Swiftpage and Security

Summary

This page describes the technical and organisational security measures taken by Swiftpage in relation to:

  • Swiftpage’s products,
  • personal data which Swiftpage processes on behalf of its end users as a data processor, and
  • personal data which Swiftpage controls as a data controller.

This is to assist customers to comply with their security obligations under GDPR when they contract with Swiftpage.

Background

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. The GDPR requires that all organisations which use the personal data of European residents do so only in accordance with the privacy and other standards it sets out. One of those standards is that organisations must process personal data securely by means of ‘appropriate technical and organisational measures’; this is the ‘security principle’. Terms defined in the GDPR have the same meaning in this document.

What technical security measures does Swiftpage take in relation to its products: Act! Pro, Act! Premium and Act! Premium Plus, Act! emarketing and Swiftpage emarketing?

Explanation of the different types of Swiftpage products
The technical measures taken differ depending on how Act! has been deployed by the user. Act! can be installed on computers controlled directly by the user (or their sub-contractor); we call this deployment method ‘self-hosting’, and it is also known as an ‘on premises’ or ‘desktop’ deployment. Act! Pro is a solely self-hosted product, and Act! Premium and Act! Premium Plus can be self-hosted. Act! Premium and Act! Premium Plus can also be purchased from Swiftpage with the Act! database installed on servers hosted at a remote data centre and accessed over an Internet (or ‘Cloud’) connection via a web browser; we call this a ‘Cloud’ deployment, hence the terms “Act! Premium Cloud” and “Act! Premium Plus Cloud”. Swiftpage Emarketing and Act! Emarketing are also Cloud services. If you are unsure whether your use of Act! is self-hosted or a Cloud deployment, please consult your invoice and related Act! documentation.

Self-hosted Act! software
The level of security in place for self-hosted Act! software will depend on how the Act! administrator has secured it. If you are not the administrator and need more information, please contact them. In the event an administrator has involved a third party (for example a hosting provider or an Act! Certified Consultant, ACC) to host its Act! software, the administrator should contact that hosting provider or ACC.

What product level security is available to secure Act! when it is self-hosted?
Act! Premium and Act! Premium Plus have security measures built into the product, all managed by the Act! administrator, for example:

  • Usernames and passwords,
  • Definable password policy,
  • Field-level security (controlling what individual users can see),
  • Record-level access (controlling access to specific entities),
  • Five security roles, and
  • Configuring the Act! Premium for Web client to connect securely, for example using SSL encryption.

For more information on how self-hosted products can help with GDPR compliance, please see our detailed ebook available from https://www.act.com/en-uk/guides/act-crm-and-gdpr-compliance.

Act! Cloud products
This section covers Act! Premium Cloud and Act! Premium Plus Cloud, which we refer to as ‘Act Cloud products’. This section relates to personal data which customers have stored in databases on the Act Cloud products’ servers, where Swiftpage does not determine the use of that data, so is a data processor as defined by GDPR.

Security of Act! Premium Cloud and Act! Premium Plus Cloud
The product-level security measures outlined above apply to the Act Cloud products. However, the item for Act! Premium for Web is not relevant, as Swiftpage manages the encryption of browser connections. The following section outlines the additional security measures which apply to the Act Cloud products.

Communication between your device and your instance (or copy) of an Act Cloud Product
When you access an Act Cloud product you do so via a browser on your device. You should ensure this device is secure. Your device communicates with the Act Cloud products using up-to-date, industry-standard encryption. For example, at the time of writing (May 2018) we support TLS 1.2 and TLS 1.1; we are monitoring the introduction of TLS 1.3 and the timing of the end-of-life programme for TLS 1.0.

Securing your instance of an Act Cloud Product on our servers on the Google Cloud Platform
Each customer’s instance of Act! is segregated from other customers’ instances on the same server using a unique virtual directory. This means it is not possible for one customer’s data to be mixed up with another customer’s on the same server, or for one customer to access another customer’s data.
For customers which require additional security for their Act! Premium Plus Cloud instance, a ‘single tenant’ option is available. Please contact your usual sales representative or ACC if you are interested in this option. Each server has an anti-virus solution installed and updated as needed. Behind-the-scenes monitoring tools enable Swiftpage’s Cloud operations team to monitor servers for any unusual performance or behaviour. This monitoring runs 24x7; if any issues or concerns are detected, the operations team is notified and takes action.

Data Centre Security
Act Cloud products are hosted by Google using its Google Cloud Platform service. A GDPR compliant data processing agreement is in place between Swiftpage and Google regarding this service, including provisions committing Google to transfer the data to the USA only with adequate safeguards, as required by GDPR. The Act! databases of customers based in the EU are stored on servers in Google’s data centres in Europe. For more information about the security of the Google Cloud Platform, please visit Google’s web page about the security of their data centres.

Act! emarketing
Act! emarketing is a cloud-based email marketing product which is integrated with all Act! products, both self-hosted and Cloud deployed. Even if your Act! product is self-hosted, Act! emarketing is deployed on the Cloud. This means that when you send a campaign from Act! using Act! emarketing, all recipient personal data is transferred to the Act! emarketing servers. These servers are hosted by Amazon using its AWS service and are located in the USA. A GDPR compliant data processing agreement is in place between Swiftpage and Google regarding this service, including provisions committing Google to transfer the data to the USA with adequate safeguards, as required by GDPR. For more information about AWS and GDPR compliance, please visit Amazon’s GDPR information page.

Swiftpage emarketing
Swiftpage emarketing is a standalone Cloud-based email marketing service which Swiftpage no longer actively promotes. It is hosted on servers located in Denver, Colorado, USA, managed by Viawest. No GDPR data processing agreement is in place and no safeguards regarding the transfer of data to the USA are in place. Please do not use Swiftpage Emarketing if you wish to comply with GDPR.

What organisational measures does Swiftpage take to secure personal data?

Our own premises and business
Swiftpage’s physical locations are access controlled via proximity passes. A process manages the activation and deactivation of these passes for employees. A separate process secures access by visitors. IT storage areas (for example for file servers and communications hardware) are locked, with access limited to IT staff. 24x7 CCTV video recording of access areas is used at all our premises.
Generally, no personal data in customers’ Act databases is stored at Swiftpage’s premises. An exception to this is if you have requested a service directly from us which requires us to work with your data, for example to attempt to restore a corrupt Act database. Please see the documentation we provided you about that service for more information about how we use and store data (not just personal data) in those circumstances.

Our people and confidentiality
We call our people Swifties! All our Swifties are identity checked before they join us. All our Swifties sign contractually binding confidentiality commitments with us. Swifties in our European office in Newcastle upon Tyne, UK have been through GDPR training. All our Swifties go through role-specific induction and training; for example, our sales team receive annual updates on PCI compliance and our tech support team are regularly quality audited. Phone calls with customers are all recorded for security and training purposes. These are often played back and reviewed by a Swifty and their manager; any improvement areas (including those relating to compliance) are identified and appropriate actions taken.

Our working practices
We have IT Use policies which all staff must follow to keep our system hardware and infrastructure secure. We have written Standard Operating Procedures for customer facing activities. This helps Swifties to comply with our processes and ensures the quality and consistency of our service delivery. (‘Do the right thing’ is a core value of ours.)

SOC2 and SOC3 Certification
In 2017 we obtained a Service Organization Control (SOC) 2 report. In November 2018 we updated this and augmented it with a SOC 3 report, which is available on written request. Each report is the result of a rigorous two-step independent auditor's examination of our internal systems relevant to the Trust Services Principles and Criteria for Security, Processing Integrity, Availability, Privacy and Confidentiality. Each principle may have up to 35 sub-categories. To complete a report the auditor conducted an examination covering the entire spectrum of our service offering, including technical data security, disaster recovery, physical security, human resourcing and related business processes. There were two types of SOC 2 audit. Type 1 examined our controls (processes) to validate that they adhered to the mandated principles and standards at the time of the audit. The Type 2 audit was conducted at least four months after the Type 1 audit and confirmed that the controls (processes) evaluated in the Type 1 audit functioned as designed on a day-to-day basis. We provided over 450 artefacts for the Type 1 audit and 200 artefacts for the Type 2 audit. Audits were conducted onsite, taking five and three days respectively. Once the final report was completed we were considered compliant. To remain compliant on an ongoing basis we will conduct annual audits. To request a copy of the SOC 3 report (which is a summary of the SOC 2 report, suitable for a general audience) please email privacy@swiftpage.com.

Sub-processors (as defined by GDPR)
Swiftpage engages a number of organisations to process customer data on its behalf. As required by GDPR, we require all sub-processors to enter into a data processing agreement and, if they are outside the EU/EEA, to take appropriate measures to safeguard the security of personal data.

Additional organisational measures taken for Act! Premium Cloud and Act! Premium Plus Cloud

  • Personnel security: Swiftpage staff do not have physical access to the Act Cloud Products servers, other than as occasional visitors to the relevant facility. Physical access to the servers by Google and Amazon personnel is covered by the relevant web pages (links above) of Google and Amazon as appropriate.
  • Customer data security: Swiftpage staff can only access customers’ data held on the Cloud Product servers through proprietary in house software tools which ensure that only authorised staff have access to that customer data and then only in a controlled and audited way.
    When (exceptionally) we have to import a Cloud customer’s data manually we inform the customer at the time of the import of the security steps taken.
    Data stored in Act Cloud product databases is owned and controlled by the customer, who will direct Swiftpage when and how the data should be uploaded at the beginning of a contract and, when appropriate, destroyed. At the end of the Act Cloud product contract the customer will have the option to export its data using tools available in Act!. Swiftpage will keep that data for a limited time after the contract ends and then delete it in accordance with its then current policy.
  • Backing up Act! Cloud product databases: Backups of Act! Premium Cloud databases are taken every 6 hours. The first backup in a day is taken at 02:00 UTC (Universal Time Coordinated) and then every 6 hours throughout the day. The full backup schedule is 02:00 UTC, 08:00 UTC, 14:00 UTC and 20:00 UTC. Times are stated in UTC so that the schedule is universal across all time-zones. Backups are kept for 7 calendar days from the time at which they are created. For example, a backup created on Monday at 02:00 UTC will be available until the following Monday at 02:00 UTC. This information is correct as at May 2018; please check this KB article for any updates to this information.
  • Sub-processors: Swiftpage engages Google for Act! Premium Cloud and Act! Premium Plus Cloud, and Amazon for Act! Emarketing, as its sub-processors providing data centre services. Both Google and Amazon have provided information about their own sub-processors. This information can be accessed via the relevant web pages; see the links above.

Is there a data processor agreement we can sign covering our use of Act! Cloud products so we can comply with the GDPR requirement to have one?

Yes. Please email GDPR.DPA@swiftpage.com for a pre-signed copy for you to sign, scan and email back to us. Please note that we only enter into this agreement and will not consider any other version of it, for example one drafted by your own lawyers for you to ask us to sign. Also, we do not accept any amendments to the standard form. Please also note that a data processor agreement is not required when Swiftpage processes personal data of your organisation’s employees in relation to a transaction between your organisation and Swiftpage. This is because Swiftpage determines the use of the personal data in those circumstances, so it is a data controller required to comply with GDPR on its own behalf.

Is any personal data transferred outside the EU? Are adequate levels of protection in place when it is? What are those safeguards?

Please see our Privacy Notice for up to date information about this.

Which processors does Swiftpage engage to process personal data in the course of its own business? Are sufficient guarantees in place?

In accordance with Swiftpage’s GDPR obligations, Swiftpage has put in place written contracts with processors it appoints to process your personal information.
Those which are based in the USA have self-certified with the US Department of Commerce Privacy Shield framework.