unable to identify the origin of the card, who supplied the card or on whose behalf they are transcribing the data. They are aware that Integrate Events is the origin of the card, however we never provide any specific identifying information unless you provide it within the scanned image. Once transcribed the images are 'expired' automatically and no longer retrievable.

Service Failure, Backups & Disaster Recovery

Backup Schedule

• We conduct daily database backups, which are retained for a period of 35 days.
• Backups are stored and managed by internal AWS services (RDS and S3).
• Databases have have multiple layers of redundancy, leverage real-time database replication and depending on technology use a multi-node cluster.
• Given the redundancy and replication process in place, point in time restoration is possible for certain parts of the platform. This is however not guaranteed though.
• Backups older than 35 days are automatically deleted on cyclical basis.
• All backups are encrypted at rest using an AES 256 encryption algorithm.

Please note, our business is not a dedicated backup and archival service, so we always encourage our customers to take sensible actions to make their own backup provisions in addition to the measures we take.

Business Continuity, Disaster Recovery & Resilience

Our comprehensive backup schedule and redundant, versioned, distributed backup means that in the event of a major disruption, we are in a strong position to recover very recent data and return servers to an operational state. Our apps have the capacity to work in offline mode when there is poor connection to our server. If the main server hosted applications are offline, it will not affect any unsynchronised data on the apps.

Policies

Privacy Policy

• Our privacy policy is available here.
• We carry out an annual scheduled review of all privacy and security practices and policy at Integrate to ensure up-to-date and appropriate practices.

We will notify account owners by email if we make material changes to our privacy policy or security practices.

Privacy Compliance Violation & Remediation Policy

In an event of becoming or being made aware of a privacy violation or breach, we will notify our affected customers as the data controllers without undue delay. Customers should report any suspected issues with the software to support@integrate.com and any suspected data breaches to privacy@integrate.com.

Staff Roles & Privilege Auditing

• Engineering, support and account management members of staff have access to data on a need to know basis.
• We carry out an annual schedule of recorded, signed scheduled certification of user privileges to check correct permissions, and remediate any inconsistency
• We carry out a quarterly schedule of recorded investigation of user privileges for people with administrator rights to check correct permissions, and remediate any inconsistency

Data Access Joiners, Movers & Leavers (JML) Policy

Staff privileges are assigned appropriate to their specific roles by senior staff members, and reviewed when employment ceases or when they change roles. When a staff member leaves employment at Integrate, we deactivate access to staff accounts as soon as we physically can, which is usually immediately. This deactivation always occurs within 48h of the end of their employment. All role changes are logged.

Physical Security

Our UK office is based in London. Physical measures in our office location include:

• Access by key fob only.
• Visitors are accompanied by a member of staff at all times.
• Out of hours access with a gate code and main door key in addition to the key fob.
• Manned reception during working hours.
• Locked gate outside of working hours.

Data retention & protection policies

How we handle data life in our data retention and protection policies can be found here.

Network Security Policy

Any new system level components installed with vendor default settings in place are reset beforehand to remove risk of unsecure defaults. Any redundant components, protocols, services and functions are shut down and removed as soon as technically feasible. Any audit logs are established to be kept for a period of 30 days, and longer wherever possible. Examples of data that is logged includes, but is not limited to promotion of users to administrators, login attempts, password resets, mobile app device usage, interactions with public API etc. Any new service, protocol and or additional grant of port access are subject to our Change Management & Change Control Policies.

Change Management & Change Control Policy

Change Control provides an orderly way to make changes to key process at Integrate. It means notifying anyone affected by the change, and listening to the response should the change adversely affect team members or customers. It also means devising reasonable contingency plans for restoring the system if a change doesn't work. By using a series of standardized and repeatable procedures and actions, we are able to introduce changes to the Integrate Event Lead Management infrastructure in such a way that any negative impact is minimized. This policy describes the process that is to be used for requesting and managing these changes. The following are the key roles specific to the Change Control process. One individual may be responsible for several roles as well as several individuals may be fulfilling a single role.

Risk Assessment & Management policy

Our risk assessment & management programme is by our internal, cross-functional Risk Team.

• We conduct risk assessments quarterly. We have members of our senior leadership team attend, from Legal, Engineering and IT as permanent members, with additional stakeholders included where necessary.
• Our risk assessment covers privacy, people, processes, data and technology (threats including malicious, natural, accidental, cyber, business changes (transaction volume).
• Appropriate investigations are made into risks, and depending on the importance of the risk, then ownership of the risk challenge is assigned.
• We maintain a Vendor Management programme which tracks the list of vendors who handle personal data.

Data Classification

All company owned information and information entrusted to us from third parties falls into one of four classifications:

Email, Removable Media & Customer Data Transfer Policy

It is our policy that Customer Confidential data must not be sent via email or any publicly accessible electronic communication service without first being encrypted with a secure password that complies with our internal password policies. Data should only be transmitted this way when for whatever reason the usual encrypted data flow channels are not available or delayed. Passwords must be transmitted by an unassociated medium other than the medium the files are transmitted, such as via phone call. We also do not ordinarily permit the storage or transfer of Customer Confidential data on removable media such as USB keys and external hard drives. Should it be necessary or unavoidable, any such data transfer or storage on removable media would have to be carried out by our IT & Security department or with their approval using devices issued by them.

Company Owned Device & Operating System Policy

Our staff are issued with modern Apple or Dell devices for the conduct of their work. Laptops are centrally managed by our Corp IT team who enforce all updates in a timely manner. We enforce disk encryption for all company issued devices. We deliver security training to all new team members, with annual re-training thereafter and continuous testing (e.g.phishing testing; incorrect response from an employee-user results in additional cybersecurity training for that employee). All employees are required to complete security training as well as acknowledge the employee handbook and code of conduct, all of which address the importance of privacy, security and confidentiality and emphasizes that any violations will be subject to disciplinary action up to and including termination.

Security Incident & Breach Reporting Policy

We have a documented Incident Response Plan. Any security incidents would be escalated in accordance with the internal P1 process and an incident manager would be assigned. We maintain a centralised, fast, secure reporting system for the communication of all security and privacy issues. If a security or privacy issue is raised, a Senior Director of IT and Security is immediately notified to co-ordinate the evaluation and necessary response, and the nature of the incident is logged alongside details, who is involved, actions taken and proposals for future action. Should it be determined as necessarily significant during this evaluation, we will communicate the nature of the security incident or breach to affected parties including customers as soon as we are able within the context of the situation, and in a manner which we believe will not exacerbate the worsening of the issue. Customers should signup for https://status.integrate.com to be informed of any updates on minor bugs as well as critical incidents. We would also notify the relevant authorities in accordance with applicable laws where required.

Clean Desk Policy

We run a Clean Desk Policy at Integrate. We do not permit the printing or creation of physical copies of customer data.

Application Software Update & Vulnerability Management Policy

Application Updates are managed with a formalised version control flow, and go through a process of development team testing, wider internal testing (both automated and human), and pre-release testing with the live database. No changes are made outside of this peer review and QA process. The final deployment of an Application update is automated and migrating to a new version requires no humanly noticeable downtime. We update our servers with new patches on a regular schedule. We also monitor for zero-day critical vulnerabilities and where possible, implement fixes within 24 hours or sooner where a patch is available. We work on critical vulnerabilities as a matter of priority.

Customer Device Support Policy

We support the current and immediately prior major versions of iOS and Android. We provide an up to date list of supported devices and operating systems here. We encourage customers to have a robust BYOD policy where app is to be used on their employees’ own devices.

Policy Review Schedule

We review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.

Penetration Testing & Summaries

We carry out a scheduled three-layer penetration test conducted by trusted third-party security company each year. Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible. The scope of our penetration test consists of:

• a network level scan
• an un-authenticated application penetration test
• a fully-authenticated application test, including privilege escalation
• An abbreviated summary of our most recent penetration test (scope, results and remedial) are available upon request. For reasons of infrastructure security, we will not be able to supply the unabridged report.

Further information

If you require access to any resources referenced in our security documents, please reach out to support@integrate.com or privacy@integrate.com to enquire about obtaining copies.