Security, Privacy, and GDPR Compliance


We take security and customer privacy seriously at DataFox and are committed to protecting your data.

Our engineering leadership helped construct the security and compliance controls for leading enterprise software companies, and have built DataFox from the ground up with those controls in mind. We perform criminal background checks on all potential hires, and employees undergo ongoing security training. We follow the “principle of least privilege” and grant access to sensitive data only as required.

This document outlines our security and compliance policies.

Legal Compliance

We comply with EU GDPR privacy protections

We protect the privacy of personal information for EU citizens, in compliance with EU law effective May 25, 2018. Contact us at for additional GDPR policy documents..

At DataFox we take security and privacy seriously, and welcome GDPR protections. Our compliance is built on two pillars:

First, we collect data on companies rather than individuals, and so do not store or process personal information. This means we do not store “personally identifiable information” (PII) as part of our integrations, and do not pose a compliance risk of transferring PII into your system that violates GDPR protections.

Second, we have built security and privacy into the core of our platform. Our engineers and leadership come from enterprise software companies, and our customers work in highly-regulated industries like finance and government. We follow industry security best practices to protect your data, as outlined in this document.

Updated Privacy Policy

Furthermore, to comply with GDPR requirements, we have updated our privacy policy to reflect the new privacy protections.

Data Processing Agreements

GDPR requires that all processors and sub-processors of personal data also be compliant with privacy protections, so we are putting in place data processing agreements with our vendors.

We also have created a GDPR-compliant data processing agreement for our customers, so please contact your customer success manager or email to request a version to sign.


GDPR compliance can be intimidating and we’re here to help. Please send any general questions to and send security questions to

We prevent access from countries on the OFAC list

We bar access to the current set of countries which are embargoed by the U.S. by blocking all web traffic from those countries and refusing to do business with any such parties.

Handling Sensitive Customer Data

We have a formalized Data Classification Policy to define how we handle different data. In this context, “Sensitive Customer Data” refers to anything customers provide to us that is not public information and they reasonable don’t want shared. Some categories include:

  • personally identifiable information (PII) such as user email, name and phone number
  • proprietary data imported as “custom fields” on a company
  • lists created in the application
  • user activity, such as searches and company profiles viewed
  • data imported from Salesforce, a spreadsheet or an API integration

Our systems are designed to protect sensitive customer data from inappropriate access. Here are some of the protections:

We never transfer customer information to external media

We will never transfer customer data in spreadsheets or other files onto usb drives, CDs or external discs. Furthermore, we never transfer customer data to personal computers or devices.

Data lifecycle management

We will securely destroy old storage media that contains customer data. This means we will first wipe or remote wipe the the hard drive(s) to ensure any sensitive keys, passwords, etc. are not retrievable. Then we will pay a third party to securely dispose of the physical device.

We follow the principle of least privilege in granting access to sensitive data

The principle of least privilege means we grant only the access that an employee needs to complete their job and default to denying access.

Access rules are defined by our User Roles Definition document, which also defines the access granted by role.

Protecting Employee Computers

All official work must be completed on company-provided computers

As already covered, transferring any customer data to personal computers is strictly prohibited.

All company computers must have full disk encryption enabled

To protect against the risk of theft, all DataFox computers must enable full-disk encryption.

All company computers and servers must have antivirus software installed and running

To mitigate the risk of malware or other attacks, all DataFox computers and servers must run antivirus software at all times.

Hiring and Training Employees

Criminal background checks on all hires

As a token of our commitment to security and protecting customer data we perform criminal background checks on all new hires.

Credit background checks on all finance hires

We additionally check credit histories for any new hires that will handle finances, billing, or otherwise have access to company finances.

Security and compliance training

As part of our new hire training, all hires must review our security and compliance policies. They also receive ongoing training and review the policies at least annually. Employees with access to sensitive data and/or production environments further receive ongoing technical security training.

Disciplinary action for violating security procedures.

We take our customer’s privacy and confidentiality seriously, and failure to comply with these policies is grounds for discipline or termination.

Access to sensitive data is immediately revoked upon leaving employment

In keeping with the principle of least privilege and security best-practice, access to sensitive data, tools and environments is immediately revoked when an employee leaves the company.

Protecting Our Production Environment

We follow best practices to secure our production environment far beyond this list, but we’d like to highlight these protections:

All traffic containing sensitive customer data is encrypted

All traffic between the customer and our application, API, and integrations must be transferred using modern TLS protocols.

All sensitive customer data is encrypted at rest

Databases containing sensitive customer data must stored in an encrypted form using industry best-practice encryption.

Third-party penetration tests are completed annually

Third-party penetration tests are completed on a regular basis, at least once per year, to uncover and address any possible areas of vulnerability.

Production access requires multi-factor authentication and VPN

To prevent unauthorized access to sensitive systems such as web servers and databases, access to these systems is limited to employees that strictly need access to complete their jobs. Furthermore that access is confirmed using a VPN connection with multi-factor authentication enabled.

Access to production is limited to only employees that require it

Access to production servers, databases, and cloud tools (i.e. VPN access mentioned above) is limited to employees that require it to complete their jobs of deploying and maintaining production code.

Separation of development, testing, and production environments

We maintain logically-separated development, testing (“staging”), and production environments. Production data must be sanitized of sensitive data before being used in testing environments.

We require secure passwords in our application

We require all user-created passwords to follow industry best practices: they must be at least 8 characters in length, include a number or special character, and avoid easily-guessable phrases.

We are SOC 2 Type I certified

We have undergone an independent SOC 2 security audit to independently validate our controls.


99.5% uptime SLA

24/7/365 on-call

Deployed redundantly with backups for high availability and disaster-resilience

Incident Response

We have a defined Incident Response Policy for handling issues which is reviewed with the incident response team and periodically updated. We promise:

Informing affected users

In case of an incident we will promptly inform any users that may have been impacted either by the application being significantly unavailable or inappropriate access of their sensitive data.

Support for affected users in the wake of an incident

After an incident we will fully cooperate with all reasonable requests by any affected parties to perform forensic analysis to the extent possible while protecting the privacy and confidentiality of other customers.

Revision Record

VersionRevision Effective DateApproved ByDescription of Change
0April 24, 2018Ben Trombley, CTOInitial public version of our security & compliance policy.