who owns your data?

which services we are using and what kind of data is exchanged with them along with their location and privacy policy page to help you learn more?

What are the rights of our users and the steps they can take to get their data removed from our systems or our partner systems?

We encrypt all the personal data. The access to the decryption keys is limited only to a small number of our senior employees.

Your passwords are hashed and can only be reset in case of the loss.

We require a minimum password strength to help you pick a passphrase which is effective against common attacks.

We offer two-factor authentication via SMS. Failure to provide the SMS token will not authenticate a user knowing just the password.

We encrypt all uploaded files.

We do not sell your data. We do not share your data without your consent.

ImpactMapper application servers are hosted in Europe in the AWS data centers. 

Our application is composed of an HTTP API and a web-based client. The two components communicate using authentication tokens which expire every 24 hours and require authentication to renew.

The API and the client communicate using the HTTPS protocol. HTTPS protocol encrypts the communication between your computer and our servers.

The file uploads with sensitive information are encrypted and stored for asynchronous data processing. The data processing is designed to run automatically without the intervention of our staff.

We store user actions as anonymous usage data in a centralized logging database. We use the database for auditing purposes and for generating the activity feed inside the application.

Your personal information and other sensitive data is encrypted using OpenPGP with the AES256 algorithm. The same algorithm is commonly used to secure data as part of PCI and HIPAA compliance requirements.

Our databases are hosted in the same data centers as the application servers and are optimized for high-availability and data resilience. The data services are part of the rest of the infrastructure we designed for a maximum of uptime and minimal risk of data loss. In this way, we can leverage the significant security investments and support of AWS, instead of handling this internally.

We do daily backups of our databases and have set up monitoring for critical parts of our infrastructure. Our staff gets notified in case of an error or an incident almost immediately.

The application runs as a multi-tenant software-as-a-service and our users share the same infrastructure, however their data is separated and inaccessible for each organization. The authorization layer is developed to isolate user access to their organization data. In case of an alert of a breach or unauthorized access, we identify and disable the user or the access to the entire organization and follow our internal policies as the next steps. Please get in touch with us if you want a dedicated instance of our application inside your organization infrastructure. 

Amazon Web Services Business Associate Addendum

 Amazon Web Services Artifact Nondisclosure Agreement

AWS Australian Notifiable Data Breach Addendum

Compliance and data-related agreements

Technical overview and organization

Who is allowed to access your data and password management

How we handle data or security breaches

How we monitor and keep your data secure
​