Data Protection & Data Security

In the digital world the importance of data security is critical, not just for our clients, but their customers as well. The vulnerabilities of data at any stage may bring about serious consequences for the entire ecosystem. 

As a business owner, when you choose a service or a platform to offer your products and services to your customers, you are essentially choosing the link between you and the customers. This is why it is important that the platform adheres to optimum security standards and has the right certification to provide protection to all that sensitive data you are collecting from your data. This data may include the email addresses, physical addresses, contact numbers, payment information, or any other such sensitive data. 

You have a responsibility towards your customers that any such data they provide during the course of business is kept safe, handled ethically and is never shared with anyone without their knowledge or consent. 

At dAtoComm™, we take stringent security measures and are dedicated to make sure that there are no vulnerabilities in our processes at any stage. dAtoComm™ helps you deliver enterprise-class security and compliance to your customers through every interaction. 

Listed below are the certifications and compliance measures taken by AppyPie.com to ensure that our clients and your customers are protected from any unscrupulous activities. 

PCI DSS Compliance

The payment gateway used by dAtoComm™ is a PCI DSS compliant. We have entered 2019 with concern and trepidation about data vulnerability, breaches, and leaks. This is why security continues to be a hot-topic and a matter of public concern. 

dAtoComm™  takes it upon themselves to make sure that their customer’s payment information is protected at all times. Stripe, dAtoComm™ PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

You can place a ‘Do not sell my data’ request by filling in this form.

SOC 2 Attestation

Our clients trust our platform enough to let us handle their critical processes like billing, invoicing, and more, and in return we assure them that their interests and their customers privacy are valued and protected. 

The SOC 2 attestation ensures that SaaS service providers like dAtoComm™ manage your data securely so that your interest and your clients’ privacy is always protected. 

dAtoComm™ SOC compliance is particularly suited for businesses that need to control their financial reporting internally, and to showcase the vendors who have deployed internal controls during audits. 

You can place a ‘Do not sell my data’ request by filling in this form.

ISO 22301:2019

Societal security – Business continuity management systems – Requirements, is a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

dAtoComm™ is ISO 22301:2019 certified and are prepared to handle and recover from any disruptive incident, if one should arise.

ISO 27001:2013

ISO 27001 certification is a certification for an information security management system (ISMS) – which is essentially a framework of policies and procedures. It includes all the legal, physical, and technical controls related to an organization’s information risk management process aimed at keeping the information secure. 

dAtoComm™ is ISO 27001:2013 certified and are committed to risk identification, implications assessment, and to put in place systemized controls that inspire trust in all that we do.

Voluntary Product Accessibility Template (VPAT)

dAtoComm™ has created a Voluntary Product Accessibility Template (VPAT) which is in accordance with the Section 508 Standards. It details each aspect of the Section 508 requirements and how we support each criterion.

Our VPAT contains documentation on Section 508 (2017 Refresh), Web Content Accessibility Guidelines (WCAG) 2.0 Success Criteria & Conformance Requirements (Levels A, AA, AAA) as well as the European Accessibility standards EN 301. You can view the entire report here.

GDPR

dAtoComm™  is in compliance with GDPR and processes all personal data in accordance with the guidelines set forth by the regulation that are applicable to dAtoComm™ services and the platform.

GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

You can place a ‘Do not sell my data’ request by filling in this form.

EU data transfer mechanism

GDPR applies primarily to controllers and processors located in the European Economic Area or EEA and if the personal data is transferred out of the EEA, there is a risk of losing GDPR protection. It is for this reason that GDPR restricts the transfer of personal data outside the EEA, unless the rights of the individuals are protected in some way. Until recently there were two ways to do this – EU-US Privacy Shield and Standard Contractual Clauses.

In a recent development, however, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Framework for transfer of data. However, Standard Contractual Clauses are still valid as a tool or mechanism for data transfer to processors outside of the EU, Switzerland or the UK.

At dAtoComm™ , we have Standard Contractual Clauses (SCCs) in place for transfer of data so that all personal data is protected. We, at dAtoComm™, are committed to enable our customers to provide customer service responsibly by implementing and adhering to prescribed compliance policies, both as a data controller and processor.

CCPA

California Consumer Privacy Act is a state statute that is aimed at enhancing the privacy rights and consumer protection for California residents.

dAtoComm™  is in compliance with CCPA and is transparent about all or any personal data collected from the clients through the platform. To read dAtoComm™ CCPA policy, please click here.

You can place a ‘Do not sell my data’ request by filling in this form.

Penetration test, Vulnerability Scanning & Patching

As a practice, we, at dAtoComm™, check and apply patches for third-party software/services. In case any vulnerabilities are ever discovered we apply the fixes on the highest priority. Also, vulnerability scanning is carried out every month using the services of Amazon Inspector.

dAtoComm™ has gotten the penetration testing done by third party experts – Bishop Fox and the relevant report can be obtained by sending an email to security@datoscomm.com

Physical and Network Security

dAtoComm™  has its development center in Manhattan NY), and sales / support offices in Manhattan, NY (USA) & Guayaquil Ecuador. The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

All the apps at dAtoComm™ are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.

The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by dAtoComm™ own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.

dAtoComm™ uses a multi-tenant data model to host all its applications. It is through an individual virtual private cloud that dAtoComm™ services each application wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged-in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created which are then subsequently audited.

Administrative Operations

Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.

Data Loss Protection

As a measure to provide optimum Data Loss Protection, we at dAtoComm™ use the world leader in data loss protection – Endpoint Protector by CoSoSys which prevents any inappropriate transmission of data through physical or digital means. It means that the data from the company cannot be copied to any other mass storage device, nor can it be sent out through email as attachment or any other form using their powerful Security.

Data Storage 

The protection and security of the customers’ data is a serious matter for dAtoComm™, hence, they manage the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the dAtoComm™ platform is at the discretion of individual app owners.

The Development team at dAtoComm™ does not have access to data on production servers, however any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

Our platform collects limited information about our customers that includes their name, email address and phone and these details are retained only for account creation. Stripe, dAtoComm™ PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

dAtoComm™  takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state of the art cloud computing platform, AWS & backups are taken every six hours at multiple locations.

Database backups are backed up daily and maintained for a duration of 35 days. The customers’ data is backed up in two ways:

1. A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. It is due to the robust backup, that in case of an unlikely catastrophe in any one of the datacenters, our customers would lose only five minutes of data.
2. Data is backed up to persistent storage every day and retained for 15 days.

In Europe & United States, AES 256bit standards (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection, is used to encrypt all the data in transit, for all accounts hosted on appypie.com. Furthermore, there is an option available for the accounts that are hosted on independent domains, that enables a secure socket connection.

Diverse environments are used for the purpose of development and testing, a strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties are built-in, & reviewed on a quarterly basis.

Mobile Security

As a practice, we, at dAtoComm™, use Kryptowire’s Mobile Application Security Testing (MAST) solution to make all dAtoComm™ apps secure and ensure data privacy for all our platform users.

We use Kryptowire to continuously assess the security and privacy of any mobile device against the highest internationally recognized software assurance standards published by
– The National Institute of Standards and Technologies (NIST)
– National Information Assurance Partnership (NIAP)
– Open Web Application Security Project (OWASP)

Data Deletion or Redundancy

Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, dAtoComm™ products offer data export options.

Reporting issues and threats

In the event, that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of dAtoComm™ users, please do reach out to us and write to security@datoscomm.com citing your concerns & details, so that we can get working on it at the earliest.

Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.

The company has a privacy policy, approved by an internal legal counsel, available publicly at https://www.datocomm.com/privacy-policy & the payment gateway (Stripe) used by dAtoComm™ is PCI compliant.

The following privacy policy governs dAtoComm™ website and all content, services and products available at or through the website (collectively, the “Service”). The Service is owned and operated by dAtoComm™, a company and having its principal place of business in the cloud (hereinafter referred to as the “DC”, which expression shall mean and include its heirs, successors and permitted assigns). DC currently uses third parties to accept payments (hereinafter a “Third-Party Payment Processor”). Subscribers will make all payments to DC using Third-Party Payment Processor, and which may be changed/updated by Client in writing. DC has the right to change the Third-Party Payment Processor or to cease using a Third-Party Payment Processor at any time. Despite any similarity in name, there is no affiliation between the Third-Party Payment Processor and DC, and the Third-Party Payment Processor is not a party to this Agreement. The Service is offered subject to your acceptance without modification of all of the terms and conditions contained herein and all other operating rules, policies (including, without limitation, DC’s Privacy Policy) and procedures that may be published from time to time on this Site by DC (collectively, “DC”).

DC operates several websites including dAtoComm™ (the “Websites”), as well as a number of mobile applications on behalf of our customers (collectively, the “applications”). It is DC’s policy to respect your privacy regarding any information we may collect while operating our Websites and applications.

This Policy describes how DC collects, uses, shares, and secures the personal information you provide. It also describes your choices regarding the use, access, and correction of your personal information.

Your privacy is critically important to us. At DC we have a few fundamental principles:

We don’t ask you for personal information unless we truly need it. (We can’t stand services that ask you for things like your gender or income level for no apparent reason.)

We don’t share your personal information with anyone except to comply with the law, develop our products, or protect our rights. We don’t store personal information on our servers unless required for the on-going operation of one of our services. In our social networking and mobile application products, we aim to make it as simple as possible for you to control what’s visible to the public, seen by search engines, kept private, and permanently deleted.

EU data transfer mechanism

GDPR applies primarily to controllers and processors located in the European Economic Area or EEA and if the personal data is transferred out of the EEA, there is a risk of losing GDPR protection. It is for this reason that GDPR restricts the transfer of personal data outside the EEA, unless the rights of the individuals are protected in some way. Until recently there were two ways to do this – EU-US Privacy Shield and Standard Contractual Clauses.

In a recent development, however, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Framework for transfer of data. However, Standard Contractual Clauses are still valid as a tool or mechanism for data transfer to processors outside of the EU, Switzerland or the UK.

At dAtoComm™, we have Standard Contractual Clauses (SCCs) in place for transfer of data so that all personal data is protected. We, at dAtoComm™, are committed to enable our customers to provide customer service responsibly by implementing and adhering to prescribed compliance policies, both as a data controller and processor.

Passive Collection

As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g. HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.

Gathering of Personal Information

Certain visitors to DC’s Websites and users of DC’s applications choose to interact with DC in ways that require DC to gather personal information. The amount and type of information that DC gathers depend on the nature of the interaction. For example, we ask visitors who sign up for an account at dAtoComm™ to provide their email address. Those who engage in transactions with DC – are asked to provide additional information including necessary personal and financial information such as a credit card number for processing the financial transactions. In each case, DC collects such information only when it is necessary or appropriate to fulfill the purpose of the visitor’s interaction with DC, for example your name, address and phone number where needed. DC does not disclose personal information other than as described below, and visitors can always refuse to supply personal information, with the caveat that it may prevent them from engaging in certain Website-related and application-related activities.

When you provide us with personal information about your contacts, we will only use this information for the specific reason for which it is provided.

If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please contact us at privacy@datocomm.com.

Aggregated Statistics

DC may collect statistics about the behavior of visitors on its Websites and users of its applications. For instance, DC may monitor the most popular social networks on the dAtoComm™ site & may display this information publicly or provide it to others. However, DC does not disclose personal information other than as described below.

Sharing of Certain Personal Information

DC discloses personal information only to those employees, contractors, service providers and affiliated organizations that (i) need the particular information in order to process it on DC’s behalf or to provide services available at DC’s Websites and applications, and (ii) that have agreed not to disclose it to others. They are authorized to use your personal information only as necessary to provide these services to us. These services may include: fulfilling your orders, payment processing, providing customer service, sending marketing communications, fulfilling subscription services, conducting research and analysis, providing cloud computing infrastructure. SMS integration, Cloud printing and more such services.

Some of those employees, contractors, and affiliated organizations may be located outside your home country. DC will not rent or sell personal information to anyone. Apart from its employees, contractors, and affiliated organizations, as described above, DC discloses personal information only when required to do so by law, or when DC believes in good faith that disclosure is reasonably necessary to protect the property or rights of DC, third parties or the public at large. If you are a registered user of an DC Website or application and have supplied your email address, DC may occasionally send you an email to tell you about new features, to solicit your feedback, or just to keep you updated with what’s going on with DC and our products. You may also sign up to receive newsletters or other communications from us. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link placed in the emails we send to you, or at your member profile on our website, or by contacting us at privacy@datocomm.com

We primarily use our product blogs to communicate this kind of information, so we expect to keep these kinds of emails to a minimum. If you send us a request (for example, via a support email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users. DC takes all measures reasonably necessary to protect against the unauthorized access, use, alteration, or destruction of personal information.

Retention of Personal Information

We will retain your personal information for as long as an Account is active or as needed to provide the Service(s). We will retain Your Data as necessary to comply with our legal obligations, maintain accurate financial and other records, resolve disputes, and enforce our agreements.

If you wish to terminate your Account or request that we no longer use your personal information, please contact us at privacy@datocomm.com

Correction or Removal of Personal Information

Upon request, DC will provide you with information about whether we hold any of your personal information. You may access, correct, or request deletion of your personal information by logging into your account or by contacting us at privacy@datocomm.com. We will respond to your request within a reasonable timeframe.

DC acknowledges that you have the right to access your personal information. DC collects information on behalf of our clients and has no direct relationship with the individuals with whom our clients may interact using the Service(s). If you are a customer of one of our clients (“End-Customer”) and would no longer like to be contacted by that client, please directly contact the client who you interact with. We may transfer personal information to companies that help us provide our services. Transfers to subsequent third parties are covered by service agreements with our Clients. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to DC’s client (the data controller). If requested to remove data, we will respond within a reasonable timeframe.

We will retain the personal data we process on behalf of our Clients for as long as needed to provide services to our Clients. We will retain personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Mobile Applications

When you download, install and use our Mobile Applications, we automatically collect information on the type of device you use, operating system version, and the device identifier (or “UDID”).

We send you push notifications from time-to-time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure that you receive appropriate notifications, we will need to collect certain information about your device such as operating system and user identification information.

We collect your location-based information for the purpose of locating a place that you may be searching for, in your area. We will only share this information with our mapping provider for the sole purpose of providing you this service.

You may opt-out of location-based services at any time by changing the setting at the device level.

We use application on your mobile or handheld device. This Mobile application may record information such as how often you use the Mobile application, the events that occur within the Mobile application, aggregated usage, performance data, and where the Mobile application was downloaded from. We do not link the information we store within the analytics software to any personal information you submit within the Mobile application.

Links to Third Party Sites

Our Websites contain links to other websites that are not owned or controlled by DC. Please be aware that we are not responsible for the privacy practices of other such websites or third parties. We encourage you to be aware when you leave our Websites and to read the privacy policies of each and every website that collects personal information.

Testimonials

We post customer testimonials/comments/reviews on our Websites, which may contain personal information. Prior to posting the testimonial, we obtain the customer’s consent to post their name along with their testimonial.

Tracking Technologies

DC and its partners use cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base as a whole. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website.

Ads

We partner with a third party to deliver ads appearing on any of our Websites or applications to users. Our third-party partner may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising, click here[3] & if you are located in the European Union (EU) click here[4]. Please note that you will continue to receive generic ads.

Analytics

We collect analytics information when you use DC’s Websites to help us improve them. DC may also share data about your actions on our Websites with third-party service providers of analytics services.

Security

The security of your personal information is important to us. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and after it is received. If you have any questions about the security of your personal information, you can contact us at privacy@datocomm.com

Changes to The Privacy Policy

We may update our Privacy Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the email address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

HIPAA Privacy Disclosures

This Notice Of Privacy Practices Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information

Your Rights under HIPAA Guidelines

You have the right to:

• Get a copy of your electronic medical record as and when DC processes such electronic medical records.
  • You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
  • We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
• Correct your electronic medical record as and when DC processes such electronic medical records.
  • You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.
  • We may say “no” to your request, but we’ll tell you why in writing within 60 days.
• You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
• If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
• Get a list of those with whom we’ve shared your information
  • You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
  • We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
  • Complaints under HIPAA – File a complaint if you believe your privacy rights have been violated 
  • You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

Social Media Features

DC’s Websites include social media features, such as the Facebook “Like” button, the “Share This” button or interactive mini-programs. After taking your consent, these features may collect your IP address, the page you are visiting on our Websites and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Websites. Your interactions with these features are governed by the privacy policy of the company providing them.

Children’s Personal Information

DC does not knowingly collect any personal information from children under the age of 16. If you are under the age of 16, please do not submit any personal information through our Websites or apps. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal information through the Websites or apps without their permission. If you have reason to believe that a child under the age of 16 has provided personal information to us through the Websites or Services, please contact us at privacy@datocomm.com, and we will use commercially reasonable efforts to delete that information.

Contact Us

If you have questions regarding this Policy or about DC’s privacy practices, please contact Mr. Michael Newberg via email at privacy@datocomm.com or write in to him at **************************************. In case of lack of response, you may send an additional email after 72 hours.

English Version Controls

Non-English translations of this Policy are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.

California Consumer Privacy Act (CCPA), United States

California Consumer Privacy Act is a state statute that is aimed at enhancing the privacy rights and consumer protection for California residents.

DC is in compliance with CCPA and is transparent about all or any personal data collected from the clients through the platform. To read dAtoComm™’s CCPA policy, please click here.

You can place a ‘Do not sell my data’ request by filling in this form.

Personal Information Protection Act (PIPA), JDCan

DC recognizes and complies with the regulations and safeguards outlined in the Personal Information Protection Act (PIPA) of JDCan. We are committed to handling and using personal information in a manner that aligns with the requirements set forth by PIPA, ensuring the privacy and security of personal data.

Personal Information Protection and Electronic Documents Act (PIPEDA), Canada

DC adheres to the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. We are dedicated to safeguarding personal information and maintaining its confidentiality and integrity. Our practices align with PIPEDA’s principles, ensuring that personal data is collected, used, and disclosed in a responsible and secure manner.

General Data Protection Regulation (GDPR), European Economic Area

Representation for data subjects in the EU or in the UK:

We value your privacy and your rights as a data subject and therefore dAtoComm™ (DC’s “Third-Party Payment Processor” in the UK) has Appointed Prighter as their privacy representative and your point of contact. Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://datocomm.com/privacy

Please add the following subject to all correspondence: PRIVACY