CRM Data Security, Confidentiality & Compliance

SpotlerCRM guards data for thousands of customers, making sure that their data is secure, backed up and confidential. We understand that we have a high duty of care to protect customer data, and our internal policies and procedures reflect this.

Data Storage and Failover

Our production data centre uses Google Cloud’s data storage service and is located in Belgium. The Google platform has advanced security features such as data encryption at rest and automatic failover. We also maintain a failover data centre with Amazon Web Services (AWS) in Stockholm and Paris, should the production servers hosted by Google fail. The replication time lag between the production and failover data centres is less than one second, so no data is lost in this process. This unique system has enabled us to achieve 99.999% uptime for our CRM over the last three years.

Communications

All communication between the servers and the client (the user’s browser) is encrypted, so that data travelling over the public Internet cannot be intercepted and read. This is done using RC4 256-bit SSL, the same system that is used for Internet banking. Communications between the web servers and the database servers are also encrypted.

Backup

We take snapshot backups of the data at 23:00 GMT every day and hold them off-site at our offices, so we can rebuild a customer’s data as at any day in the past should we need to. The backups are stored in a compressed and encrypted format. After three months the backup data is deleted off all the servers in the data centres and is archived onto portable media and stored in a locked fireproof safe. We also keep another live server with a copy of yesterday’s data, for quick access when customers inadvertently delete data. No Really Simple Systems customer has yet suffered any data loss.

Confidentiality & Data Access

SpotlerCRM understands that customer data is completely confidential, is of high commercial value to its customers, and that its protection from leakage is paramount. We host data for thousands of users, many of them competitors of each other, and the exposure of their data could cause them severe financial pain and embarrassment. SpotlerCRM support staff will only log on to a customer’s system after obtaining permission from them, confirmed in an email. Logins are tracked and can be monitored by customers from the Set Up/Users tab. By default the support staff have access to all customer data once logged in, but are subject to the same security system that other users are, and access can be limited (or removed completely) by the customer. Data that is sent by the customer for uploading or processing is kept for one month after the upload or its return to the customer, and is then deleted. All staff employment contracts reinforce the confidentiality policy, underlining that a policy breach is grave misconduct and cause for instant dismissal. SpotlerCRM has yet to suffer any breaches of customer confidentiality. The company has been validated by many large companies, including IBM.

Ownership

We explicitly state that legal ownership of the data resides with the customer. SpotlerCRM is registered and regulated under the UK Data Protection Act (registration number Z951270X).

European Data Protection

Under European law, all personal data held on EC citizens must be physically held in the EC. All our servers are based in the EC and data is therefore held in compliance with the European Union Directive on Data Protection and the forthcoming EC GDPR Directive. No customer data ever leaves the EC.

SpotlerCRM is compliant with HIPAA, the Health Insurance Portability and Accountability Act, which is designed to protect US citizens’ health insurance and medical electronic data.

Comparison to in-house CRM data security

It is widely accepted that most data theft originates from within an organisation. The security of SpotlerCRM customers’ data is generally better than data held internally by the customer: backups are automated and tested for the ability to restore; customer data is not held on laptops that could be mislaid or stolen; and application continuity is assured. By holding the data off-site within our dedicated secure environment, our customers can minimise the risk of internal data theft and know that their data is completely protected.

ISO Standards

SpotlerCRM does not formally comply with ISO standards. However, we are working towards self-certification and compliance with the ISO/IEC 27000-series.