Overview
This document defines the policies by which data will be protected from unauthorized use, modification, or destruction at Bound. These policies relate to the transmission, storage, access, management, auditing, and removal of data in Bound's care--whether electronic, written, or spoken.
The core principles of this policy include:
- Bound will prioritize the security and integrity of all data in our care, and will handle company and customer data in a responsible and ethical manner
- Bound will implement controls that assure adherence to the principles outlined in this policy
- Bound will periodically review controls to ensure that they effectively enforce this policy
- Bound will educate all employees on the tenets of this policy, and ensure that they have the tools and knowledge necessary to adhere to them
Scope of Data Protections
Throughout this policy, the following types of protected information will be referred to explicitly. Where the phrase "Bound data" alone is used, it is intended to encompass all types of data listed in this section.
Customer Data
"Customer data" includes information provided to Bound, directly or indirectly, by its clients. This includes but is not limited to:
- Any and all personally identifiable information, including names, phone numbers, email addresses, photographs, or any other details that may be considered personally identifiable either alone or in combination
- Any and all financial information, including credit card numbers, banking details, budget information, or other financial details
- Contracts, documents, or any other facts related to the relationship between Bound and its clients
- Marketing strategy, financial details, operational details, and any other non-public information shared with Bound by its clients
- All usernames, passwords, API keys, or other information intended for authorization purposes--either in Bound's platform, or on 3rd party platforms
- All content (images, html, videos, files, csvs, custom data sets) created in or uploaded to the Bound platform by the client Usage and reporting data related to the client
Employee Data
Employee data" includes personal information provided to Bound, directly or indirectly, by its employees. This includes but is not limited to:
- Any and all personally identifiable information, including names, phone numbers, email addresses, photographs, or any other details that may be considered personally identifiable either alone or in combination
- Any and all financial information, including banking details, compensation details, tax information, or other financial details
- Any health or medical information related to the employee
- Any personnel or HR files
- Any personal data purposely or accidentally transferred onto company systems by the employee
Internal Data
"Internal data" includes non-public information or facts related to the operation of Bound's business. This includes but is not limited to:
- Sales strategy and pipeline details
- Sales figures and performance metrics
- Marketing strategy and performance metrics
- Operational strategy and organizational details
- Financial information, projections, and budgetary details
- Partner strategy and partner relationship details
- Technical strategy and implementation details
- Source code and supporting documentation
- Internal support, knowledgebase, educational, or reference materials
- Aggregate platform usage data, and any internal analytical data
Public Data
"Public data" refers to any data made purposefully public by Bound or its clients. This includes but is not limited to:
- Marketing materials
- Press releases
- Public-facing website or application content
- Public-facing knowledge base, educational, or reference materials
- Public-facing policy documents
- Public financial or operational disclosures
- High-level employee details, when required for the performance of the employee's role, or when otherwise deemed prudent
- Customer-provided content and data that is expressly intended for use with the client's Bound implementation
3rd Party Data
"3rd party data" refers to any data imported from a 3rd party for the sake of personalization. This includes but is not limited to:
- Data imported from connections such as Terminus, Kickfire, Demandbase, etc.
- Geo IP data imported from Maxmind
Visitor Data
"Visitor data" refers to raw data collected from visitors to Bound-enabled websites. (Note that this refers to unaggregated data--aggregated visitor data is considered "internal data".) This includes but is not limited to:
- All unaggregated event data related to visitor activities on Bound-enabled websites, including impressions, clicks, action and goal tracking
- All unaggregated visitor data collected from or correlated to a visitor, including geolocation data, technical browser/device details, time of day, ip address, referrer, and unique identifiers
Data Responsibility Model
In general, Bound is responsible for ensuring the security, integrity, and durability of all data in the scope of this policy. However, customers, employees and visitors participate in the ecosystem of data sharing and storage, and may also accept some level of responsibility for the data they control or access. Responsibility should break down as follows:
Bound
Bound, as an organization, will adhere to the core principles of this policy, as outlined in the "overview" section. This includes creation of policy, implementation of controls, auditing of adherence, and education of employees, in service of protecting data integrity, privacy, and durability.
Employees
Bound Employees will respect all policies and controls defined by the Bound Organization. Employees will be diligent in adhering to these policies, and protecting all Bound data in their care. Employees will protect the physical and digital security of Bound data in their care, and will not disregard or circumvent controls intended to protect Bound data.
Customers
Bound customers will assume responsibility for any Bound data that is in their care (including but not limited to physical documents, emails, and digital files). Customers will apply the same level of data integrity, privacy, and durability as is required of the Bound organization. Customers will not transmit or receive data from Bound in insecure or irresponsible ways. Customers will accept responsibility for all data imported to or exported from the Bound platform on their behalf, and understand that Bound will store and access this data in ways compatible with this policy (including but not limited to visitor attribute data, custom data sets, all 3rd party data, and data exported to Google Analytics).
Visitors
Visitors to Bound-enabled websites accept that their behavioral data, firmographic and demographic data may be subject to storage and access by Bound. While Bound makes every effort to anonymize visitor data in its care, visitors accept responsibility for all personally identifiable data they explicitly and knowingly provide via Bound-enabled websites. For visitors protected by regional data privacy laws, Bound will make every effort to proactively anonymize their data, and to produce or destroy any personally-identifiable data on request.
Access Management
Wherever data can be accessed by a Bound client, employee, or Bound-enabled website visitor, controls will be in place to ensure the correct level and type of access. The controls will conform to the following principles:
- Access to non-public Bound data should be controlled through usernames and passwords, or other authentication mechanisms appropriate to the purpose
- Any person or application accessing Bound data should be granted the least possible privileges needed to achieve their purpose
- Administrative access to Bound data should be highly restricted, and granted to a minimal number of users, accounts, groups or applications
- User management should be restricted such that users cannot circumvent appropriate access limits by adjusting their own access level, or that of other users or groups
- All access to customer data, internal data, and visitor data will be logged and monitored for unauthorized or inappropriate access
User Accounts & Access Controls
Wherever user accounts and passwords are required, the following principles should apply to their design and use:
- Passwords should meet minimum strength requirements
- Passwords should expire, and be changed regularly
- Passwords should not be immediately reused
- Account details or passwords should never be shared in any way between users
- Accounts should be specific to a user, and should never be shared between users
- An option should be available to securely reset passwords
- Systems should protect against brute force login attempts
- Systems should not verify elements of given credentials to a user without first verifying that the credentials are valid (i.e. the system should not divulge that a username is correct, unless the given password is also correct)
Storage of Data
Data should be stored in ways that provide a maximum level of security, integrity and durability. To those ends, the following principles should be followed by all Bound employees when storing data on various devices:
Laptops
- Bound employees should use company-issued laptops at all times
- Laptop storage volumes should be encrypted
- Customer data, employee data, 3rd party data, or visitor data should never be stored on laptops, except in transitory ways necessary for the functioning of the employee's role
- Laptops should be protected by strong passwords at minimum, and by biometric login, where possible
- Laptops should be equipped with tracking software that enables their recovery in the case of loss or theft
- Laptops should never be left unlocked or unattended in public places
Phones / Tablets
- Employees may use their personal phone or tablet for Bound-related work
- Devices must be protected by passcodes at a minimum, and by biometric login when available
- Customer data, employee data, 3rd party data, or visitor data should never be stored on phones or tablets, except in transitory ways necessary for the functioning of the employee's role
- Customer data or employee data may be accessed temporarily via phone or tablet, if necessary for the functioning of the employee's role
- Device storage should be encrypted
- Phones and tablets should never be left unlocked or unattended in public places
External Drives
- Customer data, employee data, 3rd party data, or visitor data should never be stored on external disks (thumb drives, external disks, CDRs, etc), unless absolutely necessary
- If it is absolutely necessary to store data on an external disk, the data should be securely destroyed at the earliest opportunity
- External disks should never be mailed, couriered, or otherwise transported without direct supervision by the Bound employee
- It is permissible to store data in external drives when this is facilitated by an accredited and bonded 3rd party that specializes in secure data transfer
- External drives should be encrypted, and protected by a passcode where possible
Shared Drives
- It is acceptable to store employee data and internal data on a shared network drive
- Physical and electronic access to shared drives should be properly limited
- Access to information stored on shared drives should be strictly limited by user or group
- Shared drives should be encrypted
Cloud Storage
- It is acceptable to store customer data, internal data, 3rd party data, and visitor data in cloud-based storage
- Access to cloud storage drives should require strong and secure authentication
- Access to information stored on cloud storage drives should be strictly limited by user or group
- Cloud storage drives should be encrypted
Data Retention
Bound will retain data in a manner appropriate to the type of data, and the purpose for which it is intended.
Customer data
- Platform usage & reporting data should be retained (for auditing purposes) for two years from the date of the event
- Account data (usernames, passwords, API keys etc.) should be destroyed or anonymized within 90 days of the termination of the Bound/client relationship
- Personal and financial data should be retained as long as the Bound/client relationship exists, and the data suits an ongoing business purpose
- Content and campaign configuration data should be destroyed within 90 days of the end of the Bound/client relationship
- Aggregated reporting data (i.e. data that cannot be associated with an individual visitor) should be destroyed or anonymized within 90 days of the termination of the Bound/client relationship
- Correspondence between Bound and the client may be retained indefinitely, including any information that the client has opted to include in such correspondence
Visitor data
- Raw visitor data should be retained for two years from the date of the event
- Aggregated visitor data (i.e. data that cannot be associated with an individual visitor) should be retained for two years, but may be retained indefinitely
- For visitors protected by regional privacy laws, data should be pseudonymized before it is stored in any way, thereby avoiding the appearance of PII in raw visitor data
- In cases where visitors are protected by regional privacy laws, but give explicit consent to the storage of their non-anonymized data, such data should be retained for two years from the date of the event
- In cases where visitors are protected by regional privacy laws, and have consented to data tracking/storage, but later request destruction of that data, Bound will endeavor to destroy or irrevocably anonymize such data within 90 days of the request
3rd Party Data
- 3rd party data retention policy will be governed by explicit agreements with the relevant data provider
- In the absence of an explicit retention agreement between Bound and the data provider, 3rd party data may be retained for up to two years from the date the data came into Bound's care
- Aggregated 3rd party data (for example, rolled up data used for analytical, operational, or marketing purposes) may be retained indefinitely
Employee Data
- Employee data may be retained indefinitely for legal and operational purposes
Internal Data
- Internal data may be retained indefinitely for legal and operational purposes
Public Data
- Internal data may be retained indefinitely for legal and operational purpose
Development Data
During the course of platform development, it may be necessary for engineers to use production-like data in a development or test environment.
It is permissible to use a subset of production data for these purposes. This data is limited to the following:
- Client-provided content (e.x. html, js, css, images, etc.)
- Client campaign configurations, goal/action configurations, tracking pixel definitions, visitor attribute definitions, report configurations
- Generic platform configuration data (e.x. role and permission definitions, condition types/definitions, content template definitions)
- Irrevocably anonymized user data (i.e. names, email addresses, and passwords anonymized, but basic entities, IDs and relationships intact)
It is never permissible to use the following types of production data for development purposes, even if the data are hashed or encrypted:
- Usernames
- Email addresses
- Passwords, or password reminders
It is not advisable to use 3rd party API keys intended for production purposes. However, if the customer does not provide a sandbox-level key, the production key may be used for the purposes of troubleshooting a specific API issue. However, production API keys should never be wholesale copied from production, and should never exist on development environments except for the limited troubleshooting purpose described previously.
Access to development environments should be strictly limited to known Bound resources (i.e. limited by IP address, network, etc.). Bound development environments should never be publicly accessible.
Transmission of Data
At all times, Bound employees should endeavor to transmit data in the most secure and appropriate way. All electronic transmission of data should be encrypted, and (where appropriate) protected by a username and/or passphrase.
Customer data, employee data, 3rd party data, or any other sensitive data should never be transmitted over public or insecure channels.
Bound employees, customers, and vendors should avoid the use of public networks. If it is necessary to use a public network to transmit any Bound data, the person transmitting the data should use a secure VPN tunnel.
Sensitive data (including but not limited to: passwords, API keys, financial data, and cryptographic keys) should be shared with the bare minimum of persons. Such data should never be delivered in a group chat, a group email, or
Where sensitive data is being delivered or discussed verbally, Bound employees, customers, and vendors should take reasonable steps to ensure that such conversations cannot be overheard by any person who does not require access to said information.
Data Backup & Disaster Recovery
Bound will ensure the security and redundancy of all customer data, internal data, visitor data, and 3rd party data. Bound will implement a disaster recovery plan to ensure business continuity in the case of service outages, hardware malfunctions, or other unpredictable events that may impact data storage and availability.
Data Backup
- Bound will create backups of all customer data, internal data, visitor data, and 3rd party data
- Backups will be stored in physically separate locations from their main repositories
- Backups will be encrypted, and encryption key access will be strictly limited to the roles necessary to restore such data in a disaster scenario
- Access to backups will be strictly limited to the roles necessary to restore such data in a disaster scenario
- Backup retention periods vary by data type, and are outlined in the "Data Retention" section of this document
- Backups will be made automatically, and on a schedule that minimizes data loss in the event of an outage
- Backups will respect data privacy laws in their scope, implementation, and physical location
- Backup mechanisms will be verified on a quarterly basis to ensure that data is being properly copied and retained
- When data is stored on a 3rd party platform, Bound will ensure that the platform adheres to these backup requirements
Disaster Recovery
- Bound will create a disaster recovery plan that details the procedures required to restore data in case of an event that impacts the original data repository
- The disaster recovery plan will include recovery of customer data, internal data, visitor data, and 3rd party data
- The disaster recovery plan will include business continuity contingencies, with the goal of minimizing service downtime
- The disaster recovery plan will include contingencies for the continued collection of data, with the aim of minimizing data loss in the event of an outage
- The disaster recovery plan will be audited and practiced on a quarterly basis, in order to ensure its comprehensiveness and effectiveness
Hardware Management
Bound will ensure the physical security of all Bound-owned hardware, including but not limited to: laptops, desktops, servers, phones, printers, routers and switches. Bound will ensure that such hardware supports the implementation of policies outlined here. Bound will ensure that hardware is securely wiped of all Bound data before being sold, recycled, or otherwise disposed of.
- Bound will keep a detailed inventory of all Bound-owned laptops, desktops, and servers, and will ensure that all such hardware is accounted for on a quarterly basis
- Employees may use their personal phone or tablet for Bound-related work, but use of such devices must strictly conform to this policy, and employees accept their duties as part of Bound's shared responsibility model
- Bound will implement controls that allow the remote destruction of Bound data on any Bound-owned hardware that is likely to be lost or stolen (i.e. phones, tablets, and laptops)
- Bound will implement reasonable measures to track hardware in the case that it is lost or stolen
- Bound will ensure the physical security of desktops, printers, servers and other IT infrastructure which may store or transmit Bound data
Audits
Bound will conduct quarterly audits to review the appropriateness and effectiveness of this policy. Bound will review the policy itself, and assess the effectiveness of current controls in enforcing the policy's provisions.