Constant Contact

United States

The backup policy at Lead Gen & CRM requires full backups of customer data daily, with incremental backups being performed each hour. Lead Gen & CRM's data retention period for backups of customer data is seven days. Lead Gen & CRM replicates these backups to an off-site location in compliance with its own disaster recovery policy. Lead Gen & CRM cares about its customers' data, and has placed high availability (HA) mechanisms in place to reduce the need for recovery. Lead Gen & CRM makes a best effort attempt to retain customer data. However, Lead Gen & CRM does not provide any direct guarantee against loss of customer data. Lead Gen & CRM's backup procedures follow the basic rules of the CIA triad: confidentiality, integrity and availability. They are verified for integrity, are encrypted, are securely transferred, and are stored both at on-site and off-site locations. These backups are then verified through reanimation testing. Lead Gen & CRM utilizes open source technologies, such as Zabbix and OpenVAS, to monitor the availability of its services, obtain web application performance metrics, and perform regular vulnerability scans against its critical infrastructure. Lead Gen & CRM also reinforces these processes by regularly performing penetration tests against its own architecture. Lead Gen & CRM's monitoring and associated alerting processes are regularly tested to ensure that Lead Gen & CRM Network Operations Center (NOC) staff is notified immediately upon the occurrence of any operations anomaly or service interruption.

Customer Data When the relationship between SharpSpring and a Customer ends, data belonging to the Customer becomes subject to a retention period, after which the Customer’s data is deleted, or otherwise anonymized, such that it no longer contains any proprietary Customer information. Deletion of Data by a Customer When a Customer deletes data in their SharpSpring account, in most cases, the data is deleted immediately. This behavior is referred to as a “hard” delete, which is in contrast to a “soft” delete, in which the data continues to exist but is simply marked as unavailable. When a Customer deletes a contact in their SharpSpring account, this is performed as a hard delete, and the data is removed immediately Document Disposal Routine Disposal Schedule Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows: Announcements and notices of day-to-day meetings and other events including acceptances and apologies; Requests for ordinary information such as travel directions; Reservations for internal meetings without charges / external costs; Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value; Message slips; Superseded address list, distribution lists etc.; Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files; Stock in-house publications which are obsolete or superseded; and Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations. In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation. Destruction Levels & Method Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction. Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion. Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail. Managing Records Kept on the Basis of this Document Record name Storage location Person responsible for storage Controls for record protection Retention time

We retain your personal information to provide Services to you and as otherwise necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We will retain your personal information for no more than seven years following the later of (i) the date on which you terminate your use of the Services or (ii) May 25, 2018, unless we are otherwise required by law or regulation to retain your personal information for longer.

United States

Cloud Hosted

GCP & AWS

yes

no

Requests come in via support. User PII ownership is validated. Ticket is opened internally for tracking. Required teams are then assigned for removal of data.

no

2019-12-01

yes

no

yes

crm-partnersupport@constantcontact.com

yes

no

no

no

no