Last Updated: July 9, 2019
Overview
Zingtree data consists of two parts: the decision trees that our customers (authors) build, and any data collected from end-users' use of those trees.
GDPR
Zingtree is fully compliant with the European General Data Protection Regulation. See our GDPR page here for details.
Penetration Tested
Zingtree undergoes regular penetration tests. A copy of the latest test results will be provided upon request.
DDoS Prevention and CDN
Zingtree uses Cloudflare as a proxy for all web traffic. This gives you protection in case Zingtree is the subject of a DDoS attack, and also increases the performance of the web site and your trees by taking advantage of Cloudflare's optimization and CDN capabilities.
Data Custodian
Zingtree's CTO will serve as the primary data custodian.
Data Sensitivity
We treat all customer data as equally sensitive.
Data Flow and Transmission
Decision trees are built using the author's browser. Zingtree sessions default to HTTPS, so there is no chance of a man-in-the-middle attack gaining access to the tree data.
For end-user use, trees can be deployed over HTTPS. Session history data is also sent to Zingtree's servers over HTTPS via an AJAX call from an end-user's browser.
Data Storage
Both decision trees and session history data are stored in a database server. Our infrastructure uses Amazon RDS, with a MySQL database.
Data Access
Decision tree authors access trees by logging in to https://zingtree.com. Authors can also gain access to reports and session data via this login.
End-users may access trees via a secret URL, or an iFrame embedded on a web page in a customer's intranet or web site. In addition, end-users may be restricted by IP address filtering using CIDR notation.
Data Backup and Disaster Recovery
For tree authors, Zingtree has a Snapshots tool, which archives every change made by tree authors, and makes it easy to restore a decision tree to a previous state, or compare versions. Paying customers can also export decision trees to a CSV or JSON format, and use Zingtree's reports or APIs to extract customer session transcripts and data collection.
At the server infrastructure level, our Amazon RDS system, which stores decision trees and usage data, automatically includes daily and weekly backups, with multi-site storage. These can be restored within a few hours of any disaster. Read Amazon's white paper detailing their Disaster Recovery plan.
Data Retention (Archiving)
You can set a custom Data Retention Policy via Account, Organizations and Billing, under the Data Retention tab. Non-paying accounts will have session records deleted after 6 months. Individual sessions may also be deleted by any authorized author.