SHIFTSIG Data Policy
SHIFTSIG is a privacy-first startup that’s built to comply with GDPR, CCPA and other privacy regulations that impact your business. You entrust us with your data and we take that trust to heart. We’re committed to being transparent, securing your data, eliminating systems vulnerability and ensuring continuity of access.
TL;DR
Here’s a brief summary of our data security practices:
- All data is encrypted in transit
- All visitor data is irreversibly hashed
- All data is hosted in the EU on EU-owned servers
- User passwords are hashed and salted
- Login to SHIFTSIG requires additional email verification
- Our software is updated multiple times per week
- Our changelog is accessible to all subscribers
- Regular vulnerability scans are conducted
- All data is backed up on remote backups
- Data access is firewalled and user-restricted
- Performance is monitored and uptime is disclosed
- We don’t collect nor store any personal or sensitive data
- We don’t store debit/credit card details
- We don’t store any data outside the EU
- We don’t outsource our software development
- We don’t outsource our infrastructure management
- We don’t sell, share or in any other way monetize your data
Here’s a more detailed overview of the technical and organizational security measures we use to secure Plausible and protect your data.
Data minimization
SHIFTSIG is a privacy-first tool, so we don’t collect or store personal or sensitive data. Even though the purpose of SHIFTSIG is to be implemented and used within email, this can still be done without tracking, collecting or storing any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of your users.
By using SHIFTSIG, all the measurement is carried out absolutely anonymously. We minimize data collection in general. We measure only the most essential data points and nothing else. All the metrics we do collect fit on one single page.
Personal data
We don’t use cookies, browser cache or local storage, with the exception of our payment provider Stripe, our cookie management solution Cookie-Script – that we have to use to make our payment provider Stripe’s use of cookies legal – and a login cookie to remember your current status of being logged in to SHIFTSIG. We don’t store, retrieve or extract anything from visitor’s devices. The data we process cannot be used to identify any single individual.
Every HTTP request sends the IP address and the User-Agent to the server. The raw data IP address and User-Agent are never stored in our logs, databases or anywhere on disk at all. We don’t keep access logs, nor do we keep error logs on any of our systems.
Data encryption
To protect against access, modification or theft of the data, the data is encrypted in transit and at rest. Our hashing process increases the security of your visitor data by making it irreversible.
Our hashing process provides robust security for your data. Unlike encryption, which is a reversible process using a decryption key, hashing irreversibly transforms your data into a unique string of characters. The use of salts in our hashing process adds an extra layer of protection by preventing any hashed information from being revealed in a brute force attack.
In our database, no IP addresses and no user agents are stored, and are therefore inaccessible to anyone, including us.
Server location
All the data we do collect is kept in Germany on servers owned by Hetzner and MongoDB. This ensures that all data is being covered by the European Union’s strict laws on data privacy.
Data ownership
You own all right, title, and interest to your data. We obtain no rights from you to your data. We don’t collect and analyze information from users and use these behavioural insights to sell advertisements. When using SHIFTSIG, you 100% own and control all of your data. We don’t sell or share your data to any third-parties, and we don’t abuse your user’s privacy.
Data deletion
You are fully in control of any of the stats we collect on your behalf. We claim no rights. It’s your data. You can permanently delete your SHIFTSIG account and/or permanently delete all of your site data within your settings at any time.
User identification and authorization
Account passwords are hashed and salted. As an extra security layer for your SHIFTSIG account, every log in needs to be verified by an additional code send via email.
Data shareability
We give you complete control over how you choose to use SHIFTSIG and what data your users can enter into their signatures. Only you can choose to share signature creation links, and send users notification emails to their set up signatures.
Internal access controls
Our team doesn’t have a reason to access or process customer data on a day to day basis. Processing is fully automated. It’s only if there’s a problem with an account or to help resolve a customer support question that we might need to access your data. This generally only happens after you request us doing that.
Access to our servers is strictly limited to specific individuals within our team.
Backups and disaster recovery
In the unlikely event of a loss of production data, we have a disaster recovery plan in place. Your data is not only safely stored, but also easily recoverable.
Subprocessors
We’ve tried hard to limit external services that we use and none of them have access to see or download the data. No third-party vendors are involved other than the hosting company that owns the servers where our data is stored (Hetzner and MongoDB) and our global CDN (Bunny) on infrastructure within the EU.
Payment information
All our payments are processed through Stripe. Stripe is PCI DSS SAQ A compliant. Using Stripe means we don’t need to store your payment card details and other payment information. They are sent encrypted directly to Stripe. We don’t store them anywhere.
Physical security
SHIFTSIG is hosted within data centers provided by Hetzner and MongoDB. As such, we take advantage of their physical, environmental and infrastructure controls. Hetzner and MongoDB are accredited with the ISO 27001 security certificate which covers their physical security controls.
Data privacy and other legal documents
Our legal docs including our Terms and Conditions, Privacy policy, Data policy and Data Processing Agreement (DPA) are all publicly available and include the full details on what we do and how. These docs are written to answer specific questions about our data privacy practices.
Reporting security problems
If you’ve found a security vulnerability with the SHIFTSIG codebase, you can disclose it responsibly by sending a summary to us. We’ll review the potential threat. We appreciate your patience and understanding that some reports will take time to fix and the process may involve a review of our codebase for similar problems. It’s crucial we can trust you not to disclose the vulnerability to anyone until a few days after we release the fix.
We’re incredibly thankful for people who take the time to share their findings with us. Whether it’s a tiny bug that you’ve found or a security vulnerability, all reports help us to continuously improve SHIFTSIG for everyone. Thank you!
Security questions or concerns?
If you have any questions or concerns regarding our security practices, please contact us via hello@shiftsig.com.
Last updated: February 12, 2024