Trust is built on transparency and earned with experience. Since our founding in 2012 we have provided digital marketing solutions based on the thoughtful use of first party data. We also have focused on securing customer data while providing service features to help our customers better meet consumer privacy expectations and comply with applicable law. Here we highlight some of our data protection safeguards and compliance-enabling service features.
As a business or data controller, Lytics adheres to the California Consumer Privacy Act ("CCPA") and other state privacy laws, including the Virginia Consumer Data Protection Act. As a service provider or data processor for our customers, we provide information and service features that helps our customers meet their respective state law obligations. Below we discuss our role as a service provider under the CCPA and some of our platform's compliance-enabling features.
The California Consumer Privacy Act of 2018 (“CCPA”) imposes a number of significant obligations on businesses that are subject to the CCPA and collect the personal information of California consumers and households (collectively “PI”), disclose it to service providers, or sale it to third parties.
Lytics qualifies under the CCPA as a "service provider" with which you, as a Lytics customer or "business", can share CA consumer PI to the extent “reasonably necessary and proportionate” to achieve your marketing goals. You choose which PI we process on your behalf, and the sources and destinations for that PI. As stated in our services agreement, Lytics does not retain, use, or disclose PI for any purpose other than to provide the services specified in our services agreement or as otherwise permitted by the CCPA (such as disclosure in response to a court order).
The Lytics CDP enables your company to understand and operationalize marketing choices made by a consumer once the data reflecting these choices is ingested from a customer data source and stored as preferences in the Lytics platform. For example, your company can establish audiences in the Lytics CDP to enforce consumer PI suppression and “do not market” choices and prioritize those choices when establishing marketing journeys for the consumer. In addition, your company can synchronize these audiences to the marketing destinations to which your company exports data from the Lytics CDP.
As further described in our FAQs (searchable on the Trust page), you may use the Lytics CDP UI to obtain information responsive to a consumer information request and to gather and record consumer consents.
Like other privacy laws, the CCPA gives consumers the right to receive a copy of their PI collected by businesses and if the copy is delivered electronically it should be provided in a “readily useable format” that allows the consumer to transmit it to another entity without difficulty. Lytics supports the export of consumer record or profile information via the Lytics UI or API. An individual’s profile data from Lytics may be downloaded in a common, machine-readable file format.
With some exceptions, the CCPA gives consumers the right to have a business that collected their PI delete it. Lytics supports your business's fulfillment of a consumer deletion request by providing the Delete User option in the Lytics UI. Our API also may be used for this purpose. This will send a deletion request to the Lytics CDP, which will process the request for the consumer identifier provided.
A Lytics customer may correct PI hosted by Lytics by correcting the PI at the appropriate customer PI source as the PI will be subsequently updated with the correction in the Lytics CDP.
We will forward to our customer a consumer requests related to the PI we process for that customer so the customer can substantively respond to the request.
To facilitate compliance with the Children’s Online Privacy Protection Act (COPPA) and other laws prohibiting marketing to underage individuals, Lytics will not ingest any user data of individuals who have not declared themselves to be over the age of 13 via a customer website’s age gate.
We are EU-U.S. Privacy Shield certified for non-HR data. Nonetheless, in accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-US and Swiss-US Privacy Shield principles for all personal information transferred to the US in reliance on such certifications prior to July 16, 2020.
We are Swiss-U.S. Privacy Shield certified for non-HR data. Nonetheless, in accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-US and Swiss-US Privacy Shield principles for all personal information transferred to the US in reliance on such certifications prior to July 16, 2020.
As a data controller, Lytics adheres to the EU General Data Protection Regulation and other applicable data protection laws. As a data processor for our customers, we comply with the GDPR as applicable to our services and provide our customers with information and CDP service features to facilitate their respective compliance efforts.
As a service provider, Lytics provides appropriate data protection safeguards for the personal data we process on behalf of our customers. Lytics and its data hosting partner, Google, have implemented appropriate administrative, physical, and logical safeguards designed to protect the security, availability, confidentiality, and integrity of Lytics customers' data. These safeguards include the technical measures specified by GDPR Article 32 and are audited by external auditors on an annual basis.
The GDPR recognizes informed consent along with the pursuit of legitimate interests as legal bases for the processing of personal data. Lytics integrates with consent management tools, and also enables companies to leverage Google Tag Manager to manage consent. Lytics personalized campaigns can be configured to ask for data subject consent. The consent flag(s) available from the browser cookie will be read by your Tag Manager, and either allow the Lytics JS Tag to process data from customer websites or not. In addition, Lytics personalization features support the creation and delivery of different consent forms and the storage/tracking of such consent. Consent is a user-level attribute that can be used as a custom rule in the creation of an audience.
Our CDP features help you, our customer, respond to data subject requests. The GDPR gives data subjects the right to receive a copy of their personal data in a common commercial format. Lytics supports the export of a data subject record or profile information via the Lytics UI or API. A data subject's profile data from Lytics may be downloaded in a common, machine-readable file format.
Lytics supports your organization's fulfillment of a data subject deletion request by providing the Delete User option in the Lytics UI. Our API also may be used for this purpose. This will send a deletion request to the Lytics CDP, which will process the request for the consumer identifier provided.
A Lytics customer may correct personal data hosted by Lytics by correcting it at the appropriate customer data source as the data will be subsequently updated with the correction in the Lytics CDP.
We will forward to our customer a data subject's request related to the PI we process for that customer so that our customer can substantively respond to the request.
The GDPR specifies protections for data transfers. We transfer data via our secure APIs and by sFTP with data encrypted in transit and in storage.
For customers whose data includes personal data within the scope of the GDPR, Lytics's DPA includes the Standard Contractual Clauses updated in June 2021 with the appropriate modules for data transfers to third countries (the U.S.) from an exporter controller (Lytics's customer) and importer processor (Lytics).
As a key component of our security efforts, we have implemented an information security management system (ISMS) based on the ISO 27001:2013 framework. Our ISMS policies, and related written procedures, have been adopted to provide guidance for our implementation of good security practices and help ensure that our organizational risk is appropriately mitigated.
Lytics subscription services are out of scope for PCI-DSS because we do not process card data on behalf of our customers.
An independent auditor has examined Lytics platform controls and confirmed they are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principles for Security, Availability, Confidentiality and Privacy. Lytics undergoes a SOC 2 Type II audit on an annual basis.
Lytics maintains administrative logs as well as logs for account establishment and modifications (including adding or removing users, segments, sources, destinations).
Lytics customers may obtain logs of internal Lytics system events related to internal changes to the state of their Lytics account. Common changes are CRUD Operations (Create, Update, Delete) of Account, Admin User, etc. See https://learn.lytics.com/documentation/developer/api-docs/system-events.
Lytics makes it easy for you to add multi-factor authentication to your Lytics account user login process to enhance account security.
Customer account administrators can easily add and remove account users. Lytics has various, defined user roles with respective permissions.
The platform also has two factor authentication, SO integration, API tokens for short term access, and APIs for role-based access as well as custom roles.
Specific profile fields can be shown/hidden based on role or outbound system. Different roles can be given different visuals, permissions, access.
System events around user access can also be subscribed to via API: https://learn.lytics.com/documentation/developer/api-docs/system-events.
Consider adding single sign on (SSO) to your account user login process to enhance account security. Lytics supports a SAML SSO integration with Google Identity Platform as a Service Provider.
Lytics supports SAML SSO. See documentation for more information on this topic.
Data is encrypted at storage using either AES256 or AES128 and applied to chunks of data, so that if any key were compromised, the “blast radius” would be limited to only the data chunk encrypted with the compromised key.
Account user passwords are encrypted and hashed with a SHA 256 algorithm.
Lytics retains customer data in accordance with customer instructions contained in their respective services agreement. Following termination of a service agreement with a customer, the customer data is effectively deleted with logical deletion and cryptographic erasure. When media that hosted customer data is no longer useful, it is destroyed in compliance with NIST SP 800-88 Revision 1 Guidelines for Media Sanitation and DoD security guidelines.
We provide a Data Processing Addendum as part of our Terms of Service and also offer a standalone version of the same DPA. This DPA addresses compliance with applicable privacy laws, which may include the GDPR and CCPA as well as other state laws. Compliance topics addressed include how Lytics helps its customers respond to data subject requests and agency requests as well as the data protection safeguards Lytics has implemented and maintains.
Lytics operates a formal Security Incident management process under its Security Event Management Policy and related procedures. Escalation procedures exist to ensure the timely communication of any Security Incident through the management chain and to any affected customers without undue delay.
We use the Google Cloud Platform infrastructure because it has been architected to be one of the most flexible, reliable, and secure cloud environments available today, allowing our customers to benefit from this data infrastructure.
Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all accesses are logged.
We have designed our subscription service data collection environment for high availability - no less than 99.95%.
Lytics has deployed Google Cloud resources for Denial of Service protection.
Lytics services are deployed to benefit from the infrastructure redundancy of the Google Cloud platform.
Here you can check on the operational status of key components of our Customer Data Platform.
Our service agreements provide for the confidential treatment of confidential customer information, including customer data. And we require all our employees and contractors as well as vendors to sign confidentiality agreements to ensure the protection of confidential information.
Lytics employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired.
Lytics trains all new employees about their confidentiality, privacy and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access. In addition, Lytics communicates with all personnel about privacy and information security matters through regular newsletters.
Our employee workstations are automatically locked after a pre-determined period of non-use via the MDM system we have implemented.
Lytics follows the principle of "least privilege" in governing employee access to our systems. Access to our customers' data is limited to legitimate business needs, including activities needed to support customer’s use of our services. We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically reviews employee access to internal systems to ensure that employees access rights and patterns are commensurate with their current positions. A formal employee termination notification process exists, which is initiated by the Human Resources department. Upon notification by HR, all physical and system accesses are immediately revoked.
Lytics has implemented appropriate controls to restrict physical access to its offices. Lytics's cloud service providers have implemented robust security measures to control physical access to the data processing facilities used by Lytics.
Lytics has implemented an integrated Disaster Recovery and Business Continuity Policy and maintains related plans under the policy. Please see the text under Disaster Recover Plan for more information on this topic.
Lytics maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, redundancy throughout our customer data platform (CDP) architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans and test them on a regular basis.
Lytics stores all customer data on fully redundant storage systems, utilizing hot backups stored in secure Google Cloud platform facilities offsite from production facilities. Access to backup media is highly restricted.
Lytics provides its subscription services using multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at rest using AES 256.
Google Cloud Platform - GCP is certified as compliant with the following ISO standards: ISO 27001:2013, ISO 27017:2015, ISO 27018:2019
Google Cloud Platform - The purpose of the SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. Google is assessed annually for SOC 2 Type II criteria compliance.
Google Cloud Platform - The SOC 3 is a public report of Google's internal controls for the GCP over security, availability, processing integrity, and confidentiality.
We have implemented a zero-trust architecture security framework with separate corporate and production networks. We restrict access to our networks and services based on information about a device, its state, and its associated user seeking access so that only devices and users authenticated, authorized, and regularly validated can gain access.
We have an independent, third party security vendor conduct manual penetration testing of our internal and external infrastructure and services on an annual basis. This manual testing is complimented by automated testing on a more frequent regular basis using a variety of commercially available testing tools.
Lytics uses a number of automated scanning tools to scan for application security vulnerabilities on a frequent basis. Scans are applied to every code build and prior to code merger.