
Aimably Security Policies

Summary

Aimably's approach to application and data security adheres to two core principles: data minimalism and industry-normative policies.

Data minimalism, as it pertains to Aimably, is the practice of accessing, collecting and storing only the information required to perform the duties of our software and services. This practice is intended to reduce the impact of any security breach, due to the limited nature of the data available during a breach.

Industry-normative policies, as they pertain to Aimably, are the practice of following the already-high standards established by the software-as-a-service industry through legal and normative processes. This practice is intended to give our customers the peace of mind that security breaches are as unlikely to occur with Aimably as with any other business software already in use.

Below, we will describe all our policies in detail.

Data Minimalism Policy

Aimably's operational philosophy is to limit the number of personal data points collected through the regular use of Aimably. At this time, the following personally identifiable data points are collected:

The following high-risk personally identifiable information is never tracked or recorded in any of Aimably's internal systems, but is used for data processing by separately hosted third-party applications. The following personal data is only captured by the third-party application(s), which are independently subject to PCI attestation and auditing:

The following high-risk personally identifiable information will never be collected or used by Aimably software, Aimably employees or Aimably-affiliated third-party applications:

System and Organization Controls (SOC) Policy

In order to assure our customers and prospects of the effectiveness of our security policies and procedures, we annually request an independent audit of our company's operations following the AICPA SOC2 standard. We are proud of our results and are happy to share them with our clients. A copy of our SOC2 report is available upon request via the Help Center.

California Consumer Privacy Act (CCPA) Policy

In compliance with the CCPA, Aimably offers users the following privacy rights:

At this time, Aimably does not sell consumers’ personal information. In the event that Aimably adjusts this practice, the option to opt out of sale of personal information will be provided.

In order to exercise your rights under the CCPA, please submit a request at the Aimably Contact Us page.

*In compliance with CCPA, Aimably may reject a request to delete personal information whenever that information is required to maintain an ongoing business contract with the user’s employer.

EU General Data Protection Regulation (GDPR) Policy

In compliance with the GDPR, Aimably offers users the following privacy rights:

In order to exercise your rights under the GDPR, please submit a request at the Aimably Contact Us page.

*In compliance with GDPR, Aimably may reject a request to delete personal information whenever that information is required to maintain an ongoing business contract with the user’s employer.

Aimably shall, to the extent legally permitted, promptly notify Customer if Aimably receives a request from a Data Subject to exercise the Data Subject’s rights of access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, or objection to the Processing (each a “Data Subject Request”) without itself responding to such request. Taking into account the nature of the Processing, Aimably shall reasonably cooperate with Customer and Controllers in dealing with Data Subject Requests by appropriate technical and organizational measures, in so far as this is possible.

Security Policies

Aimably maintains an information security policy that is approved annually by management and published and communicated to all Aimably employees and relevant third parties. Aimably maintains a dedicated security function on behalf of all affiliated companies to design, maintain, and operate security within the organization. This function focuses on developing policy and procedures for system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment, and statements of applicability.

Other information security policies and statements, many of which are summarized below, include:

Systems Security

Aimably maintains appropriate systems security for the Aimably Service in accordance with commercially reasonable industry standards and practices designed to protect Customer Data from theft, unauthorized disclosure, and unauthorized access. Such systems security includes, among other things, the following practices and procedures with respect to the Service:

Vulnerability Management

Aimably maintains appropriate practices designed to protect Customer Data in the Aimably Service from system and application vulnerabilities, including:

Access Control

The networks, databases, software, and computer systems Aimably employs in performing the Aimably Service are protected by a username and password system that requires strong passwords meeting industry guidance for strong password construction and maintenance. Where appropriate, commands requiring additional privileges are securely logged (with time and date) to enable a complete audit trail of activities. Aimably promptly terminates all credentials and access to privileged user accounts of an Aimably employee upon termination of his or her employment.

Physical and Environmental Security

The hosting provider for the Aimably Service limits access to the relevant hosting facilities to employees and employee-accompanied visitors using commercially reasonable Internet-industry standard physical security methods. At a minimum, such methods include visitor sign-ins, restricted access key cards or locks for employees, limited access to server rooms and archival backups, and burglar/intrusion alarm systems. Access to all data centers requires multi-factor authentication which is limited to authorized personnel reviewed on a monthly basis.

Security Incident Management

Aimably maintains security incident management policies and procedures, including detailed security incident escalation procedures. Customer will be notified within seventy-two (72) hours of Aimably's discovery of a security breach of the Aimably Service that results in the unauthorized disclosure of Customer Data ("Security Breach"). In the event of a Security Breach, Aimably will promptly perform an investigation, take appropriate remedial measures, and provide the Customer with the name of a single security representative who can be reached with security questions or security concerns twenty-four (24) hours per day, seven (7) days per week, for the duration of its investigation.

Disaster Recovery

Aimably maintains a disaster recovery plan for its various hosting locations from which Aimably services are performed. Aimably will provide Customer with a copy of its then-current disaster recovery plan promptly following Customer's written request for same. Aimably will notify Customer regarding the occurrence of any disaster where the disaster recovery plan is invoked. If Aimably's disaster recovery plan is invoked, Aimably will (a) execute such plan and restore the Aimably Service to the Service Availability service level described in the Customer Agreement in accordance with the requirements of such plan, but no more than one (1) day after invoking such plan, subject to hardware availability, and (b) treat Customer with at least equal priority as any other customer of the Aimably Service.

Business Continuity

Aimably maintains a business continuity plan that is tested on an annual basis to assist in reacting to a disaster in a planned and tested manner. Aimably will provide a copy of its then-current business continuity plan promptly following Customer’s written request for same.

Contingency plans have been developed and implemented to ensure that business processes can be restored within identified timeframes. These plans are maintained and practiced so that they become an integral part of all other management processes.