Last updated: November 28, 2022
CorralData Inc. (“us”, “we”, “our” or “company”) has adopted in full an industry standard Data Processing Agreement (DPA) from oneDPA.
The oneDPA contract was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively to not only ensure it meets legal requirements, but also to make it balanced, fair and easy to understand.
This page will outline the specific stipulations of CorralData Inc.’s DPA as a processor to our customers.
Processor (Company) to Controller (Customer).
The customer will act as the Controller (as defined in Section 1 of the Terms).
CorralData Inc. will act as the Processor (as defined in Section 1 of the Terms).
Our DPA will commence on the final date of signature and will continue for 30 days after the end of the Main Agreement.
Without undue delay after becoming aware of a personal data breach.
30 days before the new sub-processor is granted access to Personal Data.
Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement.
As per the Main Agreement.
All laws, regulations and court orders which apply to the processing of Personal Data, including in the United States of America (USA).
This includes the:
… each as amended from time to time.
The provision of a data analysis tool and ongoing support services provided by Company to Business.
For the Term of the DPA.
Personal data processing activities include the ingestion, storage and management of Personal Data, in instances when hashed or aggregated data use is not possible, for Company to provide its services as described in the Main Agreement.
The types of personal data processed are customer email addresses, shipping, billing address, and other personal data which may be provided and are dependent on the platforms integrated by Company and data within those platforms.
The individuals whose Personal Data will be processed are Customer’s Customers and Prospects.
Not applicable.
Technical and organisational measures to ensure the security of Personal Data.
i) Preventing Unauthorized Product Access
Outsourced processing: We host our Service on Amazon Web Services (AWS). Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure on AWS. We do not own or maintain hardware located at AWS data centers. Production servers and client-facing applications are logically and physically segregated from our internal corporate information systems and from each other. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We enforce a uniform password policy across our customer products. In addition, Customers who have access to PII data within their CorralData interface are required to use Microsoft or Google Sign-in with two-factor authentication to view any PII data.
Authorization: Customer Data is stored in storage systems that Customers can reach only through the application, as an authenticated application user; Customers are not given direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to a data set is performed by validating the user's permissions against the attributes associated with that data set.
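The two rules above (a reader's permissions must match the attributes on a data set, and PII data is only shown to users who signed in through Google or Microsoft with a second factor) can be combined into a single deny-by-default check. The following is an added illustration, not CorralData's code; the attribute names, permission strings, session fields and identity-provider labels are assumptions made for the example.

```python
"""Attribute-based data-set authorization with a step-up rule for PII.

Added example, not CorralData's implementation. Attribute names such as
"tenant:acme", the "pii:read" permission, the Session/DataSet fields and the
IdP labels are all assumed for illustration.
"""
from dataclasses import dataclass

# Identity providers whose sign-in (with a completed second factor) satisfies
# the PII rule. Labels are assumed for this example.
FEDERATED_IDPS = frozenset({"google", "microsoft"})
PII_PERMISSION = "pii:read"


@dataclass(frozen=True)
class Session:
    """Authenticated user session (field names are assumed for the example)."""
    user: str
    idp: str                    # "password", "google" or "microsoft"
    mfa: bool                   # True if a second factor was completed at sign-in
    permissions: frozenset      # attribute-style permissions, e.g. {"tenant:acme"}


@dataclass(frozen=True)
class DataSet:
    """A stored data set tagged with the attributes a reader must hold."""
    name: str
    attributes: frozenset       # every attribute here must be in the reader's permissions
    contains_pii: bool = False  # e.g. email, shipping or billing address columns


class Denied(Exception):
    """Raised with a reason string when a read is refused."""


def authorize_read(session: Session, dataset: DataSet) -> bool:
    """Allow a read only if both rules hold; raise Denied otherwise.

    Rule 1 (attribute match, deny by default): every attribute on the data
    set must appear in the session's permissions.
    Rule 2 (PII step-up): a PII data set additionally needs the explicit
    PII permission and a Google/Microsoft sign-in that completed MFA.
    """
    missing = dataset.attributes - session.permissions
    if missing:
        raise Denied(f"{session.user}: missing {sorted(missing)} for {dataset.name}")
    if dataset.contains_pii:
        if PII_PERMISSION not in session.permissions:
            raise Denied(f"{session.user}: no {PII_PERMISSION} for {dataset.name}")
        if session.idp not in FEDERATED_IDPS or not session.mfa:
            raise Denied(f"{session.user}: PII requires federated sign-in with MFA")
    return True


def can_read(session: Session, dataset: DataSet) -> bool:
    """Boolean form of authorize_read, for building views and lists."""
    try:
        return authorize_read(session, dataset)
    except Denied:
        return False


def readable(session: Session, datasets) -> list:
    """Names of the data sets this session may read, in catalog order."""
    return [ds.name for ds in datasets if can_read(session, ds)]


# Constructed sample data so the example runs stand-alone.
ORDERS = DataSet("orders_summary", frozenset({"tenant:acme", "source:shopify"}))
CUSTOMERS = DataSet("customers", frozenset({"tenant:acme", "source:shopify"}),
                    contains_pii=True)
OTHER_TENANT = DataSet("rivalco_orders", frozenset({"tenant:rivalco"}))
CATALOG = [ORDERS, CUSTOMERS, OTHER_TENANT]

ACME_PERMS = frozenset({"tenant:acme", "source:shopify", PII_PERMISSION})
# Same user and permissions, different sign-in method: only the federated
# session with MFA may open the PII data set.
ANALYST_PASSWORD = Session("ana", "password", False, ACME_PERMS)
ANALYST_SSO_MFA = Session("ana", "google", True, ACME_PERMS)
ANALYST_SSO_NO_MFA = Session("ana", "microsoft", False, ACME_PERMS)

if __name__ == "__main__":
    print(readable(ANALYST_PASSWORD, CATALOG))   # ['orders_summary']
    print(readable(ANALYST_SSO_MFA, CATALOG))    # ['orders_summary', 'customers']
    print(readable(ANALYST_SSO_NO_MFA, CATALOG)) # ['orders_summary']
```

The check is deny-by-default in both directions: a data set from another tenant is refused even to a user with the PII permission, and the PII step-up is enforced per data set rather than per login, so a non-PII report stays readable on a password session while the PII view does not.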
ii) Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Penetration testing: We maintain relationships with industry recognized penetration testing service providers for our penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Penetration tests are performed against the application layers and infrastructure layers of the CorralData technology stack.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just-in-time access” (JITA) requests; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Administrative or high risk access permissions are reviewed at least once every six months.
Background checks: Where permitted by applicable law, CorralData employees undergo a third-party background or reference check. In the United States, employment offers are contingent upon the results of a third-party background check. All CorralData employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
In-transit: We require HTTPS (TLS, the successor to SSL) on all login interfaces and, at no additional cost, on every customer site hosted on the CorralData products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: User passwords are stored following industry standard practices. For Customers that have access to PII data, no passwords are stored, since we rely on Google or Microsoft sign-in with two-factor authentication. We have implemented technologies to ensure that stored data is encrypted at rest.
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by our team, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes. Our platform is designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Current sub-processors.
CorralData uses services of certain vendors for processing of customer data while providing services to its customers (“sub-processors”). Prior to engaging any third party sub-processor, CorralData thoroughly analyzes and evaluates the impact of such engagement on privacy aspects in the context of processing within CorralData products.
Current list of Company sub-processors providing services which might impact CorralData’s customers may be found here: https://corraldata.com/sub-processors/