Privacy & Security

Last updated 6/1/2021

About ImpactProduct ("IP"):

ImpactProduct is an analytics tool designed to democratize analytics. We have created a powerful analytics product that removes the largest usage challenges, namely the need for developer support for instrumentation and confusing analytical dashboards.

To remove the developer support requirement for instrumentation, IP collects site usage data using IP's own JavaScript, which its customers add to their sites. The IP script pulls aggregate, anonymous event data through the APIs. IP does not capture PII data of any kind. IP stores all event data on Google Cloud. Data is encrypted both at rest and in transit. IP's data capture is also asynchronous, so it does not affect page load. More on that below.

Instead of showing analytics in a confusing dashboard, IP shows event data in a Chrome Extension that overlays your product.  Individual users add IP's extension to their browser.

Security and Reliability

Your data is secure with ImpactProduct because we use industry-standard best practices to provide a highly safe and secure product.

JavaScript Overview:

ImpactProduct captures our customers' users' website actions via JavaScript code that our customer adds to its website header. This JavaScript code simply counts the number of times that an HTML element is clicked. The JavaScript does NOT capture any user Personally Identifiable Information. All click events are anonymous and aggregate. The HTML element selector path/ID that the JavaScript captures is the same information that any user of a website can obtain simply by right-clicking on a website page and choosing the "Inspect" menu option. You can read more about IP's JavaScript that captures site usage data here: https://www.impactproduct.com/jsfaq

Note: ESPN is not an ImpactProduct customer. This is an example to show that an element's selector path is publicly available information.

Notwithstanding the foregoing, if a customer would like to verify for itself, beyond the representation above, exactly what information our JavaScript captures, ImpactProduct offers Enterprise plan customers the option to host our JavaScript on-premise and pass the information to our front end.
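As an added illustration of the counting scheme described above (example code written for this page, not ImpactProduct's actual script): the collector records only an element's selector path and a click count, never text content, form values, cookies or any user identifier, and is wired in without blocking the page. The node shape (plain objects with tagName, id, parentNode, children) and the endpoint name are assumptions so the core functions also run outside a browser.

```javascript
// Build a CSS-style selector path such as "div#main > ul > li:nth-of-type(2) > a".
// The walk stops at the nearest ancestor with an id, because an id already
// anchors the path; this is the same information the browser's Inspect view shows.
function selectorPath(el) {
  const parts = [];
  let node = el;
  while (node && node.tagName) {
    const tag = node.tagName.toLowerCase();
    if (node.id) { parts.unshift(`${tag}#${node.id}`); break; }
    const parent = node.parentNode;
    let part = tag;
    if (parent && parent.children) {
      const sameTag = Array.from(parent.children).filter(c => c.tagName === node.tagName);
      if (sameTag.length > 1) part += `:nth-of-type(${sameTag.indexOf(node) + 1})`;
    }
    parts.unshift(part);
    node = parent;
  }
  return parts.join(' > ');
}

// Aggregates counts per selector. record() reads only the target element's
// position in the tree, so nothing typed by the user (input.value) or shown on
// screen (textContent) ever enters the payload: data minimization by construction.
class ClickCounter {
  constructor() { this.counts = new Map(); }
  record(target) {
    const key = selectorPath(target);
    this.counts.set(key, (this.counts.get(key) || 0) + 1);
    return key;
  }
  // The only thing that leaves the page: { selectorPath: count }.
  payload() { return Object.fromEntries(this.counts); }
}

// Browser wiring. The tag is loaded with <script async src="..."> so it never
// blocks rendering, and the batch is flushed with sendBeacon when the tab is
// hidden so it does not delay unload either. 'endpoint' is a hypothetical URL.
function install(doc, nav, endpoint, counter = new ClickCounter()) {
  doc.addEventListener('click', e => counter.record(e.target), { capture: true, passive: true });
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden' && nav.sendBeacon) {
      nav.sendBeacon(endpoint, JSON.stringify(counter.payload()));
    }
  });
  return counter;
}
```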

Policies

Our security strategy involves the following components:

Acceptable Use:

ImpactProduct has defined and communicated to its employees the requirements for acceptable use of ImpactProduct's resources in order to mitigate the risk of unauthorized access to ImpactProduct equipment, as well as unauthorized use and modification of information assets. These include clear desk and clear screen rules, data handling requirements, password maintenance, equipment security, and breach reporting/incident notification.

1. User responsibilities 

a. ImpactProduct information must be handled in compliance with the information security policy. 

b. Actual or suspected information security incidents must be reported without delay in compliance with the ImpactProduct information security incident section of this policy. 

2. Use of IT systems and equipment 

a. ImpactProduct assets (e.g., laptops, desktops, internet connection, data, and software) must only be used for approved purposes. 

b. Reasonable use of ImpactProduct systems is permitted, providing it does not interfere with the employee’s work for ImpactProduct. 

c. Personal use of ImpactProduct information of any type or classification except for Public information is prohibited. 

3. Use of Email 

a. ImpactProduct provides email to facilitate the company's business needs and interests. Email must be used in compliance with the ImpactProduct Information Security policy. All access to email messages must be limited to authorized personnel. 

b. ImpactProduct users must exercise caution when opening unsolicited attachments, phishing emails, and web links from both known and unknown sources. 

4. Use of the Internet 

a. ImpactProduct internet access must not be used to visit sites that contain pornographic, obscene, indecent, hateful, or other offensive material, to visit hacker sites, or to breach copyright legislation.


Access Controls

Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes.


a) Each user of ImpactProduct information resources must have a uniquely assigned user account to allow them to access information resources. This user account is not shared and directly ties to an individual to support accountability; 

b) User’s access to information resources must be requested, approved, and granted through a standard documented request and approval process. 

c) User’s account information must not be divulged to any other person without a documented reason that has been approved by management per the requirements listed in the information classification and handling section of this document. 

d) Accounts that are inactive for a maximum period of 90 consecutive days must be disabled. Any exceptions must be authorized and documented appropriately. 

e) Supervisors must notify the IT&SD Department of the transfer, resignation, or termination of any staff member under their supervision. A staff member's access to ImpactProduct's information system will be disabled on the date of the staff member's termination or resignation, or earlier if necessary for other reasons in the judgment of ImpactProduct's Vice President of IT&SD.


Password Policy

ImpactProduct employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Employees have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.


Cybersecurity Governance

ImpactProduct recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration, or destruction of customer data. For this purpose, ImpactProduct implements industry-standard security controls and maintains a comprehensive security program.


Risk Management

ImpactProduct has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted periodically and identified risks are mitigated according to risk severity and business priorities.


Physical Security

Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to ImpactProduct's employees, premises, system, and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies, and procedures implemented are commensurate with the risks and particular legal, regulatory, or contractual requirements associated with each facility.

Third-Party Risk Management

ImpactProduct maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process, or host ImpactProduct data or have access to ImpactProduct network and systems.


a. All third parties that have access to confidential or restricted information must adhere to the following information security requirements. 

i. A non-disclosure agreement (NDA) must be in place before ImpactProduct Internal, Confidential or Restricted information is disclosed to the third party. 

ii. Reasonable steps must be taken to obtain assurance that appropriate security controls are in place at the third party. These steps must be taken regularly in line with the risk associated with sharing data with the third-party. 

iii. An inventory of all third parties with access to ImpactProduct information must be maintained. 

iv. Contracts with the third party must be signed before any third party is provided access to ImpactProduct information. 

v. A reassessment of the third party’s security controls must be considered in the case of a change to the data classification or frequency of data shared with the third party. 

vi. At the termination of a contract: 

1. ImpactProduct information assets must be returned, retained, transferred or securely destroyed. 

2. Physical and logical access to ImpactProduct's information assets and facilities must be revoked.


Incident Management

ImpactProduct has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.

a. ImpactProduct management is committed to building and maintaining an incident management program in order to support the organization's business mission, protect its customer data and services, and protect ImpactProduct proprietary information, systems, services, facilities, and people. 

i. Changing the configuration of, removing, deactivating or otherwise tampering with any anti-malware software that has been installed on systems is only allowed for authorized users. 

ii. All incidents of malware or virus infection must be reported immediately to ImpactProduct management. The infected system must be isolated from the network infrastructure as soon as possible and then remediated. 

iii. Any actual or suspected information security incidents must be reported to ImpactProduct management as soon as they are suspected. 

iv. Information security incidents must be managed in accordance with defined Incident Management standards, comply with applicable local legal and regulatory requirements, designate specific people to be available to respond to alerts, and be supported by tools and procedures. 

v. Information security incidents must be reviewed to determine common factors, patterns, and trends, to understand the costs and impact, and to assess the effectiveness of controls.


Business Continuity

ImpactProduct utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.

a. A business continuity plan (BCP) must be documented and reviewed once a year. Components of the documented plan must include: 

i. Acceptable recovery time frames (e.g., Recovery Point Objective (RPO) and Recovery Time Objective (RTO)) 

ii. Roles and responsibilities of key team members 

iii. The BCP must be based on a Business Impact Analysis (BIA). 

b. Both fallback and resumption-related emergency procedures must be defined to allow for both temporary measures and full resumption as required. 

c. The documented plan must be tested regularly. 

i. Testing may include, but is not limited to, discussion, simulation, technical recovery testing, or complete rehearsals. 

d. Updates to the business continuity plan must be disseminated on a timely basis. 

e. Business Impact Analysis 

i. ImpactProduct will conduct a business impact analysis (BIA) in order to identify the criticality of its assets, facilities, and processes. The BIA will be reviewed regularly for currency and accuracy. 

f. Redundancy and Capacity Planning 

i. ImpactProduct will identify areas in which it requires redundancy in order to maintain its business objective for availability and provide adequate resources to support that level of redundancy and future capacity needs.


Want to report a security concern?

Here at ImpactProduct, we review all reports of security vulnerabilities seriously. To report a vulnerability in one of our products or solutions, please contact our Computer Security Incidents Response Team (CSIRT) at support@impactproduct.com.