We take security seriously at SalesLoft. In order to help you accelerate sales, SalesLoft has access to your most valuable information. We’d like to explain how we store, process and secure that information. We rely on some of the best providers to ensure that we keep your information private, available and unaltered.
Even if our offices go dark, you’re still up and running. SalesLoft’s products run on world class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. Amazon data centers provide physical security 24/7, state of the art fire suppression, redundant utilities and biometric devices to ensure that our customers data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB, Comcast and Yelp. Amazon maintains security certifications with:
- SOC1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 15
- PCI DSS Level 1
- ISO 9001 / ISO 27001
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
If we see something, we’ll react quickly and remedy the issue. We’re not resting on our laurels. We’re looking for breaches and system interruptions all the time. If we do find something out of place, we’ll spring into action to fix the problem and prevent it the next time. We’ve invested in ensuring we can detect and respond to security events and incidents that impact its infrastructure. Security Operations at SalesLoft is responsible for ensuring that:
- Respond to Infosec and USCERT alerts within four (4) hours
- Incidents are responded to in a timely manner and communicated to relevant parties
- Corrective actions are executed
- Root cause analysis is performed. We follow the 5 Whys technique to explore the underlying problem
- Lessons learned are fed back into the Development, Operations and Executive management team
We’re relentlessly updating our systems to protect your data. Even if a system is breached, we don’t let attackers stick around for long. Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency is maintained using a combination of configuration management, up-to-date images and continuous deployment. Our systems are provisioned and updated using the most popular configuration management tools from PuppetLabs and Opscode Chef. Through continuous deployment, existing systems are decommissioned and replaced by up-to-date images at a regular interval.
Only people who need access, get access. Production system access is limited to key members of the SalesLoft engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
Don’t just take our word that our systems are secure. We don’t. Even though we’ve designed secure systems and procedures, we regularly perform security tests to identify and remediate potential vulnerabilities. We also conduct periodic penetration tests with expert third party vendors to help keep our applications safe and secure. These tests cover network, server, database and in-depth White Box testing for vulnerabilities inside SalesLoft applications.
We’re watching to find misuse or occasional problems. Logging is a critical component to SalesLoft infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in realtime and over secure channels to a centralized logging service. This also allows our technical support and development teams to view logs without gaining access to the production systems. We collect everything from application logs to AWS CloudTrail logs which form a complete audit trail of user and employee activity.
Application Level Security
We prevent single points of failure. Even if one system goes down or is breached, the rest of our services stay up and secure. We physically separate the database instances from application servers and heartily believe in the mantra of single function servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well known Certificate Authorities (CAs). All email and CRM credential related data is encrypted while in transit as well as at rest using military grade encryption to ensure the security of user IDs and passwords. SalesLoft application passwords are hashed and even our own staff can’t retrieve them, if lost the password must be reset.
Data Protection, Continuity and Retention
We backup and test our systems, just in case. Production data is mirrored to remote systems and automatically backed up daily to an offsite location. Every change to a database is stored in the ‘writeaheadlog’ and immediately shipped offsite. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact, the minimum backup retention for all systems is seven (7) days and goes up to ninety (90) days. Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region.
Internal IT Security
We protect our own systems to protect your data. SalesLoft offices are protected behind network firewalls from well known security vendors and secured by keycard access. Our employee workstations and laptops are imaged and managed using Puppet. Collaborative tools like email, document shares and calendars require twofactor authentication to mitigate phishing attacks. Critical infrastructure passwords are locked in a virtual vault using AES256 encryption and can only be accessed by a handful of individuals in the organization.
Service Organization Controls (SOC) 2
We protect our own systems to protect your data. In addition to the security measures taken around our platform infrastructure, SalesLoft has taken important steps to ensure the integrity of our internal operation is also addressed. SalesLoft has completed the examination for Service Organization Controls (SOC) 2 with a third party independent audit firm, Schellman & Company LLC, and obtained the SOC 2 Type 1 Report for its sales engagement and lead generation services. Completion of this is a very important step for not only SalesLoft as a company, but also for our customers. This attests to our commitment as a service provider to our users that we have implemented formal documented procedures and controls across our organization.
If we have to part ways, we’ll make sure your data isn’t at risk. To cancel and delete your account, please contact your account manager or our Customer Success team. Canceling your account will disable all access to SalesLoft Platform and affects all data associated with your account. Before you cancel your account, you must make sure you export or print any information you might need from SalesLoft Platform, for example leads and contacts are exportable via CSV. Activity specific data in Cadence, such as call logs, sentiments, activity, etc, are synchronized to Salesforce (SFDC) automatically. We retain your account data in our systems for a minimum period of 30 days in the event you request to reactivate your account. We cannot guarantee accounts closed longer than 30 days can be reopened. After your account has been closed for 30 days, all the data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and will disable your access to any other services that require a SalesLoft Platform account. We will respond to any such request, and any appropriate request to access, correct, update or delete your personal information within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).