Security & Compliance
CRM Refresh is a Salesforce approved Partner and takes security seriously.
We take security seriously at CRM Refresh.
In order to help you accelerate sales, CRM Refresh requires access to certain pieces of information. We’d like to explain how we store, process and secure that information. We rely on some of the best providers to ensure that we keep your information private, available and unaltered.
Salesforce – Approved Partner
CRM Refresh has taken important steps to ensure the security of our platform and its supporting infrastructure. CRM Refresh undergoes an annual audit by Salesforce.com Security and Technology teams. All CRM Refresh updates to the technology that connects to Salesforce are reviewed before they are released to Salesforce users.
Even if our offices go dark, you’re still up and running. CRM Refresh’s products run on world-class infrastructure hosted at Amazon data centers running on Amazon Web Services (AWS) technology. Amazon data centers provide physical security 24/7, state-of-the-art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines its procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, Airbnb, Comcast and Yelp. Amazon maintains security certifications with:
- SOC 1 / ISAE 3402
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is assigned to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
If we see something, we’ll react quickly and remedy the issue. We’re not resting on our laurels. We’re always looking for potential system interruptions. If we do find something out of place, we’ll address the issue so that it won’t be an issue in the future. We’ve invested in ensuring we can detect and respond to security events and incidents that impact our infrastructure. Security Operations at CRM Refresh is responsible for ensuring that:
- Infosec and US-CERT alerts are responded to within four (4) hours
- Incidents are responded to in a timely manner and communicated to relevant parties
- Corrective actions are executed
- Root cause analysis is performed. We follow the 5 Whys technique to explore the underlying problem
- Lessons learned are fed back into the Development, Operations and Executive management teams
We’re relentlessly updating our systems to protect your data. Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency are maintained using a combination of configuration management, up-to-date images and continuous deployment. Our systems are provisioned and updated using the most popular configuration management tools from PuppetLabs and Opscode Chef. Through continuous deployment, existing systems are decommissioned and replaced by up-to-date images at a regular interval.
Only people who need access get access. Production system access is limited to key members of the CRM Refresh engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
Don’t just take our word that our systems are secure. We don’t. Even though we’ve designed secure systems and procedures, we regularly perform security tests to identify and remediate potential vulnerabilities. We also conduct periodic penetration tests with expert third-party vendors to help keep our applications safe and secure. These tests cover network, server, database and in-depth White Box testing for vulnerabilities inside CRM Refresh applications.
We’re watching to find misuse or occasional problems. Logging is a critical component of CRM Refresh infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in real time and over secure channels to a centralized logging service. This also allows our technical support and development teams to view logs without gaining access to the production systems. We collect everything from application logs to AWS CloudTrail logs, which form a complete audit trail of user and employee activity.
Application Level Security
We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. We physically separate the database instances from application servers and heartily believe in the mantra of single-function servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well-known Certificate Authorities (CAs). All email and CRM credential related data is encrypted while in transit as well as at rest using military-grade encryption to ensure the security of user IDs and passwords. CRM Refresh application passwords are hashed and even our own staff can’t retrieve them. If lost, the password must be reset.
Data Protection, Continuity and Retention
We back up and test our systems, just in case. Production data is mirrored to remote systems and automatically backed up daily to an offsite location. Every change to a database is stored in the write-ahead log and immediately shipped offsite. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact; the minimum backup retention for all systems is seven (7) days and goes up to ninety (90) days. Our production applications are deployed in multiple availability zones and leverage AWS Multi-AZ technology, which can sustain the loss of an entire data center in a region.
If we have to part ways, we’ll make sure your data isn’t at risk. To cancel and delete your account, please contact your account manager or our Customer Success team. Canceling your account will disable all access to CRM Refresh Platform and affects all data associated with your account. Before you cancel your account, you must make sure you export or print any information you might need from CRM Refresh Platform; for example, leads and contacts are exportable via CSV. Activity-specific data in CRM Refresh, such as contact changes, edits and updates, is synchronized to Salesforce (SFDC) automatically. We retain your account data in our systems for a minimum period of 30 days in the event you request to reactivate your account. We cannot guarantee accounts closed longer than 30 days can be reopened. After your account has been closed for 30 days, all the data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and this will disable your access to any other services that require a CRM Refresh Platform account. We will respond to any such request, and any appropriate request to access, correct, update or delete your personal information, within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).