Data Security and Privacy
We value your trust and work hard to protect your data
When you use our services you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. We understand that there are particular concerns from companies in the EU about how we use and protect your data, so we put this page together as a guide to answer some of the most common questions you may have.
Your Customers' Data
We understand UseCSV is used within applications where data security, privacy and compliance are critical. When UseCSV is integrated using data callbacks, we guarantee that data from customer imports is not sent or stored by our servers, and all data processing and validation happens locally in the user's browser. This means you can be confidant your customer data is always safe and secure.
Security and Privacy
For detailed information about our security and privacy practices, you can view our privacy policy. Below are some highlights.
Data retention
When UseCSV is integrated using data callbacks, we guarantee that data from customer imports is not sent or stored by our servers, and all data processing and validation happens locally in the user's browser. The only data transmitted and stored in our servers is basic metadata (filename, number of rows, upload date and status). This data is only stored so that you can view the history of imports in your UseCSV account. If (and only if) you choose to integrate using the optional webhooks method, the import data will be sent to our servers. The data will only be retained for a maximum of 24 hours whilst it is sent to your backend.
Data centers and security measures
Our primary data and servers are hosted with Vercel and PlanetScale which primarily utilize Amazon Web Services (AWS). We currently do not have plans to add servers in the EU (GDPR does not require physical servers in the EU).
Vercel details
Vercel provides deployed and hosting services. The Vercel Edge Network and deployment platform primarily uses Amazon Web Services (AWS), and currently has 18 different regions and an Anycast network with global IP addresses. Vercel encrypts data at rest (when on disk) with 256 bit Advanced Encryption Standard (AES-256). While data is in transit (on route between source and destination), Vercel uses HTTPS/TLS 1.3. Even though Layercode itself has not undergone a SOC 2 Type 2 audit, Vercel has.
PlanetScale details
PlanetScale is committed to delivering a powerful and easy-to-use database platform while keeping your data secure. The security of our systems is of the utmost importance and we consistently aim to improve our security posture by building security into every layer of our products. PlanetScale databases and their client communications are AES encrypted throughout the PlanetScale platform both in transit and at rest. Data is encrypted at rest on the underlying storage media that serves database branches and also the underlying storage media that hosts your PlanetScale database backups. This helps mitigate the risk of unintentional or malicious access to user data on storage systems. Even though Layercode itself has not undergone a SOC 2 Type 2 audit, PlanetScale has.
Additional security measures
Data center security: The data centers we use demonstrate ongoing compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 2 and more.
Access control: We restrict access to personal data only to our employees, contractors, and agents who need to know this information in order to operate, develop, or improve our service. Only a select few have access to the servers where data is stored. We go to great lengths to ensure the right balance between support and secure infrastructure. Employees can only access accounts if they have explicit permission from an account owner or the account is in review for compliance with the Layercode Terms of Use
Confidentiality agreements: Employees, contractors, and agents are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution if they fail to meet these obligations.
App security: All access to the UseCSV interface is secured over SSL (HTTPS), ensuring the information is encrypted. Additionally, we enforce TLS and HTTPS connections to the UseCSV GraphQL API. Account passwords are encrypted with out provider Auth0, preventing even our own staff from viewing them. We offer a method to recycle API keys at anytime in the UseCSV interface.
Fully redundant serverless infrastructure for the API and Web interface.
Secure protocols (SSL / TLS) across the web and API endpoints.
Separately hosted Help system and Public site.
256-bit SSL encryption on the web app and payment processing.
All passwords are stored using one-way cryptographic hashing functions.
EU General Data Protection Regulation (GDPR)
What is GDPR?
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It came into effect on May 25, 2018.
Why is GDPR important?
GDPR adds some new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches.
What has Layercode done to comply with GDPR?
We have implemented changes and our commitment to your privacy continues
with GDPR. In our role as the Data Processor of your customer and end user information, we have provided a Data Processing Agreement, meeting with the requirements of GDPR. You can request a copy from us at any time. We have worked hard to meet our obligations as a processor under Article 28 of GDPR. To this end:
We continue to process your customer and end user data per your instructions.
We have implemented appropriate technical and organizational measures to protect the data with which you entrust us.
We have provided a list of our sub-processors within our DPA.
We have instituted a policy informing and obligating our employees to maintain the confidentiality of your information.
We have instituted a procedure to assist you in complying with requests for access, amendment or deletion that you may get from your customers or end users. See the "How do you manage access to my information (DSR requests)?" on this page..
We are able to inform you without delay in the event of a data breach (though we, and our sub-processors are working hard so that won't be needed).
We will delete your customer/end user information at the end of our agreement with you, if you ask us.
As guidance about specific aspects of GDPR continues to be published, we will also continue our efforts to fine-tune and improve our compliance.
We have addressed cross border data transfers
We provide a standard Data Processing Addendum (DPA), which meets with GDPR requirements for agreements between Data Controllers (you) and Data Processors (us). Our DPA includes the new Standard Contractual Clauses (SCCs) for cross border transfers. It also outlines in detail our current security practices. To receive and sign a copy of our DPA, please contact support.
Does GDPR require that my information be stored in the EU?
No. Under GDPR a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. We offer a Data Processing Addendum (DPA) with updated Standard Contractual Clauses (SCCs) to all customers.
How do you manage access to my information (DSR requests)?
As of now, our intention is to service DSR requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting support. This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
We are here for you
We are happy to answer any questions and address any concerns regarding how we protect your personal data in general, as well as specifically under GDPR. If you have any questions, please don't hesitate to contact us.