Are laptops and external storage devices protected by full disk encryption?
Yes, we use FileVault 2 on all laptops and logically prohibit all external storage devices.
What is SalesLoft’s backup and retention policy, including practices and timelines?
Production data is mirrored to remote systems and automatically backed up daily to an offsite location. Every change to a database is stored in the ‘writeaheadlog’ and immediately shipped offsite. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact, the minimum backup retention for all systems is seven (7) days and goes up to ninety (90) days. Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region.
Does SalesLoft have EU/US Privacy Shield?
Yes. EU-US Privacy Shield Compliant.
Do penetration tests follow an industry approved methodology?
We used a CREST certified vendor that follows the OWASP model.
Does SalesLoft require your employees to take annual security training?
All employees are required to take security awareness training when they join and annually on their anniversary.
Does SalesLoft have any self-attestations (CSA CAIQ, VSA, SIGLITE, etc)?
Yes, we have CAIQ and SigLite.
Are Controls verified and validated by independent, third party auditors or information security professionals? If so, specify which audits and certifications have been performed.
Yes – SOC2 Type2, ISO27001.
Does the system support deleting data related to a single individual from the system (e.g. “right to be forgotten”)?
Yes. If a prospect asks to be forgotten, SalesLoft has the ability to remove all data specific to that person.
Where are SalesLoft’s data centers located?
AWS Virginia, US; US-East-1 Region
What type of data does SalesLoft collect?
The SalesLoft application stores and processes certain data from your company’s CRM instance, as well as e-mails related to SalesLoft from the user’s inbox. E-mails not pertaining to SalesLoft e-mails are discarded and never ingested by our systems.
Explain SalesLoft’s patch frequency/patch schedule for critical, high, and medium vulnerabilities.
EC2 instances are launched from an Amazon AMI and run a heavily customized version of Debian 9 with a bare minimum of packages required to run Docker. If there is an issue with a node, EC2 instances are replaced with an instance running the same OS and patch levels as the cluster. At a minimum, upgrades and patching occur every quarter.
We also use a third party system to track our code dependencies and alert us if one ever becomes vulnerable. Critical vulnerabilities are prioritized above all other work efforts until resolution. High vulnerabilities discovered are resolved within 14 days or less. Medium vulnerabilities are resolved within 30 days. Low vulnerabilities are resolved as time allows.
How long does SalesLoft retain data?
We retain your account data in our systems for a minimum period of 30 days in the event you request to reactivate your account. We cannot guarantee accounts closed longer than 30 days can be reopened. After your account has been closed for 30 days, all the data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and will disable your access to any other services that require a SalesLoft Platform account.
We will respond to any such request, and any appropriate request to access, correct, update, or delete your personal information within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).
Are all communications of scoped data made over secure channels (https: sftp, ssh, tls)?
Is Scoped Data encrypted in storage in databases?
Yes, using AES 256 (supplied by AWS).
Does sensitive or private data ever reside on endpoint devices? How is this policy enforced?
It does not. We enforce it by limiting access to production to only those that absolutely need it, and train all engineers on acceptable data handling practices. We also log all user activity in production and regularly check for suspicious activity.
Who has access to production?
Only people who need access, get access. Production system access is limited to key members of the SalesLoft engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
How are customers notified of any incidents related to systems or data?
SalesLoft’s Account Managers will communicate any breach affecting a customer’s data as soon as possible once the extent of the breach has been assessed and understood internally.
Have you had any such security incidents or data breaches which have led to notifications in the recent 3 years? Please elaborate and provide details of each such reported incident.
Where does SalesLoft store customer UN & PW credentials associated with integrations
Passwords are never stored in SalesLoft. To integrate with SFDC and Gmail systems, SalesLoft uses Oauth tokens. Tokens are encrypted before they are stored in the database.
Does SalesLoft require access to customer credentials for SalesLoft Mail integrations?
No. SalesLoft mail never accesses your email client. Instead, you update your DNS info during implementation to route SalesLoft-related mail back through a custom domain and forward to your work email.
Does SalesLoft require access to customer credentials to integrate with email (Exchange/Active Sync integrations)?
***Caveat: they WILL need to provide credentials to Nylas, a third party provider. Nylas stores the UN and PW in an encrypted format.***
Does SalesLoft require access to customer UN & PW credentials to integrate with email (SMTP/IMAP integrations)?
Yes. Credentials are encrypted before they are stored in the database.
Does SalesLoft require access to customer CRM credentials?
No. To integrate with Salesforce, SalesLoft uses Oauth tokens. Tokens are encrypted before they are stored in the database.
Policies, processes, and procedures
Does SalesLoft perform Background Checks on employees?
Yes, all SalesLoft employees are subject to criminal, educational, and employment history checks. Credit checks are performed for senior financial positions.
Does SalesLoft permit any third parties to access, store, process, or transmit the data?
We use third party services for several services in the platform that have all been vetted through our vendor security evaluation process. Specifically we use:
- AWS – data center hosting
- Citus – database hosting
- Twilio – dialer infrastructure
- Nylas – email sync engine for Exchange customers only
- Voci – Voice transcription services for SalesLoft Meeting Intelligence (optional module)
- Google Cloud – Hosting services for SalesLoft Meeting Intelligence (optional module)
- Elastic.co – ElasticSearch hosting services for SalesLoft Meeting Intelligence (optional module)
Note: All subprocessors process and store data exclusively in the US, and have all signed DPA model clauses acknowledging regulatory and contractual obligations when supporting SalesLoft.
Do you maintain a vendor management program to evaluate the privacy and security of those third parties? If so, please elaborate on your vendor management practices.
Yes. All vendors must undergo an internal security audit and receive approval from our information security team. Vendors are re-evaluated on an annual basis.
Is there a documented subcontractor management process in place for the selection and oversight of third parties?
Yes, all subcontractors must undergo a security evaluation. Any subcontractors determined to be high-risk undergo annual reviews thereafter.
What Risk Management activities does SalesLoft complete?
Yes, we perform an internal risk assessment once a year, as well as undergo SOC 2 Type 2, and ISO 27001s audit once a year via a third-party auditor. Finally, we have a third-party pentest our application and public facing websites. All new software that has access to company data undergoes an internal vendor security evaluation before implementation.
What coding Practices does SalesLoft utilize?
Our development team follows OWASP secure coding practices.