The security and integrity of customer data is paramount to our customers’ values and operations. That’s why we’ve made Customer Trust our number 1 value at Qualified. The landscape of information security and data privacy law, standards, and compliance requirements is constantly changing. It’s important that companies are transparent about how they are addressing this ever-changing landscape. Qualified helps customers maintain control of their privacy and data security in a myriad of ways:
Data Security: We provide our customers compliance with high security standards, such as encryption of data in motion over public networks, auditing standards (SOC 2), Distributed Denial of Service (“DDoS”) mitigations, and dedicated support and success services. We do not access or use customer content for any purpose other than providing, maintaining and improving the Qualified services and as otherwise required by law.
Disclosure of Customer Data: Qualified only discloses data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
Trust: Qualified has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed Qualified’s adherence to high industry standards.
Access Management: Qualified adheres to the concept of least privilege, performs regular access reviews, and leverages SSO and MFA.
Qualified is fully committed to compliance with the GDPR. Our dedicated GDPR page provides a high-level summary of our commitment. Please contact us at [email protected] directly with any questions as it relates to our commitment to data privacy and protection relating to the Qualified service.
Qualified was previously certified for its compliance with the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. However, on July 16, 2020, the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU law.
Qualified now leverages Standard Contractual Clauses (SCCs) for data transfers of personal data into the U.S. This includes a Data Processing Agreement for Qualified and all of our sub-processors.
Qualified customers that collect and store personal information in Qualified Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Qualified acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Qualified collects, accesses, maintains, uses, processes and transfers the personal information of our customers and our customer’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our customers; and, for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.
We do not “sell” our customer’s personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered personal information under the CCPA.
If you would like to review how the CCPA applies to Qualified’s Processing of Personal Data in detail, please click here and see Annex 2 (California Annex)
Qualified undergoes a SOC 2 Type II audit annually. Contact your Qualified Representative to request access to the current report.
Qualified’s policies are managed and updated on an ongoing basis. These policies are reviewed at least annually and compliance with them is considered in each third party audit. The policies include:
Highlights of these policies are detailed below. All additional policies are available to Qualified prospective and existing customers under a signed non-disclosure agreement through our Trust Center.
The Qualified service infrastructure has been designed to handle outages or failures gracefully. This infrastructure is monitored continually and managed to handle times of increased loads. Any planned outages are communicated to impacted customers well in advance and done so at times of least-impact.
Qualified availability may be found and tracked at status.qualified.com
Qualified is proactive in its approach to risk management, balances the cost of managing risk with anticipated benefits, and undertakes contingency planning in the event that critical risks are realized. Risk assessments are completed as issues arise and things change. Qualified’s management team reviews the entire risk register annually, at a minimum.
Qualified has the primary duty to ensure the Confidentiality, Security, and Availability of critical systems and customer data. A duty to ensure a secure, available infrastructure requires Qualified to identify and manage risks.
Qualified conducts background checks for all new hires including verification on the following:
Qualified employees are required to attend security and privacy training at onboarding that covers relevant security topics. Employees are required to take annual security training thereafter. Engineers are required to attend an additional technical security workshop. Changes affecting the product or policies are communicated to Qualified employees and incorporated into onboarding and reassessment training.
If you believe you’ve discovered a potential vulnerability, please let us know by submitting the issue here: https://qualified.vulnerability-disclosure.com/. We will acknowledge your submission within five business days.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within seven business days of disclosure.
Qualified hosts a Bug Bounty Program through a third party. If you would like to participate in our program, please email [email protected]
Qualified follows all industry best practices to transmit and store data used in Qualified Service Delivery. Below is an outline of these practices.
At a high level Qualified collects information about your website visitors to help your sales and marketing team; this is business contact and firmographic information. Standard Qualified usage includes collecting some personally identifiable information for your website visitors, at a minimum, the visitor’s IP address. In many cases, it also includes the visitor's name and business email address. The email address is the identifying data point that allows Qualified to retrieve visitor information from your Salesforce CRM Instance and other connected systems (e.g. Marketing Automation). Any additional PII collected is configurable and may extend insofar as it allows your representative to communicate with your website visitors (i.e. visitor region and firmographic data).
Qualified does not store credit card information, Social Security Numbers, or any other highly sensitive PII. More information about what data Qualified collects and processes to provide its service can be found in the Qualified Privacy Policy.
Qualified Customers control what data is synchronized between their systems and Qualified. Examples of these systems can include Salesforce CRM, Marketing Automation, Sales Engagement, CDPs and more. In the instance of Salesforce CRM, a Qualified Customer has complete control over what data is shared with Qualified and what data is available to be updated by Qualified. Data shared from Salesforce to Qualified is dictated by the permissions of the Integration User used to connect Qualified to Salesforce. The objects and fields accessible to the Integration User will determine what Qualified can access for Create, Read, and Update (where applicable). Additional information on Connecting to Salesforce can be found here. Similar access controls are provided by other tools integrated with Qualified. Qualified will synchronize data back to these connected systems as defined by the configuration in their Qualified Instance; again, this is under control of the Qualified Customer.
If you have more questions about what data is passed to and from Qualified, contact your Qualified Success Architect or Account Executive.
All data stored by Qualified is securely encrypted and logically segregated. This ensures that our Customers’ visitor data is protected from exploitation and is accessible for customer support related inquiries. Qualified does not engage in “roll-your-own” encryption, algorithms, or practices and does not use “security through obscurity” within production infrastructure or applications.
Qualified leverages best-in-class, cloud-based storage facilities via Third Party Service Providers to ensure that they have secure physical controls as well as redundant backups to fulfill Business Continuity and Disaster Recovery Plans.
Qualified data resides in the US-East region of AWS, located in Northern Virginia, USA. Qualified does not have any data storage options in the EU at this time.
By default all communications from your end users and your visitors with the Qualified Service are encrypted using industry-standard communication encryption technology. Qualified currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.
All Qualified data is encrypted at rest with AES-256, block-level storage encryption.
We retain Customer Data for as long as necessary to fulfill the purposes set forth in the Qualified Privacy Policy or as long as we are legally required or permitted to do so. Customers may, at their discretion, change their data retention settings within the Qualified application to align with their company policies.
If you are an end user of one of our Customer’s websites, applications, or services, you should review that Customer’s privacy policy to learn more about that Customer’s privacy practices, including its collection and use of your data, its legal bases for processing your data, and its data retention policies.
Qualified provides the option to delete data for individual visitors in compliance with GDPR. This request must be made by the visitor or the Qualified customer. Qualified may require additional ID verification before processing such a request. Qualified will hard delete all information from currently-running production systems within one quarter of the deletion request.
Only authorized employees can delete customer data in the event that Qualified is requested or required to do so.
Qualified is hosted on Amazon Web Services (AWS). AWS undergoes recurring assessments to ensure compliance with industry standards. AWS’s data center operations have been accredited under:
Qualified employees do not have physical access to AWS data centers, servers, network equipment, or storage.
Only authorized Qualified operations team members have access to configure the infrastructure.
Each Qualified employee, contractor, and associate has limited access to Qualified systems and applications. Access is always provisioned on a minimum-necessary (least-privilege) basis.
Qualified undergoes black box penetration testing conducted by an independent, third-party agency, annually at minimum. For black-box testing, Qualified provides the agency with an isolated clone of Qualified.com and a high-level diagram of application architecture.
Information about any security vulnerabilities successfully exploited during penetration testing is tracked, assigned to the appropriate internal team for remediation, and then retested. A summary of Qualified's most recent penetration test is available in our Trust Center.
Qualified uses an Intrusion Detection System (IDS), a Security Information and Event Management (SIEM) system and other security monitoring tools on the corporate headquarters network. Amazon Web Services also employs sophisticated intrusion detection and deterrent systems. The production servers hosting the Qualified application use a variety of security monitoring tools. Notifications from these tools are sent to the Qualified Security Team so that they can take appropriate action.
To facilitate user authentication through the web browser and improve identity management, Qualified offers Security Assertion Markup Language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 enhances user-based security and streamlines signup and login from trusted portals to enhance user experience, access management, and auditability.
Qualified integrates with multiple Identity Providers (IdP)—including Okta, Azure, and OneLogin. Using a different IdP? Contact us to find out how we might work with yours.
Qualified practices continuous delivery to deliver updates to the Qualified application and infrastructure. All code changes are committed, tested, shipped, and iterated on by Qualified engineers on a high frequency cadence, up to multiple times a day. This allows Qualified to deploy new features, make improvements to existing functionality, and address fixes rapidly.
All of Qualified’s software is version controlled and synced between contributors (developers) to a single origin repository. Access to the central repository is restricted based on an employee’s role. Using a decentralized version control system allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. In addition, any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.
At Qualified, we are committed to developing and using artificial intelligence (AI) in a responsible and ethical manner. We aim to use AI to achieve our goals while minimizing potential risks.
Our AI development and use is guided by the following principles:
We protect the privacy of individuals and ensure that personal data is collected and used in a lawful and ethical manner.
We are committed to collecting and using data in a transparent and ethical manner. This includes: