Security and data privacy
Fantastyc is committed to the security of the data you process with us. To that end, we have created our systems from the ground up based on security and data protection best practices:
- We do not store the data that you load using our data integrations. At no time does your data ever enter a backup.
- We cache data for the time required for us to serve you in an efficient manner. In almost all cases, data remains in short-lived encrypted caches.
- While your data is on our systems or traveling between the data source and us or from us to you, the data is always strongly encrypted.
Contact firstname.lastname@example.org if you have any questions or comments.
Retention of customer processed data
All customer processed data exists as cached data in our systems. All caches are regularly invalidated with the timeline dictated by the design of the data source. In some cases caches may exist only for a few minutes and in some very rare cases, where we will tell you and obtain further consent, the caches may exist longer. Because we only ever cache the data, none of your processed data is ever stored to a backup. You can always fetch fresh data directly from the data source if the caches have been removed.
We do retain your customer access tokens in order to be able to fetch data at your request or on your schedules. These credentials are stored securely in encrypted form. We may also retain data such as custom field metadata or account names and information where that data is required for the functionality of the data source integration.
Website, account management, and purchases
All connections to any of our services, our web portal, our account management system, and any purchases you make are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).
Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).
Connections to customers’ data source APIs and systems as well as connections from Fantastyc to data destinations such as Google Sheets, Microsoft Excel, or data warehouses are SSL encrypted by default.
Where we need to connect to a customer’s own database, such connections are also strongly encrypted at the customer’s choice.
Data source permissions
Fantastyc requires customers to give access to read the data from data sources such as Facebook Ads API. Where possible, we will make use of OAuth access tokens. By this mechanism, the customer grants access to the data through the data source service and we receive a token by which we access and retrieve the data. You will be able to revoke the tokens both from Fantastyc login management and from the data source services themselves.
Fantastyc only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions through our tools such as Fantastyc for Google Sheets or any automated scheduling that you have set up through Fantastyc. Where a data source gives us more than read-only access due to the nature of the data source, Fantastyc will never make use of those permissions.
We treat your tokens like passwords: they are strongly encrypted and never shared or logged.
Data destination permissions
Fantastyc will require various permissions based on the tools that you will use. We request the least amount of permissions that we need in order to provide you the service. Should the default permissions granted be more than we need, we will never make use of those permissions.
We follow industry best practices, including the use of hardened and customized server images, bastion hosts, different types of firewalls, and multi-factor authentication. As a “data privacy first” organization, we follow regular standards on enforcing least privilege and on monitoring and reviewing our IAM (identity and access management) policies and security roles.
Physical and environmental safeguards
Fantastyc uses leading cloud providers to process your data. Google Cloud Platform, Amazon Web Services, and Digital Ocean are our providers of choice, and all three organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO27001.
Documents and certifications can be obtained directly from Google, Amazon and Digital Ocean respectively.
Fantastyc requires that all employees comply with security policies designed to keep any and all customer information safe and to address multiple security compliance standards, rules, and regulations. We ensure that all employees are trained on our security policies immediately, and that training is conducted at least annually thereafter.
Two-factor authentication, VPNs, and strong password controls are required for administrative access to systems. All such policies are reviewed on a regular basis. Fantastyc has various change management and peer review practices in place within our software development life cycle to ensure best practices are followed.