Privacy and Non-Technical Security
Last updated: March 4th, 2021
In the last article we talked about what we do on the technical side to ensure security, but that's only half the story. It's also important that we have well-crafted policies and rigorous oversight. Here's what we do on the non-technical side to keep your data private:
- Ownership of your data - Unfortunately, the technology industry has a habit of betraying users' trust when it comes to what they do with your data. At Less Annoying CRM, this is very cut and dried: you own your data, not us. We do not sell or share your data with any third parties (except when you choose to sync with a different service like Google or Mailchimp), and we do not use your data for any purpose other than to serve you.
- Data retention after you cancel - If you decide to cancel your LACRM account, by default we will retain your data for one year so that if you decide to come back and restart your account (this is pretty common), you can pick up where you left off. After a year, we will permanently lock down your old account and then delete all of your data. If you'd prefer for us to delete all your data immediately, we're happy to do that; just let us know.
- LACRM accessing your data - Many of our customers love our hands-on support, and sometimes providing great support requires one of our CRM Coaches to view your account. We will never do this unless you reach out to us for help or we're fixing a technical bug. We have extensive logging and notifications set up so that if an employee disobeys this policy we can take immediate action. If you'd rather prevent LACRM employees from ever logging into your account even if you ask, contact us and we can set that up for you (this places a technical lock on your account which our CRM Coaches cannot override).
- Employee training - Having a policy doesn't mean anything if no one follows it. Every new employee at Less Annoying CRM, regardless of their role at the company, goes through extensive training on privacy, security, and our internal policies. Employees have only limited access to our internal tools until they've completed this training, and we hold ongoing training sessions about topics such as password security, common types of hacking, etc.
- Social Engineering - Speaking of employee training, one of the most common forms of hacking isn't actually technical; it's social. Often when a company gets "hacked," it's because the hacker called up the support line and convinced them to do something they shouldn't. This is one of the primary focuses of our training with employees, and we have a number of protections set up in our internal tools to prevent social engineering. Sometimes this annoys our customers (for example, we can't always answer questions over the phone because it's impossible to verify identity on the phone), but it's a critical part of our security plan.
- Data Breach Notification Plan - Of course we never intend to have a data breach, but if we do, we have a clearly laid out plan for how we would deal with it. You can read the full plan here, which outlines exactly whom we notify and how in the event of a data breach.