Data retention policy
Customer data is retained for as long as the account is in an active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 33 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data via a request to ScoopCare prior to closing their account.
If a customer account is involuntarily suspended, then there is a grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any related terms of service violations.
If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 7 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 33 thereafter (except when required by law to retain).
Data archiving and removal policy
Customer data is retained for as long as the account is in an active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 33 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data via a request to ScoopCare prior to closing their account.
If a customer account is involuntarily suspended, then there is a grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any related terms of service violations.
If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 7 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 33 thereafter (except when required by law to retain).
Data storage policy
Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.
Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.
Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.
All Production Systems must disable services that are not required to achieve the - business purpose or function of the system.
All access to Production Systems must be logged.
All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.
*Data Protection Implementation and Processes Customer Data Protection*
Scoop Technologies, Inc. hosts on Amazon Web Services (AWS), and Google Cloud Platform (GCP) in the AWS US-West2 region by default. Data is replicated across multiple physical availability zones for redundancy and disaster recovery.
All Scoop Technologies, Inc. employees adhere to the following processes to reduce the risk of compromising Production Data:
-- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
-- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
-- Ensure Scoop Technologies, Inc. Customer Production Data is segmented and only accessible to Customer authorized to access data.
-- All Production Data at rest is stored on encrypted volumes using encryption keys managed by Scoop Technologies, Inc..
-- Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
*Access*
Scoop Technologies, Inc. employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the security team on a case-by-case basis.
*Separation*
Customer data is logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the customer's unique identifier is included in the access token and used by the API to restrict access to data to the account. All database/datastore queries then include the account identifier.
Data center location(s)
United States
Data hosting details
Cloud-hosted on AWS
App/service has sub-processors
no