Act! and Security

Summary

This page describes the technical and organisational security measures taken by Act! in relation to:

  • Act! products,
  • personal data which Act! processes on behalf of its end users as a data processor, and
  • personal data which Act! controls as a data controller.

This is to assist customers to comply with their security obligations under GDPR when they contract with Act!.

Background

The General Data Protection Regulation (GDPR) came into effect from 25th May 2018. The GDPR ensures that all organisations which use personal data of European residents only do so in accordance with the privacy and other standards set out in the GDPR. One of the standards set out by the GDPR is that organisations must process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. In this document GDPR defined terms are intended to have the same meaning.

What technical security measures does Act! take in relation to its products: Act! Pro, Act! Cloud and Desktop Products and Act! Marketing Automation?

Explanation of the different types of Act! products
The technical measures taken differs depending on how Act! has been deployed by the user. Act! is available to purchase from Act! LLC on a ‘cloud’ deployment, when the Act! CRM software and database is hosted by Act! LLC on servers at a remote data centre and accessed through an Internet (or ‘cloud’) connection via a web browser. Act! CRM, Act! CRM Cloud and Act! Growth Suite (Cloud deployment) are examples of our cloud products. Act! Premium can be installed on computers controlled directly by the user (or their sub-contractor) – we call this deployment method ‘On Premises’ – it is also known as a ‘self-hosting’ or ‘desktop’ deployment. (Act! Premium and Act! Pro are solely self-hosted products).  If you are unsure whether your use of Act! is On Premises or on a Cloud deployment please consult your invoice and related Act! documentation. 

Self-hosted Act! software
The level of security in place for self-hosted Act! software will depend on how the Act! administrator has secured it. If you are not the administrator and need more information, please contact them. In the event an administrator has involved a third party (for example hosting provider, or Act! Certified Consultant – ACC) to host its Act! software, the administrator should contact its hosting provider or ACC.

What product level security is available to secure Act! when it is self-hosted?
Act! CRM has security measures built into the product, all managed by the Act! administrator, for example:

  • Username and passwords,
  • Definable password policy
  • Field level security (controlling what individual users can see)
  • Record level access (controlling access to specific entities)
  • Five security roles
  • Configuring the Act! CRM cloud client to connect securely, for example using SSL encryption.

For more information on how self-hosted products can help with GDPR compliance, please see our detailed ebook available from https://www.act.com/en-gb/guides/act-crm-and-gdpr-compliance.

Act! CRM products
This section covers Act! CRM products hosted by Act! Software Limited and its affiliate Act! LLC (“Act LLC”), including Act! CRM Cloud, Act! Growth Suite (cloud deployment) and Act! CRM (“Act! CRM”). This section relates to personal data which customers have stored in databases on the Act! CRM servers, where Act! LLC does not determine the use of that data, so is a data processor as defined by GDPR.

Security of Act! Cloud
The product level security measures outlined above apply to the Act! CRM. However the item for Act! CRM for Web is not relevant, as Act! LLC manages the encryption of browser connections. The following section outlines the additional security measures which apply to the Act! CRM Cloud.

Communication between your device and your instance (or copy) of an Act! CRM Cloud 
When you access an Act! CRM you do so via a browser on your device. You should ensure this device is secure. Your device will communicate with Act! CRM using up to date industry standard encryption. For example at the time of writing (May 2018) we support TLS 1.2.  We will update communications security in line with industry developments.

Securing your instance of Act! CRM on the servers hosted by Amazon
Each customer’s Act! database is stored and backed up as an independent database. This means it is not possible for one customer’s data to be mixed up with another customer’s on the same server, or for one customer to access another customer’s data.

For customers which require the ability to add additional security to their Act! CRM instance, a ‘single tenant’ option is available. Please contact your usual sales representative or ACC if you are interested in this option. Each server has an anti-virus solution installed and updated as needed. Behind the scenes monitoring tools enable Act! Cloud operations team to monitor servers for any unusual performance or behavior. This monitoring is 24×7 and if any issues or concerns are detected, the operations team is notified and takes action.

Securing your instance of Act! CRM  
Act! CRM servers are hosted by Amazon using its Amazon Web Services (AWS) service. They are located in Frankfurt, Germany for customers with a billing address in the EU, and in London, England for customers with a billing address in the UK. In addition, a GDPR compliant data processing agreement is in place between Act! and Amazon regarding this service.

Act! Marketing Automation
Act! Marketing Automation is marketing automation software which is delivered as a service via the Internet, integrated with Act! CRM (Cloud deployed or self-hosted) and accessed via a browser. Act! Marketing Automation servers are hosted by Amazon using its AWS service. They are located in Frankfurt, Germany for customers with a billing address in the EU (excluding the UK), and in London, England for customers with a billing address in the UK. In addition, a GDPR compliant data processing agreement is in place between Act! LLC and Amazon regarding this service. For more information about AWS and GDPR compliance please visit Amazon’s GDPR information page. We use Sparkpost to deliver Emails sent from AMA; as part of providing this service, recipients’ emails are temporarily stored (for approximately 10 days) on Sparkpost’s servers, which are based in the US. A GDPR compliant data processing agreement is in place between Act! LLC and Sparkpost regarding this service.

What organisational measures does Act! take to secure personal data?

Our own premises and business
Act! LLC physical locations are access controlled via proximity passes. A process manages the activation and deactivation of these for employees. A separate process secures access by visitors. IT storage areas (for example of file servers and communications hardware) are locked, with access limited only to IT staff. 24×7 CCTV video recording of access areas is used at all our premises.

Generally, no personal data in customers’ Act! databases is stored at Act! LLC premises. An exception to this is if you have requested a service directly from us which requires us to work with your data, for example a professional service to convert an Act! database to the latest version. Please see the documentation we provided you about that service for more information about how we use and store data (not just personal data) in those circumstances.

Our people and confidentiality
All our employees are identity checked before they join us. All our employees sign contractually binding confidentiality commitments with us. Employees in our European office in Newcastle upon Tyne, UK have been through GDPR training. All our employees go through role specific induction and training, for example our sales team receive annual updates on PCI compliance and our technical support team are regularly Quality Audited. Phone calls with customers are all recorded for security and training purposes and these are often played back and reviewed by the employee and their manager when any improvement areas – including relating to compliance – are identified and appropriate actions taken.

Our working practices
We have IT Use policies which all staff must follow to keep our system hardware and infrastructure secure. We have written Standard Operating Procedures for customer facing activities. This helps employees to comply with our processes and ensures the quality and consistency of our service delivery. (‘Do the right thing’ is a core value of ours.)

SOC2 and SOC3 Certification
In 2017 we conducted a Service Organization Control (SOC) 2 report. Each year we updated this and augment it with a SOC 3 report, which is available on written request. Each report is the result of a rigorous 2 step independent auditor’s examination of our internal systems relevant to the Trust Services Principles and Criteria for Security, Processing Integrity, Availability, Privacy and Confidentiality. Each principle may have up to 35 sub-categories. To complete a report the auditor conducted an examination covering the entire spectrum of our service offering, including technical data security, disaster recovery, physical security, human resourcing, related business processes. There were two types of SOC 2 audit. Type 1 examined our controls (processes) to validate they adhere to the mandated principles and standards at the time of the audit. The Type 2 audit was conducted at least four months after the Type 1 audit and confirmed that the controls (processes) evaluated in the Type 1 audit functioned as designed on a day-to-day basis. We provided over 450 artefacts for the Type 1 audit and 200 artefacts for the Type 2 Audit. Audits were conducted onsite taking five and three days respectively. Once the final report was completed we were considered compliant. To remain compliant on an ongoing basis we will conduct annual audits. To request a copy of the SOC 3 report (which is a summary of the SOC 2 report, suitable for a general audience) please email privacy@act.com or alternatively click here to download a copy of the report.

Sub-processors (as defined by GDPR)
Act! engages a number of organisations to process customer data on its behalf. As required by GDPR we require all sub processors to enter into a data processing agreement and if they are outside the EU/EEA to take appropriate measures to safeguard the security of personal data.

Additional organisational measures taken for Act! CRM 

  • Personnel security:  Act! staff do not have physical access to the Act! CRM servers, other than as occasional visitors to the relevant facility. Physical access to the servers by Amazon personnel is covered by the relevant web pages (links above) of Amazon.
  • Customer data security: Act! staff can only access customers’ data held on the Act! CRM servers through proprietary in house software tools which ensure that only authorised staff have access to that customer data and then only in a controlled and audited way.
    When (exceptionally) we have to import an Act! CRM customer’s data manually we inform the customer at the time of the import of the security steps taken.
    Data stored on Act! CRM databases is owned and controlled by the customer who will direct Act! when and how the data should be uploaded at the beginning of a contract, and when appropriate destroyed. At the end of the Act! CRM contract the customer will have the option to export its data using tools available in Act!.  Act! LLC will keep that data for a limited time (approximately seven days) after the contract ends and then delete it in accordance with Act! LLC’s then current internal policy.
  • Backing up Act! CRM product databases:  Backups of Act! CRM databases are taken every 6 hours. The first (and full) backup in a day is taken at 02:00 UTC (Universal Time Coordinated) and then differential backups are taken every 6 hours throughout the day. The full backup schedule is 02:00 UTC, 08:00 UTC, 14:00 UTC and 20:00 UTC. Times are stated in UTC so that the schedule is universal across all time-zones. Backups are kept for 7 calendar days from the time at which they are created. For example, a backup created on Monday at 02:00 UTC will be available until the following Monday at 02:00 UTC.  This information is correct as at May 2018; please check this KB article for any updates to this information.
  • Sub-processors:  Act! engages Amazon for Act! CRM and Act! Marketing Automation as its sub-processors providing data centre services. Amazon has to provide information about its own sub-processors. This information can be accessed via the relevant web pages, see above links.

Is there a data processor agreement we can sign covering our use of Act! Cloud products so we can comply with the GDPR requirement to have one?

Yes. Please email GDPR.DPA@act.com for a pre-signed copy for you to sign, scan and email back to us. Please note that we only enter into this agreement and will not consider any other version of it, for example if your own lawyers have drafted one for you to ask us to sign. Also, we do not accept any amendments to the standard form. Please also note that a data processor agreement is not required when Act! processes personal data of your organisation’s employees in relation to a transaction between your organisation and Act!. This is because Act! determines the use of the personal data in those circumstances so is a data controller required to comply with GDPR on its own behalf.

Is any personal data transferred outside the EU? Are adequate levels of protection in place when it is? What are those safeguards?

Please see our Privacy Notice for up to date information about this.

Which processors does Act! engage to process personal data in the course of its own business? Are sufficient guarantees in place?

In accordance with Act! GDPR obligations, Act! has put in place written contracts with processors it appoints to process your personal information.
Those which are based in the USA have self-certified with the US Department of Commerce Privacy Shield framework.