How do you keep my account and data safe?

This page will help you learn more about our application security and how we keep your account and data safe.

Written by Alexandra Pittman
Updated over a week ago

At ImpactMapper we strive to maintain compliance, proactively address information security, and communicate and mitigate risk for our customers. Please refer to the sections below to learn about your account security, data security and general application security.

Account Security and GDPR

Our privacy policy is prepared to answer GDPR requirements and questions such as:

  • Who owns your data?

  • Which services we use, what kind of data is exchanged with them, and where they are located, along with a link to each service's privacy policy page to help you learn more.

  • What are the rights of our users, and what steps can they take to get their data removed from our systems or our partners' systems?

In addition, the ImpactMapper team has taken extra steps to secure and protect our users' data. Here are some highlights:

  • We encrypt all personal data. Access to the decryption keys is limited to a small number of our senior employees.

  • Your passwords are stored as hashes, so a lost password cannot be recovered and can only be reset.

  • We require a minimum password strength to help you pick a passphrase that is effective against common attacks.

  • We offer two-factor authentication via SMS. A user who knows only the password and cannot provide the SMS token is not authenticated.

  • We encrypt all uploaded files.

  • We do not sell your data. We do not share your data without your consent.

Application Security

  • ImpactMapper application servers are hosted in Europe in AWS data centers.

  • Our application is composed of an HTTP API and a web-based client. The two components communicate using authentication tokens which expire every 24 hours and require authentication to renew.

  • The API and the client communicate over HTTPS, which encrypts the traffic between your computer and our servers.

  • File uploads containing sensitive information are encrypted and stored for asynchronous data processing. The data processing is designed to run automatically, without intervention from our staff.

  • We store user actions as anonymous usage data in a centralized logging database. We use this database for auditing purposes and for generating the activity feed inside the application.

Data Security

  • Your personal information and other sensitive data are encrypted using OpenPGP with the AES256 algorithm. The same algorithm is commonly used to secure data as part of PCI and HIPAA compliance requirements.

  • Our databases are hosted in the same data centers as the application servers and are optimized for high availability and data resilience. The data services are part of an infrastructure we designed for maximum uptime and minimal risk of data loss. In this way, we can leverage the significant security investments and support of AWS instead of handling this internally.

  • We take daily backups of our databases and have set up monitoring for critical parts of our infrastructure. Our staff is notified almost immediately in case of an error or an incident.

  • The application runs as multi-tenant software-as-a-service: our users share the same infrastructure, but each organization's data is separated and inaccessible to other organizations. The authorization layer is developed to restrict each user's access to their own organization's data. In case of an alert of a breach or unauthorized access, we identify and disable the affected user, or access to the entire organization, and follow our internal policies for the next steps. Please get in touch with us if you want a dedicated instance of our application inside your organization's infrastructure.

Compliance Inheritance

ImpactMapper has signed the following agreements:

  • Amazon Web Services Business Associate Addendum

  • Amazon Web Services Artifact Nondisclosure Agreement

  • AWS Australian Notifiable Data Breach Addendum

Some of the AWS Compliance Programs are inheritable; please contact us to clarify any compliance questions.

Internal Policies

We have developed a number of internal policies that should help our customers learn more about how their data is secured and stored.

Here is a short list of topics covered by our internal policies:

  • Compliance and data-related agreements

  • Technical overview and organization

  • Who is allowed to access your data and password management

  • How we handle data or security breaches

  • How we monitor and keep your data secure

As we mention in our internal policy document, we use Amazon Web Services to host and run our infrastructure and services. Since Amazon is a private company based in the United States, we would like to share their frequently asked questions page with you, in case you need more answers. There you will be able to find answers to questions like: What happens when AWS receives a legal request for customer content?
