The Impact Target

Data Protection & Security

Your data security and privacy are our top priorities. We implement enterprise-grade security controls and maintain transparent practices.

AES-256-GCM Encryption

All sensitive data encrypted with industry-leading authenticated encryption before storage.

SOC 2 Type II

Pursuing certification (target: Q3-Q4 2026). Following SOC 2 controls during preparation.

GDPR & CCPA Compliant

Fully compliant with EU and California privacy regulations. Data subject rights implemented.

Security Overview

The Impact Target is a team performance analytics platform with AI-powered insights for organizational development. We implement a privacy-first, defense-in-depth security architecture designed to protect your data at every layer.

Our Security Principles

  • Privacy by Design: Anonymous survey responses with no individual attribution
  • Defense in Depth: Multi-layered security controls across authentication, encryption, and access
  • Encryption First: All PII encrypted before storage using AES-256-GCM
  • Continuous Monitoring: 24/7 security monitoring with audit logging
  • Transparent Practices: Open communication about security and data handling

Security Architecture

Four-Layer Authentication: Our authentication system implements defense-in-depth with middleware checks, protected layouts, page-level validation, and API route verification. We never trust client-provided headers and always validate sessions server-side.

Anonymous Survey Architecture: Survey responses use cryptographically secure tokens instead of user IDs. Responses cannot be traced back to individuals, ensuring genuine anonymous feedback.

Compliance & Certifications

SOC 2 Type II

In Progress

We are actively pursuing SOC 2 Type II certification with a target completion date of Q3-Q4 2026. We are currently implementing all required controls and following SOC 2 security practices.

Status: Control implementation phase

Target: Q3-Q4 2026

Auditor: To be engaged in 2026

GDPR Compliant

Active

Fully compliant with the EU General Data Protection Regulation. All data subject rights implemented including access, erasure, portability, and rectification.

Data Location: Multi-region including EU

DPO: [email protected]

Rights: Access, erasure, portability

CCPA Compliant

Active

Compliant with the California Consumer Privacy Act. We do not sell personal information. California residents have full access to data subject rights.

Data Sale: We do not sell personal data

Rights: Access, deletion, opt-out

Response: Within 45 days

ISO 27001

Planned

We plan to pursue ISO 27001 certification following SOC 2 completion. ISO 27001 is an international standard for information security management systems.

Timeline: Post-SOC 2 (2027)

Scope: Information security management

Status: Roadmap planning

Security Frameworks We Follow

Even without formal certification, we implement controls from leading security frameworks:

  • SOC 2 Trust Services Criteria: Security, availability, confidentiality, privacy, processing integrity
  • OWASP Secure Coding Practices: Input validation, authentication, session management, cryptography
  • NIST Cybersecurity Framework: Identify, protect, detect, respond, recover

Encryption & Data Security

Application-Level Encryption

All personally identifiable information (PII) is encrypted at the application level before being stored in the database. This means the database only ever sees encrypted ciphertext—never plaintext sensitive data.

Encryption at Rest

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key Derivation: PBKDF2 with 100,000 iterations
  • Authentication: 128-bit authentication tags prevent tampering
  • Key Management: Master keys stored in Doppler (secrets management)
  • Key Rotation: Zero-downtime key rotation supported

Encryption in Transit

  • HTTPS: TLS 1.2+ for all connections
  • HSTS: HTTP Strict Transport Security enabled (2-year max-age)
  • Database Connections: TLS-encrypted connections required
  • API Integrations: All third-party services use TLS 1.2+
  • Certificate Management: Automatic provisioning and renewal

What Data We Encrypt

Personal Information

  • User names
  • Email addresses (encrypted + hashed)
  • Account information

Team & Company Data

  • Team names
  • Team leader information
  • Company names and websites

Survey Responses

  • Qualitative comments
  • Free-text feedback
  • Response metadata

System Data

  • Audit logs
  • Session data
  • Authentication tokens

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud services with multi-region deployment:

  • Database: CockroachDB Serverless (SOC 2 certified) with automatic multi-region replication
  • Application Hosting: Vercel edge runtime with global CDN
  • Geographic Distribution: Multi-region including EU data centers
  • Backup & Recovery: Automated daily backups with 30-day retention

Privacy Architecture

Privacy is built into the core architecture of our platform, not added as an afterthought. We implement privacy-by-design principles to ensure user data is protected by default.

Anonymous Survey System

True Anonymity: Survey responses use cryptographically secure 64-character tokens instead of user IDs. There is no way to trace responses back to individuals—by design, not by policy.

How it works:

  1. Team leader creates assessment and invites members
  2. Each member receives a unique anonymous token
  3. Members respond using token (no login required)
  4. Responses stored linked to token, not user identity
  5. Team leader sees aggregate results, not individual responses

Data Minimization Practices

  • Email Hashing: Email addresses stored as SHA-256 hashes for lookups; actual emails encrypted separately
  • Optional Fields: Survey comments and company website are optional—users provide only necessary data
  • Minimal Tracking: No cross-site tracking, no IP address logging, limited analytics
  • Results Release Control: Team leaders control when results are shared—immediate, scheduled, or manual release
  • Payment Data: We never store payment information—handled entirely by Stripe (PCI DSS Level 1 certified)

Data Retention Policy

Standard Retention: We retain data for 7 years after account closure or assessment completion for compliance and audit purposes.

Active Data:

  • User accounts: Duration of use + 7 years
  • Survey responses: Duration of use + 7 years
  • Audit logs: 7 years (compliance)

Short-Term Data:

  • Rate limit logs: 24 hours
  • Email event logs: 24 hours
  • Session data: 1-24 hours

Early Deletion: Users can request immediate deletion via GDPR right to erasure at any time.

Access Controls

We implement strict access controls to ensure only authorized individuals can access data:

  • Four-Layer Authentication: Middleware, layout, page, and API route validation
  • Role-Based Access Control: User, admin, and owner roles with granular permissions
  • Row-Level Security: Users can only access their own data and teams
  • API Security: CSRF protection on all state-changing operations

Third-Party Services & Subprocessors

We carefully select third-party services that meet our security standards and hold relevant compliance certifications. Below is a complete list of subprocessors with whom we share customer data.

  • Auth0: Authentication & identity management. Data processed: user credentials, profile info, session data. Location: Global. Certifications: SOC 2, ISO 27001, GDPR
  • Stripe: Payment processing & subscription billing. Data processed: payment info, billing data (tokenized). Location: Global. Certifications: PCI DSS Level 1, GDPR
  • Resend: Transactional email delivery. Data processed: recipient emails, delivery status. Location: Global. Certifications: GDPR
  • CockroachDB: Primary database hosting. Data processed: all application data (encrypted). Location: Multi-region (US, EU). Certifications: SOC 2, GDPR
  • Doppler: Secrets & environment variable management. Data processed: API keys, encryption keys, config. Location: US. Certifications: SOC 2
  • Umami: Privacy-focused website analytics. Data processed: anonymous usage data (no PII). Location: Self-hosted/Cloud. Certifications: GDPR

Note: We do not sell, rent, or share your personal information with third parties for their marketing purposes. All subprocessors are bound by data processing agreements and are required to maintain the same level of data protection as we do.

Subprocessor Updates: We will notify customers at least 30 days in advance of any changes to our subprocessor list.

Your Data Rights

Under GDPR and CCPA, you have comprehensive rights over your personal data. We make it easy to exercise these rights through our platform and APIs.

Right to Access

You can request a complete copy of your personal data at any time. Data is provided in JSON format for portability.

How to request: Email [email protected] or use the data export feature in your account settings.

Right to Erasure (Right to be Forgotten)

You can request deletion of your account and all associated data. Deletion is permanent and irreversible.

How to request: Email [email protected] or use the account deletion feature in your account settings.

Right to Rectification

You can update or correct your personal information at any time through your account settings.

How to update: Log in to your account and edit your profile, or email [email protected] for assistance.

Right to Data Portability

You can export your data in a structured, machine-readable format (JSON) to transfer to another service.

How to export: Use the data export API or email [email protected].

Response Timeline

  • GDPR Requests: We respond within 30 days of receiving your request (1 month)
  • CCPA Requests: We respond within 45 days of receiving your request
  • Complex Requests: May require up to 90 days; we will notify you if additional time is needed

How to Exercise Your Rights

To exercise any of your data rights, please contact our privacy team:

Incident Response & Security Monitoring

Security Monitoring

We maintain 24/7 security monitoring with comprehensive audit logging across all system components:

  • Audit Logging: All encryption operations, authentication events, and data access logged
  • Rate Limiting: Protection against brute force and abuse attacks
  • Security Alerts: Real-time alerts for suspicious activity and security events
  • Log Retention: Security logs retained for 7 years for compliance and forensic analysis

Incident Response

In the event of a security incident, we follow a structured response process:

  1. Detection: Automated monitoring identifies potential incidents
  2. Containment: Immediate action to limit impact and prevent spread
  3. Investigation: Root cause analysis and impact assessment
  4. Communication: Customer notification and transparency reporting

Data Breach Notification

In the unlikely event of a data breach affecting personal information:

  • GDPR Compliance: We notify relevant authorities within 72 hours as required
  • Customer Notification: Affected customers notified via email without undue delay
  • Transparency: Public disclosure of incidents with details of impact and remediation

Vulnerability Disclosure

We welcome security researchers to report vulnerabilities responsibly:

How to Report:

  • Email: [email protected]
  • Subject: "Security Vulnerability Report"
  • Include: Description, steps to reproduce, potential impact

Response Timeline: Initial response within 48 hours, status updates within 7 days, resolution target of 90 days for critical issues.

Continuous Security Improvement

Security is not a one-time achievement but a continuous process. We invest in ongoing security improvements and regular testing.

Regular Security Reviews

  • Internal security audits quarterly
  • Code security reviews on every pull request
  • Automated security scanning on every commit
  • Dependency vulnerability scanning

Testing & Validation

  • Comprehensive security test suite
  • CSRF and authentication testing
  • Encryption validation tests
  • External penetration testing (planned)

Team Training

  • Security best practices training
  • OWASP Top 10 awareness
  • Threat modeling for new features
  • Incident response drills

Security Roadmap

Our ongoing security initiatives include:

  • 2026: SOC 2 Type II certification completion
  • 2026: External penetration testing program
  • 2027: ISO 27001 certification
  • 2027: Public bug bounty program launch

Questions About Security?

Our privacy and security team is here to help. We're committed to transparency and are happy to answer any questions.

Privacy & Data Protection

For data subject rights requests, privacy inquiries, and GDPR/CCPA questions.

[email protected]

Security Vulnerabilities

For responsible disclosure of security vulnerabilities and security-related concerns.

[email protected]

Response Times: Security vulnerabilities within 48 hours • Data subject requests within 30 days (GDPR) or 45 days (CCPA)

Last updated: November 6, 2025 • Version 1.0