Visual Visitor Data Security, Encryption, and Compliance Overview

InfoSec FAQs (Information Security FAQs)

1. Data Security Overview


  • What specific security protocols and encryption methods does Visual Visitor use to protect data in transit (e.g., HTTPS, TLS)?


  • HTTPS (Hypertext Transfer Protocol Secure): All data transmitted between our users and our platform is encrypted using HTTPS. This ensures that the communication between browsers and our servers is secure from potential eavesdropping or man-in-the-middle attacks.

  • TLS (Transport Layer Security): We use current versions of TLS (TLS 1.2/1.3) to encrypt data in transit. TLS is the successor to SSL and provides robust encryption to protect sensitive information as it travels across the network.


  • How is data stored securely? Are there encryption standards (e.g., AES-256) used for data at rest?


  • Encryption Standards: All sensitive data at rest is encrypted using AES-256 (Advanced Encryption Standard), widely regarded as one of the strongest encryption algorithms. This ensures that even if unauthorized access were to occur, the data would remain protected and unreadable without the appropriate decryption keys.

  • Access Control: Access to stored data is tightly controlled and limited to authorized personnel only, using role-based access controls (RBAC). This minimizes the risk of unauthorized access to sensitive information.


2. Data Collection and Handling Practices


  • What data types are collected from website visitors (e.g., IP addresses, cookies, visit activity)?


  • IP Address: This helps identify the visitor's location and origin and is used for security, analytics, and customization purposes.

  • User Agent: Information about the visitor's browser and operating system, allowing for content optimization across different devices and browsers.

  • Current URL: Tracks the specific web page the visitor is accessing, providing insights into navigation patterns and popular pages.

  • Display Resolution: Collects screen resolution data to optimize website layout and responsiveness for different devices.

  • Date and Time: Records the time of the visitor’s session, helping analyze traffic patterns and tailor content based on peak visit times.

  • Cookies: Small text files stored on the user's device, which track preferences, session information, and provide personalized content or advertising.

  • Referrer: Identifies the previous web page that directed the visitor to the current site, helping optimize marketing and content strategies.

  • Page Title: The title of the web page viewed, used for analytics and SEO to improve content organization and search engine visibility.


  • How does Visual Visitor ensure that only necessary data is collected in accordance with data minimization principles?

    • Targeted Data Collection: Our script collects only the essential information, such as IP addresses, user agents, and visit activity, required for our service to function properly.


  • What is the process for handling visitor consent, especially regarding cookies and personal data?


  • Visual Visitor follows a process for handling visitor consent, particularly regarding cookies and personal data. Visitors who land on a website using Visual Visitor's services are typically presented with a cookie consent banner. This banner informs visitors about the use of cookies and seeks their consent to proceed. Visitors have the option to accept or decline the use of cookies. This functionality is built into our platform; alternatively, we integrate it with all major cookie consent vendors.

  • Regarding personal data, Visual Visitor handles it in accordance with applicable data protection laws and regulations. They obtain visitor consent for the collection and processing of personal data, typically through a privacy policy or consent form. Visitors are provided with clear information about the purpose of data collection, how it will be used, and any third parties involved. Visual Visitor ensures that visitor consent is obtained before processing personal data, respecting the privacy and preferences of the individuals visiting the website.


3. Encryption and Storage Policies


  • How are data encryption keys managed, and who has access to them?


  • At Visual Visitor, data encryption keys are managed with strict adherence to our Cryptographic Key Management Policy. Key management involves the following practices:

  • Key Generation: Encryption keys are generated within cryptographic modules that comply with FIPS 140-2 standards, ensuring the use of secure and certified cryptographic systems. We prioritize the use of hardware cryptographic modules for added security.

  • Key Storage: Keys are never stored in plaintext and are protected within secure cryptographic vaults, such as hardware security modules (HSMs) or isolated cryptographic services. When stored offline, keys are encrypted using Key Encryption Keys (KEKs).

  • Access Control: Access to encryption keys is highly restricted. The policy enforces the principle that humans should not view plaintext cryptographic keys. However, if necessary, accountability is maintained by logging any access to or control of cryptographic keys throughout their lifecycle.

  • Key Escrow and Backup: Keys are securely backed up to ensure recovery in case of loss or corruption, using encrypted databases that meet FIPS 140-2 validation standards.


  • By following these practices, Visual Visitor ensures that only authorized personnel have access to encryption keys and that keys are handled securely throughout their lifecycle.


  • Is there a policy for rotating encryption keys periodically to enhance data security?


  • Yes, Visual Visitor follows a defined policy for rotating encryption keys as part of our cryptographic key management practices. According to our Cryptographic Key Management Policy:


  • Key Lifespan: The policy mandates limiting the amount of time a symmetric or private key is kept in plaintext form, ensuring that keys are not in use for extended periods without being replaced.

  • Periodic Review: The cryptographic systems and protective mechanisms employed are periodically reassessed to ensure they meet security standards and comply with the Key Management Policy, aligning with industry best practices.

  • Re-keying Operations: Re-keying is a standard practice, and the system monitors all key re-generation operations to ensure that they are performed for all required keys. In the event of any compromise, the re-keying method is part of a well-documented recovery plan.


  • This proactive approach helps ensure that encryption keys are consistently rotated and replaced in accordance with security standards, mitigating the risks of key compromise.


  • Are sensitive data elements (like IP addresses or SHA-256 email hashes) encrypted in both transit and storage?


Yes, sensitive data elements, such as IP addresses and SHA-256 email hashes, are encrypted both in transit and at rest.


  • Encryption in Transit: Data transmitted over networks is encrypted using TLS (Transport Layer Security) to ensure that any data, including sensitive information, is protected from interception or tampering during transmission.

  • Encryption at Rest: Sensitive data is encrypted using strong encryption algorithms such as AES-256 while stored. This ensures that data at rest, including IP addresses and hashed email data, remains secure and inaccessible to unauthorized parties.


This encryption process aligns with our comprehensive Cryptographic Key Management Policy, which outlines secure practices for key management and ensures that all sensitive data is protected throughout its lifecycle.


4. Regulatory Compliance (e.g., GDPR, CCPA)


  • How does Visual Visitor ensure compliance with GDPR, CCPA, and other relevant data privacy regulations?


  • GDPR: WebID +Person and WebID +Employee are U.S. only. Because we are U.S. only, GDPR does not apply.

  • WebID +Company does work internationally. It is GDPR aligned.


  • Visual Visitor implements various measures to ensure compliance with the CCPA (California Consumer Privacy Act) and other relevant data privacy regulations.


  • Data Protection Policies: Visual Visitor likely has comprehensive data protection policies that outline how personal data is collected, processed, stored, and shared in compliance with applicable regulations.

  • Consent Management: Visual Visitor obtains explicit consent from individuals before collecting and processing their personal data. They provide clear information about the purpose of data collection and offer options for individuals to manage their consent preferences.

  • Data Subject Rights: Visual Visitor respects the rights of data subjects, such as the right to access, rectify, and delete personal data. They likely have processes to handle data subject requests and ensure timely responses.

  • Data Security Measures: Visual Visitor implements robust security measures to protect personal data from unauthorized access, loss, or disclosure. This includes encryption, access controls, and regular security assessments.

  • Data Processing Agreements: Visual Visitor may have data processing agreements in place with their customers, outlining the responsibilities and obligations of both parties regarding data processing activities.

  • Privacy by Design: Visual Visitor likely incorporates privacy-by-design principles into its product development and data processing practices. This involves considering privacy and data protection from the early stages of system design and throughout the product life cycle.


By implementing these and other measures, Visual Visitor aims to ensure compliance with CCPA and other relevant data privacy regulations, safeguard individuals' privacy rights, and promote responsible data handling practices.


  • What are the processes for obtaining and managing consent from website visitors?


Visual Visitor follows processes for obtaining and managing consent from website visitors.


  • Consent Collection: Visual Visitor may use cookie consent banners or pop-ups to inform visitors about the use of cookies and seek their consent. They provide clear information about the purpose of data collection and offer options for visitors to accept or decline the use of cookies.

  • Consent Management: Visual Visitor has mechanisms in place to manage visitor consent preferences. This may include providing options for visitors to modify their consent settings or withdraw their consent at any time.

  • Privacy Policy: Visual Visitor maintains a privacy policy that outlines how personal data is collected, processed, and shared. The privacy policy provides transparent information about the purposes of data processing and the rights of individuals.

  • Data Subject Requests: Visual Visitor has processes in place to handle data subject requests, such as requests to access, rectify, or delete personal data. They ensure timely responses and take appropriate actions based on the requests.


By following these processes, Visual Visitor aims to obtain and manage consent from website visitors in a transparent and compliant manner, respecting the privacy preferences and rights of individuals.


  • How is data handling documented to ensure compliance with these regulations?

    • Privacy Policy: A clear and accessible privacy policy must be provided to consumers, explaining how personal data is collected, used, and shared.

    • Data Inventory and Mapping: We maintain a detailed record of the personal data your business collects, processes, and shares.

    • Data Subject Request (DSR) Handling Procedures: We establish processes for handling consumer requests under CCPA.

    • Opt-Out Mechanisms: We provide consumers with an opt-out option.

    • Training and Awareness Documentation: Employees involved in handling consumer data are trained on CCPA requirements.

    • Incident Response and Breach Notification: We have a plan for responding to data breaches, which aligns with CCPA’s notification requirements.

    • Security Measures Documentation: We document the technical and organizational security measures we have in place to protect personal data.


5. Incident Response and Breach Management


  • Does Visual Visitor have an incident response plan in place for data breaches?


  • Yes, Visual Visitor has an incident response plan in place for data breaches as outlined in our Significant Incident Policy and Collection of Evidence. The policy includes detailed procedures for managing significant incidents, including data breaches, and ensures a structured approach to handling such events. Key aspects of the plan include:

  • Incident Identification and Containment: Immediate actions are taken to stop access to affected systems and data, ensuring that the breach is contained to prevent further damage.

  • Engagement of Experts: We engage specialist third-party resources, including legal counsel and computer forensic investigators, to assist in managing the breach and collecting evidence.

  • Notification: Authorities, including law enforcement and relevant regulatory bodies, are notified as required by law to ensure compliance with data protection regulations.

  • Evidence Collection: Proper steps are taken to preserve evidence related to the breach, following best practices for forensic analysis.


This structured approach helps us manage data breaches effectively and ensures that the necessary steps are followed to protect data and meet legal obligations.


  • What is the protocol for notifying clients and affected individuals in case of a data breach?


Visual Visitor has a defined protocol for notifying clients and affected individuals in the event of a data breach. The notification process includes:


  • Immediate Contact with Legal Counsel and Authorities: Upon detecting a data breach, legal representation is contacted, and if necessary, regulatory authorities such as law enforcement and data protection regulators are promptly notified.

  • Customer Notification: In accordance with relevant data protection laws and regulations, customers and affected individuals are informed of the breach. The notification includes details on the breach, potentially affected data, and steps to mitigate the situation.

  • Follow-up Actions: After notification, clients are provided with further guidance on any additional steps they may need to take to secure their data or respond to the breach.

  • This structured approach ensures compliance with legal obligations and maintains transparency with all parties involved.

  • How frequently are security measures and response plans reviewed and updated?

  • Visual Visitor has a clear protocol for reviewing and updating its security measures and response plans. According to our policy:

  • Continual Improvement: The security policies and incident response plans are regularly reviewed as part of our continual improvement process. This ensures that our protocols stay up-to-date with the latest industry standards and evolving security threats.

  • Compliance Measurement: The information security management team verifies compliance through various methods, including business tool reports and audits. This helps ensure that all security practices, including incident response plans, are effectively implemented and remain relevant.


By conducting regular reviews and updates, we ensure that our security measures and response plans are well-maintained and aligned with best practices.


6. Access Controls and User Permissions


  • What access control measures are in place to ensure that only authorized personnel can access sensitive data?

    • Access control at Visual Visitor is based on the principle of least privilege, where users are granted access only to the information necessary for their specific roles. Key measures include:

    • Role-Based Access Control (RBAC): Access to systems and data is based on a user's role, and access is formally approved by the business, system, or data owner.

    • Unique Identifiers: Each user is assigned a unique identifier, ensuring accountability and preventing shared access.

    • Access Rights Review: Access rights are reviewed regularly to ensure they remain appropriate and relevant, with dormant accounts investigated and updated as necessary.


  • Is multi-factor authentication (MFA) implemented for all users accessing sensitive information?


  • Yes, as outlined in the policy, multi-factor authentication (MFA) is implemented where available for remote access to company networks and cloud-based services. This ensures an additional layer of security beyond just passwords for sensitive systems.


  • How are user roles and permissions managed, and how often are access rights reviewed?


  • User Roles and Permissions: Roles and permissions are granted based on role-based access control (RBAC), with business, system, or data owners approving access. This ensures that access is specific to each user's role and responsibilities.

  • Access Rights Review: Access rights are reviewed at least annually, and the main user access system is reviewed every 90 days to ensure that permissions remain appropriate. This helps to prevent unauthorized access and ensure that users only have access to what they need for their role.


7. Visitor and Customer Data Management


  • How does Visual Visitor handle the upload and storage of customer-provided data, such as SHA-256 hashed emails and suppression lists?


  • Visual Visitor handles the upload and storage of customer-provided data, such as SHA-256 hashed emails and suppression lists, with utmost care and security. While specific details about the process are not provided in the given context, Visual Visitor follows industry best practices to ensure the confidentiality and integrity of customer-provided data.

  • When customer data is uploaded, Visual Visitor employs encryption techniques to protect the data during transmission and storage. SHA-256 hashing is a secure method to transform email addresses into irreversible, unique identifiers. Suppression lists, which contain email addresses that should not be contacted, are stored securely and used to ensure compliance with customer preferences and regulatory requirements.

  • By implementing robust security measures, Visual Visitor safeguards customer-provided data, maintaining its confidentiality and protecting it from unauthorized access or misuse.


  • Are there any additional security measures for handling customer-uploaded data?


  • Access Controls: Visual Visitor employs strict access controls to limit access to customer-uploaded data to authorized personnel only. This helps prevent unauthorized access or misuse of the data.

  • Encryption: Customer-uploaded data may be encrypted during transmission and storage to protect it from unauthorized interception or access. Encryption adds an extra layer of security to ensure the confidentiality and integrity of the data.

  • Data Segregation: Visual Visitor employs techniques to segregate customer-uploaded data from other data sets, ensuring that it is stored separately and protected from unauthorized access or accidental mixing with other data.


  • How does Visual Visitor handle data deduplication or cross-referencing with existing data?


At Visual Visitor, data deduplication and cross-referencing are handled through a set of secure, internal systems that are protected by our comprehensive security services and monitored by our Security Operations Center (SOC). These systems include:

  • Automated Processes: Our data processing systems automatically identify and eliminate duplicate records to ensure data accuracy and integrity. Cross-referencing is conducted using secure algorithms to match incoming data with existing datasets, ensuring consistency and completeness.

  • Data Security: All systems involved in deduplication and cross-referencing are secured with encryption and access control measures. These systems are continuously monitored by our SOC for any anomalies or potential security threats.

  • Real-Time Monitoring: Our SOC provides real-time monitoring and incident response to safeguard the integrity of the data during the deduplication and cross-referencing processes, ensuring compliance with internal security policies and industry standards.


By leveraging these secure internal systems and SOC oversight, Visual Visitor ensures that data deduplication and cross-referencing are performed securely and efficiently.
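The hashed-email handling and the cross-referencing described in this section, as an added example (not Visual Visitor's own code): it assumes a normalisation rule (trim, lowercase, strip a "Name <addr>" wrapper) that the page does not state, and shows why the same rule must be applied on both the upload side and the matching side for SHA-256 identifiers to line up.

```python
import hashlib
import re

# Example code, not Visual Visitor's own. The normalisation rule below is an
# assumption: the page says emails are SHA-256 hashed but does not say how
# they are normalised first. A mismatch in that rule means a suppressed
# address silently fails to match.
_ANGLE_ADDR = re.compile(r"<([^>]+)>")
_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_email(raw: str) -> str:
    """Canonical form; must be applied identically on both sides of a match."""
    m = _ANGLE_ADDR.search(raw)
    addr = m.group(1) if m else raw
    return addr.strip().lower()


def hash_email(raw: str) -> str:
    """SHA-256 hex digest of the normalised address (the identifier format on the page)."""
    return hashlib.sha256(normalize_email(raw).encode("utf-8")).hexdigest()


def load_suppression_list(lines):
    """Parse a customer-uploaded list of hex digests: tolerate case and blank
    lines, but reject anything that is not a 64-hex-char digest so junk
    entries cannot silently match or be silently ignored as real digests."""
    digests = set()
    for line in lines:
        h = line.strip().lower()
        if _HEX64.fullmatch(h):
            digests.add(h)
    return digests


def deduplicate(records):
    """Collapse visitor records that hash to the same address, keeping the most
    recent visit per identifier (constructed merge rule for this example)."""
    latest = {}
    for rec in records:
        key = hash_email(rec["email"])
        if key not in latest or rec["ts"] > latest[key]["ts"]:
            latest[key] = dict(rec, email_hash=key)
    return list(latest.values())


def apply_suppression(records, suppression):
    """Split deduplicated records into those safe to use and those suppressed."""
    keep, suppressed = [], []
    for rec in deduplicate(records):
        (suppressed if rec["email_hash"] in suppression else keep).append(rec)
    return keep, suppressed


if __name__ == "__main__":
    # Constructed sample input: three visits, two of which are the same person.
    visits = [
        {"email": "Alice@Example.com", "ts": 1, "url": "/pricing"},
        {"email": "  alice@example.com ", "ts": 2, "url": "/contact"},
        {"email": "Bob <bob@example.com>", "ts": 3, "url": "/"},
    ]
    # Constructed suppression list as a customer might upload it (mixed case, junk).
    uploaded = [hash_email("bob@example.com").upper(), "", "not-a-digest"]
    kept, gone = apply_suppression(visits, load_suppression_list(uploaded))
    print(len(kept), "kept,", len(gone), "suppressed")
```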


8. Retention and Deletion Policies


  • What is Visual Visitor’s policy on data retention? How long is visitor and customer data stored?


At Visual Visitor, our data retention policy ensures that visitor and customer data is stored for a period of two years. Specifically:


  • Online Storage: Data is stored in an active, accessible state for one year to support ongoing business and analytical needs.

  • Backup Storage: After the initial year, the data is archived and retained in a secure backup state for an additional year before it is permanently deleted.


This policy ensures that data is retained for the necessary period while complying with data protection regulations and minimizing unnecessary storage.


  • What procedures are in place for data deletion upon client or user request?


At Visual Visitor, we have a well-defined procedure for data deletion upon client or user request:


  • Request Logging: Once a data deletion request is received, it is immediately logged in our system to ensure accountability and proper tracking throughout the process.

  • Automated Deletion: Our automated systems are triggered to search and identify the requested data across all our data repositories. These systems ensure that the data is removed efficiently and thoroughly from active databases.

  • Confirmation: Once the deletion process is complete, we provide confirmation to the client or user that the data has been successfully removed.


This automated and structured approach ensures timely and accurate data deletion while adhering to our privacy and data protection obligations.


  • How does Visual Visitor ensure that deleted data is completely removed from all storage locations, including backups?


  • At Visual Visitor, we ensure that deleted data is completely removed from all storage locations, including backups, through a structured and secure process:

  • Primary Deletion: When a deletion request is processed, the data is immediately removed from active systems and flagged for removal from backup storage.

  • Backup Management: While backups are retained for a specified period, any data deletion request is logged and associated with the relevant data. In the event of a backup restoration, our automated systems reprocess all historical removal requests to ensure that previously deleted data is not restored.

  • Data Reprocessing: Upon restoring a backup, our systems automatically search for and remove any data that had been flagged for deletion prior to the restoration. This system is used as a production support system, ensuring that deleted data remains permanently removed from all systems.


This approach guarantees that even in the event of a backup restoration, all prior deletions are respected, and the data is securely removed from all storage locations.
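The deletion-and-restore behaviour described above (log the request, delete from active data, replay the log after any backup restoration), as an added model that is not Visual Visitor's own code; the deletion log is assumed to live outside the backup so that a restore cannot overwrite it.

```python
from dataclasses import dataclass, field

# Example code, not Visual Visitor's own. Models the page's stated behaviour:
# a deletion request is logged before the data is removed, and every logged
# request is replayed against a restored backup so deleted data cannot return.
# Assumption: the deletion log is kept separately from the record backup.


@dataclass
class DataStore:
    records: dict = field(default_factory=dict)        # subject_id -> record
    deletion_log: list = field(default_factory=list)   # ordered, append-only

    def request_deletion(self, subject_id: str) -> bool:
        """Log first, then delete: the log entry is what survives a restore.
        Returns True if a live record was actually removed."""
        if subject_id not in self.deletion_log:
            self.deletion_log.append(subject_id)
        return self.records.pop(subject_id, None) is not None

    def snapshot(self) -> dict:
        """Back up the active records (a deep-enough copy for this model).
        Note the deletion log is deliberately NOT part of the snapshot."""
        return {k: dict(v) for k, v in self.records.items()}

    def restore(self, backup: dict) -> list:
        """Restore a backup, then replay every historical deletion request.
        Returns the ids the replay purged again, which is what an operator
        would want to see in the restore's audit record."""
        self.records = {k: dict(v) for k, v in backup.items()}
        return [sid for sid in self.deletion_log
                if self.records.pop(sid, None) is not None]


if __name__ == "__main__":
    # Constructed sample: two visitor records, backup taken before a deletion.
    store = DataStore(records={"v1": {"page": "/a"}, "v2": {"page": "/b"}})
    backup = store.snapshot()
    store.request_deletion("v1")
    purged = store.restore(backup)        # a naive restore would bring v1 back
    print("re-purged after restore:", purged, "remaining:", sorted(store.records))
```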


9. Certifications and Compliance Standards


  • Does Visual Visitor hold any certifications related to data security and privacy, such as ISO 27001, SOC 2, or others?


  • At Visual Visitor, we are deeply committed to ensuring the highest level of security for our customers. We are actively working towards obtaining our ISO 27001 certification—a globally recognized standard for information security management.


While we are currently in the process of certification, we already adhere to many of the stringent security protocols and best practices outlined in the ISO 27001 framework. This certification will further demonstrate our dedication to maintaining robust security measures.


  • Are there third-party audits or assessments that validate Visual Visitor’s security practices and compliance?


At this time, Visual Visitor does not undergo third-party audits or assessments to validate our security practices and compliance. However, we are committed to following industry best practices and continuously improving our security measures to protect client data. As part of our ongoing efforts, we are exploring options for future external validation to enhance our security framework further.


  • Can Visual Visitor provide documentation or certification details that demonstrate adherence to these standards?


Visual Visitor is actively working on ISO 27001 implementation, which is a globally recognized standard for information security management. While we are in the process of obtaining certification, we do have significant documentation on our current security implementation that demonstrates our adherence to many of the ISO 27001 requirements.

