About tuvis Security

About tuvis Security

Trust Commitment

We take the protection of your personal and your business’ data very seriously and treat it confidentially and in accordance with the statutory data protection regulations. We do not collect or store any of your leads, prospects, contacts or customers data. We do collect and store the minimum data on our (tuvis) users we need for the agreed purpose and use secured databases hosted on Amazon AWS servers. Same servers we run all other operations on. Any third-party API integrations are leveraging standard encryption techniques (such as SSL) over HTTPS. Our Chrome Extension goes through Google’s automated and manual security review to assure it is aligned with their security and data privacy terms. Also, as a certified Salesforce AppExchange partner, we have successfully passed their ISV Security Review. Please review our Privacy Policy and Terms of Use for more information.

Services Covered

The Covered Services are designed and operated with architecture to segregate and restrict Customer Data access based on business needs. The architecture provides an effective logical data separation for different customers via customer-specific “Organization ID” and “User ID” and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production. This specific infrastructure used to host our Customer Data (we do not store any of your customers’ data on our servers at any time) is described in the “Infrastructure and Subprocessors” documentation available here.

Control of Processing

tuvis has implemented procedures designed to ensure that Customer Data is processed securely, throughout the entire chain of secured processing methods by tuvis and its subprocessors. In particular, tuvis and its affiliates have entered into written agreements with their subprocessors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their data processing. Compliance with such obligations as well as the technical and organizational data security measures implemented by tuvis and its sub-processors are subject to regular audits. The “Infrastructure and Sub-processors” documentation describes the subprocessors and certain other entities’ material to tuvis’ provision of the Covered Services.

Infrastructure and Subprocessors

tuvis uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host or process our Customer Data. Information about security and privacy-related audits and certifications received by AWS, including ISO 27001 certification and SOC reports, is available from the AWS Security website and the AWS Compliance website. See complete list of subprocessors in the “WHAT INFORMATION WE COLLECT, WHY WE COLLECT IT, AND HOW IT IS USED” section of our privacy policy.

Please note that some of the abovementioned Personal Data will be used for fraud detection and prevention, and for security purposes. The abovementioned. We may use Anonymous Information and/or disclose it to third parties without restrictions (for example, in order to improve our services and enhance your experience with them).

Security Policies and Procedures

tuvis uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host or process our Custom The Covered Services are operated in accordance with the following policies and procedures to enhance security:

  • We do not store any passwords on our servers
  • We do not store or log any API credentials or access tokens on our servers
  • We do store user access log entries, including date, time, user ID, URL executed, or entity
  • We do store ID operated on, the operation performed, and source IP address.
  • If there is suspicion of inappropriate access, tuvis can provide customers log entry records and/or analysis of such records to assist in forensic analysis when available.
  • Incident Management

tuvis maintains security incident management policies and procedures and notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by tuvis or its agents of which became aware to the extent permitted by law.

User Authentication

Access to Covered Services requires authentication using Salesforce’s standard remote OAuth flow. Following successful authentication, an encrypted ID is generated and stored in the user’s browser to preserve and track the session state.

Disaster Recovery

Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. Covered Services utilize secondary facilities that are geographically diverse from their primary data centers.


The Covered Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Covered Services by a customer. Uploaded attachments or malicious code/SQL injection, however, are not executed in the Covered Services and therefore will not damage or compromise the Covered Services by virtue of containing a virus.

Data Encryption

The Covered Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer’s network and the Covered Services, including through Transport Layer Encryption (TLS) leveraging at least 2048-bit RSA server certificates and 128-bit symmetric encryption keys at a minimum. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes across a dedicated, encrypted link utilizing AES-256 encryption.

Return of Customer Data

Within 30 days post contract termination, customers may request the return of their respective Customer Data submitted to the Covered Services (to the extent such data has not been deleted by the Customer, or if the Customer has not already removed the managed package in which the Customer Data was stored). tuvis shall provide such Customer Data via downloadable files in comma-separated value (.csv) format and attachments in their native format.

Deletion of Customer Data

After termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 120 days, after which it is securely overwritten or deleted from production within 90 days, and from backups within 180 days.

For any questions or if you need additional information please contact us at [email protected]

Scroll to Top