Spotler CRM ensures data security, confidentiality, and compliance for thousands of customers. This article outlines key aspects of our security measures, legal compliance, and data protection policies.
On this page you will find the following information:
- Cloud Data Security & Data Centres
- The Health Insurance Portability and Accountability Act (HIPAA)
- California Consumer Privacy Act (CCPA)
- Australian Privacy Principles (APP)
Related Article
Learn more about how Spotler CRM ensures GDPR Compliance.
Cloud Data Security & Data Centres
Spotler CRM guards data for thousands of customers, making sure that their data is secure, backed up and confidential. We understand that we have a high duty of care to protect customer data, and our internal policies and procedure reflect this.
In order to maintain our enviable 99.999% availability for our CRM, we use Google Cloud‘s data storage service for our production CRM systems, giving us infinite scalability, fast performance, and high data security. The data centre is based in Belgium and is fully GDPR compliant.
As an additional precaution, we also run real-time failover servers in a second data centre hosted by Amazon Web Services (AWS). Customer data is replicated from our production data centre to our failover servers hosted in their data centres in the EC, Stockholm, and Paris. Should the production datacentre fail, all customers can be switched to the failover data centres.
Our production datacentre uses Google Cloud‘s data storage service and is located in Belgium. The Google platform has advanced security features such as data encryption at rest and automatic failover. We also maintain a failover data centre with Amazon Web Services (AWS) in Stockholm and Paris, should the production servers hosted by Google fail. The replication time lag between the production and failover data centres is less than one second, so no data is lost in this process. This unique system has enabled us to achieve 99.999% uptime for our CRM over the last three years.
All communication between the servers and client (the user’s browser) is encrypted, so that data travelling over the public Internet cannot be intercepted and read. This is done using RC4 256 bit SSL, the same system that is used for Internet banking. Communications between the web servers and the database servers are also encrypted.
We take snapshot backups of the data at 23:00 GMT every day and hold it off-site at our offices, so we can rebuild a customer’s data as at any day in the past should we need to. The backups are stored in a compressed and encrypted format. After three months, the backup data is deleted off all the servers in the data centres and is archived onto portable media and stored in a locked fireproof safe. We also keep another live server with a copy of yesterday’s data, for quick access when customers inadvertently delete data. No SpotlerCRM customer has yet to suffer any data loss.
SpotlerCRM understands that customer data is completely confidential, is of high commercial value to its customers, and that its protection from leakage is paramount. We host data for thousands of users, many of them competitors of each other, and the exposure of their data could cause them severe financial pain and embarrassment.
SpotlerCRM support staff will only log on to a customer’s system after obtaining permission from them, confirmed in an email. Logins are tracked and can be monitored by customers from the Set Up/Users tab. By default, the support staff have access to all customer data once logged in but are subject to the same security system that other users are, and access can be limited (or removed completely) by the customer.
Data sent by the customer for uploading or processing is kept for one month after the upload or its return to the customer, and is then deleted. All staff employment contracts reinforce the confidentiality policy, underlining that a policy breach is grave misconduct and cause for instant dismissal. SpotlerCRM has yet to suffer any breaches of customer confidentiality. The company has been validated by many large companies, including IBM.
We explicitly state that legal ownership of the data resides with the customer. SpotlerCRM is registered and regulated under the UK Data Protection Act (registration number Z951270X).
Under European law, all personal data held on EC citizens must be physically held in the EC. All our servers are based in the EC and data is therefore held in compliance with the European Union Directive on Data Protection and the forthcoming EC GDPR Directive. No customer data ever leaves the EC.
SpotlerCRM is HIPAA compliant, the Health Insurance Portability and Accountability Act designed to protect US citizens’ health insurance and medical electronic data.
It is widely accepted that most data theft originates from within an organisation. The security of SpotlerCRM customers’ data is generally better than data held internally by the customer: backups are automated and tested for the ability to restore; customer data is not held on laptops that could be mislaid or stolen; and application continuity is assured.
By holding the data off-site within our dedicated secure environment, our customers can minimise the risk of internal data theft and know that their data is completely protected.
SpotlerCRM does not formally comply with ISO standards. However, we are working towards self-certification and compliance with the ISO/IEC 27000-series.
The Health Insurance Portability and Accountability Act (HIPAA)
Spotler CRM complies with HIPAA across all plans, ensuring the confidentiality and security of Protected Health Information (PHI). Key compliance measures include:
HIPAA Administrative Safeguards
- All PHI data is legally owned by customers.
- Employees receive data security training and sign confidentiality clauses.
- Real-time replication and nightly backups protect data.
- Customers are notified of any security breaches.
HIPAA Physical Safeguards
- Data is stored on dedicated servers in ISO-27001 compliant data centres.
- Data centres have CCTV monitoring and secure access controls.
HIPAA Technical Safeguards
- No data is stored on user workstations.
- All data transfers are encrypted using SSL.
- Unique login credentials are required for access.
Enterprise Plan customers can request a signed Business Associate Agreement (BAA) for HIPAA compliance certification.
California Consumer Privacy Act (CCPA)
The CCPA, effective from January 1, 2020, grants California residents the right to:
- Request access to the data a company holds on them.
- Request deletion of their data.
- Opt-out of the sale of their data via a mandatory website link.
CCPA applies to companies with annual revenues over $25 million, handling more than 50,000 consumer records, or generating at least 50% of revenue from selling consumer data. Fines for non-compliance range from $2,500 to $7,500.
Unlike GDPR, CCPA does not cover the safety or location of data storage, only allowing consumers to see what data is held and request for it to be deleted. As permission to collect (and sell) personal data is granted by default there is no need to collect and record individual’s consent to data collection.
It is unlikely that any of our customers will have to review their CRM usage, although if they are a large data broker they may need to set up processes to deal with requests to view and delete a consumer’s data – but for Californian residents only.
Australian Privacy Principles (APP)
The Australian Privacy Act (1988, amended 2000) governs how government agencies and businesses collect, store, and use personal information.
Spotler CRM complies with the Australian Privacy Principles (APP), which define personal information as any data that can identify an individual. Most small businesses (annual revenue under A$3 million) are exempt unless they handle health or personal data.
Clause 8.19 of the APP states that data stored under an equivalent protective law is compliant. Spotler CRM, a UK-based company, adheres to GDPR regulations, ensuring compliance with the Australian Privacy Act.