Data protection and security

Introduction

We are committed to protecting your privacy and ensuring the security of your personal data. This privacy information outlines how we handle customer data for Plumsail Actions.

Note

Visit the Plumsail Trust Center to learn more about our security posture and request access to detailed documentation.

Data Collection and Use

When you sign up for Plumsail Actions, you may be asked to provide your name and email address. We collect this information during your initial registration. Please note that we do not store any documents or messages processed by Plumsail Actions. All operations are handled via our REST API, which does not retain any documents or messages. These operations are performed over a secure, encrypted HTTPS connection. We will never sell your personal information to third parties.

Data Security

We employ robust security measures to protect your data from unauthorized access, alteration, disclosure, or destruction. We enforce strict access control policies to limit access to personal data to authorized personnel only. Measures such as multifactor authentication and multiple authorization procedures are in place to prevent unauthorized third-party access. The data stored in our system is encrypted at rest. This means that the data is protected when it is stored on our servers, ensuring that even if unauthorized access were to occur, the information would be unreadable without the proper decryption keys. To secure your data, we use the Advanced Encryption Standard (AES-256), which is widely recognized as one of the most secure encryption algorithms available. Additionally, we take steps to ensure the confidentiality of your data and implement measures to protect against data loss, including regular backups and disaster recovery plans.

Data Hosting Options

To provide flexibility and assurance, we offer multiple data hosting options. Customers may choose to host their data in one of the following regions:

  • Australia

  • European Union

  • United States

Note

Learn more about our data center locations.

Data Processing Agreement

As part of our commitment to data protection, we have incorporated a Data Processing Agreement (DPA) into our service agreement. The DPA outlines the specific terms and conditions regarding the processing of personal data. It ensures that all processing activities are compliant with applicable data protection laws. The DPA details the roles and responsibilities of both the data controller (you) and the data processor (us), the types of personal data processed, and the security measures implemented to protect your data. Where necessary, the DPA includes Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries to ensure adequate protection in compliance with data protection laws. It also includes provisions on data retention, data subject rights, and the procedures for data breach notification.

Compliance and Certifications

Plumsail prioritizes data security and regulatory compliance. While we are not currently certified under frameworks such as SOC 2 Type 2, we adhere to industry best practices and comply with applicable data protection laws. SOC 2 Type 2 is on our roadmap, and we are actively working towards achieving this certification.

We provide a self-assessment VSA-Core document outlining our security commitments and data handling practices for customers requiring additional compliance assurances.

Contact Information

If you have any questions or concerns about our privacy practices or this Privacy Information, please contact us at support@plumsail.com.

Frequently Asked Questions

  1. What information do we collect, when, and how do we use it?

Plumsail Actions follows strict data retention policies to ensure that customer data is not stored longer than necessary. The retention periods for different data types are as follows:

  • Customer Data: Any documents or messages handled by Actions are stored only for the duration of processing. Once the action is completed, the content data is immediately deleted from our servers.

  • Access logs: Access logs record information about who accessed what and when in the application. These logs are critical for security, compliance, auditing, and performance monitoring. We store them for 12 months.

  • User Account Data: Information associated with customer accounts, such as names and email addresses, is retained for the duration of the customer’s use of Plumsail Actions. Customers can request deletion of their accounts and associated data by contacting our support team. If a customer does not renew their subscription, we will delete their account and associated data after 90 days.

  1. How can I manage the privacy settings?

Plumsail provides users with tools to manage their privacy settings and control how their data is handled.

Customers can:

Additionally, customers using browser-based applications can control data storage preferences via browser settings, including local storage and caching controls.

  1. How do we protect your information?

As stated above, we store users’ account data and log files on our servers. Information about Actions sign-ups and log files is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive information you supply is encrypted via Secure Sockets Layer (SSL) technology. All data transmitted between you and us is encrypted and sent using HTTPS.

  1. What happens to data when Actions has been uninstalled?

When you uninstall Actions, logs are removed permanently. Local storage data can be cleared manually in your browser. Information about Actions sign-ups is still stored on our servers and can be removed by request. You can send a request to support@plumsail.com.

  1. Is Plumsail Actions GDPR-compliant?

Plumsail prioritizes customer trust. We know that customer data is important to our customers’ values and operations. That is why we keep it private and safe.

Review the Data Processing Agreement. It describes how we process data you send to us. The Data Processing Agreement is a part of the Master Service Agreement.

  1. What are the data security best practices?

While Plumsail Actions employs strong security measures, customers also play a role in safeguarding their data. We recommend the following best practices:

  • Enable Multi-Factor Authentication (MFA).

  • Avoid using common or easily guessable passwords.

  • Restrict API key access.

  • Use Custom user credentials API keys to avoid unnecessary use of the admin account.

  • If you need to share some details with support, remove or change sensitive information whenever possible.

  • Ensure that any integrations you enable do not expose sensitive data to unintended parties.