Product and Functionality
The Services - What is Integrate Event Lead Management?Event Lead Management is a Software-as-a-Service (SaaS) solution for collecting and processing data from people, primarily at events. It comprises the following:
- A mobile application for data collection activity, available via the Apple iOS App Store or Google Play Store.
- A cloud-based dashboard for authorised users to setup and configure the mobile application and to access and export collected data.
Our Approach to Data SecurityHandling your data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses Integrate Event Lead Management software. We have always been committed to investing in a continuous and growing security program since we first established Integrate Event Lead Management, and strive to go beyond the expectations of our customers wherever possible. Here are a few practical examples of security controls within our product:
- When synchronising devices with our secure online application, communication is routed via an enterprise grade Web Application Firewall, using HTTPS and encrypted using TLS 1.2+.
- All lead data that is collected is also encrypted at rest using AES 256 encryption algorithm.
- User access to the Integrate Events Dashboard is secured with strong, complex passwords, and features such as two-factor authentication and complexity controls can be enabled.
- We invest in scheduled, three-level penetration tests.
- We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of data.
- We also make use of external security experts from time to time to appraise our work and our data protection procedures.
GlossaryFor clarity, here are some terms we use in our security documents, and what they mean:
The Processor/Data Processor
Integrate (Europe) Ltd
The Controller/Data Controller
You, Your Business
The Integrate Event Lead Management Dashboard Software, Forms & Mobile Applications
Data ownership, Acceptable Use & Access to Collected Data
- To provide a core feature or functionality which you request through the dashboard that depends on a third-party service.
- If we, or substantially all of our assets, are acquired or are in the process of being acquired by a third-party, in which case Personally Identifiable Information held by us, about our customers, will be one of the transferred assets.
- If we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings.
UK & EU ComplianceWe operate within the jurisdiction of UK and EU data law. We are compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and are regulated by the Information Commissioner’s Office (ICO) in the UK. In light of the UK's potential withdrawal from the European Union (EU), we will continue to appraise the situation and adopt the most customer-favourable position on data security that we can achieve. UK has enshrined the GDPR standard of data protection in its own legislation, through the Data Protection Act 2018. GDPR equivalent standards are set to apply in the UK even after it exits the EU and is no longer bound by its laws. UK is also in a good position to be granted an adequacy decision for data transfers by the EU after its exit from the bloc. This means, in short, that nothing would change in the way we work, or contract with our customers. We do have contingency plans in place in case no such adequacy decision is granted, including possibility of entering into Standard Contractual Clauses with our customers. You can read more about Standard Contractual Clauses here. We are committed to continuing to provide our European customers with the same high standards of privacy and security practices which they always enjoyed using Integrate Event Lead Management. You can find out more about Integrate’s commitment to meeting the requirements of the GDPR right here – GDPR & Integrate Events.
US & Global ComplianceAs a company registered in the UK, we are regulated by European laws which are widely considered stricter than many outside of the region. In April 2019, we were acquired by US based Integrate.com, Inc. Our parent company is Privacy Shield certified – you can view their listing here. We are in the process of unifying our Data Processing Agreements (DPA) with those of our parent company. Our new DPA will be rolled out in 2020 and will feature wording addressing compliance with global laws, such as the California Consumer Protection Act and Canada Anti-Spam Law. This DPA will be sent to any new customers. Any existing customers can request the updated DPA at firstname.lastname@example.org.
Compliance QueriesIf you are unsure about how this impacts your use of Integrate Event Lead Management, we suggest you contact email@example.com for queries around product compliance, or seek additional independent legal advice to assess your own situation. We generally find compliance teams find parity even where we do not comply to a specific foreign law. Our Privacy Team will review and respond to all compliance requests from our existing and prospective customers.
Data Processing Addendum (DPA)We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with anyone that uses our service and requires one. This service is free of charge. The DPA forms part of a contract of service with Integrate (who are the Data Processor) and you as our customer (as the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the Integrate Events service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act) and CASL(Canada Anti-Spam Law) commitments. If you are an existing customer or vendor and wish to execute a DPA, please contact us at firstname.lastname@example.org.
Accreditations & CertificationsWe continually and successfully work with data providers and organisations that already work within standardised frameworks such as ISO 27001 or SOC2. Integrate Events is working towards meeting it's its own first international standards, so our current approach is to provide our own body of documents and policies that meet the requirements of organisations that do maintain these standards. Our data is stored within certified facilities and our infrastructure built upon certified services. If you require any further information, please contact email@example.com.
Registration with the UK Information Commissioner (ICO)We are registered as a fee payer with the United Kingdom's Information Commissioner's Office (ICO), our registration number is ZA033795.
The Relationship Between You & Us
What the ICO says
In plain English
The Controller collects and processes Personal Data in connection with its business activities.
You use Integrate Event Lead Management to collect data from your customers.
The Processor processes Personal Data on behalf of other businesses and organisations.
We manage that data for you.
Article 28(1) of the General Data Protection Regulation 2016/679 provides that, where processing of Personal Data is carried out by a processor on behalf of a Controller, the Controller must choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures;
It is your responsibility to ensure our standards are good enough to meet your legal obligations and organisation’s own standards. We are always willing to try to help you meet whatever data obligations are required in order to use our software.
Article 28(3) of the General Data Protection Regulation requires that where processing is carried out by a Processor on behalf of a Controller such processing shall be governed by a contract or legal act binding the Processor to the Controller, stipulating, in particular, that the Processor shall act only on instructions from the Controller and shall comply with the technical and organisational security measures required under the appropriate national law to protection Personal Data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access and against all other unlawful forms of processing;
We will manage the data in accordance with agreements we will make with you. These are outlined in our policies and terms and conditions when you sign up or start using our products.It is our responsibility to put measures in place to secure personal data you store with us.
The Processor takes all measures to protect Personal Data processed by the Processor on behalf of the Controller against a Security Incident and against all other unlawful forms of processing, as required under applicable national law. Such Technical and Organisational Security Measures shall include, as a minimum standard of protection, the following types of security measures: organisational controls, information security management systems; physical security; physical access controls; entry controls, virtual access controls, transmission controls, assignment of responsibility controls, availability and separation of responsibility controls, security and privacy enhancing technologies; awareness, training and security checks in relation to the Processor’s Personnel; incident response management/business continuity; and audit controls/due diligence.
We are required to put in place measures to protect the data we store on your behalf at organisational, server and application levels.
Data Handling & Encryption
Data Life & Disposal
Data Life, Retention & ProtectionData associated with your Integrate Event Lead Management account (including personal information and collected record data) is retained for as long as you have an Integrate Event Lead Management account and for a longer period as may be required by law. We don’t cancel a licence or account for inactivity. If you cancel your licence, or it terminates for any reason, your data will be retained for a period of 90 days then permanently erased. You may delete your data from your dashboard and apps at any time. Given Integrate EventLead Management is intended to enable you to follow up quickly with prospects whose data you collect using our software, we strongly recommend you delete the data promptly after exporting it or after it has entered your own CRM or marketing automation software.
- Data deleted in these ways will be made inaccessible immediately - 'soft deleted'. Once deleted after 30 days from your account, you can contact us to request a permanent deletion of the soft-deleted data.
- We only retain your data to allow us to recover it should you accidentally delete it.
- We cannot guarantee that we will be able to restore any data you have deleted.
- We do not use soft-deleted data for any purpose other than to permit you an opportunity to restore it. Sometimes we may retain deleted data to comply with our legal obligations, resolve disputes, or enforce our agreements. In these cases, we ensure that access to such data is blocked except for the purposes for which we have been required to retain the information.
- It is the client’s responsibility to export, archive and delete data they collect, as well as to handle personal data stored inside Integrate Events in a manner that complies with any local laws or restrictions. For example, you may want to consider the length of time in which you hold personal data on file. Integrate Events is not a back-up or archiving service, so we always advise customers to make sufficient alternative back up arrangements.
Permanent DeletionYou can delete collected records data or event data from inside your Integrate Events dashboard which will 'soft-delete' it. Once deleted from your account, you can contact us to request a permanent deletion of the soft-deleted data.
Data on DevicesData collected via the mobile app is stored on devices, and we use username and passcode based user authentication to prevent access to viewing and managing the data. The Username / Passcode combination is then submitted via an API, and upon successful authentication a bearer token is generated which is used for authorisation. Records can be viewed or edited individually by authenticated users, however there is no way to extract or download bulk record data from inside the app. Any single user of the app will only see the data they collected in the app; not data collected by any other app user. The authorised user of the Dashboard then gets a holistic view of records collected by all app users. When collecting data offline, all this data is stored inside the application until a connection can be established. At this point, all collected data is transferred automatically to the server. Uninstalling the app erases all data from the device permanently. Users should ensure not to clear the cache or delete the app before data is synced with the dashboard to avoid data loss. Integrate Events does not have the ability to assist the customers with purging data remotely at present. We strongly suggest that our customers ensure this is covered in their corporate device policy or BYOD policy.
Backup CopiesWe maintain regular secure encrypted backups. It may take up to 12 months from the point you start record deletion to erase all traces of the data stored in our backup systems. We describe this as 'residual data', and this data is not accessible via the Integrate Event Lead Management dashboard.
Hardware Management & DisposalComputer equipment and storage media are securely reformatted and repurposed or destroyed beyond repair at their end of life. Our hosting provider decommissions end-of-life hardware using techniques detailed in NIST 800-88 (although we are unable to provide certification for individual pieces of hardware), and we securely erase or destroy any storage media we use within the organisation. All computer hardware and devices are issued and managed centrally, and are logged in our central asset management system.
Servers & Physical Location
Data Centre LocationOur data is based in AWS facilities in Oregon, US. AWS’ security certifications are referenced at https://aws.amazon.com/compliance/programs/. If you have any questions about changes to where your data is stored, please reach out to firstname.lastname@example.org.
- We store backup data and some auxiliary data in Amazon's AWS S3 & Glacier facilities in Ireland (EU). In 2020 we will be moving our back up arrangements to AWS facilities in Oregon, US.
Physical SecurityAWS data centres implement the following access controls at its premises and facilities:
- N+1 redundancy standard
- Limited employee access in line with the principle of least privilege
- Physical access is logged, monitored and retained
- 24/7 access monitoring
- CCTV, MFA, detection systems, alarms
- 24/7 Intrusion Detection with alerting
- End of life hardware is decommissioned using techniques detailed in NIST 800-88
- Physical controls including monitoring and control of climate and temperature, leakage prevention, fire detection
How Personal Data Enters Our SoftwarePersonal data enters the Integrate Events System when an individual willingly enters their details via our software (on any device), or if data is loaded into the Application via the Integrate Event Lead Management Dashboard or the documented Integrate Events API.
How Personal Data Leaves Our SoftwarePersonal data leaves the Integrate Events System when you export it as a downloadable file from the Integrate Event Lead Management Dashboard or establish an integration or webhook which sends the data to a location of your choice (CRM or marketing automation software). Please also see Data Life section above on how long data is retained for within Integrate Event Lead Management.
Third-party ServicesWe use sub-processors for some of our product features. Some of our optional premium or custom product features require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we work with companies that operate with appropriate safeguards for transfers outside of the EEA, such as the EU-US Privacy Shield, standard contractual clauses, binding corporate rules etc.
Business Card Scanning (BCS) & Transcription FeatureIn order to transcribe cards quickly but reliably we use a highly effective human element in the processing. We have contractual relationship with a UK based third-party company, who utilise their employees for the service. The employees are based outside of the EU, but work within the office location of the third party who are ISO 27001 certified. Our third-party partner carries out an accurate validation and transcription of the images taken using the feature in the app. The cards are provided to the third-party digitally and anonymously on secure, time-limited URLs, supplied to them without context and viewable only, and never leaving our servers. For instance they are unable to identify the origin of the card, who supplied the card or on whose behalf they are transcribing the data. They are aware that Integrate Events is the origin of the card, however we never provide any specific identifying information unless you provide it within the scanned image. Once transcribed the images are 'expired' automatically and no longer retrievable.
Service Failure, Backups & Disaster Recovery
- We conduct daily database backups, which are retained for a period of 35 days.
- Backups are stored and managed by internal AWS services (RDS and S3).
- Databases have have multiple layers of redundancy, leverage real-time database replication and depending on technology use a multi-node cluster.
- Given the redundancy and replication process in place, point in time restoration is possible for certain parts of the platform. This is however not guaranteed though.
- Backups older than 35 days are automatically deleted on cyclical basis.
- All backups are encrypted at rest using an AES 256 encryption algorithm.
Business Continuity, Disaster Recovery & ResilienceOur comprehensive backup schedule and redundant, versioned, distributed backup means that in the event of a major disruption, we are in a strong position to recover very recent data and return servers to an operational state. Our apps have the capacity to work in offline mode when there is poor connection to our server. If the main server hosted applications are offline, it will not affect any unsynchronised data on the apps.
- We carry out an annual scheduled review of all privacy and security practices and policy at Integrate to ensure up-to-date and appropriate practices.
Privacy Compliance Violation & Remediation PolicyIn an event of becoming or being made aware of a privacy violation or breach, we will notify our affected customers as the data controllers without undue delay. Customers should report any suspected issues with the software to email@example.com and any suspected data breaches to firstname.lastname@example.org.
Staff Roles & Privilege Auditing
- Engineering, support and account management members of staff have access to data on a need to know basis.
- We carry out an annual schedule of recorded, signed scheduled certification of user privileges to check correct permissions, and remediate any inconsistency
- We carry out a quarterly schedule of recorded investigation of user privileges for people with administrator rights to check correct permissions, and remediate any inconsistency
Data Access Joiners, Movers & Leavers (JML) PolicyStaff privileges are assigned appropriate to their specific roles by senior staff members, and reviewed when employment ceases or when they change roles. When a staff member leaves employment at Integrate, we deactivate access to staff accounts as soon as we physically can, which is usually immediately. This deactivation always occurs within 48h of the end of their employment. All role changes are logged.
Physical SecurityOur UK office is based in London. Physical measures in our office location include:
- Access by key fob only.
- Visitors are accompanied by a member of staff at all times.
- Out of hours access with a gate code and main door key in addition to the key fob.
- Manned reception during working hours.
- Locked gate outside of working hours.
Staff & Administrative Password Policy
Embedded Passwords Policy
Data retention & protection policiesHow we handle data life in our data retention and protection policies can be found here.
Network Security PolicyAny new system level components installed with vendor default settings in place are reset beforehand to remove risk of unsecure defaults. Any redundant components, protocols, services and functions are shut down and removed as soon as technically feasible. Any audit logs are established to be kept for a period of 30 days, and longer wherever possible. Examples of data that is logged includes, but is not limited to promotion of users to administrators, login attempts, password resets, mobile app device usage, interactions with public API etc. Any new service, protocol and or additional grant of port access are subject to our Change Management & Change Control Policies.
Change Management & Change Control PolicyChange Control provides an orderly way to make changes to key process at Integrate. It means notifying anyone affected by the change, and listening to the response should the change adversely affect team members or customers. It also means devising reasonable contingency plans for restoring the system if a change doesn't work. By using a series of standardized and repeatable procedures and actions, we are able to introduce changes to the Integrate Event Lead Management infrastructure in such a way that any negative impact is minimized. This policy describes the process that is to be used for requesting and managing these changes. The following are the key roles specific to the Change Control process. One individual may be responsible for several roles as well as several individuals may be fulfilling a single role.
Change Control Manager
The Change Control Manager manages the process for all requests and reviews each request for completeness. The Change Control Manager verifies that the stated objectives of the request can be met and are consistent with company best practices. The Change Control Manager has the discretion to deny requests that are not consistent with company policy or best practices.
The Change Requestor originates the request by submitting a change to the Change Control Manager.
The Change Implementer makes the necessary changes as requested and notifies any other affected parties if corresponding changes need to be made. Changes are implemented into production by the Change Implementer.
Risk Assessment & Management policyOur risk assessment & management programme is by our internal, cross-functional Risk Team.
- We conduct risk assessments quarterly. We have members of our senior leadership team attend, from Legal, Engineering and IT as permanent members, with additional stakeholders included where necessary.
- Our risk assessment covers privacy, people, processes, data and technology (threats including malicious, natural, accidental, cyber, business changes (transaction volume).
- Appropriate investigations are made into risks, and depending on the importance of the risk, then ownership of the risk challenge is assigned.
- We maintain a Vendor Management programme which tracks the list of vendors who handle personal data.
Data ClassificationAll company owned information and information entrusted to us from third parties falls into one of four classifications:
Information is not confidential and can be made public without any implications for Integrate. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.
- Product marketing information widely distributed
- Information widely available in the public domain, including publicly available on the Integrate Events web site
- Trial software
- Financial reports required by regulatory authorities
- Newsletters for external marketing
Proprietary Information is restricted to management-approved internal access, and protected from external access. Unauthorized access could influence Integrate's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.
- Passwords and information on corporate security procedures
- Know-how used to process client information
- Standard Operating Procedures used in all parts of Integrate's business
- All Company-developed software code, whether used internally or sold to clients
Client Confidential Data
Information received from customers in any form for processing in production by Integrate. The original copy of such information must not be changed in any way. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
- Data collected by customers
- Electronic transmissions from customers
- Product information generated for the customer by Integrate (Europe) Ltd production activities as specified by the customer
Company Confidential Data
Information collected and used by Integrate in the conduct of its business to employ people, to log and fulfil customer requests, and to manage all aspects of company finance. Access to this information is restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
- Accounting data and internal financial reports
- Confidential customer business data and confidential contracts
- Non-disclosure agreements with customers & vendors
- Salaries and other personnel data
- Company business plan
Email, Removable Media & Customer Data Transfer PolicyIt is our policy that Customer Confidential data must not be sent via email or any publicly accessible electronic communication service without first being encrypted with a secure password that complies with our internal password policies. Data should only be transmitted this way when for whatever reason the usual encrypted data flow channels are not available or delayed. Passwords must be transmitted by an unassociated medium other than the medium the files are transmitted, such as via phone call. We also do not ordinarily permit the storage or transfer of Customer Confidential data on removable media such as USB keys and external hard drives. Should it be necessary or unavoidable, any such data transfer or storage on removable media would have to be carried out by our IT & Security department or with their approval using devices issued by them.
Company Owned Device & Operating System PolicyOur staff are issued with modern Apple or Dell devices for the conduct of their work. Laptops are centrally managed by our Corp IT team who enforce all updates in a timely manner. We enforce disk encryption for all company issued devices. We deliver security training to all new team members, with annual re-training thereafter and continuous testing (e.g.phishing testing; incorrect response from an employee-user results in additional cybersecurity training for that employee). All employees are required to complete security training as well as acknowledge the employee handbook and code of conduct, all of which address the importance of privacy, security and confidentiality and emphasizes that any violations will be subject to disciplinary action up to and including termination.
Security Incident & Breach Reporting PolicyWe have a documented Incident Response Plan. Any security incidents would be escalated in accordance with the internal P1 process and an incident manager would be assigned. We maintain a centralised, fast, secure reporting system for the communication of all security and privacy issues. If a security or privacy issue is raised, a Senior Director of IT and Security is immediately notified to co-ordinate the evaluation and necessary response, and the nature of the incident is logged alongside details, who is involved, actions taken and proposals for future action. Should it be determined as necessarily significant during this evaluation, we will communicate the nature of the security incident or breach to affected parties including customers as soon as we are able within the context of the situation, and in a manner which we believe will not exacerbate the worsening of the issue. Customers should signup for https://status.integrate.com to be informed of any updates on minor bugs as well as critical incidents. We would also notify the relevant authorities in accordance with applicable laws where required.
Clean Desk PolicyWe run a Clean Desk Policy at Integrate. We do not permit the printing or creation of physical copies of customer data.
Application Software Update & Vulnerability Management PolicyApplication Updates are managed with a formalised version control flow, and go through a process of development team testing, wider internal testing (both automated and human), and pre-release testing with the live database. No changes are made outside of this peer review and QA process. The final deployment of an Application update is automated and migrating to a new version requires no humanly noticeable downtime. We update our servers with new patches on a regular schedule. We also monitor for zero-day critical vulnerabilities and where possible, implement fixes within 24 hours or sooner where a patch is available. We work on critical vulnerabilities as a matter of priority.
Customer Device Support PolicyWe support the current and immediately prior major versions of iOS and Android. We provide an up to date list of supported devices and operating systems here. We encourage customers to have a robust BYOD policy where app is to be used on their employees’ own devices.
Policy Review ScheduleWe review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.
Penetration Testing & SummariesWe carry out a scheduled three-layer penetration test conducted by trusted third-party security company each year. Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible. The scope of our penetration test consists of:
- a network level scan
- an un-authenticated application penetration test
- a fully-authenticated application test, including privilege escalation
- An abbreviated summary of our most recent penetration test (scope, results and remedial) are available upon request. For reasons of infrastructure security, we will not be able to supply the unabridged report.