This policy is designed to cover the most frequently asked security questions in a concise format. Secondly, this policy can help you determine whether Rejoiner meets your organization's security requirements. The goal of our policy is to protect all individuals using our platform, including subscribers and end customers, from data theft and other security threats that may undermine their right to privacy.

Our Security Planning and Response Team

Since we are a small company, the responsibilities of maintaining our security requirements are shared by all members of our team. Biannually, our team meets to perform a security risk assessment of our platform and determine areas where we need to proactively secure our application. Minutes of these meetings are accessible internally. If you have any concerns or information you would like to pass on to our security team, please use the contact form here.

Platform and Infrastructure Hosting

Our marketing automation platform is hosted by third-party cloud providers, specifically IBM Softlayer (Softlayer) and Amazon Web Services (AWS). Softlayer and AWS are responsible for all necessary infrastructure related to our private cloud, but are not responsible for our local private network or our system configuration.

Physical access to AWS and Softlayer data centers is strictly restricted, and both providers hold many third-party certifications, including PCI and ISO 27001 compliance. For more information about Softlayer and the security of their platform, please access their security page here. For more information about AWS and the security of their platform, please access their security page here.

Data Collection, Retention, and Usage

We collect and store data from two kinds of entities: clients, i.e. users of the Rejoiner platform, and customers, i.e. end users shopping on clients' eCommerce websites. Clients of the Rejoiner platform have access to our metrics and configuration dashboard.

This dashboard stores the following data:

  • Email
  • Password (salted hash)
  • Email templates
  • Images and logos
  • Campaign performance reporting
  • Subscriber data and lists

Our APIs collect the following information from customers:

  • Browsing activity
  • Time on page
  • Page view frequency
  • First and last name
  • Birthdate
  • IP address
  • eCommerce events, i.e. add to cart, remove from cart, purchase
  • Purchase data, i.e. transactional total, purchased items, promotion usage
  • Email engagement, i.e. opens, clicks

Data collected via our dashboard and API endpoints is stored in perpetuity on encrypted hard drives. This includes backups of our database. We retain data even when a client cancels their account and unsubscribes from our service. All data, whether generated by the client or the end user, is considered confidential, private, and proprietary. We do not share our data with third-party services or anyone outside of the Rejoiner team. Internally, we use data for analytics purposes and for improving the quality of our platform.

Payment Processing

Rejoiner does not store any payment processing information. All payment processing is handled by a third-party entity, Stripe. Stripe supports all industry standards around payment processing, including PCI. For information about security standards at Stripe, please click here.

Server Administration

We are passionate about both Debian and Ubuntu, and all of our servers run the latest version of the respective OS. Security updates are applied as soon as they are made available. SSL vulnerabilities are patched immediately when announced via a CVE. Various security channels are monitored for any vulnerability that may affect our users. Access to our servers is restricted by firewall rules and SSH certificates. Updates and system configuration are managed by Puppet and Ansible, both widely used configuration management tools.

Access Control to Internal Systems

All engineers, administrators, and third-party contractors have unique credentials for accessing our systems. This includes login credentials for Rejoiner servers, network devices, third-party applications, and the platform itself. When a person leaves the company, these accounts are removed, blocking any further access to the above systems.

External and Internal Networking

All of our public-facing endpoints require customers to use SSL/TLS encryption. This includes access to our dashboard and API. Communication between servers and internal applications is channelled via private subnets, inaccessible to anyone except administrators. Third-party web services and APIs leveraged by the Rejoiner platform communicate over SSL/TLS channels.

We do not use or support plain (unencrypted) HTTP web services under any circumstances. In addition, our external and internal networks are monitored by an IDS/IPS system which logs and blocks suspicious network activity. We review these reports and logs to ensure that our network has not been compromised.

Security Alerts and Notifications

In the event of a security breach where we believe your information may have been compromised, we will notify you personally via email with an explanation of the breach along with our strategy for mitigating the threat. All other security notifications, including important information about recent system updates, SSL vulnerability patching, or general security information of interest, will be broadcast through our dashboard messaging system.