Data Privacy at MoveData
Date of Last Revision: March 30th, 2020
We take the security of your data seriously.
(a) Credentials that you use to connect your accounts to MoveData are protected with bank-level encryption.
(b) The only action that MoveData takes on your accounts are those necessary to run the notifications you create, or ask MoveData to create for you.
(c) The raw requests MoveData makes to other services on your behalf are stored for 7 days for troubleshooting purposes, then purged on a rolling basis.
(d) User-facing Task History is stored for longer periods of time (approximately 3 months, never longer than 4 months) so that you can monitor MoveData activity and replay failures.
(a) MoveData login credentials are one-way PBKDF2 hashes with a workload of about 100000 iterations and HMAC-SHA256 as the underlying pseudorandom function.
(b) Account access credentials (like API keys for MailChimp, tokens for Salesforce, and passwords for developer apps like SAManage) held by MoveData are encrypted with AES-256 and stored in a database. Of course, MoveData has the decryption keys on hand so we can use the credentials but they are stored and maintained separately.
(c) All MoveData employees have access to raw HTTP logs as a part of daily support – we censor access tokens/secrets to the best of our ability. All debug logs censor account credentials (API keys, tokens, etc.) so they are not viewable in raw request logs.
(d) Raw low-level request logs are stored for 7 days, Task History is stored rolling for the previous three months, and is stored for approximately 90 days in S3 as backups.
(e) We use TLS 1.2 wherever possible (both via movedata.io and external API services).
If you have any questions on how MoveData stores or handles your information, or if you would like a copy of MoveData Security Practices, please contact us: firstname.lastname@example.org.