Updated: September, 21th 2020
The privacy of your data is very important to us. This document explains how your data is stored, where it is stored and whether it is stored securely.
CRMdesk is hosted at SteadFast Networks' 350 E Cermak, Chicago Data Center. This world-class data center provides complete 2N redundancy at Tier 3+ standards. Our software infrastructure is updated regularly with the latest security patches.
CRMdesk encrypts the data over the wire via 256-bit (SHA2) TLS certificate, TLS 1.0, 1.1 and 1.2. Data isn't encrypted while it's live in our database since it needs to be ready to send to you when you need it, but we perform all the measures needed to secure your data at rest. File attachments are encrypted at-rest via AES256. Database backups are also stored in encrypted form.
Data Backups and Disaster recovery
CRMdesk backs up the data on an hourly basis. Backup files and server logs are then copied to a secure disaster recovery facility where they are kept for 6 months before being permanently deleted. CRMdesk doesn't utilize any type of removable media for backup storage, all backup files are stored on secure servers.
A small team of operations personnel have administrative access to the infrastructure where CRMdesk is hosted. Additionally, CRMdesk developers occasionally require a read-only access to the customer's account metadata to troubleshoot problems.
All CRMdesk employees sign confidentiality agreements before gaining access to customer's account. Everyone at CRMdesk is trained and made aware of security concerns and best practices for their systems. Remote access to servers is established via company VPN and limited to workers who need access for their day to day work. All access events are logged for all accounts by IP address.
Once CRMdesk becomes aware of any suspected or confirmed data breach, CRMdesk will notify all affected customers via e-mail within 72 hours.
Personally identifiable information
CRMdesk user accounts hold user's name and e-mail address. Name helps us to personalize user's experience. E-mail address is used as a unique user identifier and for communication with the user. In addition, accout owner is associated with company website URL and a phone number. Company website URL is used by CRMdesk support to integrate account’s Customer Desk interface with user’s web site appearance when requested by marking a checkbox on initial free trial opening form. A phone number may be used to place a follow-up call, but only in case if an email appears to be invalid. Requests to delete personally identifiable information should be forwarded to appropriate account's administrators.
Sharing personally identifiable information
CRMdesk won't hand your data over to law enforcement unless requested by a court order. We will reject data requests from local and federal law enforcement without a court order. And, unless we're legally prevented from it, we'll always inform you when we receive such requests.
Customers are responsible for understanding and implementing their data retention and deletion requirements related to the data they store in CRMdesk. CRMdesk account administrators may request CRMdesk to delete historical customers’ requests that are kept in a ‘closed’ status over a certain period, as well as certain customers’ accounts, by sending an email to firstname.lastname@example.org and such requests will be handled within 48 hrs.
Deleted customer questions are moved to Recycle Bin, kept there for 30 days and then purged automatically. Administrator can purge records from Recycle Bin manually at any time. Other data types such as FAQ articles, documents, discussions, etc. are erased from production systems immediately, however, since CRMdesk backups are kept for 6 months, it may take up to 6 months for their data to be completely purged from CRMdesk backup systems.
An account is considered 'expired' when either its trial period ends, or a paid subscription is ended. CRMdesk blocks access to expired accounts. Expired paid accounts are securely kept in locked stage for 180 days. Expired trial account are deleted automatically within 90 days after expiration. Account administrators may request CRMdesk to delete their accounts by sending an email to email@example.com and such requests will be handled within 72 hrs.
All types of data deleted from CRMdesk will reside in system backups for 6 months. It will not be restored back to production systems, except for in certain rare instances such as the need to recover from a natural disaster or serious security breach. In such cases, some of deleted data instances may be restored from backups, but CRMdesk will immediately take all necessary steps to honor the initial request to delete and erase the primary instance of the data again.