Data Security

Trust and Security to help you meet all data privacy, regulatory and compliance guidelines

You are in Safe Hands

We work with clients across industries – banks and other financial institutions, media, eCommerce, CPG and a few others. We usually need access to clients’ sensitive customer and financial information. It is our responsibility to protect our clients’ confidential information and their data. We ensure that any client data is stored only with secure and reliable cloud service providers: Amazon Web Services or Google Cloud. We have the necessary processes and safeguards in place to ensure the data is not downloaded by any member of the team working on client projects. Our employee onboarding process has sessions dedicated to Data & Information Security and to best practices for handling clients’ sensitive data.

We also have regular internal sessions on evolving data threats and on whether any new safeguards and policies need to be introduced. A summary of InvoLead security policies, processes and procedures is outlined below.

Policies & Trainings

  • InvoLead data security policies and standards reviewed quarterly
  • Any evolving threat and potential breaches incorporated and circulated to all employees
  • Dedicated session for new employees to apprise them of InvoLead data & information security policies
  • Regular internal sessions to stress data & information security
  • Data & Information security is part of every employee’s KRA

Authorization & Access Control

  • Access to a client’s confidential information is restricted to employees who have a need to know. No one else is permitted to access this data.
  • Access to InvoLead computer systems is granted or revoked by network administrators in response to requests from managers
  • Client data is accessed only by restricted users, using security management features of the corresponding cloud service providers.
  • Copying of client data on personal systems is prohibited
  • All server, storage & other services’ credentials are accessible to only manager level employees
  • All connections to the servers occur over encrypted SSH, SSL, or VPN channels

Confidentiality

  • All client and respondent information is classified, confidential, and protected
  • All InvoLead employees are required to sign and adhere to Non Disclosure and Confidentiality agreements to protect clients’ data and confidential information, as well as InvoLead confidential information
  • All subcontractors and suppliers to InvoLead must sign and adhere to the strict Non Disclosure and Confidentiality agreements to protect clients’ data and confidential information

PII (Personally Identifying Information) Suppression Policy

  • Sensitive PII is currently defined by the Federal Communications Commission (FCC) as credit card numbers, financial account numbers, government issued ID numbers, health information, or information regarding children
  • We keep PII data only in secure encrypted format, as agreed upon with the client
  • We always try to minimize use of PII data & do not store PII, unless specifically required for an engagement

Data Storage Servers

  • InvoLead uses Google Cloud and Amazon Web Services for all our clients. Each of these platforms provides enterprise grade security features
  • Only service account key based authentication is used to access data
  • Service accounts are limited to InvoLead employees
  • We also promote other techniques, such as CIDR notation and firewall rules, for virtual machines

Data Disposal

  • InvoLead honours client requests to remove PII and any other sensitive information provided to us
  • We follow a well-defined process to remove PII for all client data & carry it out as the first step in a project kick-off
  • On completion of an assignment, we delete all client data from our systems, after the client’s confirmation to delete it (post sign-off)

The process of data removal includes:

  • Removal of data from cloud servers
  • Removal of data on database backup disks and archived data
  • Audit of team laptops by the manager to verify that no client information has been stored on personal machines
  • Our policy forbids retention of paper output that includes client data.
  • In some circumstances working reports are printed for internal meetings, which are identified and disposed of using a shredder

Solution Development

  • InvoLead has an evolved development process that includes security standards, security code reviews, quality assurance testing and release controls
  • Security standards have been developed using industry best practices and are updated to include current trends and threats
  • We strive to conform to OWASP standards for our web based solutions
  • Architecture security reviews are performed when needed by the Security Team to ensure proper controls are in place and security standards are followed
  • During the development phase, InvoLead strictly follows key based authentication with defined service accounts
  • Only managers can have access to all of the production environment using key based authentication

Data Backups

  • Data backups are performed in a timely manner on secure cloud servers
  • This solution provides quick recovery from backup when required, as well as protection of data

Employee Access to Client Data

  • We have taken measures to ensure that access to both live data and reporting data is given only on a need basis
  • Access privileges are reviewed periodically and with every change of job responsibilities
  • No employee can download data from a cloud server under any circumstances

Client Data Confidentiality

  • We do not share collected data with any competitors, organizations, or individuals without express written consent of the data owner.
  • We insist on an explicit data confidentiality clause in all our contracts with our clients
  • We place a high value on the security of data, which is always treated as confidential.