We take security seriously at SalesLoft. In order to help you accelerate sales, SalesLoft requires access to certain pieces of information. We’d like to explain how we store, process and secure that information. We rely on some of the best providers to ensure that we keep your information private, available and unaltered.
SalesLoft has obtained ISO 27001 certification for the information security management system supporting the SalesLoft Platform. ISO 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties. The details of our ISMS certification are publicly available here.
SOC 2 Type 2
SalesLoft has taken important steps to ensure the security of our platform and its supporting infrastructure. SalesLoft undergoes a SOC 2 Type 2 examination on an annual basis with a third party audit firm, Schellman & Company LLC. The SOC 2 Type 2 report provides an attestation from an independent assessor that our controls are designed, implemented and operating effectively to align with the trust services principles and criteria defined by the AICPA. The report is fairly hefty, but it is FULL of great information about our platform and the security controls we employ.
The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018, and we’ve already made great strides to become compliant. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. SalesLoft has already obtained a SOC 2 Type 2 report, are currently in compliance with the EU/US Privacy Shield framework, and have undergone an ISO 27001 Stage 1 review. Our privacy team is well ahead of this deadline to meet and exceed these new requirements.
Even if our offices go dark, you’re still up and running. SalesLoft’s products run on world class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. Amazon data centers provide physical security 24/7, state of the art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB, Comcast and Yelp. Amazon maintains security certifications with:
- SOC 1 / ISAE 3402
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 15
- PCI DSS Level 1
- ISO 9001 / ISO 27001
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
If we see something, we’ll react quickly and remedy the issue. We’re not resting on our laurels. We’re always looking for potential system interruptions. If we do find something out of place, we’ll address the issue in a manner that it won’t be an issue in the future. We’ve invested in ensuring we can detect and respond to security events and incidents that impact its infrastructure. Security Operations at SalesLoft is responsible for ensuring that:
- Respond to Infosec and USCERT alerts within four (4) hours
- Incidents are responded to in a timely manner and communicated to relevant parties
- Corrective actions are executed
- Root cause analysis is performed. We follow the 5 Whys technique to explore the underlying problem
- Lessons learned are fed back into the Development, Operations and Executive management team
We’re relentlessly updating our systems to protect your data. Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency are maintained using a combination of configuration management, up-to-date images and continuous deployment. Our systems are provisioned and updated using the most popular configuration management tools from PuppetLabs and Opscode Chef. Through continuous deployment, existing systems are decommissioned and replaced by up-to-date images at a regular interval.
Only people who need access, get access. Production system access is limited to key members of the SalesLoft engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
Don’t just take our word that our systems are secure. We don’t. Even though we’ve designed secure systems and procedures, we regularly perform security tests to identify and remediate potential vulnerabilities. We also conduct periodic penetration tests with expert third-party vendors to help keep our applications safe and secure. These tests cover network, server, database and in-depth White Box testing for vulnerabilities inside SalesLoft applications.
We’re watching to find misuse or occasional problems. Logging is a critical component to SalesLoft infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in realtime and over secure channels to a centralized logging service. This also allows our technical support and development teams to view logs without gaining access to the production systems. We collect everything from application logs to AWS CloudTrail logs which form a complete audit trail of user and employee activity.
Application Level Security
We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. We physically separate the database instances from application servers and heartily believe in the mantra of single function servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well known Certificate Authorities (CAs). All email and CRM credential related data is encrypted while in transit as well as at rest using military grade encryption to ensure the security of user IDs and passwords. SalesLoft application passwords are hashed and even our own staff can’t retrieve them. If lost the password must be reset.
Data Protection, Continuity and Retention
We backup and test our systems, just in case. Production data is mirrored to remote systems and automatically backed up daily to an offsite location. Every change to a database is stored in the ‘writeaheadlog’ and immediately shipped offsite. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact, the minimum backup retention for all systems is seven (7) days and goes up to ninety (90) days. Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region.
Internal IT Security
We protect our own systems to protect your data. SalesLoft offices are protected behind network firewalls from well known security vendors and secured by keycard access. Our employee workstations and laptops are imaged and managed using Puppet. Collaborative tools like email, document shares and calendars require twofactor authentication to mitigate phishing attacks. Critical infrastructure passwords are locked in a virtual vault using AES256 encryption and can only be accessed by a handful of individuals in the organization.
If we have to part ways, we’ll make sure your data isn’t at risk. To cancel and delete your account, please contact your account manager or our Customer Success team. Canceling your account will disable all access to SalesLoft Platform and affects all data associated with your account. Before you cancel your account, you must make sure you export or print any information you might need from SalesLoft Platform, for example leads and contacts are exportable via CSV. Activity specific data in Cadence, such as call logs, sentiments, activity, etc, are synchronized to Salesforce (SFDC) automatically. We retain your account data in our systems for a minimum period of 30 days in the event you request to reactivate your account. We cannot guarantee accounts closed longer than 30 days can be reopened. After your account has been closed for 30 days, all the data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and will disable your access to any other services that require a SalesLoft Platform account. We will respond to any such request, and any appropriate request to access, correct, update or delete your personal information within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).