Data Storage and Retention Policy
This is a copy of our internal policy. We share it to help customers get a better understanding how how we work. The policy will get updated or improved from time to time. You’re welcome to give us feedback by sending an e-mail to firstname.lastname@example.org.
Our customer data is highly sensitive and we spend a lot of effort to keep it safe from data loss, breach and disruption. The efforts range from careful hiring over defensive coding, automated testing, intense code reviews to a continuous penetration testing program and to careful handling of the data by staff. The following outline some of our practices and commitments
All sensitive textual content is encrypted at rest using AES256, and we hash passwords using bcrypt. Customer data is stored logically separated from each other in the databases, and only pseudonymized or anonymized data will be used for test purposes. Development and QA environments are entirely separated from the production database.
We collect only the data that we need to be able to provide the service, and we’re especially careful regarding data sharing with other providers.
We work hard at keeping the list of our subprocessors as small as possible, and we only share the absolute necessary amount of data with those processors. The core employee data is stored in the Google Cloud, and we only share as much PII employee data that’s required to be able to send email notifications with our email provider. Other than that, the other subprocessors only process data about users that interact with us – for instance during the sales process or when solving a support ticket. All of the highly confidential data does not leave the main database in the Google data center.
We employ internal role-based and user-based permissions to restrict access to the only those staff who need to be able to access a set of information (need-to-know basis). We revisit access levels regularly and choose the minimum levels possible.
Access to functionality like large-scale exports from our product is only available to special role members, and must be made available manually by our Customer Success team.
It’s our policy that customers decide when they want to either delete individual pieces of information, or when they want to close their account and delete all data. We don’t interfere with customer data at all, and don’t delete anything except if asked by customers.
We advise customers to remove any data that they don’t need anymore on a regular basis. This applies especially to former employees and old reviews. It’s easy to download PDF versions of old reviews and store them on site if needed, so that former employees can ultimately get deleted from Small Improvements if this is desired by the customer.
Please note that even after data is deleted from the active database, the data remains accessible in backups for up to 6 months. See our Replication and Data Backup policy for more information.
Deletion of a customer account by the customer does not automatically erase the data from our subprocessors. Email metadata will live on for 30 to 60 days at our email sending provider, and if you’d like to erase the remaining data also from our CRM and Support system, please notify us at email@example.com.
The only exception to data deletion is that our German entity has a legal requirement to store invoices and creditnotes for at least 10 years, so that information can’t get erased even when a customer requests it.