This document outlines the data retention policy used by Certain, Inc. in its suite of applications. All elements of the Certain Information Technology Operations and Security Program are structured to minimize or prevent damage that could result from accidental or intentional events. This includes actions that might lead to breach of confidentiality, result in fraud or abuse, or delay the execution of operations.
The scope of this policy includes all Certain services that store customer and corporate data, and in particular the Certain services hosted at our third-party facilities.
This document will be updated and revised as part of efforts by Certain to continuously improve its services to customers. Changes will be communicated broadly and directly with customers to ensure service delivery remains aligned with both compliance and regulatory requirements, as well as customer-specific needs.
1. Data Environments
Certain operates multiple operational data environments. These environments use Microsoft SQL 2017 Enterprise edition data replication to provide data integrity and availability. They are built on the Windows Server 2016 operating system and use its clustering capabilities to ensure high availability and fault tolerance. The primary operational environment is located in multiple datacenters in North Virginia, with additional environments in Oregon and Ohio.
Certain has a highly refined backup policy that governs its backup procedures. It defines the frequency of backups and how backups are maintained and migrated throughout the data lifecycle. Certain systems also use several tiers of storage as part of this data backup policy, and the policy defines the duration for which data is retained in each tier. All data is encrypted using Microsoft SQL 2017 Enterprise Transparent Data Encryption (TDE). The respective keys are managed via a dedicated Hardware Security Module (HSM).
2.1 Certain Platform
Certain operating environments are backed up to ensure data is protected throughout all stages of the data lifecycle. These systems and their data are located within the United States. The backup procedures include full, differential, and log backups that occur at a high frequency. Data backups are stored on high-speed media for a period of three days. They are also migrated to secondary archival disk-based storage for a period of 30 days. Lastly, this data is also placed in a tertiary location, where it is generally retained for a period of 3 years.
2.2 Marketing Automation
Marketing Automation integrations connect Certain to marketing engines such as Marketo or Eloqua. The registrations created in the Certain applications are stored in the events database. They are then transferred through the integration as “leads” to enrich marketing campaigns. These integrations store audit and telemetry logs for 21 days.
2.3 Single Sign On
Single Sign On (SSO) Manager stores identity provider connection information. It stores audit and telemetry logs, as well as records of processed connections, for 21 days.
2.4 Bulk API
Bulk API uses Elasticsearch to provide search and bulk data access. Data is retained for thirteen months only. Any data older than thirteen months is automatically deleted by a job that runs daily.
3. Data Protection
Data Encryption — At Rest
All data stored within the Certain system is encrypted in databases using Microsoft SQL 2017 Enterprise Transparent Data Encryption (TDE). The encryption mechanisms use keys that are managed via a dedicated Hardware Security Module (HSM) service layer.
Data Encryption — In Archive
AES-256 encryption is used for all backups. This level of encryption is maintained throughout the data archival process, including when full backups are initially created and when backups are moved to secondary and tertiary archival locations.
Data Encryption — Key Management
The effectiveness of encryption depends on managing the security of encryption keys throughout their life cycle. Therefore, encryption keys are maintained in such a manner as to prevent disclosure to unauthorized persons, and access is limited to a group of custodians who require it. At Certain, keys are managed in compliance with PCI DSS requirements, using an HSM device for all key management activities, including creation, usage, storage, and destruction of both key-encryption keys and data-encryption keys.
Data Encryption — In Transit
High-grade encryption is used to protect all communications between customers and the Certain services. They are secured via transport layer authentication and transmission encryption mechanisms based on HTTPS (TLS-based encryption). Any non-secure HTTP request is redirected to HTTPS. Currently enforced: TLS 1.2, with cipher suites using AES-256 and either SHA-256 or SHA-384.
4. Data Purge
4.1 Profile and Registration record deletion
Event profiles contain personally identifiable information (PII) including a person’s name, email address and similar information, depending on our customers' needs. Additionally, associated registration information is used for event-level information and may also be used to gather personally identifiable information, behavior and interest data. So, in general, to delete a profile (a person’s record), all of this data and its associated data is deleted. This includes:
- Profile standard and custom profile questions
- Registration fields, including attendee type and registration status records
- Custom registration and travel question responses
- Agenda & Session assignment records
- Travel & Accommodation assignment records
- Appointment & Preferences records
- Groups & Promo-code assignment records
- Fees & discounts records
- Transaction records
- Registration history
4.1.1 Profiles Deletion – data older than 3 years
The process looks for profiles that have not been modified, and have no registrations created or updated, within the last 3 years. These profiles are marked as candidates for deletion. All inactive profiles (soft deletes by customers) are also candidates for deletion. A purge script scheduled to run once every 6 months permanently deletes these records.
4.1.2 Profile Deletion – on demand deletion
The Certain application has a data privacy feature which enables customers to anonymize the PII of registrants of their events. The feature will be extended to search for a specific profile record and permanently delete it.
4.2 Event record deletion
The Certain application provides event managers and marketing departments with a wide range of data objects to engage with attendees and collect valuable behavioral and intent data. Event data that is created includes fields like custom registration and travel questions, agenda, sessions, forms, emails and reports.
4.2.1 Events Deletion – data older than 3 years
The process looks for events (excluding templates) whose event end date is 3 or more years in the past. Such events will be deleted, including all their setup, configuration and other related data. This includes, for example, their:
- Event Details
- Registration & Travel custom questions
- Agenda & Sessions
- Forms, Websites & Logic rules
- Email Templates with schedules
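The two age-based selection rules of sections 4.1.1 and 4.2.1, written out as an added Python example (this is not Certain's purge script; the record models, the sample dates and the 365-day year are assumptions of the example):

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy retention window of 3 years; 365-day years are an assumption of this example.
CUTOFF_DELTA = timedelta(days=3 * 365)

@dataclass
class Profile:                       # hypothetical model of a Certain profile record
    profile_id: str
    modified: date
    inactive: bool = False           # soft-deleted by the customer (section 4.1.1)
    registrations: list = field(default_factory=list)  # (created, updated) date pairs

@dataclass
class Event:                         # hypothetical model of an event record
    event_id: str
    end_date: date
    is_template: bool = False

def profile_purge_candidates(profiles, today):
    # Section 4.1.1: inactive (soft-deleted) profiles are always candidates; otherwise
    # the profile and every one of its registrations must be untouched for 3 years.
    cutoff = today - CUTOFF_DELTA
    candidates = []
    for p in profiles:
        touched_recently = p.modified > cutoff or any(
            created > cutoff or updated > cutoff for created, updated in p.registrations)
        if p.inactive or not touched_recently:
            candidates.append(p.profile_id)
    return candidates

def event_purge_candidates(events, today):
    # Section 4.2.1: non-template events whose end date is 3 or more years in the past.
    cutoff = today - CUTOFF_DELTA
    return [e.event_id for e in events if not e.is_template and e.end_date <= cutoff]

# Constructed sample records (not real customer data).
TODAY = date(2024, 6, 1)
SAMPLE_PROFILES = [
    Profile("p-old", date(2020, 1, 15), registrations=[(date(2020, 2, 1), date(2020, 2, 1))]),
    Profile("p-recent-reg", date(2019, 5, 5), registrations=[(date(2019, 5, 5), date(2023, 9, 10))]),
    Profile("p-active", date(2024, 3, 1)),
    Profile("p-soft-deleted", date(2024, 5, 1), inactive=True),
]
SAMPLE_EVENTS = [Event("e-old", date(2020, 12, 31)),
                 Event("e-template", date(2019, 1, 1), is_template=True),
                 Event("e-recent", date(2023, 11, 20))]
```

Note that a single recently updated registration keeps an otherwise stale profile out of the candidate list, while a soft-deleted profile is a candidate regardless of its dates.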
5. Data Destruction
All confidential data that has been stored on electronic media and has reached its maximum retention period, or is no longer needed for business purposes, is eliminated. Data destruction is in line with Department of Defense DoD 5220.22-M, which ensures that data is effectively destroyed and irrecoverable.
6. Data Recovery
Data recovery is possible through several approaches. It can be restored from data backups stored in primary, secondary or tertiary storage. In case of a major disaster event, Certain would enact its disaster recovery and business continuity plan. This plan restores services and data to Certain’s failover site in Ohio.
7. Data Breach or Loss
Incidents involving suspected or confirmed loss of data or data breach are handled as part of Certain’s incident and security response policy. This policy includes handling, documentation, escalation, notification, and issue resolution. Additionally, ongoing communication with impacted customers is provided by the assigned customer success manager and the primary customer point of contact.
8. GDPR Compliance
Certain, Inc. adheres to the GDPR and has created the functionality necessary to meet its stringent requirements. This functionality is available across Certain’s platform of services. Customers can, for example, respond to Data Subject Rights (DSR) requests “to be forgotten”. Customers can select one or more profile records, anonymize the personally identifiable information (PII), and mark them for deletion. Data that has been marked for deletion can then be purged by Certain when requested by customers.
9. Data Archiving
If a customer is interested in retrieving data before it is purged, any of the following approaches may be used.
9.1 Certain Application APIs
The Certain platform offers a rich set of Open APIs (https://developer.certain.com/api2docs/) which enable users to pull and push data for most data objects. Customers who have an internal data warehouse or system of record are recommended to build an integration that pulls data from the Certain application at regular intervals via these APIs. All APIs offer a delta-pull feature (pull only data that has changed since the last pull) to facilitate optimal data flow between systems.
The Certain platform also offers a rich set of data sets to use for reporting. Users can customize the content of a report (the fields of information to include), apply data filters, and extract the information in different file formats (HTML, XLS, CSV, PDF, etc.). We recommend that customers coordinate with Certain support when such a data extraction is planned, to ensure reliable system performance when very large reports are executed for data extraction.