Event Lead Management is a Software-as-a-Service (SaaS) solution for collecting and processing data from people, primarily at events. It comprises the following:
Handling your data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses Integrate Event Lead Management software.
We have always been committed to investing in a continuous and growing security program since we first established Integrate Event Lead Management, and strive to go beyond the expectations of our customers wherever possible.
Here are a few practical examples of security controls within our product:
You will see that some of the publicly available sections of the website are locked for security reasons. If you wish to see the locked sections of the page, please reach out to firstname.lastname@example.org. Our team will send you a standard NDA to sign and share the full document with you.
For clarity, here are some terms we use in our security documents, and what they mean:
Data (including Personally Identifiable Information) collected via our software is stored for the sole use of the Controller - our customer.
We facilitate the reliable collection and storage of data on our customers' behalf, and our intentions and actions will always be framed by this.
Some members of the Integrate technical staff will from time to time have restricted access to the data we store on your behalf so that we can carry out absolutely necessary service tasks, such as monitoring and improving the quality and performance of our own services. However, under no circumstances are we or any third party unrelated to the services able to access your data for any other purpose, such as marketing or communication purposes.
We operate within the jurisdiction of UK and EU data law. We are compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and are regulated by the Information Commissioner’s Office (ICO) in the UK.
In light of the UK's potential withdrawal from the European Union (EU), we will continue to appraise the situation and adopt the most customer-favourable position on data security that we can achieve. The UK has enshrined the GDPR standard of data protection in its own legislation, through the Data Protection Act 2018. GDPR equivalent standards are set to apply in the UK even after it exits the EU and is no longer bound by its laws. The UK is also in a good position to be granted an adequacy decision for data transfers by the EU after its exit from the bloc. This means, in short, that nothing would change in the way we work, or contract with our customers.
We do have contingency plans in place in case no such adequacy decision is granted, including the possibility of entering into Standard Contractual Clauses with our customers. You can read more about Standard Contractual Clauses here.
We are committed to continuing to provide our European customers with the same high standards of privacy and security practices which they always enjoyed using Integrate Event Lead Management.
You can find out more about Integrate’s commitment to meeting the requirements of the GDPR right here – GDPR & Integrate Events.
As a company registered in the UK, we are regulated by European laws which are widely considered stricter than many outside of the region.
In April 2019, we were acquired by US based Integrate.com, Inc. Our parent company is Privacy Shield certified – you can view their listing here.
We are in the process of unifying our Data Processing Agreements (DPA) with those of our parent company. Our new DPA will be rolled out in 2020 and will feature wording addressing compliance with global laws, such as the California Consumer Protection Act and Canada Anti-Spam Law. This DPA will be sent to any new customers. Any existing customers can request the updated DPA at email@example.com.
If you are unsure about how this impacts your use of Integrate Event Lead Management, we suggest you contact firstname.lastname@example.org for queries around product compliance, or seek additional independent legal advice to assess your own situation.
We generally find that compliance teams find parity even where we do not comply with a specific foreign law.
Our Privacy Team will review and respond to all compliance requests from our existing and prospective customers.
We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with anyone that uses our service and requires one. This service is free of charge. The DPA forms part of a contract of service with Integrate (who are the Data Processor) and you as our customer (as the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the Integrate Events service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act) and CASL (Canada Anti-Spam Law) commitments.
If you are an existing customer or vendor and wish to execute a DPA, please contact us at email@example.com.
We continually and successfully work with data providers and organisations that already work within standardised frameworks such as ISO 27001 or SOC2.
Integrate Events is working towards meeting its own first international standards, so our current approach is to provide our own body of documents and policies that meet the requirements of organisations that do maintain these standards.
Our data is stored within certified facilities and our infrastructure built upon certified services.
If you require any further information, please contact firstname.lastname@example.org.
We are registered as a fee payer with the United Kingdom's Information Commissioner's Office (ICO), our registration number is ZA033795.
Data associated with your Integrate Event Lead Management account (including personal information and collected record data) is retained for as long as you have an Integrate Event Lead Management account and for a longer period as may be required by law.
We don’t cancel a licence or account for inactivity. If you cancel your licence, or it terminates for any reason, your data will be retained for a period of 90 days then permanently erased.
You may delete your data from your dashboard and apps at any time. Given Integrate Event Lead Management is intended to enable you to follow up quickly with prospects whose data you collect using our software, we strongly recommend you delete the data promptly after exporting it or after it has entered your own CRM or marketing automation software.
We will notify the Account Owner or Key Contact via email in advance when an account is being prepared for deletion. We provide a 90 day grace period after the account is expired to stop the process. Erasure is permanent. We can't reactivate a user or account once they have been deleted; however, if you decide to sign up again, we can simply create a new account for you.
You can delete collected records data or event data from inside your Integrate Events dashboard which will 'soft-delete' it. Once deleted from your account, you can contact us to request a permanent deletion of the soft-deleted data.
Data collected via the mobile app is stored on devices, and we use username and passcode based user authentication to prevent access to viewing and managing the data. The Username / Passcode combination is then submitted via an API, and upon successful authentication a bearer token is generated which is used for authorisation.
Records can be viewed or edited individually by authenticated users, however there is no way to extract or download bulk record data from inside the app. Any single user of the app will only see the data they collected in the app; not data collected by any other app user. The authorised user of the Dashboard then gets a holistic view of records collected by all app users.
When collecting data offline, all this data is stored inside the application until a connection can be established. At this point, all collected data is transferred automatically to the server.
Uninstalling the app erases all data from the device permanently. To avoid data loss, users should take care not to clear the cache or delete the app before data is synced with the dashboard.
Integrate Events does not have the ability to assist customers with purging data remotely at present. We strongly suggest that our customers ensure this is covered in their corporate device policy or BYOD policy.
We maintain regular secure encrypted backups. It may take up to 12 months from the point you start record deletion to erase all traces of the data stored in our backup systems. We describe this as 'residual data', and this data is not accessible via the Integrate Event Lead Management dashboard.
Computer equipment and storage media are securely reformatted and repurposed or destroyed beyond repair at their end of life. Our hosting provider decommissions end-of-life hardware using techniques detailed in NIST 800-88 (although we are unable to provide certification for individual pieces of hardware), and we securely erase or destroy any storage media we use within the organisation.
All computer hardware and devices are issued and managed centrally, and are logged in our central asset management system.
As of 2020, our UK based Data Centre is located in Powergate Business Park in the Thames Valley (we refer to this as our London data centre in this document) and is operated by Equinix Telecity. Equinix Telecity hold the following security related accreditations.
In 2020 we will be moving our data to AWS facilities based in Oregon, US. AWS’ security certifications are referenced at https://aws.amazon.com/compliance/programs/. If you have any questions about changes to where your data is stored, please reach out to email@example.com.
AWS data centres implement the following access controls at their premises and facilities:
Our Software Update Policy is here.
Personal data enters the Integrate Events System when an individual willingly enters their details via our software (on any device), or if data is loaded into the Application via the Integrate Event Lead Management Dashboard or the documented Integrate Events API.
Personal data leaves the Integrate Events System when you export it as a downloadable file from the Integrate Event Lead Management Dashboard or establish an integration or webhook which sends the data to a location of your choice (CRM or marketing automation software).
Please also see the Data Life section above on how long data is retained within Integrate Event Lead Management.
We use sub-processors for some of our product features. Some of our optional premium or custom product features require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we work with companies that operate with appropriate safeguards for transfers outside of the EEA, such as the EU-US Privacy Shield, standard contractual clauses, binding corporate rules etc.
In order to transcribe cards quickly but reliably we use a highly effective human element in the processing. We have a contractual relationship with a UK based third-party company, who utilise their employees for the service. The employees are based outside of the EU, but work within the office location of the third party who are ISO 27001 certified. Our third-party partner carries out an accurate validation and transcription of the images taken using the feature in the app.
The cards are provided to the third party digitally and anonymously on secure, time-limited URLs. They are supplied without context, are view-only, and never leave our servers. For instance, the third party is unable to identify the origin of the card, who supplied the card or on whose behalf they are transcribing the data.
They are aware that Integrate Events is the origin of the card, however we never provide any specific identifying information unless you provide it within the scanned image. Once transcribed the images are 'expired' automatically and no longer retrievable.
Please note, our business is not a dedicated backup and archival service, so we always encourage our customers to take sensible actions to make their own backup provisions in addition to the measures we take.
Our comprehensive backup schedule and redundant, versioned, distributed backup means that in the event of a major disruption, we are in a strong position to recover very recent data and return servers to an operational state. Our apps have the capacity to work in offline mode when there is poor connection to our server. If the main server hosted applications are offline, it will not affect any unsynchronised data on the apps.
In the event of becoming or being made aware of a privacy violation or breach, we will notify our affected customers as the data controllers without undue delay.
Staff privileges are assigned appropriate to their specific roles by senior staff members, and reviewed when employment ceases or when they change roles.
When a staff member leaves employment at Integrate, we deactivate access to staff accounts as soon as we physically can, which is usually immediately. This deactivation always occurs within 48h of the end of their employment. All role changes are logged.
Our UK office is based in London. Physical measures in our office location include:
How we handle data life in our data retention and protection policies can be found here.
Any new system level components installed with vendor default settings in place are reset beforehand to remove the risk of insecure defaults.
Any redundant components, protocols, services and functions are shut down and removed as soon as technically feasible.
Audit logs are kept for a period of 30 days, and longer wherever possible. Examples of data that is logged include, but are not limited to, promotion of users to administrators, login attempts, password resets, mobile app device usage and interactions with the public API.
Any new service, protocol and/or additional grant of port access is subject to our Change Management & Change Control Policies.
Change Control provides an orderly way to make changes to key processes at Integrate. It means notifying anyone affected by the change, and listening to the response should the change adversely affect team members or customers. It also means devising reasonable contingency plans for restoring the system if a change doesn't work.
By using a series of standardized and repeatable procedures and actions, we are able to introduce changes to the Integrate Event Lead Management infrastructure in such a way that any negative impact is minimized.
This policy describes the process that is to be used for requesting and managing these changes. The following are the key roles specific to the Change Control process. One individual may be responsible for several roles, and several individuals may fulfil a single role.
Our risk assessment & management programme is run by our internal, cross-functional Risk Team.
All company owned information and information entrusted to us from third parties falls into one of four classifications:
It is our policy that Customer Confidential data must not be sent via email or any publicly accessible electronic communication service without first being encrypted with a secure password that complies with our internal password policies. Data should only be transmitted this way when, for whatever reason, the usual encrypted data flow channels are not available or delayed. Passwords must be transmitted via a separate medium from the one used to transmit the files, such as a phone call.
We also do not ordinarily permit the storage or transfer of Customer Confidential data on removable media such as USB keys and external hard drives. Should it be necessary or unavoidable, any such data transfer or storage on removable media would have to be carried out by our IT & Security department or with their approval using devices issued by them.
Our staff are issued with modern Apple or Dell devices for the conduct of their work. Laptops are centrally managed by our Corp IT team who enforce all updates in a timely manner. We enforce disk encryption for all company issued devices.
We deliver security training to all new team members, with annual re-training thereafter and continuous testing (e.g. phishing testing; an incorrect response from an employee-user results in additional cybersecurity training for that employee). All employees are required to complete security training as well as acknowledge the employee handbook and code of conduct, all of which address the importance of privacy, security and confidentiality and emphasize that any violations will be subject to disciplinary action up to and including termination.
We have a documented Incident Response Plan.
Any security incidents would be escalated in accordance with the internal P1 process and an incident manager would be assigned.
We maintain a centralised, fast, secure reporting system for the communication of all security and privacy issues. If a security or privacy issue is raised, a Senior Director of IT and Security is immediately notified to co-ordinate the evaluation and necessary response, and the nature of the incident is logged alongside details, who is involved, actions taken and proposals for future action.
Should the incident be determined to be sufficiently significant during this evaluation, we will communicate the nature of the security incident or breach to affected parties, including customers, as soon as we are able within the context of the situation, and in a manner which we believe will not exacerbate the issue.
Customers should sign up at https://status.integrate.com to be informed of any updates on minor bugs as well as critical incidents.
We would also notify the relevant authorities in accordance with applicable laws where required.
We run a Clean Desk Policy at Integrate. We do not permit the printing or creation of physical copies of customer data.
Application Updates are managed with a formalised version control flow, and go through a process of development team testing, wider internal testing (both automated and human), and pre-release testing with the live database. No changes are made outside of this peer review and QA process.
The final deployment of an Application update is automated and migrating to a new version requires no humanly noticeable downtime.
We update our servers with new patches on a regular schedule. We also monitor for zero-day critical vulnerabilities and where possible, implement fixes within 24 hours or sooner where a patch is available. We work on critical vulnerabilities as a matter of priority.
We support the current and immediately prior major versions of iOS and Android. We provide an up to date list of supported devices and operating systems here.
We encourage customers to have a robust BYOD policy where the app is to be used on their employees’ own devices.
We review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.
We carry out a scheduled three-layer penetration test conducted by a trusted third-party security company each year.
Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible.
The scope of our penetration test consists of: