Security Policy

Last updated: May 25, 2018

Overview

Prospect.io respects our customers' privacy, and keeping our customers' data protected at all times is our highest priority.

This security policy provides a high-level overview of the security practices put in place to achieve that objective.

Have questions or feedback? Feel free to reach out to us at support@prospect.io

Infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Heroku (Salesforce, Inc.) which itself is hosted on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here:

DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by Cloudflare, Inc.

Data encryption

Encryption in transit

All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here.

Encryption at rest

All our user data (including passwords) is encrypted in the database using battle-tested encryption algorithms by our database providers Heroku (Salesforce, Inc.) and Redis Labs, Inc.

Data retention and removal

We retain our users' data for a period of 60 days after your subscription ends. All data is then completely removed from our servers, with the exception of payment and invoice data. Every user can request the removal of usage data by contacting support. Read more about our privacy settings at prospect.io/privacy.

Business continuity and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

Application security monitoring

We use Bugsnag to monitor exceptions and logs and to detect anomalies in our applications. We collect and store logs to provide an audit trail of our applications' activity.

Application security protection

A Web Application Firewall is set up to filter incoming requests that try to compromise the service.
A firewall is systematically used on Prospect.io’s servers to prevent access from non-approved IP addresses.
Critical admin interfaces are protected using at least two-factor authentication.
Our software infrastructure is regularly updated, using automatic update mechanisms where possible.
End-to-end encrypted messaging systems are available to Prospect.io’s employees and contractors, and are used for most communications.

Secure development

We apply development best practices for our chosen development language and framework to mitigate known vulnerability types, such as those in the OWASP Top 10 Web Application Security Risks.

Compliance

General Data Protection Regulation (GDPR)

We’re compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.

Payment information

All payment instrument processing is safely outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

Employee access

Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support.