Chrome Extension Site Access
The Chrome extension is essential to LeadIQ's time-saving value and email verification capability. But what websites does it actually have access to?
The LeadIQ extension has access to only two websites:
This site access is visible to the end user from Chrome's extension management page:
These sites are defined by LeadIQ, and there is no way for users to add sites to this list or grant the extension access to more than what is visible here. Any changes made by LeadIQ to the extension's site access would require removing and reinstalling the extension (i.e., re-agreeing to the terms) in order to take effect, and would not be released without prior notification to the end user. At present there are no plans to add more sites to LeadIQ's site access.
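A security reviewer can check a site-access claim like the one above against the extension's `manifest.json`. The following is an added example, not LeadIQ's code: the manifest is constructed sample data, and the allowlist passed to `auditSiteAccess` is an assumption (the `example.com` and `example.net` entries are placeholders).

```javascript
// Constructed sample manifest (NOT the real LeadIQ manifest).
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "tabs"],
  host_permissions: ["https://*.linkedin.com/*", "https://app.example.com/*"],
  content_scripts: [
    { matches: ["https://www.linkedin.com/*"], js: ["content.js"] },
    { matches: ["https://*.example.net/*"], js: ["other.js"] }
  ]
};

// Host part of a match pattern <scheme>://<host>/<path>.
// "*" for <all_urls>; null for API permissions such as "storage".
function hostOf(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

// Allowed when the host is an allowlisted domain or one of its subdomains.
// A bare wildcard host is never allowed.
function hostAllowed(host, allowedDomains) {
  if (host === "*") return false;
  const bare = host.replace(/^\*\./, "");
  return allowedDomains.some(d => bare === d || bare.endsWith("." + d));
}

// Returns every host pattern in the manifest that falls outside the allowlist.
function auditSiteAccess(manifest, allowedDomains) {
  const sources = {
    permissions: manifest.permissions || [],                  // MV2 hosts live here
    optional_permissions: manifest.optional_permissions || [],
    host_permissions: manifest.host_permissions || [],        // MV3
    optional_host_permissions: manifest.optional_host_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap(c => c.matches || [])
  };
  const findings = [];
  for (const [source, patterns] of Object.entries(sources)) {
    for (const pattern of patterns) {
      const host = hostOf(pattern);
      if (host === null) continue; // not a host pattern
      if (!hostAllowed(host, allowedDomains)) findings.push({ source, pattern });
    }
  }
  return findings;
}

console.log(auditSiteAccess(sampleManifest, ["linkedin.com", "example.com"]));
```

An empty result means every declared host pattern falls under the expected domains; optional permissions are included because they can be granted later at runtime.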
When a user opens the LeadIQ extension and performs a search on linkedin.com, the extension will automatically read the page and load up the results of that search in the left-hand panel:
The capability to automatically load search results from LinkedIn saves users the time of manually typing First Name, Last Name, and Company into our software in order to query for contact information. The active step for the user is to click the "capture" or "+" button on the people for whom they would like to obtain contact data. Upon capturing with the extension, LeadIQ will use the First Name, Last Name, and Company as its inputs to perform a query against our own database and those of our data partners in order to return the requested contact data. This is also where LeadIQ's email verification step takes place, checking mail servers in real time to help determine the accuracy of the emails we provide.
The use of LinkedIn as a starting point is also an important part of ensuring the quality of data we provide. Since the inputs of name and company that we use for our search are coming from LinkedIn, they are very likely to be accurate since most people keep their LinkedIn profile up to date. If a person moves to a new company or role, they will likely update their LinkedIn profile, and that new company will now be part of the input that LeadIQ uses for its search. The app will then take that information and conduct a fresh search to get the most up-to-date information and ensure the hygiene of the data entering your environment.
Importantly, the information being gathered from LinkedIn itself amounts to only that which can be seen from the list view of a search (Name, Title, Company, and Geography), as seen in the screenshot above. This is information that LinkedIn users have indicated as public information and that is how it's indexed by Google search engines. LeadIQ does not dig "under the hood" of LinkedIn, nor do the emails or phone numbers we provide come from LinkedIn. That information is obtained from our database, data partners, and email verifying algorithm.
Data Storage and General Security Measures
LeadIQ maintains a robust security program which is SOC2 certified and undergoes annual penetration testing by Bishop Fox. The following outlines at a high level the general measures that are in effect, and contains links to specific policy documents containing more detail.
Storage and Encryption
The customer data that LeadIQ stores includes a small amount of metadata in order to load your Salesforce layout. The data that we have provided you as part of our service (prospect data obtained using our Chrome extension or other in-app functionality) is also stored in this way.
LeadIQ uses AWS resources to store and encrypt sensitive data. To keep data encrypted at rest, LeadIQ ensures that all new and existing resources use Amazon server-side encryption. By default, AWS encryption uses AWS-owned or AWS-managed keys stored in KMS or S3. Amazon server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt LeadIQ data. LeadIQ engineers are required to ensure that Amazon resources are correctly configured to use AWS server-side encryption in a secure manner following Amazon recommendations. Data in transit is encrypted via TLS v1.2. Further documentation on the encryption used by LeadIQ can be found here:
Cryptography Policy: https://www.dropbox.com/s/h0xvqzvhu4uuby7/Cryptography%20Policy.pdf?dl=0
Antivirus and Firewall
LeadIQ utilizes antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software. Firewalls are also implemented to ensure that all outbound traffic to customer systems is restricted to only what is necessary to ensure the proper functioning of the services.
Additionally, our data center locations are physically protected from unauthorized access, damage, theft and interference, with appropriate environmental and perimeter controls.
Backups, Disaster Recovery, and Business Continuity
LeadIQ creates full, daily database backups for all data stored in AWS. Backups are periodically tested by the LeadIQ engineering team. Business Continuity and Disaster Recovery plans are in effect to ensure continuity of service and preservation of customer data in the event of a natural disaster or other such event. In general these plans consist of phases from Notification, in which the damage is detected and assessed; to Recovery of the application or business operations at an alternate site; to Post Mortem or thorough investigation of the cause and future prevention of the incident.
LeadIQ also maintains an Incident Response Plan outlining the steps to be taken to assess the severity and execute the remediation of a security incident. For more information please see our policy documents here:
Backup Policy: https://www.dropbox.com/s/lji5p0djpsqw62b/Backup%20Policy.pdf?dl=0
Business Continuity Policy: https://www.dropbox.com/s/ybxgnx0ar2mouix/Business%20Continuity%20Plan.pdf?dl=0
Disaster Recovery Policy: https://www.dropbox.com/s/4wcrafp0x0won2v/Disaster%20Recovery%20Plan.pdf?dl=0
Incident Response Plan: https://www.dropbox.com/s/kx06cnd7b178l6b/Incident%20Response%20Plan.pdf?dl=0
Managing Vulnerability and Risk
With respect to the handling of personal data, LeadIQ maintains mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities and apply security fixes and patches in a timely manner. LeadIQ performs internal vulnerability scanning and package monitoring on a constant basis. Systems used for these purposes include AWS Inspector, AWS GuardDuty, and SonarQube.
LeadIQ is proactive in its approach to risk management, balancing the cost of managing risk with anticipated benefits, and undertakes contingency planning in the event that critical risks are realized. LeadIQ’s risk assessment methodology is based on NIST Special Publication 800-30 Revision 1 - Guide for Conducting Risk Assessments (https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf). LeadIQ also maintains appropriate system access controls to ensure that access to personal data is limited to those employees, contractors, and agents who have a need to know or need to access that personal data to enable LeadIQ to perform its obligations under the MSA.
The relevant policy documentation can be found here:
Vulnerability Management Policy: https://www.dropbox.com/s/kf9onuli31f7s14/Vulnerability%20Management%20Policy.pdf?dl=0
Change Management Policy: https://www.dropbox.com/s/4y2k33xxlx12tua/Change%20Management%20Policy.pdf?dl=0
Risk Management Policy: https://www.dropbox.com/s/n4ts63nxjwxwgbz/Risk%20Management%20Policy.pdf?dl=0
Data Classification Policy: https://www.dropbox.com/s/vhxxrcpy3zhpqa7/Data%20Classication%20Policy.pdf?dl=0
Data Protection Policy: https://www.dropbox.com/s/e70qb363nnqj29g/Data%20Protection%20Policy.pdf?dl=0
Password Policy: https://www.dropbox.com/s/sah7jeixmpn7l7m/Password%20Policy.pdf?dl=0
Access Control Policy: https://www.dropbox.com/s/qs1iffhua01n5qd/Access%20Control%20Policy.pdf?dl=0