At Drift, we put the Customer at the center of everything we do. The security of your data is a pillar of this philosophy. We take the privacy and security of your data very seriously and make significant efforts to protect all of your data. Our security program is designed to make security part of our software and company DNA.
Looking for something specific? Here are some reference pages:
For deeper analysis, please request a copy of our in-depth Security Questionnaire and our Information Security Policy from your Account Executive or CSM, which aligns to SOC 2.
Our security framework uses best practices in the SaaS industry to support our objectives:
Data and information integrity. We ensure that customer information is always secure at any moment, during transit and at rest.
Continuous defense. We maintain availability of our services by proactively minimizing any security risks through continuous penetration, vulnerability, and risk assessments.
Alignment with standards and best practices. Our security practices follow industry guidelines for cloud security.
Drift sits at the very top of your company’s engagement funnel with a purpose to collect lead data from your site visitors and drive sales. The data required to do this is minimal. Drift does not mine, store, or attempt to access any special or sensitive categories of personal data.
Drift collects the following data:
Your organization is in control of this data at all times, including how long we store your data and when we delete it.
The Drift application also has the ability to set user permissions to limit access to data export, billing, workflow edits, and other features.
You may choose to integrate Drift with your company’s systems to provide a seamless lead engagement experience. Whether you connect Drift to Salesforce (to pass along lead data) or Office 365 (to book meetings on behalf of your employees), access is based on OAuth2 and data scopes are limited to only the necessary information for Drift to perform its function.
Lastly, Drift employee access to your data is provided as necessary for customer support. Access to data is authorized by our Data Protection Officer based on the principle of least privilege and is regulated through our internal information security policies.
Whether data is being transferred or stored, all customer data is secured with the latest encryption algorithms and technologies.
At rest, all data lives within our Amazon Web Services (AWS) infrastructure located in US-EAST datacenters. Resting data is encrypted using AWS provided technologies, which use a symmetric AES-GCM encryption algorithm with 256 bit encryption keys. Encryption keys are stored separately from encrypted data using AWS’ Key Management System (KMS).
During transit, either externally or internally between Drift services, data is encrypted using TLS 1.2 with AES 256 bit encryption to ensure data protection at all times. Drift SSL certificates are issued through AWS, and when Drift sends data to third-party systems data is encrypted by leveraging the SSL certificates owned by our partners. Drift is certified under the EU/Swiss-U.S. Privacy Shield Framework and all our agreements with sub-processors require that data only be transferred pursuant to Privacy Shield Certifications or mutually executed Standard Contractual Clauses.
Removable storage or hard copies (such as printed records) are not used and are strictly prohibited by our Security Policies.
Drift is a SaaS platform that is 100% cloud-based in AWS. We do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. We use intrusion detection with a robust Security Information and Event Management (SIEM) system to immediately identify and respond to any threats, in coordination with 24/7 pagerduty service.
Customer data is stored in multi-tenant datastores and logically separated. Strict privacy controls exist in our application’s code to ensure data privacy and prevention of cross-customer data access. All data in our system are tagged by account and every request to our system requires account context, enforced by client-side JSON web tokens (JWT). Any attempt to tamper with an open session results in immediate log-out and rejection of all requests.
Security is a critical part of our software development lifecycle (SDLC) and our processes are built to emulate OWASP standards. Drift utilizes separated staging environments, manual code reviews, and automated static code analysis in order to verify code changes prior to deployment.
We have a continuous deployment model so our customers benefit immediately from resiliency improvements, bug fixes, and upgrades. Further, our development process enables immediate prioritization of critical updates and vulnerability remediations.
We take great care to make security a company-wide initiative. Our Data Protection Officer is directly responsible for our security program and governance process, employee training, and customer transparency. Background checks are a necessary step during the hiring of employees and contractors. Security is a topic in every quarterly planning process and we undergo annual company security training. Outside of our established review cadence, we engage in continuous assessment and iteration to meet the changing needs of our customers.
If you have further questions, please reach out to firstname.lastname@example.org and we can provide additional detail about the security of your data.