As a company that takes data security and privacy very seriously, we recognize that DataPair’s information security practices are important to you. While we don’t like to expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.
Data Center Security
DataPair delivers billions of emails a month for millions of users. We use multiple MTAs, placed in different world-class data centers around the United States.
Our data centers enforce physical security 24/7, including biometric scanners and the other access controls expected of a modern facility.
We have DDoS mitigation in place at all of our data centers.
We maintain a documented infrastructure continuity plan covering catastrophic events, up to and including the complete loss of a data center.
Protection from Data Loss, Corruption
Databases are kept separate and dedicated to prevent corruption and overlap. Multiple layers of logic segregate user accounts from each other.
Account data is mirrored and regularly backed up off site.
Application Level Security
DataPair account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset.
All login pages (from our website and mobile website) pass data via TLS 1.2 or higher.
All traffic between your browser and the DataPair application is encrypted in transit with TLS 1.2 or higher.
Login pages and logins via the DataPair API have brute force protection.
We perform regular external security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
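The two controls named above for which a concrete mechanism is worth seeing are password hashing (why staff cannot read passwords and a lost one can only be reset) and brute-force protection on the login endpoint. The following is an added example written for this page, not DataPair's own code; the record format, the PBKDF2 iteration count, and the lockout threshold and window are assumptions chosen for illustration, and the sample inputs are constructed.

```python
# Added example (not DataPair's code): storing passwords as salted, slow
# hashes so that staff cannot read them, plus a simple failed-login
# throttle of the kind that sits in front of a login endpoint.
# The record format, iteration count and lockout thresholds are assumed.
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # assumed cost parameter; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt per user means two users with the same password get
    different records and precomputed tables cannot be reused across users.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The record cannot be turned back into the password, which is why a lost
    password can only be reset, never retrieved.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record, bad hex, or non-integer count
        return False


class LoginThrottle:
    """Refuse further attempts for an identifier after `max_failures` wrong
    guesses inside a sliding window of `window_seconds`.

    Thresholds are illustrative. `clock` is injectable so the behaviour can
    be exercised without waiting for real time to pass.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._clock = clock
        self._failures: dict[str, list[float]] = {}

    def _recent_failures(self, identifier: str) -> list[float]:
        # Drop failures that fell out of the window; keep the rest (same list
        # object is stored back, so callers may append to it).
        cutoff = self._clock() - self.window_seconds
        recent = [t for t in self._failures.get(identifier, []) if t > cutoff]
        self._failures[identifier] = recent
        return recent

    def allowed(self, identifier: str) -> bool:
        return len(self._recent_failures(identifier)) < self.max_failures

    def record_failure(self, identifier: str) -> None:
        self._recent_failures(identifier).append(self._clock())

    def record_success(self, identifier: str) -> None:
        self._failures.pop(identifier, None)


def attempt_login(identifier: str, password: str, record: str,
                  throttle: LoginThrottle) -> str:
    """Return "locked", "bad_credentials" or "ok".

    The throttle is checked before the (deliberately slow) hash is computed,
    so a locked-out attacker also cannot burn server CPU.
    """
    if not throttle.allowed(identifier):
        return "locked"
    if verify_password(password, record):
        throttle.record_success(identifier)
        return "ok"
    throttle.record_failure(identifier)
    return "bad_credentials"


if __name__ == "__main__":
    # Constructed demo input; 1000 iterations only to keep the demo fast.
    stored = hash_password("correct horse battery staple", iterations=1000)
    print(stored)  # the record contains no plaintext
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for guess in ["password", "123456", "letmein", "correct horse battery staple"]:
        print(guess, "->", attempt_login("alice@example.com", guess, stored, throttle))
```

The point to notice is that the stored record is all the server keeps, and it is enough to verify a password but not to recover it, so a support engineer with database access still cannot read it. The throttle keys on the identifier being attacked rather than on source IP, which is the case that matters when guesses come from many addresses; a production system would usually combine both and back the counters with shared storage rather than a per-process dictionary.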
Internal IT Security
DataPair offices are secured by keycard access and biometrics, and they are monitored with infrared cameras throughout.
Our office network is heavily segmented and centrally monitored.
We have a dedicated internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises against our environment and our employees. Our security team includes OSCP- and CISSP-certified members.
Internal Protocol and Education
We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
All employees sign a Privacy Safeguard Agreement outlining their responsibility in protecting customer data.
To protect our company from a variety of losses, DataPair has established a comprehensive insurance program. Coverage includes, but is not limited to: coverage for cyber incidents, data privacy incidents (including regulatory expenses), general errors and omissions liability coverage, excess cyber liability coverage, property and business interruption coverage, and international commercial general liability coverage.
SOC 2 Compliance and PCI DSS Certification
DataPair's credit card processing vendor uses security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives, including the Visa Cardholder Information Security Program (CISP), the MasterCard® Site Data Protection (SDP) program, and Discover Information Security and Compliance (DISC). We also undergo annual SOC 2 audits and provide our SOC 2 report upon request. Use the ‘Request Report’ button and include any additional questions you may have.
ISO 27001 Certification
ISO/IEC 27001 is an international information security standard that specifies the requirements for an information security management system (ISMS) covering office sites, development centers, support centers, and data centers. Certificates are valid for 3 years (with a recertification audit at renewal) and are subject to annual surveillance audits in between.
Protecting Ourselves Against You
Yes, you read that correctly. We can secure ourselves like Fort Knox, but if your computer is compromised and someone gets into your DataPair account, that's bad for both of us.
We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
We monitor accounts and campaign activity for signs of abuse.
In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
We offer 2-Factor Authentication to all customers, with a discount for accounts that enable it.
We provide the ability to establish tiered-levels of access within accounts.
Investing in Your Privacy
Our Legal team partners with our developers and engineers to make sure our products and features comply with applicable international spam and privacy laws.
We retain a law firm in the UK to consult on EU privacy issues.
Responsible Disclosure Program
DataPair is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program is not a public bug bounty program, and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving DataPair services.
Responsible Disclosure Guidelines
Security researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don't
Don’t cause harm to DataPair, Intuit, its customers, shareholders, partners or employees.
Don’t engage in any act that may cause an outage or stop any of DataPair’s services.
Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
Don’t store, share, compromise or destroy any DataPair data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify DataPair.
Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Out-of-Scope Vulnerabilities
The following types of vulnerabilities are out of scope for this program: