ShortStack Security, Privacy and GDPR FAQs
Data security and privacy are serious concerns to our team, and we know they’re also important to our customers. Although we can’t tell you everything about our data security and privacy practices or disclose the specifics (that, in and of itself, wouldn’t be secure), we do want to address some of the most common questions we receive.
For the purposes of this document, “data” refers to any information visitors to your campaign(s) submit into any list(s).
Data Center/Server Information and Security
- The data you collect via ShortStack is stored on our servers, which are located in Washington state and Virginia, USA.
- ShortStack uses data centers that are PCI-compliant and meet or exceed ISO 9000 standards.
- These data centers feature biometric access systems, data center cages, security cameras, entry/exit audit trails, and are managed 24/7/365 with onsite security staff.
- We use an approved scanning vendor that monitors our servers for vulnerabilities and performs regular vulnerability and web application scans — any vulnerabilities that are detected are swiftly addressed.
- Server access is restricted to authorized employees using cryptographic keys and firewall rules. We use multiple logging and notification utilities to alert us of any suspicious activity.
Data Loss and Corruption Prevention
- To keep your data safe and separate from other ShortStack users’ data, your data is hosted within a master database that separates customers’ data via access controls.
- Data is mirrored and backed up regularly.
Personal Data Breach Protocol
- If a personal data breach is detected, we will notify our customers without undue delay, at which point our customers, as data controllers, have 72 hours to notify the appropriate authorities.
- Our personal data breach notice will include all information that is available at the time of the notice. To the best of our ability, we will provide:
  - the date(s) and time(s) of the breach;
  - the facts that underlie the discovery of the breach;
  - a description of the data involved in the breach; and
  - the measures planned or underway to fix the issue.
Data Privacy Measures
- ShortStack is GDPR compliant, and we work with sub-processors, contractors and partners who are GDPR compliant, too.
- We are EU-U.S. Privacy Shield compliant.
- All in-transit data is encrypted using RC4_128, with SHA1 for message authentication and RSA as the key exchange mechanism. This includes in-transit data such as an entry being submitted to your list, or data being accessed when a campaign with a Voting Widget loads.
- We do not sell your data or the data you collect with our platform.
- Login pages transmit login data via SSL.
- SSL encryption is available on each campaign created with and hosted by ShortStack.
- We have appointed a Data Protection Officer, who can be reached by emailing firstname.lastname@example.org.
- We don’t support encryption at rest (see the note on encryption at rest at the end of this page for the reasons).
- ShortStack login pages include brute-force attack protection.
- ShortStack employees don’t have access to your password. All ShortStack passwords are salted and hashed. If you forget or otherwise lose your password, you will need to reset it via the process on our login page (https://www.shortstackapp.com/resets/new).
- Customers must log into their account with their username and password before accessing the data in their account.
- ShortStack payment systems meet the Payment Card Industry (PCI) Data Security Standard, and data is stored on PCI compliant servers.
- We store the last 4 digits of your credit card to assist you with identifying the account you’re using for your subscription. Your full credit card number is stored securely with our PCI-compliant payment provider.
- Customers are only given access to data they collect within their own account, or to data on another customer’s account that they have been given access to through the use of a team account. Customers do not have access to the underlying platform infrastructure.
Employee Education & Internal Protocols
- All of our employees sign an agreement acknowledging their knowledge of our privacy and security practices.
- We provide on-going information to our employees regarding privacy and security best practices.
- In the event that an employee is terminated or chooses to leave our company, we have a process in place to ensure that access to our platform and to our customers’ data remains secure.
- We hold general liability insurance coverage, along with additional umbrella liability coverage and workers’ compensation coverage, to protect our company from a variety of losses. This ensures that even if our company experiences a loss, our customers will not be affected.
How You Access Your Data
- To view the data you collect, use ShortStack’s secure log-in process to access your account, go to Lists/Entries, and click on the View Entries button for the desired list.
- You can also export databases as a .csv file, and download photo entries as a .zip file. When you export your data, you’re emailed a notification to download the data. The link to download expires after 24 hours.
Who Can Access Your Data
- You, anyone you share your list, campaign or email with via ShortStack’s Teams or Permissions feature, and any authorized ShortStack employee can access the data you collect.
- Access to platform and customer data is assigned to ShortStack employees on a need-to-know basis. Roles with different levels of access are assigned to employees, with the intent of providing employees with just enough access to do their jobs (e.g. provide customer support, conduct billing-related activities, implement new security measures, etc.). Employee roles are reviewed twice yearly, or whenever the tasks assigned to an employee change.
- ShortStack employees will not access your data for any reason beyond your request. This usually comes in the form of a support request. For example, you might ask us to review your entries, or, if you experience problems exporting a database, you can ask us to download it and email it to you.
- If you use ShortStack’s Form Integrations feature to send data to a third-party platform like Aweber, Constant Contact, or MailChimp, ShortStack is no longer the only entity storing the data, which means we cannot verify its security.
User-Account Activity Monitoring
- Password reset requests can only be sent to the email address of the account holder.
- We monitor accounts for irregular or suspicious activity. If such activity is detected, then the account will be automatically suspended.
A Note on Encryption at Rest
At this time, we are not utilizing Encryption at Rest.
Encryption at Rest protects the physical storage device from unauthorized access, meaning access that is outside the scope of the application that normally accesses that device. An example of such access would be a real person gaining physical access to the storage device. In the case of database-level encryption, a user would need a special key to access the database.
What Encryption at Rest does not protect against:
- application-level attacks
- malicious insiders
- brute-force attackers with a lot of time, since any encryption can eventually be brute-forced
- theft of the master key by such malicious attackers.
Our servers are hosted at a data center that provides state-of-the-art security (https://aws.amazon.com/compliance/data-center/controls/). In addition, the value of the data we store is relatively low, making the risk/reward ratio very unattractive to any potential rogue employee.
There is also both a financial cost and a performance cost to implement encryption at rest.
Finally, while GDPR encourages the use of encryption at rest, it’s not a requirement.
After carefully considering all these factors, we have concluded that we will not move forward with encryption at rest for the foreseeable future. Should any of the foregoing change, we will reconsider our decision. In the meantime, we are fully committed to providing the tools you need to be GDPR compliant and to keep your data safe and secure.
Disclaimer: The information we disclosed on this page is meant to provide our customers with a bit of an overview of our security practices. We did not cover everything we do in the name of security.