Whatagraph Security Policy

This security policy is applicable from 2021, February 1st.

Security and Trust

Keeping your data safe and secure is paramount. We adopt industry standard design-led approaches to security at all levels from the way we design our software, its deployment, maintenance, monitoring and platform architecture, and operational standards. At all times you retain control over the data Whatagraph has access to and the transactions that occur and at any time can request a deletion of all personal data.

Contact hi@whatagraph.com if you have any questions or feedback.

User processed data

Whatagraph is committed to the security of the data you process with us. To that end, we have created our systems from the ground up based on security and data protection best practices

We do not store the data that you load using our data integrations. At no time does your data ever enter a backup, except for a few access cases where third-party APIs do not provide access to historical data. We cache data for the time required for us to serve you in an efficient manner. In almost all cases, data remains in secure short-lived caches.

We do retain your user access tokens in order to be able to fetch data at your request or your schedules. We may also retain data such as custom field metadata or account names and information where that data is required for the functionality of the data source integration.

Please see our Terms and Conditions and Privacy Policy for more details.

Permissions

Whatagraph requires users to give access to read the data from data sources, e.g. Facebook Ads and Google Ads APIs. Where possible, we will make use of OAuth access tokens. By this mechanism, the user grants access to the data through the data source service and we receive a token by which we access and retrieve the data. Every user can request to revoke the tokens and remove usage data by contacting customer support.

Whatagraph only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions. Where a data source gives us more than read-only access due to the nature of the data source, Whatagraph will never make use of those permissions.

Website, account management, and purchases

All connections to any of our services, our web portal, our account management system, and any purchases you make are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).

Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).

All payment instrument processing is safely outsourced to Braintree, which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

We also use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Cloud Infrastructure

All of our services run in the cloud. We do not host or run our own routers, load balancers, DNS servers, or physical servers. Whatagraph uses leading cloud providers to process your data. Google Cloud Platform and Amazon Web Services are our providers of choice and both organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO27001.

Documents on Google Cloud Platform and Amazon Web Services certifications can be obtained directly from Google and Amazon respectively.

GDPR compliance and data sovereignty

Whatagraph is compliant under General Data Protection Regulation (GDPR). Your data is processed in the European Union. Any transfer to a third country is guaranteed under GDPR rules. However, we can go a step further and ensure that your data stays only within the EU.

Company policies

Whatagraph requires that all employees comply with security policies designed to keep any and all user information safe, and address multiple security compliance standards, rules and regulations. We ensure that all employees are immediately trained on our security policies and at the very least annually conducted thereafter.

Two-factor authentication, VPNs, and strong password controls are required for administrative access to systems. All such policies are reviewed on a regular basis.

This security policy is applicable from 2020, February 1st.