As a business or data controller, Lytics adheres to the California Consumer Privacy Act ("CCPA") and other state privacy laws, including the Virginia Consumer Data Protection Act. As a service provider or data processor for our customers, we provide information and service features that help our customers meet their respective state law obligations. Below we discuss our role as a service provider under the CCPA and some of our platform's compliance-enabling features.
The California Consumer Privacy Act of 2018 (“CCPA”) imposes a number of significant obligations on businesses that are subject to the CCPA and collect the personal information of California consumers and households (collectively “PI”), disclose it to service providers, or sell it to third parties.
Lytics qualifies under the CCPA as a "service provider" with which you, as a Lytics customer or "business", can share CA consumer PI to the extent “reasonably necessary and proportionate” to achieve your marketing goals. You choose which PI we process on your behalf, and the sources and destinations for that PI. As stated in our services agreement, Lytics does not retain, use, or disclose PI for any purpose other than to provide the services specified in our services agreement or as otherwise permitted by the CCPA (such as disclosure in response to a court order).
The Lytics CDP enables your company to understand and operationalize marketing choices made by a consumer once the data reflecting these choices is ingested from a customer data source and stored as preferences in the Lytics platform. For example, your company can establish audiences in the Lytics CDP to enforce consumer PI suppression and “do not market” choices and prioritize those choices when establishing marketing journeys for the consumer. In addition, your company can synchronize these audiences to the marketing destinations to which your company exports data from the Lytics CDP.
As further described in our FAQs (searchable on the Trust page), you may use the Lytics CDP UI to obtain information responsive to a consumer information request and to gather and record consumer consents.
Like other privacy laws, the CCPA gives consumers the right to receive a copy of their PI collected by businesses and if the copy is delivered electronically it should be provided in a “readily useable format” that allows the consumer to transmit it to another entity without difficulty. Lytics supports the export of consumer record or profile information via the Lytics UI or API. An individual’s profile data from Lytics may be downloaded in a common, machine-readable file format.
With some exceptions, the CCPA gives consumers the right to have a business that collected their PI delete it. Lytics supports your business's fulfillment of a consumer deletion request by providing the Delete User option in the Lytics UI. Our API also may be used for this purpose. This will send a deletion request to the Lytics CDP, which will process the request for the consumer identifier provided.
A Lytics customer may correct PI hosted by Lytics by correcting the PI at the appropriate customer PI source as the PI will be subsequently updated with the correction in the Lytics CDP.
We will forward to our customer a consumer request related to the PI we process for that customer so the customer can substantively respond to the request.
To facilitate compliance with the Children’s Online Privacy Protection Act (COPPA) and other laws prohibiting marketing to underage individuals, Lytics will not ingest any user data of individuals who have not declared themselves to be over the age of 13 via a customer website’s age gate.
- EU-US Privacy Shield
Lytics has certified to the EU-U.S. Privacy Shield since November 9, 2016. No action is required on our customers' part to benefit from the protection of this framework.
- Swiss-US Privacy Shield
Lytics has certified to the Swiss-U.S. Privacy Shield since September 13, 2017. No action is required on our customers' part to benefit from the protection of this framework.
As a data controller, Lytics adheres to the EU General Data Protection Regulation and other applicable data protection laws. As a data processor for our customers, we comply with the GDPR as applicable to our services and provide our customers with information and CDP service features to facilitate their respective compliance efforts.
As a service provider, Lytics provides appropriate data protection safeguards for the personal data we process on behalf of our customers. Lytics and its data hosting partner, Google, have implemented appropriate administrative, physical, and logical safeguards designed to protect the security, availability, confidentiality, and integrity of Lytics customers' data. These safeguards include the technical measures specified by GDPR Article 32 and are audited by external auditors on an annual basis.
The GDPR recognizes informed consent along with the pursuit of legitimate interests as legal bases for the processing of personal data. Lytics integrates with consent management tools, and also enables companies to leverage Google Tag Manager to manage consent. Lytics personalized campaigns can be configured to ask for data subject consent. Your Tag Manager reads the consent flag(s) available from the browser cookie and either allows the Lytics JS Tag to process data from customer websites or does not. In addition, Lytics personalization features support the creation and delivery of different consent forms and the storage/tracking of such consent. Consent is a user-level attribute that can be used as a custom rule in the creation of an audience.
Our CDP features help you, our customer, respond to data subject requests. The GDPR gives data subjects the right to receive a copy of their personal data in a common commercial format. Lytics supports the export of a data subject record or profile information via the Lytics UI or API. A data subject's profile data from Lytics may be downloaded in a common, machine-readable file format.
Lytics supports your organization's fulfillment of a data subject deletion request by providing the Delete User option in the Lytics UI. Our API also may be used for this purpose. This will send a deletion request to the Lytics CDP, which will process the request for the consumer identifier provided.
A Lytics customer may correct personal data hosted by Lytics by correcting it at the appropriate customer data source as the data will be subsequently updated with the correction in the Lytics CDP.
We will forward to our customer a data subject's request related to the PI we process for that customer so that our customer can substantively respond to the request.
The GDPR specifies protections for data transfers. We transfer data via our secure APIs and by sFTP with data encrypted in transit and in storage. For customers whose data includes personal data within the scope of the GDPR, Lytics will enter into the controller-processor standard data protection clauses pursuant to GDPR Article 46.
- ISO 27001
As a key component of our security efforts, we have implemented an information security management system (ISMS) based on the ISO 27001:2013 framework. Our ISMS policies, and related written procedures, have been adopted to provide guidance for our implementation of good security practices and help ensure that our organizational risk is appropriately mitigated.
Lytics subscription services are out of scope for PCI-DSS because we do not process card data on behalf of our customers.
- SOC 2 Type II
An independent auditor has examined Lytics platform controls and confirmed they are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principles for Security, Availability, Confidentiality and Privacy. Lytics undergoes a SOC 2 Type II audit on an annual basis.
- Audit Logs
Lytics maintains administrative logs as well as logs for account establishment and modifications (including adding or removing users, segments, sources, destinations).
Lytics customers may obtain logs of internal Lytics system events related to internal changes to the state of their Lytics account. Common changes are CRUD Operations (Create, Update, Delete) of Account, Admin User, etc. See https://learn.lytics.com/documentation/developer/api-docs/system-events.
- Multi-Factor Authentication
Lytics makes it easy for you to add multi-factor authentication to your Lytics account user login process to enhance account security.
- Role-Based Access Control (RBAC)
Customer account administrators can easily add and remove account users. Lytics has various, defined user roles with respective permissions.
The platform also has two-factor authentication, SSO integration, API tokens for short-term access, and APIs for role-based access as well as custom roles.
Specific profile fields can be shown or hidden based on role or outbound system. Different roles can be given different visuals, permissions, and access.
System events around user access can also be subscribed to via API: https://learn.lytics.com/documentation/developer/api-docs/system-events.
- SSO
Consider adding single sign-on (SSO) to your account user login process to enhance account security. Lytics supports a SAML SSO integration with Google Identity Platform as a Service Provider.
- Data Encrypted At-Rest
Data is encrypted in storage using either AES256 or AES128, with encryption applied to chunks of data, so that if any key were compromised, the “blast radius” would be limited to only the data chunk encrypted with the compromised key.
- Data Encrypted In-Transit
- Passwords Encrypted
Account user passwords are encrypted and hashed with a SHA 256 algorithm.
- Data Retention Policy
Lytics retains customer data in accordance with customer instructions contained in their respective services agreement. Following termination of a service agreement with a customer, the customer data is effectively deleted with logical deletion and cryptographic erasure. When media that hosted customer data is no longer useful, it is destroyed in compliance with NIST SP 800-88 Revision 1 Guidelines for Media Sanitization and DoD security guidelines.
- Incident Response Plan (IRP)
Lytics operates a formal Security Incident management process under its Security Event Management Policy and related procedures. Escalation procedures exist to ensure the timely communication of any Security Incident through the management chain and to any affected customers without undue delay.
- Confidentiality Agreements
Our service agreements provide for the confidential treatment of confidential customer information, including customer data. And we require all our employees and contractors as well as vendors to sign confidentiality agreements to ensure the protection of confidential information.
- Employee Background Checks
Lytics employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired.
- Employee Security Training
Lytics trains all new employees about their confidentiality, privacy and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access. In addition, Lytics communicates with all personnel about privacy and information security matters through regular newsletters.
- Limited Employee Access (Principle of Least Privilege)
Lytics follows the principle of "least privilege" in governing employee access to our systems. Access to our customers' data is limited to legitimate business needs, including activities needed to support customers' use of our services. We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees' access rights and patterns are commensurate with their current positions. A formal employee termination notification process exists, which is initiated by the Human Resources department. Upon notification by HR, all physical and system accesses are immediately revoked.
- Disaster Recovery Plan
Lytics maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, redundancy throughout our customer data platform (CDP) architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans and test them on a regular basis.
- Multi-Tenant Architecture
We use the Google Cloud Platform infrastructure because it has been architected to be one of the most flexible, reliable, and secure cloud environments available today, allowing our customers to benefit from this data infrastructure.
Lytics provides its subscription services using multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at rest using AES 256.
Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all accesses are logged.
We have designed our subscription service data collection environment for high availability - no less than 99.95%.
- ISO 27001 - Data Center
Google Cloud Platform - GCP is certified as compliant with the following ISO standards: ISO 27001:2013, ISO 27017:2015, ISO 27018:2019
- SOC 2 Type II - Data Center
Google Cloud Platform - The purpose of the SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. Google is assessed annually for SOC 2 Type II criteria compliance.
- SOC 3 - Data Center
Google Cloud Platform - The SOC 3 is a public report of Google's internal controls for the GCP over security, availability, processing integrity, and confidentiality.
- Zero-Trust Architecture
We have implemented a zero-trust architecture security framework with separate corporate and production networks. We restrict access to our networks and services based on information about a device, its state, and its associated user seeking access so that only devices and users authenticated, authorized, and regularly validated can gain access.
| Name | Purpose | Location |
| --- | --- | --- |
| | Secure FTP service for bulk transfers of data from Lytics customers to Lytics | Principal offices: 410 Terry Avenue North Seattle, WA 98109 USA |
| | Data delivery from the online properties of Lytics customers to Lytics | Principal offices: 101 Townsend St, San Francisco, CA 94107 USA |
| | Google Cloud Platform data hosting and processing services | Principal offices: 1600 Amphitheater Parkway, Mountain View, CA 94043 USA |