Last updated: April 9, 2018
We have always put privacy and security first.
Many businesses trust in Zoomph to handle their consumers’ personal data. Since 2014, we have taken many measures to protect the way that this information is collected, stored, and used. We also respect the concerns of global consumers, including multiple social network providers, and adhere to the ever-changing requirements of various governments around the world.
Your Zoomph Account to include the Zoomph (Platform/Software), Your Visitors, and Users are safe with Zoomph. There are a number of steps we take to ensure that your Account, Organization, User Data, and first-party data are secure.
- Zoomph only collects publicly available social media data that anyone can access. We do not collect private social data under any circumstances.
- Zoomph does not scrape any social media data or third-party apps.
- Only Clients/Customers and Zoomph Team members(s) can access your (the User’s) first-party data collected via a Zoomph property or service (Campaigns, Forms, Surveys, Microsites, etc.)
- We provide processes and automation that allow Users to opt-in to gain a 360-degree view of their campaign analytics
- We WILL NEVER sell your Data from any Zoomph properties or services
- Only specific Zoomph Team Members can access the code or data of any Account based on our organization’s Data Policy
All data Zoomph collects is stored electronically on the Amazon Web Services (AWS) infrastructure, US-East-1 Datacenter. Our application servers and database servers run inside an Amazon VPC, Virtual Private Cloud. The database containing User, Visitor, and Usage Data is accessible from the application servers and approved engineers. No outside sources (third-party contractors) are allowed to connect to the database. All data stored by Zoomph is encrypted at rest.
Data Collection and Transmission
- Firewalls are in place exposing only the necessary ports through the internet and between different servers. Zoomph transmits data from the visitor’s browser to our systems using HTTPS.
- Bulk first-party data transferred to and from Zoomph will only be done via secure file transfer.
- Any first-party data sent over via API is secured via HTTPS.
- Data collected from our social platform partners complies with their standard business process and TOS. Zoomph is not collecting private data from any of these networks unless provided with consent from the account owner.
- First-party data collected through Zoomph Social OAuth services is exclusively reserved for use by our Clients/Customers. Zoomph does not make use of the data collected in any form or way unless consent and agreement are officially given by Client/Customer of the Zoomph Account, clearly outlining what the data will be used for. This aggregated and anonymized data can be used for understanding your Audience Analytics (Demographics, Interests, Affinities, Locations, etc.) and to develop personalized ads, segmentation of CRM, email lists, etc.
Zoomph Employee Server Access and Authentication
Only Zoomph approved engineers required to perform their job are given access to backend services and data. Different engineers are given different access rights on different system components as well, depending on what their job requires. Engineers who do have access have their own credentials, which are only valid when used from specific IPs. Secure authentication is used for server access as well as required to be on a secure VPN.
Full database backups are taken every day, stored on Amazon Cloud Storage (AWS S3), and kept for 30 days as an electronic copy. Backups are encrypted.
Compliance, certifications and audit reports
Zoomph Architecture & Processes related to Security
Zoomph adheres to industry best practices, applicable laws, rules and regulations, and provides a secure environment. The following standards describe our architecture and processes related to security; this is not meant to be an exhaustive listing of what can be required for a secure integrated environment between Zoomph and Customer/Client.
Zoomph maintains and implements policies and procedures for information security, privacy, business continuity, and disaster recovery, and complies with such policies.
- Zoomph performs background checks on all new hires and subcontractors.
- Zoomph employs industry best practices relevant to the type and nature of data to be stored, and protects any Company data in its custody.
- Any consumer preferences, including consumer opt-outs and privacy preferences, will be honored and adhered to.
- We rely on our social media partners to ensure that data is not collected from users under the age of 13 unless the application is in compliance with the Children’s Advertising Review Unit and with all applicable laws, rules and regulations, including without limitation the Children’s Online Privacy Protection Act.
- Zoomph implements secure coding practices no less stringent than the Open Web Application Security Project (“OWASP”) Top 10.
- Applications are tested regularly for security vulnerabilities.
- All passwords require a minimum of:
- Eight characters
- One upper case letter, one number, and one special character
- Passwords are masked during user entry.
- Passwords are salted and hashed when stored in the password database.
In addition, non-consumer (employees and administrators) passwords are required to:
- Contain alphabetic and numeric characters
- Enforce account lockouts after five failed attempts within a 24-hour period
- Enforce a session timeout of 30 minutes
- Be changed from default values
Consumer (public profiles) are required to:
- Use Social Authentication/Opt-in to submit data via Zoomph services (Forms, Surveys, Contests, Microsites, etc.)
- Input data via an online form that submits data from third-party site to Zoomph (please read all Terms and Services of all third-party sites carefully)
Zoomph’s current approved hosting providers are Microsoft Azure and Amazon Web Services (AWS). Zoomph has obtained security assurances and service level agreements from these providers, and passes those protections to its clients/customers.
- Appropriate physical access controls exist to prevent unauthorized access, damage, or interference to business premises and information (e.g., locked server cages, guarded access, video monitoring, visitor access controls, and biometric authentication)
- All electronic media (such as disks, backup tapes, etc.) and confidential hardcopy documents are appropriately protected from theft or loss. Data contained on such media are required to be securely destroyed prior to the media being discarded.
- Our hosting provider(s) review access rights to systems and data periodically.
- A firewall protects the application environment and associated data from the Internet and other internal networks.
- Inbound and outbound connections through the firewall are denied unless specifically required and defined by a documented firewall rule.
- Operating systems are securely configured according to a security baseline. This baseline must include removing unnecessary services and changing default, vendor-supplied, or otherwise weak user accounts and passwords.
- All system components are maintaining current security patch levels.
- Administration of systems are performed using secure protocols such as SSH.
- Web servers are hardened according to a secure baseline.
- Web servers are configured to accept requests for only authorized and published directories. Default sites, sample or test files, and executable or directory listings are disabled.
As a United States data company, we respect all consumer data to include global consumer protection and transparency. Our technology and processes thereby adhere to the strictest legal privacy requirements.
Need more details or have any questions?
Contact us at firstname.lastname@example.org.