Intrro utilizes industry-standard practices concerning the encryption of data when stored and while in transmission. Intrro also has a documented cryptography policy that outlines the requirements for encrypting data and transmissions.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. 

Key management

Amazon Web Services (AWS) stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

Data retention

Deleting data

Users can delete projects and project data within Intrro if they have the correct access rights. Deleted project data is kept in a "trash" facility within the application and can be restored for up to 30 days before it is permanently deleted. It can take up to 60 days for all data to be removed from backups.

Deleting workspaces

Users can delete their entire Intrro workspace if they have the correct access rights. This will delete all data that you have provided to Intrro. It can take up to 60 days for all data to be removed from backups.

Subscription cancellation

Following the cancellation of a Intrro subscription, you will have at least 30 days to request a  download your customer data from Intrro. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Trial workspaces

If you sign up for a trial workspace, we may keep any data you input for 30 days after your trial workspace period has ended so that the data may still be available if you later sign up for a paid workspace subscription. After these 30 days all data during your trial will be permanently deleted. It can take up to 60 days for all data to be removed from backups.

To support delivery of our Services, Intrro may engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor. Please email security@intrro.com if you have any questions.

Amazon Web Services

• Location: Seattle, United States.
• Security certifications: Privacy Shield, ISO27001, SOC3.
• Data processed: Anonymized content, email address, IP address.
• Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.

Slack

• Location: Palo Alto, United States.
• Security certifications: SOC 2, SOC 3, ISO 27001, ISO 27018, ISO 27017
• Data processed: User name, user email address, survey responses.
• Use: Customer communications.

Google Cloud

• Location: Mountain View, United States.
• Security certifications: Privacy Shield, ISO27001, SOC3.
• Data processed: User-added content.
• Use: Natural language processing.

Customer.io

• Location: San Francisco, United States.
• Security certifications: SOC 2, HIPAA, GDPR
• Data processed: User-added content (when using transcription).
• Use: Full name, job title, email address, IP address, customer communications, customer activities and analytics

Segment

• Location: San Francisco, United States.
• Security certifications: Privacy Shield, ISO 27001, ISO 27017, ISO 27018, SOC 2.
• Data processed: User name, email address, IP address, analytics.
• Use: Product analytics.

Zapier 

• Location: San Francisco, United States.
• Security certifications: SOC 2, SOC 3
• Data processed: User name, email address.
• Use: Automations of tasks 

Intercom

• Location: San Francisco, United States.
• Security certifications: Privacy Shield, ISO 27001, SOC 2, CSA, HIPAA
• Data processed: first name, last name, company name, email address, IP address, company physical address.
• Use: Business messaging

Hubspot

• Location: Cambridge, United States.
• Security certifications: SOC 2, SOC 3, GDPR,
• Data processed: User name, email address, IP address, physical address.
• Use: Sales and Marketing Automation

In light of the new Standard Contractual Clauses adopted and approved by the European Commission, Intrro has revised our Data Processing Agreement to incorporate the SCCs.

In addition to our new Data Processing Agreement, we are also updating our internal privacy compliance program to meet the requirements of the new SCCs, by the 28 December 2022 deadline.

As we approach this regulatory deadline, we will communicate with our existing customers and provide information on how they can execute new agreements with the new SCCs. Existing customers contact us to enter into a new agreement that utilizes the new EU SCCs.

If you have any questions regarding data privacy and protection, the new SCCs, or our commitment to the GDPR, you can contact us.

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

Intrro does not currently meet the criteria described that would have the CCPA apply to our business operations. Namely because we do not:

• Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
• Derive 50% or more of our annual revenue from selling California resident's personal information.

However, we understand that some Intrro customers may want to ensure that their use of our services, and any California resident's personal information that we process on behalf on our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information on behalf of our customers as it relates to the CCPA.

Processing of personal information

You do not sell personal information to us. We will not:

1. Sell any personal information,
2. Retain, use, or disclose the personal information for a commercial purpose, other than for providing the services, as further described in our Master Subscription Agreement and in our Privacy Policy; and
3. further retain, use, or disclose the personal information except for business purposes or as otherwise authorized by the CCPA.

Our obligations to you

Consumer rights requests

We will provide reasonable assistance to you in facilitating compliance with consumer rights requests.

Personal information deletion

On termination, you have the option to request the return or deletion of personal information. This request must be made within 30 days of termination. We will make the data available for download by you in a machine readable format. Thereafter we will permanently delete the personal information from the live systems in any event.

Following permanent deletion from the live systems, partial data resides on the our archival and backup systems for a period of up to 14 days.

For more information, please read our data retention documentation.

Confidentiality

We will ensure that all employees, agents, officers and contractors involved in the handling of personal information are aware of the confidential nature of the personal information and are contractually bound to keep the personal information confidential.

For more information, please read about our employee confidentiality agreements.