Paperflite - Security and Compliance

 
 

SOC 2 Compliance

Paperflite regularly audits its platform against the Trust Services Criteria prescribed by The American Institute of Certified Public Accountants (AICPA) and has obtained a Service Organization Control 2 (SOC2) Type 2 report. This third-party assurance audit is performed annually to get an independent opinion on the effectiveness of the design and operating strength of the implemented controls.

Formal policies and procedures have also been established to safeguard customer data and adhere to the security standards prescribed by AICPA. These policies cover:

  • Code of Business Conduct
  • Change Management
  • Data Retention
  • Data Backup
  • Information security
  • Vendor management
  • Risk management
  • Password management
  • Media disposal
  • Incident management
  • Endpoint security
  • Disaster recovery
  • Data classification
  • Business continuity
  • Access control
  • Acceptable usage
  • Vulnerability management

At Paperflite, we take a multifaceted approach to application security, ensuring everything from engineering to deployment, including architecture and quality assurance processes, complies with the highest security standards.

Beyond our commitment to protecting customers’ data, we holistically look at every other vital aspect of security, including application level, network, and operational security. Periodic internal audits of all policies, vulnerability assessments, 3rd-party penetration tests, Dynamic Application Security Tests (DAST), Static Application Security Tests (SAST), and vendor risk assessments are carried out.

To access the SOC2 audit report, please reach out to us at support@paperflite.com, and we’d be happy to share the report with you.

 

Paperflite and GDPR

GDPR was formally approved and came into practice by EU Parliament in April 2016. It mandates higher standards for how marketers can use personal data. The new law requires companies to set up more rigorous systems for data usage.

GDPR (General Data Protection Regulation) is the most comprehensive EU data privacy law to date. Besides strengthening and standardizing user data privacy across EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

At Paperflite, we maintain the highest standards for customer and user data privacy, and we adhere to all local and regional regulations with full compliance. GDPR introduced new requirements and restrictions and we have taken appropriate actions to ensure that we continue to handle all customer data in compliance with applicable laws related to GDPR.

 

Paperflite’s Commitment to Data Protection

At Paperflite, the success of our customers is of the utmost priority. Paperflite relentlessly focusses on data protection as a key pillar of our values.

Paperflite’s back-end is hosted on Amazon Web Services (AWS) and MongoDB, the leading cloud infrastructure platform in the industry and the leading DB provider in the industry. AWS & MongoDB has an extensive set of industry-standard certifications with regular auditing to ensure compliance, including:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
  • SOC2
  • SOC3
  • FISMA, DIACAP, and FedRAMP
  • PCI DSS Level 1
  • ISO 27001
  • ITAR
  • FIPS 140-2
  • ISO 27001/9001 certified
  • ISO 27017/27018 certified
  • Cloud Computing Compliance Controls Catalog (C5 - German Government-backed attestation scheme)
  • AWS, alongside auditor T√úV TRUST IT, published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud

All Paperflite customers benefit from:

  • Data encryption in transit – Data is encrypted using TLS in transit
  • Data encryption at rest – Data is encrypted on servers using AES-256
  • Strong authentication controls – Enforced complexity requirements, two-factor authentication, IP address restrictions, and forced resets, as well as optional single sign-on support
  • Role-based access controls – End-User viewing, access & uploading permissions
  • Administrative auditing – Manage users, groups, and access permissions, and audit user activity

 

GDPR Compliance

To ensure all GDPR compliance requirements have been satisfied, we periodically conduct a comprehensive analysis of all Paperflite data practices as it relates to EU customers including data consumption, data processing, and data storage within the Paperflite platform. Through our compliance work, we have created new processes and procedures to meet GDPR requirements. Specifically, these include:

 

Information use that’s fully transparent

GDPR requires organizations to provide information about the way an individual’s information is used.

 

More visibility into processing

Under GDPR, every individual must be able to access a copy of their personal data and know where it’s being processed.

 

The right to be forgotten

Under GDPR, individuals have the right to ask the organizations they work with to delete their personal data Paperflite’s Data Processing Agreement outlines the processes and procedures needed to fulfill GDPR requests when they are received.

 

Retention of your personal information

We keep your Personal Information for as long as we have your consent to keep the personal information that is reasonably based upon the purpose for which it was collected unless it is retained for a legitimate business purpose that does not pose a risk to your privacy rights or otherwise required by law as authorized or necessary under any applicable agreement with you.  At any time if you no longer want us to keep any of your personal information, you may contact us and request us to erase it, access it, correct it, or restrict or object to further processing and sharing.  If you make such a request, we will comply, unless we have a specific contractual, regulatory or legal reason to have to retain the personal information or refuse the request. For customers, whenever practicable, we provide you with the ability to administer and erase your own Personal Information in our services.

 

External Websites

The links that are shared via Paperflite (as a platform) through its customers or users may contain links to third-party websites. Paperflite has no control over the privacy practices or the content of these websites. As such, we are not responsible for the content or the privacy policies of those third-party websites. You should check the applicable third-party privacy policy and terms of use when visiting any other websites.

 

Frequently Asked Questions (FAQs):

 

What is GDPR?
General Data Protection Regulation (GDPR) is a new European privacy law designed to protect and secure the personal data of EU residents and grants those persons specific rights to data, such as the right to access and erase their data.

 

What information does GDPR apply to?
GDPR applies to ‘personal data,’ which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

 

Does GDPR only apply to EU organizations?
GDPR applies to process carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU.

 

What type of data are you collecting?

Paperflite is considered a Data Processor in the eyes of GDPR. Our customers are able to use our platform to add any and all fields from their Customer Relationship Management (CRM) software or Marketing Automation Platform (MAP), including fields that would collect personal data. For our customers, this typically includes personal data like names, emails, phone numbers, and company names. Depending on which features the customer enables in their Hub, we may also collect additional personal data of visitors including analytics, third-party tracking, and visitor profiles.

 

How do you transfer the data?

Paperflite transfers the data to the CRM or Marketing Automation Platform through the APIs. This is set up by the Client. Data is encrypted in transit using TLS. Paperflite’s Analytics data is kept under Paperflite’s control and is sent to our sub-processors via TLS.

 

How will GDPR impact my organization?
If your business collects, stores, or uses personal information about European residents, whether as a prospect, customer, or employee of your organization, then GDPR will apply.

 

How is Paperflite GDPR compliant?
Our teams have conducted a thorough analysis of how data is consumed, processed, and stored within Paperflite’s platform and have created processes to execute GDPR requests. Paperflite’s Data Processing Agreement outlines the processes and procedures needed to fulfill GDPR requests if/when they are received.

 

Are employees of Paperflite GDPR certified?
Yes. Our sales and marketing team has obtained comprehensive GDPR training and certification to be an expert in the field.

 

What role does the Paperflite platform play in GDPR?
The Paperflite platform processes personal data on behalf of a data controller — the Paperflite customer who collects data directly from the data subject and defines how and for what purpose personal data is processed. Therefore, the Paperflite platform acts as a data processor that allows data controllers (Paperflite customers) to interact with the data subject’s data. Paperflite created processes and procedures to execute data subject’s requests to a data controller

 

How does MongoDB help me comply with GDPR?

MongoDB’s cloud database service is security-hardened by default. Each MongoDB project is provisioned into its own VPC, thereby isolating your data and underlying systems from other MongoDB users. Network encryption, storage volume encryption, and access control are configured by default, and IP whitelists allow you to specify a specific range of IP addresses against which access will be granted. All security-specific updates to the operating system and database of the underlying instances are automatically applied by MongoDB engineers. For deployments running in AWS, VPC Peering can be used to connect your application servers deployed to another AWS VPC directly to your MongoDB cluster using private IP addresses.

MongoDB also pursues external testing and certifications regarding Security. Visit the MongoDB SOC 2 overview for more information.

Paperflite’s MongoDB infrastructure runs on top of AWS which undergoes its own series of independent third-party audits as mentioned earlier.

 

How Paperflite collects and uses the information?

There are two kinds of information that we collect as discussed in this Privacy Policy, information that can be used to identify you (“Personal Information”) and information that does not identify you (“Other Information”). When you request information about our products and services or sign up to receive information from us, you may enter your email address, name, or contact information, in which case your information will be used in order to contact you about our products and services.  We will honour any requests that we no longer contact you and will provide you with a convenient means to unsubscribe or opt out of any communication. When you purchase services from us, we will collect the Personal Information that you submitted in order to administer or improve our services to you, to administer our rewards and promotional programs; to improve our Website and services to you; to solicit your feedback, and to inform you about our products and services.

You may opt-out of unnecessary communications, but please understand that if and while you are a customer, we have legitimate reasons to contact you to administer the services that we provide to you, respond to issues, and manage or discuss our agreement. When you otherwise send your personal information to us by email, by submitting an online form on our Website or contact us using other means and we use that Personal Information in order to respond to you. We collect Other Information from Website visitors that is publicly transmitted by devices and web browsers in order to understand basic information about the categories and frequency of visitors that come to our Website.  Website visitor information includes IP address, your location, your browser type, the fonts you have installed, basic information about your device, and other information that is automatically transmitted from all browsers.   Although we do not use it for the purpose of identifying you personally, the combination of Other Information from your browser is sufficiently unique that it can be used to identify you as a repeat visitor. If you do not wish to have such information shared with us (or anyone else while browsing), you should consult your browser’s manual or identify a browser plug-in that will prevent the sharing of this information, but it may prevent your browser from functioning appropriately on the web. We also collect Other Information using “cookie” technology and JavaScript tags. Cookies are small packets of data that a website stores on your laptop/desktop’s hard drive so that your computer will “remember” information about your visit. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them) as well as JavaScript tags to enhance your experience using the Website and to display relevant and interesting advertisements to you on other websites through third parties.  This Other Information is not linked to you personally but allows the delivery of relevant information to you elsewhere on the web because of your browser information. If you do not want us to place a cookie on your hard drive, please consult your browser’s documentation for information on how. Understand that if you decide not to accept cookies from us, the Website may not function properly. We use JavaScript tags to trigger a sequence of events that includes viewing a first-party cookie (or setting that cookie if it does not already exist) and to help us tailor and optimize our Website and provide you relevant advertisements from us outside of our Website. We will obtain your consent for additional uses of your Personal Information for purposes that are not disclosed in this privacy policy.

 

How does Paperflite share information?

We may employ other companies and individuals to perform functions on our behalf. Examples may include providing technical assistance, customer service, and marketing assistance. These other companies will have access to the minimum amount of Personal Information about you, only as necessary to perform their functions and to the extent permitted by law. We disseminate aggregate information that does not identify you with our affiliates, agents, and business partners and disclose aggregated user statistics in order to describe our products and services to current and prospective business partners and to other third parties for other lawful purposes. In order to provide our services and administer our rewards and promotional programs, we share your Personal Information with our third-party promotional and marketing partners, including, without limitation, businesses participating in our various programs. We may share your information with any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us. As we develop our business’ structure, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, the Personal Information about customers may be part of the transferred information. To the extent permitted or required by law, we may also disclose the information when required by law, court order, national security, law enforcement authority, or regulatory authority; or whenever we believe that disclosing such Information is necessary or advisable to protect the rights, property, or safety of us or others. Your information will be processed in the United States where we are based, and it is necessary for personal data to be processed in the United States in order to provide services or publish this Website.  The United States has not received an adequate decision from the European Union with regard to privacy protection, but adherence to the E.U.-U.S. Privacy Shield program is considered adequate by agreement with the E.U. We remain responsible for our sharing of Personal Information with third parties in cases of onward transfer.

 

How to contact Paperflite regarding our/your Privacy Policy?

You have a right to access your Personal Information. In compliance with the Privacy Shield Principles, Paperflite, Inc. commits to resolve complaints about our collection or use of your personal information.  EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Paperflite, Inc. at support@paperflite.com

You may also send a letter to the Paperflite subsidiary/communication branch: Paperflite Inc. First Cross Street, OMR, Nehru Nagar, Perungudi, Kottivakkam, Chennai, Tamil Nadu 600096

Paperflite, Inc. has committed to cooperating with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

Paperflite, Inc. has further committed to refer unresolved Privacy Shield complaints to American Arbitration Association, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, you can escalate it to our Compliant Officer Dinesh Ravindran (dinesh@paperflite.com).

 

What about the Updates to GDPR?

This policy may be changed at any time at our discretion. If we should update this policy, we will post the updates to this page on our Website and update the Effective Date at the top.  Your use of this Website after any update indicates your agreement.

 

If you have additional questions, please email support@paperflite.com