Policies

Data Protection Policy

Last updated Feb 04, 2018

Each customer (“Customer”) using the Retail Zipline service (the “Service”) expects their data to be secure, confidential, and private. We understand how important this is to our customers and work to the best of our abilities to ensure all three expectations are met. The information below sets forth Zipline’s policy regarding data protection, along with our Privacy Policy and Terms and Conditions. This is a living document and we will update it as our service evolves and industry practices change.

Security

Ensuring that the Service remains secure is vital to protecting our Customers and their data. The security of Customer’s information is required for our success as a business. Below are some details on our security practices.

Encrypted Traffic by Default, in Both Directions

Retail Zipline uses 256-bit AES, supports TLS 1.2 for all of your messages, and uses the ECDHE_RSA Key Exchange Algorithm. We monitor the security community’s output closely and work promptly to upgrade the service to respond to new vulnerabilities as they are discovered.

Secure Physical Location

Our servers are located in Amazon’s AWS data centers and also on Heroku’s managed systems. Each publishes dedicated information about its security measures on its website, which you can find here: http://aws.amazon.com/compliance/ and https://www.heroku.com/policy/security.

Experienced Team

Even before Retail Zipline, we’ve been putting services on the internet for a long time. We’re good at it. Our engineering, quality assurance and technical operations team members are experienced and keep their skills up to date as industry best practices evolve. We’ve coded, tested and administered services running on thousands of physical servers in data centers around the world and we bring the collective wisdom that comes with many decades of secure practice to the operation of the Retail Zipline service.

Security Features for Organization Members & Administrators

The highest security risk to any system is usually the behavior of its users. We want to provide you with the tools you need to protect your own data. For example, we log every time your account is signed in to, noting the device used and location of the connection, and make these access logs available to you.

We will continue to roll out additional features which afford you more control over the security of your own Retail Zipline organization. We will also be adding more options for organization administrators to set internal security policies, such as establishing password strength requirements or requiring use of PIN-lock functionality for Retail Zipline’s mobile apps.

Personal Data

In the course of performing Services for Customers, Customers may provide Zipline with information relating to an identified or identifiable individual (“Customer Personal Data”). Other than as required to perform the Services, Zipline agrees that it will not disclose or transfer Customer Personal Data to any third party. Zipline agrees to use the Customer Personal Data only for the purposes of performance of this Agreement and to make no copies except as necessary for performance of this Agreement. If Zipline is requested or required by law to disclose any of the Customer Personal Data, Zipline will not (if legally permitted to not) disclose the Customer Personal Data without providing Customer notice so that Customer may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Zipline will exercise reasonable efforts to limit any such disclosure by cooperating with Customer to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to the Customer Personal Data. If Zipline discloses Customer Personal Data to any third party, Zipline will have in place written agreements with any such third party to whom Zipline or any Zipline agent discloses Customer Personal Data ensuring that such third party is under a duty to protect such Customer Personal Data. Zipline will remain accountable and responsible for any actions by such third parties.

All Customer Personal Data will be stored in a physically and logically secure environment that is designed to protect it from unauthorized access, modification, theft, misuse and destruction. Zipline will notify Customer promptly following discovery of any unauthorized access, disclosure and/or theft of Customer’s Personal Data that is considered material and harmful to Customer (each a “Data Breach”), and will cooperate with Customer as necessary to address and remedy such Data Breach and prevent further unauthorized access, disclosure or theft.

At termination or expiration of this Agreement, or upon Customer’s earlier request, Zipline shall (a) promptly return to Customer, in the format and on the media reasonably requested by Customer, all Customer Data, and/or (b) erase or destroy all Customer Data in Zipline’s possession. Notwithstanding the foregoing, Customer acknowledges that Zipline shall not be required to return or destroy those copies of Customer Data that (1) reside on Zipline’s backup, disaster recovery or business continuity systems, or (2) Zipline is obligated by applicable law and/or industry and/or governmental regulations to retain. However, Zipline agrees that following its receipt of any request to return or destroy, it shall neither retrieve nor use Customer’s Customer Data for any purpose other than those specified in (1) and (2) above.

Customer Personal Data collected through the Service will be stored and processed in the United States, or in other countries if specifically agreed upon in an applicable agreement with Customer, and by using the Service, you consent to any such transfer of information outside of your country. Please note, we may transfer the Customer Personal Data we collect about you to countries other than the country where we originally collected it for the purposes of processing the data and operating the Service. If we transfer your information outside the country of collection, we will protect that information as described in this Policy and take steps, where necessary, to ensure that international transfers comply with applicable laws.

Employee Access

We regard the information you share with Zipline as private and confidential to your organization. We place strict controls over our employees’ access to internal data and are committed to ensuring that your data is never seen by anyone who should not see it. While the operation of the Service would not be possible unless there were some technical employees with sufficient system permissions to enable them to access and control software that stores and indexes the content you add to your Service, this team is kept purposefully small and its members are prohibited from using these permissions to view customer data unless it is necessary to do so.

All of our employees and contractors are bound to our policies regarding customer data and we treat these issues as matters of the highest importance within our company.

Availability

We understand that you rely on Retail Zipline to work. Our goal is to make the Service a highly available, ultra-reliable service. Our systems are designed to tolerate the failure of individual computers or whole datacenters and to keep many copies of your data online for redundancy. We practice disaster-recovery measures often and have staff on call to resolve unexpected incidents.

Zipline’s obligations under this Policy will continue for so long as Zipline continues to have access to, is in possession of or acquires Customer Personal Data, even if all agreements between Zipline and Customer are terminated.

Confidentiality

We regard the information you share within your Retail Zipline organization as private and confidential to your organization. We place strict controls over our employees’ access to internal data and are committed to ensuring that your data is never seen by anyone who should not see it.

While the operation of the Retail Zipline service would not be possible unless there were some technical employees with sufficient system permissions to enable them to access and control software that stores and indexes the content you add to your Retail Zipline organization, this team is kept purposefully small and its members are prohibited from using these permissions to view customer data unless it is necessary to do so.

All of our employees and contractors are bound to our policies regarding customer data and we treat these issues as matters of the highest importance within our company. If, in order to diagnose a problem you are having with the service, we would need to do something that would expose your communications to one of our employees in a readable form, we will ask for your consent prior to taking action.

There are limited circumstances in which we share customer content without first obtaining permission. These are outlined in our Privacy Policy.

Privacy

A fundamental privacy principle we abide by is that by default, anything you post to Retail Zipline is private to your organization. That is, viewing the communications and files shared within a specific organization requires authentication as a member of that organization. Retail Zipline has a comprehensive Privacy Policy that lays out our approach to privacy. Please take a moment to read it.

If you are using Retail Zipline on a device or account issued to you by your employer or another organization, they will almost certainly have their own policies in place regarding storage, access, modification, deletion and retention of communications and content. Please check with your employer or organization administrator about what policies they have in place regarding your communications and related content.

We know how important these issues are to you. They are equally important to us. The security, privacy and confidentiality of your information are core to our success as a business and we will continue to be proactive, vigilant and diligent in ensuring its safety.

If you have additional questions regarding data privacy, security or confidentiality, we’d be happy to answer them. Please write to [email protected] and we’ll respond as quickly as we can.

If you believe you have found a security vulnerability on Retail Zipline, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. See our guidelines on Reporting Security Vulnerabilities.