General Data Protection Regulation (GDPR) is a regulation within the European Union (EU) that protects the data and privacy of all individuals in the EU and European Economic Area (EEA).
Catalyst is a “data processor” as defined in GDPR Article 4(8) and our customers are the “data controllers” as defined in GDPR Article 4(7). Catalyst will comply with Data Processing Agreement (DPA) requests from customers when legally advised to do so.
The following sub-processors have access to the customer data Catalyst is processing on behalf of data controllers:
| Catalyst Sub-Processor | Why & How Data is Used |
|---|---|
| Google Cloud | Servers and network infrastructure |
| Amazon Web Services | Servers and network infrastructure |
| FullStory | Product usage reporting |
| Segment | Product usage reporting |
| Mixpanel | Product usage reporting |
| Drift | Customer support and sales |
Catalyst is fully committed to protecting the data and privacy of our customers and the users they service. Please read our security whitepaper to learn about how Catalyst protects customer data.
If you have any questions or concerns please send us an email at firstname.lastname@example.org.
Catalyst is a B2B SaaS company building a software platform for customer success organizations. Catalyst is based out of NYC and funded by Accel, True Ventures, Ludlow Ventures, Compound, and Work-Bench.
Not at the moment. We will be implementing a formal service in the coming months.
All data assets are encrypted in transit and at rest. Data in transit is encrypted with TLS (HTTPS), terminated by Heroku and AWS using 256-bit cipher suites. Data at rest is stored in AWS RDS with encryption enabled, which uses AES-256.
Yes. This is a feature of Heroku SSL.
At the load balancer, and from there inbound requests are passed directly to a set of routers.
We use ActiveRecord in Rails as our ORM. Its query interface quotes or binds values passed as hash conditions and `?` placeholders instead of splicing them into the SQL text, which is what protects against SQL injection.
OpenID Connect / OAuth2 Login in the form of Google Apps OAuth.
The built-in methods and filters of the Rails framework protect us from SQL injection. With ActiveRecord, we do not build queries by hand from interpolated strings, which is the one form ActiveRecord cannot protect.
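The two answers above rest on one mechanism: a value that goes through ActiveRecord's hash conditions or `?` placeholders is quoted as a SQL literal, while a value interpolated into the SQL string (`where("name = '#{name}'")`) is not, and stays injectable even though "ActiveRecord is used". The example below is added here and is not Catalyst's code; `quote_sql` and `bind_sql` are a hypothetical, minimal stand-in for the adapter quoting that `where("name = ?", name)` performs, shown beside the interpolated form so the difference is visible on a constructed payload.

```ruby
# Added example, not Catalyst's code. quote_sql/bind_sql mimic what a SQL
# adapter does for `?` placeholders; they are not ActiveRecord itself.

# Quote one value as a SQL literal: strings get single quotes, and any
# embedded single quote is doubled so it cannot close the literal.
def quote_sql(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported type: #{value.class}"
  end
end

# Replace each `?` placeholder, left to right, with its quoted value.
def bind_sql(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  vals = values.dup
  template.gsub("?") { quote_sql(vals.shift) }
end

# Vulnerable pattern: the value becomes part of the SQL text itself.
def interpolated_lookup(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe pattern: the value stays inside one quoted literal.
def bound_lookup(name)
  bind_sql("SELECT * FROM users WHERE name = ?", name)
end

PAYLOAD = "alice' OR '1'='1" # constructed attacker input

if __FILE__ == $0
  puts interpolated_lookup(PAYLOAD) # WHERE name = 'alice' OR '1'='1'  (tautology)
  puts bound_lookup(PAYLOAD)        # WHERE name = 'alice'' OR ''1''=''1'  (one literal)
end
```

The code-review check that follows from this: any `where`, `order`, `select`, `joins` or `find_by_sql` call whose string argument contains `#{...}` needs the same scrutiny as raw SQL, regardless of the ORM in use.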
Yes, we only load third party data from GoogleAPIs and NewRelic.
Yes, and if the user reaches our site over HTTP, we redirect to HTTPS.
Yes, the authentication cookies are marked with the secure attribute.
The Rails framework has a built-in XSS protection mechanism: ERB templates automatically HTML-escape every value rendered into HTML unless it has been explicitly marked `html_safe` or output with `raw`.
Yes, we take great care to set this, knowing that otherwise we might be introducing XSS vulnerabilities.
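The escaping described above handles tag and attribute breakouts, but it does not make a `javascript:` URL in an `href` harmless, and anything marked `html_safe` bypasses it entirely; those are the two places a reviewer looks. The following is an added example, not Catalyst's code or Rails itself: `SafeString` is a hypothetical stand-in for Rails' safe-buffer marking, `render_value` does what the template engine does with a value (using the standard library's `ERB::Util.html_escape`), and `safe_href` is the extra scheme check that escaping alone does not provide.

```ruby
# Added example, not Catalyst's code. SafeString/render_value stand in for
# Rails' html_safe marking and template escaping; safe_href is the extra check.
require 'erb'
require 'uri'

# Strings a developer has explicitly declared trusted HTML (the role of
# Rails' html_safe / raw). Everything else gets escaped.
class SafeString < String
  def html_safe?
    true
  end
end

# What the template engine does with a value: escape unless marked safe.
def render_value(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Escaping keeps a value inside the attribute, but "javascript:alert(1)" is
# a perfectly valid escaped attribute value. Allow only known schemes.
def safe_href(url)
  uri = URI.parse(url)
  scheme = uri.scheme&.downcase
  return url if scheme.nil? || %w[http https mailto].include?(scheme)
  "#"
rescue URI::InvalidURIError
  "#" # malformed URLs (e.g. "java\tscript:") are not rendered at all
end

def link_html(text, href)
  %(<a href="#{render_value(safe_href(href))}">#{render_value(text)}</a>)
end

if __FILE__ == $0
  puts render_value("<script>alert(1)</script>")     # constructed attacker input
  puts render_value(SafeString.new("<b>trusted</b>"))
  puts link_html("Profile", "javascript:alert(document.cookie)")
end
```

Note that `ERB::Util.html_escape` escapes `&`, `<`, `>`, `"` and `'`, so quoted attribute values are covered; unquoted attributes, inline event handlers and URL attributes are the contexts where escaping is necessary but not sufficient.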
To connect to the systems holding the data (databases), the user is required to use an SSL/TLS connection with a username and password. The password must be:
Yes, both SAML and Google Apps.
We take daily automated backups of our databases and retain them for 35 days.
Yes, backups are encrypted with AES-256 using a 256-bit key that is rotated yearly. The backups are stored in AWS RDS.
Once the contract is cancelled, we purge the client’s data from production within 30 days. After it is gone from production, the data remains in backups for an additional 30 days; after that it is gone from our systems.
All database tables containing user data include a customer_id column, and every row belonging to the same customer carries the same customer_id.
All changes are first tested in a local environment. Then it must pass a code review from a different engineer. We use continuous integration to ensure that every commit triggers automated unit and functional tests before it is merged into the `staging` branch. Once the code is merged into the `staging` branch, it is deployed onto a staging environment for further automated and manual testing. Finally, the `staging` branch is merged into the `master` branch, deployed to the production environment, and then another set of automated tests are executed.
Only our engineering team has access to the client data.
Yes. The mock data is in the development database and the code acts as if this mock data is production data. We don't share the mock data with the production database.
Heroku and Amazon Web Services
Yes. https://aws.amazon.com/compliance/ (Heroku is hosted on AWS)
All API queries are made with HTTPS so data in transit is encrypted.
AWS RDS US-EAST-1 North Virginia
We use the Automated Certificate Management provided by Heroku, which uses TLS version 1.2.
Yes, SSLv3 is disabled.
Yes. Rails framework does this for us.
The session ID is generated using SecureRandom.hex, which produces a random hex string from platform-specific cryptographically secure sources (such as OpenSSL, /dev/urandom or the Win32 CryptoAPI). With at least 128 bits of entropy per ID, guessing a valid Rails session ID by brute force is computationally infeasible.
Sessions (cookies) expire after 7 days of inactivity.
Yes. Rails' CSRF protection (protect_from_forgery) requires a valid authenticity token on every non-GET request, supplied either as the authenticity_token form field or as the X-CSRF-Token header that Rails' JavaScript helpers add to Ajax calls. Requests without a valid token are rejected, and all state-changing actions are required to be POST requests.
We protect against clickjacking using X-Frame-Options: SAMEORIGIN.
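The answers on HTTPS redirection, the Secure cookie attribute, session ID generation, CSRF tokens and X-Frame-Options all describe behaviour that sits at the HTTP layer in front of the application. The following is an added example, not Catalyst's code or Rails' implementation: a Rack-shaped app (`call(env)` returning `[status, headers, body]`) that performs each of those checks, written so it runs without the rack gem. `HardenedApp`, the cookie name `_app_session`, the in-memory session store and the `env_for` helper that builds a request environment by hand are all assumptions for this example.

```ruby
# Added example, not Catalyst's code. HardenedApp is a hypothetical
# Rack-shaped app; env_for builds constructed request environments.
require 'securerandom'

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
SESSION_COOKIE = "_app_session"

# 128-bit session identifier from the OS CSPRNG (32 hex characters).
def new_session_id
  SecureRandom.hex(16)
end

# Constant-time comparison so a token check does not leak a prefix match
# through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class HardenedApp
  def initialize
    @sessions = {} # session id => { csrf: token }
  end

  def csrf_token_for(sid)
    @sessions.fetch(sid)[:csrf]
  end

  def call(env)
    return redirect_to_https(env) unless env["rack.url_scheme"] == "https"

    sid = cookies(env)[SESSION_COOKIE]
    session = @sessions[sid]
    unless session
      sid = new_session_id
      session = @sessions[sid] = { csrf: SecureRandom.base64(32) }
    end

    # Every non-GET request must present the per-session token in X-CSRF-Token.
    unless SAFE_METHODS.include?(env["REQUEST_METHOD"])
      presented = env["HTTP_X_CSRF_TOKEN"].to_s
      return respond(422, "invalid authenticity token") unless secure_compare(presented, session[:csrf])
    end

    cookie = "#{SESSION_COOKIE}=#{sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
    respond(200, "ok", "Set-Cookie" => cookie)
  end

  private

  # 301 for safe methods; 307 otherwise so the method and body are preserved.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Length" => "0" }, []]
  end

  def cookies(env)
    pairs = env["HTTP_COOKIE"].to_s.split(/;\s*/).map { |kv| kv.split("=", 2) }
    pairs.select { |pair| pair.size == 2 }.to_h
  end

  # X-Frame-Options goes on every application response, not just HTML pages.
  def respond(status, body, extra = {})
    headers = { "Content-Type" => "text/plain", "X-Frame-Options" => "SAMEORIGIN" }
    [status, headers.merge(extra), [body]]
  end
end

# Minimal Rack env built by hand (constructed input; no rack gem needed).
def env_for(method, path, scheme: "https", cookie: nil, csrf: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "QUERY_STRING" => "",
          "rack.url_scheme" => scheme, "HTTP_HOST" => "app.example" }
  env["HTTP_COOKIE"] = cookie if cookie
  env["HTTP_X_CSRF_TOKEN"] = csrf if csrf
  env
end

if __FILE__ == $0
  app = HardenedApp.new
  p app.call(env_for("GET", "/dash", scheme: "http"))[0..1]
  p app.call(env_for("POST", "/update"))[0..1]
end
```

Two details worth checking in a real deployment: the CSRF comparison must be constant-time (Rails uses `ActiveSupport::SecurityUtils.secure_compare` for this), and the `Secure` flag on the cookie only matters if the HTTP-to-HTTPS redirect is in place, since otherwise the first plaintext request already leaks the session cookie.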
We use SSH to log in to the publicly accessible servers, with key-based authentication only; password logins over SSH are disabled.
Version: OpenSSH_7.6p1, LibreSSL 2.6.2
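"Password login is disabled" is a claim about the effective sshd configuration, and it is easy to get wrong: sshd takes the first value it sees for a directive, `Match` blocks can re-enable settings for some connections, and with `UsePAM yes` the keyboard-interactive method can still prompt for a password unless it is turned off separately. The following is an added example, not Catalyst's code: a small audit that parses an `sshd_config` text under those rules and reports the findings. The two sample configurations are constructed for the example.

```ruby
# Added example, not Catalyst's code. Audits constructed sshd_config text.

# sshd_config semantics: keys are case-insensitive, the first value for a key
# wins, and everything after the first `Match` line is conditional.
def parse_sshd_config(text)
  settings = {}
  match_seen = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == "match"
      match_seen = true
      break
    end
    settings[key] ||= value.to_s.strip.downcase
  end
  [settings, match_seen]
end

# Upstream OpenSSH defaults for the directives the audit looks at.
SSHD_DEFAULTS = {
  "passwordauthentication"       => "yes",
  "pubkeyauthentication"         => "yes",
  "kbdinteractiveauthentication" => "yes",
  "permitrootlogin"              => "prohibit-password",
  "permitemptypasswords"         => "no",
}.freeze

def audit_sshd(text)
  parsed, match_seen = parse_sshd_config(text)
  # ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication.
  if parsed.key?("challengeresponseauthentication") && !parsed.key?("kbdinteractiveauthentication")
    parsed["kbdinteractiveauthentication"] = parsed["challengeresponseauthentication"]
  end
  cfg = SSHD_DEFAULTS.merge(parsed)
  findings = []
  findings << "PasswordAuthentication is not 'no'" unless cfg["passwordauthentication"] == "no"
  findings << "PubkeyAuthentication is disabled" unless cfg["pubkeyauthentication"] == "yes"
  # With UsePAM, keyboard-interactive can still ask for a password even when
  # PasswordAuthentication is off.
  findings << "KbdInteractiveAuthentication is not 'no'" unless cfg["kbdinteractiveauthentication"] == "no"
  findings << "PermitRootLogin yes allows root password login" if cfg["permitrootlogin"] == "yes"
  findings << "PermitEmptyPasswords is enabled" if cfg["permitemptypasswords"] == "yes"
  findings << "Match block present: conditional overrides were not audited" if match_seen
  findings
end

# Constructed sample configurations.
WEAK_SSHD_CONFIG = <<~CFG
  # stock configuration, passwords still accepted
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  ChallengeResponseAuthentication yes
  UsePAM yes
  Match Address 10.0.0.0/8
    PasswordAuthentication yes
CFG

HARDENED_SSHD_CONFIG = <<~CFG
  Port 22
  PermitRootLogin prohibit-password
  PubkeyAuthentication yes
  PasswordAuthentication no
  KbdInteractiveAuthentication no
  PermitEmptyPasswords no
  UsePAM yes
CFG

if __FILE__ == $0
  puts audit_sshd(WEAK_SSHD_CONFIG)
  puts "hardened: #{audit_sshd(HARDENED_SSHD_CONFIG).inspect}"
end
```

On a live host, `sshd -T` prints the effective configuration after defaults and includes are applied, which is the text worth feeding to a check like this rather than the file on disk.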
We try to delete or disable users as soon as possible.
Yes. Each user has a unique user ID and authenticates with his or her own SSH keys.
Yes, we have a set process for revoking employees’ access to customer data. Once the administrator is notified, they remove the employee from all relevant servers.
Our internal procedure for data spills follows the steps Report; Analyze & Assess; Clean & Rectify; Document & Learn.
First, engineering identifies the owner(s) of the spilled data and reports the level of the spill. Second, engineering analyzes the nature of the spilled data and who could have accessed it to determine impact. Based on this analysis, engineering remedies the spill using the relevant sanitization technologies. When necessary, engineering also notifies the account management team so that impacted customers are notified as soon as possible. Lastly, a post-mortem is performed, and all findings are documented and folded into the ongoing security training and education program.
All engineering staff go through a security education program as part of onboarding, covering key management, endpoint security, and other topics.
All staff who have access to customer data are subject to NDAs.
Customers may subscribe to Catalyst’s newsletters or other offers by opting-in on the Platform and providing their name, company name and job title (as applicable), email address, and phone number. Users can opt-out of marketing communications through the unsubscribe link in emails received.
Log file information is automatically reported by your browser each time you access a web page. Server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, domain names, landing pages, pages viewed, and other such information. Log-File data will be used for debugging purposes and to improve our products and services.
Catalyst may utilize various services that place relevant and targeted ads on its Platform, such as Google. For Google-based services, you can use Ads Settings to manage the Google ads you see and opt out of Ads Personalization. Even if you opt out of Ads Personalization, you may still see ads based on factors such as your general location derived from your IP address, your browser type, and your search terms. You can also manage cookies for any online advertising service via the consumer choice tools created under self-regulation programs, such as the US-based aboutads.info choices page or the European Union (“EU”)-based Your Online Choices.
Catalyst does not sell Personal Data collected through your use of the Platform with any third party. Information is collected to facilitate the Services offered or for internal analysis relating to product improvements. Personal Data collected is shared with the following third parties to facilitate provision of the Services on the Platform as follows:
Personal Data may also be disclosed to third parties (1) as required by law, such as to comply with a subpoena, or similar legal process; (2) when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, or (3) if Catalyst is involved in a merger, acquisition, or sale of all or a portion of its assets.
We will use commercially reasonable efforts to notify users about law enforcement or court ordered requests for Personal Data unless otherwise prohibited by law.
Only persons age 18 or older are authorized to create a Catalyst account. We do not knowingly collect Personal Data from anyone under the age of 18. If a parent or guardian becomes aware that his or her child (a) under the age of 16 in applicable EU Member Countries, or (b) under the age of 13 in the U.S. and applicable EU Member Countries, has provided us with Personal Data without their consent, he or she should contact Catalyst at . We will delete such Personal Data from our files within a commercially reasonable time, but no later than required under the applicable law relating to the child’s country of residence.
Unless erasure is otherwise requested by a Customer, Catalyst will retain Personal Data as long as it is necessary to provide the Services. When a user’s account is terminated or expires, Personal Data collected through the Platform will be deleted in accordance with applicable law.
IF YOU WOULD LIKE TO:
PLEASE EMAIL Catalyst AT email@example.com. WE WILL RESPOND AS REQUIRED UNDER APPLICABLE LAW.
In addition, California law permits California-resident Customers to request and obtain from Catalyst once a year, free of charge, certain information about their Personally Identifiable Information (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. All of our Customers, regardless of their U.S. residency or country of domicile shall have the right to request and obtain a copy of such information in accordance with applicable law.
Catalyst shall provide a copy of requested Personal Data in a structured, commonly used and machine-readable format. Customers shall have the right to transmit such Personal Data to another service provider without restriction in accordance with applicable law.
We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration.
All data is encrypted using AES-256. Please review the AWS Cloud Security Policy for more information on AWS’ security practices. Catalyst utilizes only PCI-DSS compliant third party payment processors to ensure the security of your personal information. Users should review Stripe’s Security Policy for more information on their security practices.
“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a web application disable its tracking or cross-Platform user tracking. At present, Catalyst does not respond to or alter its practices when a Do Not Track signal is received.
If you have any additional questions about our practices, please contact Catalyst as follows:
154 W 14th St
New York City, NY 10014
Attention: Catalyst Privacy Department
By Email: firstname.lastname@example.org