We take security seriously at SalesLoft. We understand that in gaining your business, we are forming a trust, and intend to maintain that trust.
To keep your company’s information private, available and unaltered, we rely on some of the best providers and technology possible. So, to make everything a bit more clear, we’d like to explain how we store, process and secure that information.
In this article, we will go over SalesLoft’s security and compliance measures, including:
- ISO 27001
- SOC 2 Type 2
- GDPR Readiness
- CCPA Compliance
- Data Centers
- Network Security
- Security Operations
- System Security
- Restricted Access
- Penetration Testing
- Application Level Security
- Data Protection, Continuity, and Retention
- Internal IT Security
- About Cancellation
SalesLoft has obtained ISO 27001 certification for the information security management system supporting the SalesLoft Platform.
ISO 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS).
The standard sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and gives confidence to interested parties. The details of our ISMS certification are publicly available here.
To ensure the security of our platform and its supporting infrastructure, SalesLoft undergoes a SOC 2 Type 2 examination on an annual basis with a third party audit firm, Schellman & Company LLC.
The SOC 2 Type 2 report provides an attestation from an independent assessor that our controls are designed, implemented, and operating effectively to align with the trust services principles and criteria defined by the AICPA. The report is fairly hefty, but it is FULL of great information about our platform and the security controls we employ.
The General Data Protection Regulation (GDPR), the new European Union privacy regulation, took effect on May 25, 2018, and SalesLoft is committed to ensuring ongoing compliance with the regulation.
The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. SalesLoft has undergone a third party assessment to determine our readiness for these regulations.
We have undergone a readiness assessment by an independent third party, as well as obtained the EU/US Privacy Shield certification. A report from this assessment is available under NDA.
We have released new features to help our customers comply with the regulation. Speak to a rep to find out more.
The California Consumer Privacy Act (CCPA), goes into effect on January 1, 2020. SalesLoft is committed to ensuring ongoing compliance with the regulation.
The CCPA extends to all residents of the State of California. This regulation establishes requirements for organizations that fall in its scope. SalesLoft has leveraged many of its current GDPR controls and processes, and in addition, implemented new controls to ensure its compliance of the CCPA regulation.
SalesLoft’s products run on world class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology.
Amazon data centers provide physical security 24/7, state of the art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards.
Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB, Comcast and Yelp. Amazon maintains security certifications with:
- SOC 1 / ISAE 3402
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 15
- PCI DSS Level 1
- ISO 9001 / ISO 27001
We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS.
Our internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function.
By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
We’ve invested in ensuring we can detect and respond to security events and incidents that impact its infrastructure. The Security Operations team at SalesLoft is responsible for ensuring that:
- Respond to Infosec and USCERT alerts within four (4) hours
- Incidents are responded to in a timely manner and communicated to relevant parties
- Corrective actions are executed
- Root cause analysis is performed. We follow the 5 Whys technique to explore the underlying problem
- Lessons learned are fed back into the Development, Operations, and Executive management team
Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency are maintained using a combination of configuration management, up-to-date images and continuous deployment.
Our systems are provisioned and updated using configuration management tools like Docker and Kubernetes. Through continuous deployment, existing systems are regularly updated with the latest images.
Production system access is limited to key members of the SalesLoft engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
In other words, only people who need access, get access.
We regularly perform security tests to identify and remediate potential vulnerabilities.
We also conduct periodic penetration tests with expert third-party vendors to help keep our applications safe and secure. These tests cover network, server, database and in-depth White Box testing for vulnerabilities inside SalesLoft applications.
Logging is a critical component to SalesLoft infrastructure. Logging is used extensively for application troubleshooting and investigating issues.
Logs are streamed in realtime and over secure channels to a centralized logging service.
This also allows our technical support and development teams to view logs without gaining access to the production systems. We collect everything from application logs to AWS CloudTrail logs which form a complete audit trail of user and employee activity.
We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure.
We physically separate the database instances from application servers and heartily believe in the mantra of single function servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well known Certificate Authorities (CAs).
All email and CRM credential-related data is encrypted while in transit, as well as at rest, using military grade encryption to ensure the security of user IDs and passwords. SalesLoft application passwords are hashed, and even our own staff can’t retrieve them. If lost the password must be reset.
Production data is mirrored to remote systems and automatically backed up to an offsite location each day. Every change to a database is stored in the ‘writeaheadlog’ and immediately shipped offsite.
We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact, the minimum backup retention for all systems is seven (7) days and goes up to ninety (90) days.
Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region.
We protect our own systems to protect your data.
SalesLoft offices are protected behind network firewalls from well known security vendors and secured by keycard access. Our employee workstations and laptops are imaged and managed using JamfPro.
Collaborative tools like email, document shares, and calendars require two-factor authentication to mitigate phishing attacks. Critical infrastructure passwords are locked in a virtual vault using AES256 encryption and can only be accessed by a handful of individuals in the organization.
If we have to part ways, we’ll make sure your data isn’t at risk.
To cancel and delete your account, please contact your account manager or our Customer Success team. Canceling your account will disable all access to SalesLoft Platform and affects all data associated with your account.
Before you cancel your account, you must make sure you export or print any information you might need from SalesLoft Platform, for example leads and contacts are exportable via CSV. Activity specific data in Cadence, such as call logs, sentiments, activity, etc, are synchronized to Salesforce (SFDC) automatically.
We will respond to any appropriate request to access, correct, update, or delete personal information belonging to your customers and prospects within the time period specified by law (if applicable). Any requests to delete this personal data will be done promptly unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data).