Thunderhead is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of relevant Data Protection Laws and Regulations.
We recognize the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection & Security Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data and use of Confidential Information and our commitment to safeguard one of the most valuable assets which belong to our Customers.
This Policy supplements the Thunderhead data processing addendum and describes Thunderhead’s approach to ensuring the privacy and security of the Customer Data, including the technical and organizational measures adopted by Thunderhead which are applicable to the Thunderhead products and Services.
Any questions about this Policy should be raised with the Data Protection Officer whose details are at the end of this Policy.
The following key words and phrases are used within this Policy:
|“Confidential Information”||means all confidential information disclosed by the Customer to Thunderhead whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information (including Personal Data);|
|“Customer Data” or||means all electronic data or information submitted by or on behalf of the Customer including data submitted through an API and, where the context so admits, the content and/or form/appearance of any document templates created by Customer in the course of using the Services;|
|“Data Controller”||means the entity which determines the purposes and means of the Processing of Personal Data;|
|“Data Processor”||means the entity which Processes Personal Data on behalf of the Controller;|
|“Data Protection Laws and Regulations”||means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom, applicable to the Processing of Personal Data as part of the Services;|
|“Data Subject”||means the identified or identifiable person to whom Personal Data relates;|
means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
|“Personal Data”||means any information relating to an identified or identifiable natural person where such data is Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;|
|“Processing”||means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;|
|“Services”||means: (i) access to the relevant Thunderhead solutions provided via Customer’s login link at the Thunderhead website or another designated web site or IP address; and/or (ii) ancillary online or offline products and services provided or licensed to Customer by Thunderhead.|
3. Data Protection and Security
Under the Data Protection Laws and Regulations, Personal Data must be processed in accordance with certain data protection principles, under which Personal Data must:
- be processed fairly and lawfully and in a transparent manner;
- be obtained and processed only for one or more specified, explicit, and lawful purposes;
- be adequate, relevant and not excessive in relation to the purpose;
- be accurate and, where necessary, kept up to date;
- be kept for no longer than is necessary for the purpose;
- be processed in accordance with the rights of Data Subjects and in a manner that ensures appropriate security, integrity and confidentiality of the Personal
Thunderhead ensures it employs appropriate technical and organizational measures to adhere to these principles.
3.1 Nature and Purpose of Processing:
Thunderhead will Process Personal Data as necessary to perform the Thunderhead services and as further instructed by the Customer in its use of the Services, as a Data Controller. This shall include automated processing of Personal Data to evaluate and analyze certain personal aspects relating to the Data Subject, in particular to analyze or predict aspects concerning that Data Subject’s personal preference, interests, behavior and location.
3.2 Categories of Data Subjects:
Customer may submit Personal Data to the Thunderhead services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons);
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
- Employees, agents, advisors, freelancers of Customer (who are natural persons);
- Customer’s users authorized by Customer to use the Services.
3.3 Type of Personal Data:
Customer may submit, or allow collection of, Personal Data in the use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name;
- Contact information (company, email, phone, physical business address);
- ID data;
- Behavioral and profile data;
- Personal preferences;
- Connection data;
- Location data.
3.4 Data Segregation:
The Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data storage and access based on business needs. The architecture provides an effective logical data separation for different Customers via Customer-specific unique IDs and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
3.5 Security Controls:
Thunderhead has implemented procedures designed to ensure that Customer Data is processed only as instructed by the Customer, throughout the entire chain of processing activities by Thunderhead and its sub-processors. Additionally, the Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments.
Thunderhead adopts a number of security controls, which include:
- Unique user identifiers to allow Customers to assign unique credentials for their users and assign and manage associated permissions and entitlements;
- Controls to ensure initial passwords must be reset on first use;
- Controls to limit password re-use;
- Password length and complexity requirements;
- Customers have the option to integrate Single Sign-On technologies to directly control the authentication and credential complexity, expiration, account lockout, IP white/black listing;
- Customers have the option to manage their application users, define roles, and apply permissions and rights within their implementation of the Services;
- User passwords are stored using a salted hash format and are not transmitted unencrypted;
- User access log entries will be maintained, containing date, time, User ID, URL executed or identity ID operated on, operation performed (accessed, created, edited, deleted, );
- If there is suspicion of inappropriate access to the Services, Thunderhead can provide Customer log entry records to assist in forensic analysis. This service will be provided to Customers on a time and materials basis;
- User access logs will be stored in a secure centralized host to prevent tampering;
- User access logs will be kept for a minimum of 90 days;
- Thunderhead personnel will not set a defined password for a user.
3.6 Intrusion Detection:
Thunderhead, or an authorized independent third party, will monitor the Services for unauthorized intrusions using network-based intrusion detection mechanisms.
3.7 Security Logs:
All Thunderhead systems used in the provision of the Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to facilitate security reviews and analysis.
3.8 Incident Management:
Thunderhead maintains security incident management policies and procedures. Thunderhead notifies impacted Customers without undue delay of any unauthorized disclosure of their respective Customer Data by Thunderhead or its agents of which Thunderhead becomes aware to the extent required by Data Protection Laws and Regulations.
3.9 User Authentication:
Access to the Services requires a valid user ID and password combination (or via integrated Single Sign-On mechanism), which are encrypted via TLS while in transmission, as well as machine specific information for identity validation as described under “Security Controls,” above. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
3.10 Physical Security:
Production data centers used to provide the Services have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
3.11 Reliability and Backup:
All infrastructure components are configured in a high availability mode or in a redundant fashion. All Customer Data submitted to the Services is stored on infrastructure that supports high availability and is backed up on a regular basis. This backup data is retained for at least 24 weeks. Backups are transmitted and stored in encrypted form and held in a secondary data center region at least 100 miles from the primary region.
3.12 Disaster Recovery:
The Services’ production systems are protected by disaster recovery plans which provide for backup of critical data and services. A comprehensive system of recovery processes exists to bring business-critical systems back online within the briefest possible period of time. Recovery processes for database security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after an outage. The Services’ disaster recovery plans currently have at least the following standard target recovery objectives: (a) restoration of the Services (RTO) within 132 hours after Thunderhead’s declaration of a disaster; and (b) maximum Customer Data loss (RPO) of 72 hours; excluding, however, a disaster or multiple disasters causing the compromise of multiple data centers at the same time, and excluding development and test bed environments, such as the sandbox service.
The Services have controls in place that are designed to prevent and detect the introduction of viruses to the Services’ respective platforms.
3.14 Data Encryption:
The Services use, or enable Customers to use, industry-accepted encryption products to protect Customer Data and communications during transmissions between a Customer’s network and the Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum.
3.15 Return of Customer Data:
During the contract term, Customers may export a copy of Customer Data processed by the Services. Within 30 days of termination of the applicable Service, Customers may: 1) request return of Customer Data submitted to the Services; or 2) access their account to export or download Customer Data submitted to Services.
3.16 Deletion of Customer Data:
After termination of the Service, following the 30-day period for return of Customer Data, Customer Data submitted to the Services is retained in inactive status for up to 90 days, after which it is securely overwritten or deleted.
Thunderhead may track and analyze the usage of the Services for purposes of security and helping Thunderhead improve both the Services and the user experience in using the Services. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality.
Thunderhead may share anonymous usage data with Thunderhead’s service providers for the purpose of helping Thunderhead in such tracking, analysis and improvements. Additionally, Thunderhead may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our Services.
Additionally, Thunderhead uses Customer Data consisting of data and metrics derived from Customer’s websites and social accounts with third party social platforms, such as geographic location, time of day of use, greatest period of use by industry, and other metrics including spend rates or click rates by geographic location and by industry to create an aggregated and anonymized data set (“Anonymized Data”). No Customer Data consisting of personally identifiable information is contained in the Anonymized Data, nor any data that would identify Customers, their users, Customers’ clients, or any individual, company or organization. Thunderhead combines the Anonymized Data with that of other customers to create marketing reports and to provide product features. By using the Services, Customers consent to the use and disclosure of their Customer Data to create reports from the Anonymized Data.
Thunderhead and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities.
Thunderhead utilizes the services of the following sub-processors to provide part of the Thunderhead infrastructure to host Customer Data and provide the Services:
- Microsoft Azure – Thunderhead operates its Services from Microsoft Azure. Data stored in Azure is held within Thunderhead’s Azure subscriptions across multiple geographic regions (limited to the EEA where the Customer entity and Thunderhead entity are based inside the EEA) – https://azure.microsoft.com/en-us/overview/trusted-cloud/.
3.19 European specific provisions – Overseas Transfers
The GDPR requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Subject to paragraph 3.20, where the Customer entity and the Thunderhead entity are based inside the EEA, Thunderhead shall not transfer Personal Data to any country outside of the EEA without prior written consent from the Customer, except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission; or (ii) any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Laws and Regulations.
3.20 SFDC Services Specific Provisions
Where the Customer has entered into an agreement with salesforce.com, inc. (“SFDC”) or its affiliates or outbound resellers for the purchase of both Salesforce services and Thunderhead Services, Personal Data may be shared with SFDC and its affiliates in relation to the provision of the Thunderhead Services and the relevant SFDC service which the Customer has purchased in the relevant agreement. The Processing of any Personal Data by SFDC or its affiliates (including the right to Process such Personal Data) shall be governed by the agreement entered into between Customer and SFDC or its affiliates. Thunderhead shall not be responsible for any loss, corruption, unauthorized use or disclosure of Personal Data to the extent caused by SFDC or its affiliates.
4. Confidential Information
Thunderhead will keep Confidential Information (which of course extends beyond Personal Data) it receives confidential in accordance with the relevant agreement between the Customer and Thunderhead and, except with the prior written consent of the Customer or as permitted in the relevant agreement, will:
- Not use or exploit the Confidential Information in any way except for the purposes for which it has been disclosed;
- Not disclose or make available the Confidential Information in whole or in part to any third party; and
- Apply the technical and organizational measures as detailed in this Policy to Confidential Information.
5. Contacts and Responsibilities
In each of Thunderhead’s offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Data types and ensure that the right levels of protection are in place.
Thunderhead has appointed an overall Data Protection Officer who is responsible for:
- Acting as a key point of contact for data protection queries and the reporting of breaches for all Data Owners, employees, customers and Data Subjects;
- Monitoring and ensuring the compliance with this Policy across the whole of the Thunderhead group worldwide and dealing with any disputes which may arise concerning data protection issues;
- Conducting reviews of internal procedures to ensure that they continue to provide adequate protection of Customer Data and Confidential Information;
- Liaising with Data Owners to deliver training, improve security awareness and communicate information relating to this Policy to employees;
- Updating this Policy to reflect any changes in data protection laws;
- Registering with government agencies (such as the UK Information Commissioner’s Office).
If you have any queries regarding this Policy, please contact our Data Protection Officer by email at firstname.lastname@example.org.
6. Amendments to this Policy
This Policy will be updated from time to time by the Data Protection Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at Thunderhead.com or from our Data Protection Officer.
Date of issue: April 2018
7. Document Control
|AUTHOR||DATE||VERSION||DESCRIPTION|
10th August 2016
Initial revision for Thunderhead ONE
4th April 2017
Added with change of name of data protection officer.
6th April 2018
Amended to reflect GDPR changes
|REVIEWED AND APPROVED FOR USE BY|
|Senior Management||August 2016||1.0||Approved By Email|
|Senior Management||April 2018||3.0||Approved By Email|