About Tuvis Security
Commitment to Trust
We take the protection of your personal and company data very seriously, treating it confidentially and in accordance with legal data protection regulations. We do not collect or store any of your leads, potential customers, contacts, or clients' data. We collect and store only the minimum amount of data about our users (Tuvis) necessary for the agreed-upon purpose, using secure databases hosted on Amazon AWS servers—the same servers where we perform all other operations. All third-party API integrations use standard encryption techniques (such as SSL) over HTTPS. Our Chrome extension undergoes both automated and manual security reviews by Google to ensure compliance with their security and data privacy terms. Additionally, as a certified partner of Salesforce AppExchange, we have successfully passed the ISV security review. Please refer to our Privacy Policy and Terms of Use for more information.
Covered Services
The Covered Services are designed and operated with an architecture that segregates and restricts access to Customer Data based on business needs. This architecture provides effective logical separation of data for different customers through customer-specific "organization ID" and "user ID" and allows for the use of access privileges based on the role of the customer and user. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production. The specific infrastructure used to host our Customer Data (we do not store any of your customers' data on our servers at any time) is described in the "Infrastructure and Subprocessors" documentation available here.
Processing Control
Tuvis has implemented procedures designed to ensure that Customer Data is processed securely throughout the entire chain of secure processing methods by Tuvis and its subprocessors. In particular, Tuvis and its affiliates have signed written agreements with their subprocessors containing privacy, data protection, and data security obligations that provide an appropriate level of protection for data processing. Compliance with such obligations, as well as the technical and organizational data security measures implemented by Tuvis and its subprocessors, are subject to regular audits. The "Infrastructure and Subprocessors" documentation describes the subprocessors and certain materials from other entities for the provision of the Covered Services by Tuvis.
Infrastructure and Subprocessors
Tuvis uses the infrastructure provided by Amazon Web Services, Inc. ("AWS") to host or process our Customer Data. Information about security and privacy audits and certifications received by AWS, including ISO 27001 certification and SOC reports, is available on the AWS Security and Compliance websites. Please refer to the full list of subprocessors in the "WHAT INFORMATION WE COLLECT, WHY WE COLLECT IT, AND HOW IT IS USED" section of our privacy policy.
Please note that some of the Personal Data mentioned above will be used for fraud detection and prevention purposes and for security purposes. We may use anonymous information and/or disclose it to third parties without restrictions (for example, to improve our services and enhance your experience with them).
Security Policies and Procedures
Tuvis uses the infrastructure provided by Amazon Web Services, Inc. ("AWS") to host or process our Custom Services. The Covered Services are operated in accordance with the following policies and procedures to enhance security:
- We do not store any passwords on our servers.
- We do not store or log any API credentials or access tokens on our servers.
- We store user access log entries, including date, time, user ID, executed URL, or entity.
- We store the operated ID, the operation performed, and the originating IP address.
- If there is suspected improper access, Tuvis can provide customers with log entries and/or analysis of these logs to assist in forensic analysis, when available.
Incident Management
Tuvis maintains security incident management policies and procedures and notifies affected customers without undue delay about any unauthorized disclosure of their respective Customer Data by Tuvis or its agents, of which it becomes aware, to the extent permitted by law.
User Authentication
Access to the Covered Services requires authentication using Salesforce's standard remote OAuth flow. Upon successful authentication, an encrypted ID is generated and stored in the user's browser to maintain and track session state.
Disaster Recovery
The production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. The Covered Services utilize secondary facilities that are geographically different from their primary data centers.
Viruses
The Covered Services do not scan for viruses that may be included in attachments or other Customer Data uploaded to the Covered Services by a customer. However, uploaded attachments or malicious code/SQL injections are not executed within the Covered Services and therefore will not harm or compromise the Covered Services by virtue of containing a virus.
Data Encryption
The Covered Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer's network and the Covered Services, including Transport Layer Security (TLS) encryption using at least 2048-bit RSA server certificates and 128-bit symmetric encryption keys. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes via a dedicated and encrypted link utilizing AES-256 encryption.
Customer Data Return
Within 30 days after contract termination, customers may request the return of their respective Customer Data submitted to the Covered Services (to the extent that such data has not been deleted by the customer or if the customer has not yet removed the managed package in which the Customer Data was stored). Tuvis will provide this Customer Data via downloadable files in comma-separated values (.csv) format and attachments in their native format.
Customer Data Deletion
Upon termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in an inactive status within the Covered Services for 120 days, after which it is securely overwritten or deleted from production within 90 days and from backups within 180 days.
If you have any questions or need further information, please contact us at [email protected]