SOC 2 Compliance
Paperflite regularly audits its platform against the Trust Services Criteria prescribed by the American Institute of Certified Public Accountants (AICPA) and has obtained a System and Organization Controls 2 (SOC 2) Type 2 report. This third-party assurance audit is performed annually to obtain an independent opinion on both the design and the operating effectiveness of the implemented controls over the audit period (a Type 2 report covers operation over time, not just design at a point in time).
Formal policies and procedures have also been established to safeguard customer data and adhere to the security standards prescribed by AICPA. These policies cover:
- Code of Business Conduct
- Change Management
- Data Retention
- Data Backup
- Information security
- Vendor management
- Risk management
- Password management
- Media disposal
- Incident management
- Endpoint security
- Disaster recovery
- Data classification
- Business continuity
- Access control
- Acceptable usage
- Vulnerability management
At Paperflite, we take a multifaceted approach to application security, ensuring that everything from engineering to deployment, including architecture and quality assurance processes, complies with the security standards described above.
Beyond our commitment to protecting customers' data, we look holistically at every other vital aspect of security, including application-level, network, and operational security. Periodic internal audits of all policies, vulnerability assessments, third-party penetration tests, Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and vendor risk assessments are carried out.
To access the SOC2 audit report, please reach out to us at firstname.lastname@example.org, and we’d be happy to share the report with you.
Paperflite and GDPR
The General Data Protection Regulation (GDPR) was formally adopted by the European Parliament in April 2016 and became applicable on 25 May 2018. It mandates higher standards for how organizations, including marketers, may use personal data, and requires companies to set up more rigorous systems for governing that use.
GDPR is the most comprehensive EU data privacy law to date. Besides strengthening and standardizing data privacy across EU member states, it imposes new or additional obligations on all organizations that handle the personal data of individuals in the EU, regardless of where the organizations themselves are located.
At Paperflite, we maintain the highest standards for customer and user data privacy, and we adhere to all local and regional regulations with full compliance. GDPR introduced new requirements and restrictions and we have taken appropriate actions to ensure that we continue to handle all customer data in compliance with applicable laws related to GDPR.
Paperflite’s Commitment to Data Protection
At Paperflite, the success of our customers is of the utmost priority. Paperflite relentlessly focuses on data protection as a key pillar of our values.
Paperflite's back-end is hosted on Amazon Web Services (AWS) and MongoDB's cloud database service, the leading cloud infrastructure platform and the leading database provider in the industry. AWS and MongoDB hold an extensive set of industry-standard certifications with regular auditing to ensure compliance, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- FIPS 140-2
- ISO 27001/9001 certified
- ISO 27017/27018 certified
- Cloud Computing Compliance Controls Catalog (C5, a German government-backed attestation scheme)
- AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT-Grundschutz compliance in the cloud
All Paperflite customers benefit from:
- Data encryption in transit – Data is encrypted using TLS in transit
- Data encryption at rest – Data is encrypted on servers using AES-256
- Strong authentication controls – Enforced complexity requirements, two-factor authentication, IP address restrictions, and forced resets, as well as optional single sign-on support
- Role-based access controls – End-User viewing, access & uploading permissions
- Administrative auditing – Manage users, groups, and access permissions, and audit user activity
To ensure that all GDPR compliance requirements have been satisfied, we periodically conduct a comprehensive analysis of all Paperflite data practices as they relate to EU customers, including data collection, data processing, and data storage within the Paperflite platform. Through our compliance work, we have created new processes and procedures to meet GDPR requirements. Specifically, these include:
Information use that is fully transparent
GDPR requires organizations to provide individuals with information about the way their personal data is used.
More visibility into processing
Under GDPR, every individual must be able to obtain a copy of their personal data and to know where and how it is being processed.
The right to be forgotten
Under GDPR, individuals have the right to ask the organizations that process their personal data to delete it. Paperflite's Data Processing Agreement outlines the processes and procedures needed to fulfill such requests when they are received.
Retention of your personal information
We keep your Personal Information for as long as we have your consent to keep it, and for no longer than is reasonable given the purpose for which it was collected, unless it is retained for a legitimate business purpose that does not pose a risk to your privacy rights, is otherwise required by law, or is authorized or necessary under an applicable agreement with you. At any time, if you no longer want us to keep any of your Personal Information, you may contact us and request that we erase it, give you access to it, correct it, or restrict or object to its further processing and sharing. If you make such a request, we will comply unless we have a specific contractual, regulatory, or legal reason to retain the Personal Information or to refuse the request. For customers, whenever practicable, we provide the ability to administer and erase your own Personal Information within our services.
Frequently Asked Questions (FAQs):
What is GDPR?
The General Data Protection Regulation (GDPR) is a European privacy law designed to protect and secure the personal data of individuals in the EU, and it grants those individuals specific rights over their data, such as the right to access and erase it.
What information does GDPR apply to?
GDPR applies to "personal data," meaning any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
Does GDPR only apply to EU organizations?
GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour within the EU.
What type of data are you collecting?
Paperflite is considered a Data Processor under GDPR. Our customers are able to use our platform to add any fields from their Customer Relationship Management (CRM) software or Marketing Automation Platform (MAP), including fields that contain personal data. For our customers, this typically includes personal data such as names, email addresses, phone numbers, and company names. Depending on which features the customer enables in their Hub, we may also collect additional personal data about visitors, including analytics, third-party tracking data, and visitor profiles.
How do you transfer the data?
Paperflite transfers data to the customer's CRM or Marketing Automation Platform through those systems' APIs; this integration is set up by the customer. Data is encrypted in transit using TLS. Paperflite's analytics data is kept under Paperflite's control and is sent to our sub-processors over TLS.
How will GDPR impact my organization?
If your business collects, stores, or uses personal information about individuals in the EU, whether as a prospect, customer, or employee of your organization, then GDPR applies to you.
How is Paperflite GDPR compliant?
Our teams have conducted a thorough analysis of how data is consumed, processed, and stored within Paperflite’s platform and have created processes to execute GDPR requests. Paperflite’s Data Processing Agreement outlines the processes and procedures needed to fulfill GDPR requests if/when they are received.
Are employees of Paperflite GDPR certified?
Yes. Our sales and marketing teams have completed comprehensive GDPR training and certification.
What role does the Paperflite platform play in GDPR?
The Paperflite platform processes personal data on behalf of a data controller: the Paperflite customer, who collects data directly from the data subject and determines how and for what purpose that personal data is processed. The Paperflite platform therefore acts as a data processor that allows data controllers (Paperflite customers) to interact with data subjects' data. Paperflite has created processes and procedures to execute data subject requests received from a data controller.
How does MongoDB help me comply with GDPR?
MongoDB's cloud database service is security-hardened by default. Each MongoDB project is provisioned into its own VPC, isolating your data and underlying systems from other MongoDB customers. Network encryption, storage volume encryption, and access control are enabled by default, and IP access lists (whitelists) restrict connections to the specific IP address ranges you specify. Security updates to the operating system and database of the underlying instances are applied automatically by MongoDB engineers. For deployments running in AWS, VPC Peering can be used to connect application servers deployed in another AWS VPC directly to your MongoDB cluster over private IP addresses, so database traffic never traverses the public internet.
MongoDB also pursues external testing and certifications regarding Security. Visit the MongoDB SOC 2 overview for more information.
Paperflite’s MongoDB infrastructure runs on top of AWS which undergoes its own series of independent third-party audits as mentioned earlier.
How does Paperflite collect and use the information?
How does Paperflite share information?
We may employ other companies and individuals to perform functions on our behalf. Examples include providing technical assistance, customer service, and marketing assistance. These companies have access only to the minimum Personal Information about you necessary to perform their functions, and only to the extent permitted by law.
We share aggregate information that does not identify you with our affiliates, agents, and business partners, and we disclose aggregated user statistics in order to describe our products and services to current and prospective business partners and to other third parties for other lawful purposes. In order to provide our services and administer our rewards and promotional programs, we share your Personal Information with our third-party promotional and marketing partners, including businesses participating in our various programs. We may also share your information with any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us.
As we develop our business structure, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, the Personal Information of customers may be part of the transferred information. To the extent permitted or required by law, we may also disclose information when required by law, court order, national security, law enforcement authority, or regulatory authority, or whenever we believe that disclosing such information is necessary or advisable to protect the rights, property, or safety of us or others.
Your information will be processed in the United States, where we are based; it is necessary for personal data to be processed in the United States in order to provide our services and publish this Website. The United States has not received an adequacy decision from the European Union with regard to privacy protection; at the time this policy was written, adherence to the EU-U.S. Privacy Shield program was considered adequate by agreement with the EU. Note that the Court of Justice of the European Union invalidated the Privacy Shield framework in July 2020 (the Schrems II judgment), so transfers that relied on it require another transfer mechanism, such as Standard Contractual Clauses. We remain responsible for our sharing of Personal Information with third parties in cases of onward transfer.
You have a right to access your Personal Information. In compliance with the Privacy Shield Principles, Paperflite, Inc. commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Paperflite, Inc. at email@example.com
You may also send a letter to the Paperflite subsidiary/communication branch: Paperflite Inc. First Cross Street, OMR, Nehru Nagar, Perungudi, Kottivakkam, Chennai, Tamil Nadu 600096
Paperflite, Inc. has committed to cooperating with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.
Paperflite, Inc. has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, you can escalate it to our Compliance Officer, Dinesh Ravindran (firstname.lastname@example.org).
What about updates to this policy?
This policy may be changed at any time at our discretion. If we update this policy, we will post the updates to this page on our Website and update the Effective Date at the top. Your use of this Website after any update indicates your agreement to the updated policy.
If you have additional questions, please email email@example.com