Published: November 12, 2019
RingLead’s Corporate Trust Commitment
RingLead is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including protection of Customer Data as defined in RingLead’s Master Subscription Agreement.
This documentation describes the architecture of, the security- and privacy-related audits and certifications received for, and the administrative, technical and physical controls applicable to RingLead SaaS (also known as DMS), Unique Entry, Capture, and Salesforce Trigger.
Architecture and Data Segregation
The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides effective logical data separation between customers via customer-specific “Organization IDs” and allows the use of customer- and user-role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production. The specific infrastructure used to host Customer Data is described in the “RingLead Overview of Security Processes and IT Architecture” documentation.
Control of Processing
RingLead has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by RingLead and its sub-processors. In particular, RingLead and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with such obligations as well as the technical and organizational data security measures implemented by RingLead and its sub-processors are subject to regular audits.
Certain features of the Covered Services use functionality provided by third parties. The Data Enrichment feature in RingLead can be configured to use third-party company and person data that is rendered to your users. Customers can disable this feature.
Audits and Certifications
The following security and privacy-related audits and certifications are applicable to the Covered Services.
- EU-U.S. and Swiss-U.S. Privacy Shield certification: Customer Data submitted to the Covered Services is within the scope of an annual certification to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce, as further described in our Privacy Shield Notice. The current certification is available at https://www.privacyshield.gov/list by searching under “RingLead.”
- Service Organization Control (SOC) reports: RingLead’s information security control environment applicable to the Covered Services undergoes an independent evaluation in the form of SOC 2 audits. RingLead’s most recent SOC 2 reports are available upon request from your organization’s RingLead account executive.
Additionally, the Covered Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis.
RingLead uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host Customer Data. Information about security and privacy-related audits and certifications received by AWS, including ISO 27001 certification and SOC reports, is available from the AWS Security website and the AWS Compliance website.
The Covered Services include a variety of configurable security controls that allow customers to tailor the security of the Covered Services for their own use. Please see additional information on such controls in the RingLead Help Center.
RingLead uses AWS, as described above; further information about security provided by AWS is available from the AWS Security website, including AWS’s overview of security processes.
Security Policies and Procedures
The Covered Services are operated in accordance with the following policies and procedures to enhance security:
- Customer passwords are stored using a one-way salted hash.
- User access log entries will be maintained, containing date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
- If there is suspicion of inappropriate access, RingLead can provide customers log entry records and/or analysis of such records to assist in forensic analysis when available. This service will be provided to customers on a time and materials basis.
- Data center physical access logs, system infrastructure logs, and application logs will be kept for a minimum of 90 days. Logs will be kept in a secure area to prevent tampering.
- Passwords are not logged.
- RingLead personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
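The controls in the list above (one-way salted password hashes, passwords never logged, support-initiated resets that issue a random value which must be changed on first use, and access-log entries carrying date, time, user ID, URL or entity ID, operation and source IP) are stated as policy. The following is an added illustration of how such controls are typically implemented; it is not RingLead code, and every name in it (`UserRecord`, `hash_password`, `access_log_entry` and so on) is an assumption. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the one-way salted hash.

```python
"""Password storage, reset and access-logging controls of the kind the policy
list above describes. Added illustration, not RingLead code; every name here
(UserRecord, hash_password, access_log_entry, ...) is assumed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# PBKDF2-HMAC-SHA256 from the standard library; raise the iteration count for
# production hardware (this value keeps the example fast).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
# Request fields that must never reach a log, whatever a caller passes in.
REDACTED_FIELDS = {"password", "new_password", "old_password", "reset_password"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way salted hash, stored as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record: treat as non-matching, never as a pass
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class UserRecord:
    user_id: str
    password_hash: str
    must_change_password: bool = False


def reset_password(user: UserRecord) -> str:
    """Support-initiated reset: nobody chooses the value; it is random and must be
    replaced on first use. The return value goes to the user by email, never to a log."""
    temporary = secrets.token_urlsafe(12)
    user.password_hash = hash_password(temporary)
    user.must_change_password = True
    return temporary


def login(user: UserRecord, password: str) -> str:
    """Returns 'ok', 'change-required' (temporary password accepted) or 'denied'."""
    if not verify_password(password, user.password_hash):
        return "denied"
    return "change-required" if user.must_change_password else "ok"


def change_password(user: UserRecord, current: str, new: str) -> bool:
    """Clears the must-change flag only after the temporary password is proven."""
    if not verify_password(current, user.password_hash):
        return False
    user.password_hash = hash_password(new)
    user.must_change_password = False
    return True


def access_log_entry(user_id: str, url: str, operation: str, source_ip: Optional[str],
                     entity_id: Optional[str] = None, payload: Optional[dict] = None,
                     now: Optional[datetime] = None) -> dict:
    """Access-log record with the fields the policy lists; secrets are redacted
    before the record exists, so a downstream logging mistake cannot leak them."""
    now = now or datetime.now(timezone.utc)
    safe_payload = {k: "<redacted>" if k.lower() in REDACTED_FIELDS else v
                    for k, v in (payload or {}).items()}
    return {
        "date": now.date().isoformat(),
        "time": now.time().replace(microsecond=0).isoformat(),
        "user_id": user_id,
        "url": url,
        "entity_id": entity_id,
        "operation": operation,   # created / updated / deleted
        "source_ip": source_ip,   # None when NAT/PAT hides the client address
        "payload": safe_payload,
    }
```

The redaction happens when the log record is built rather than at the log sink, so that "passwords are not logged" holds regardless of which logger or storage backend later receives the record; the reset flow never stores or returns anything but a hash once the temporary value has been handed to the delivery channel.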
RingLead, or an authorized third party, will monitor the Covered Services for unauthorized intrusions using network-based and/or host-based intrusion detection mechanisms. RingLead may analyze data collected by users’ web browsers for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
All systems used in the provision of the Covered Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.
RingLead maintains security incident management policies and procedures. To the extent permitted by law, RingLead notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by RingLead or its agents of which RingLead becomes aware.
RingLead typically notifies customers of significant system incidents by email, and for incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and RingLead’s response.
Access to Covered Services requires authentication via one of the supported mechanisms as described in the RingLead Help Center, including user ID/password, SAML based Federation, OpenID Connect, OAuth, Social Login, or Delegated Authentication as determined and controlled by the customer. Following successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
Production data centers used to provide the Covered Services have access control systems that permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, utilize redundant electrical and telecommunications systems, employ environmental systems that monitor temperature, humidity and other environmental conditions, and contain strategically placed heat, smoke and fire detection and suppression systems. Facilities are secured by around-the-clock guards, interior and exterior surveillance cameras, two-factor access screening and escort-controlled access. In the event of a power failure, uninterruptible power supply and continuous power supply solutions are used to provide power while transferring systems to on-site back-up generators.
Reliability and Backup
All networking components, network accelerators, load balancers, Web servers and application servers are deployed in a redundant configuration. All Customer Data submitted to the Covered Services is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to the Covered Services is stored on highly redundant carrier-class disk storage with multiple data paths to ensure reliability and performance. All Customer Data submitted to the Covered Services, up to the last committed transaction, is automatically replicated on a near real-time basis to the secondary site and backed up to localized data stores. Backups are verified for integrity and stored in the same data centers as their instance. The foregoing replication and backups may not be available to the extent the RingLead DMS, RingLead Triggers managed package, or RingLead Unique Entry managed package is uninstalled by a Customer’s administrator during the subscription term, because doing so may delete Customer Data submitted to such services without any possibility of recovery.
Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. The Covered Services utilize secondary facilities that are geographically diverse from their primary data centers, along with required hardware, software, and Internet connectivity, in the event RingLead production facilities at the primary data centers were to be rendered unavailable.
RingLead has disaster recovery plans in place and tests them at least once per year. The scope of the disaster recovery exercise is to validate the ability to failover a production instance from the primary data center to the secondary data center utilizing developed operational and disaster recovery procedures and documentation.
The Covered Services’ disaster recovery plans currently have the following target recovery objectives: (a) restoration of the Covered Service (recovery time objective) within 12 hours after RingLead’s declaration of a disaster; and (b) maximum Customer Data loss (recovery point objective) of 4 hours. However, these targets exclude a disaster or multiple disasters causing the compromise of multiple data centers at the same time, and exclude development and testing environments.
The Covered Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Covered Services by a customer. Uploaded attachments, however, are not executed in the Covered Services and therefore will not damage or compromise the Covered Services by virtue of containing a virus.
The Covered Services use industry-accepted encryption products to protect Customer Data and communications during transmission between a customer’s network and the Covered Services, including Transport Layer Security (TLS) using at least 2048-bit RSA server certificates and 128-bit symmetric encryption keys. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes across a dedicated, encrypted link utilizing AES-256 encryption.
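A customer integrating with the service over TLS can enforce and audit the same minimums on its own side. The following is an added example, not RingLead code: it builds a Python `ssl` client context that refuses legacy protocol versions and sub-128-bit cipher suites, audits which ciphers a context actually enables, and checks a negotiated connection against the 128-bit symmetric / 2048-bit RSA floor. The function names are assumptions, and the server RSA key size is passed in rather than parsed from the certificate (that parsing, for example with the `cryptography` package, is outside this example).

```python
"""Client-side TLS policy matching the minimums stated above (TLS, at least
2048-bit RSA server certificates, at least 128-bit symmetric keys). Added
illustration, not RingLead code; function names are assumed."""
import ssl
from typing import List, Optional, Tuple

MIN_SYMMETRIC_BITS = 128
MIN_RSA_BITS = 2048
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def client_context() -> ssl.SSLContext:
    """Context that refuses legacy protocol versions and sub-128-bit ciphers."""
    ctx = ssl.create_default_context()        # verifies the server chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries remove NULL, RC4, 3DES and MD5.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!3DES:!MD5")
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Audit a context: minimum protocol name and any enabled cipher below 128 bits.
    get_ciphers() reports each suite's strength_bits as the library sees it."""
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_SYMMETRIC_BITS]
    return {"minimum_version": ctx.minimum_version.name, "weak_ciphers": weak}


def check_negotiated(cipher: Tuple[str, str, int], server_rsa_bits: Optional[int]) -> List[str]:
    """Post-handshake check on SSLSocket.cipher(), which returns (name, protocol, secret_bits).
    server_rsa_bits is the leaf certificate's RSA modulus size (None for non-RSA keys).
    Returns a list of policy findings; empty means the connection meets the floor."""
    name, protocol, bits = cipher
    findings: List[str] = []
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {protocol}")
    if bits < MIN_SYMMETRIC_BITS:
        findings.append(f"{name}: {bits}-bit symmetric key below {MIN_SYMMETRIC_BITS}")
    if server_rsa_bits is not None and server_rsa_bits < MIN_RSA_BITS:
        findings.append(f"server RSA key {server_rsa_bits} bits below {MIN_RSA_BITS}")
    return findings
```

In use, `client_context()` replaces a bare `ssl.create_default_context()` when opening the connection, and `check_negotiated(sock.cipher(), key_bits)` runs once after the handshake; `policy_summary()` is the pre-deployment check that the configured cipher string did not silently leave a weak suite enabled.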
Return of Customer Data
Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Covered Services (to the extent such data has not been deleted by Customer, or if Customer has not already removed the managed package in which the Customer Data was stored). RingLead shall provide such Customer Data via a downloadable file in comma separated value (.csv) format and attachments in their native format. Note that all Customer Data is typically also stored in Salesforce and only some of the Salesforce data is stored in RingLead.
Deletion of Customer Data
After termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 90 days (which can be reduced to 1 day by the Customer), after which it is securely overwritten or deleted from production within 90 days, and from backups the next day. This process is subject to applicable legal requirements.
Without limiting the ability for customers to request return of their Customer Data submitted to the Covered Services, RingLead reserves the right to reduce the number of days it retains such data after contract termination. RingLead will update this RingLead Security, Privacy and Architecture Documentation in the event of such a change.
| Day 0, subscription terminates | Day 0 – 30 | Day 30 – 90 |
|---|---|---|
| Data available for return to customer | Data inactive and no longer available | Data deleted or overwritten from production |
All Customer Data submitted to AWS is retained in AWS for 90 days, after which it is securely overwritten or deleted.
The foregoing deletion of Customer Data for managed packages may not be available if the packages were removed prior to contract termination.
RingLead may track and analyze the usage of the Covered Services for purposes of security and helping RingLead improve both the Covered Services and the user experience in using the Covered Services. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality.
RingLead may share anonymous usage data with RingLead’s service providers for the purpose of helping RingLead in such tracking, analysis and improvements. Additionally, RingLead may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.
Interoperation with Other Services
The Covered Services may interoperate or integrate with other services provided by RingLead or third parties. Security, Privacy and Architecture documentation for services provided by RingLead is available. RingLead also provides a variety of platforms and features that allow RingLead users to learn about RingLead products, participate in communities, connect third party applications, and participate in pilots, testing and assessments, which are outside the scope of this documentation. RingLead may communicate with users that participate in such platforms and features in a manner consistent with our Privacy Statement. Additionally, RingLead may contact users to provide transactional information about the Covered Services; for instance, through system-generated messages, such as in-app notifications. RingLead offers customers and users the ability to deactivate or opt out of receiving such messages.