Security
The privacy, confidentiality, and security of all customer data is of the highest priority at Windfall. We are committed to maintaining a safe platform for our customers and business partners and have taken extensive measures to safeguard data at every point.
Transmission of data
Windfall requires the secure transmission of customer data to and from our application and/or network; we work with customers to discourage transmission that is otherwise not secure. This is accomplished through a combination of Transport Layer Security (TLS/HTTPS) protocols, Secure File Transfer Protocol (SFTP), SSL certificates, and data encryption. Upon receipt, source files are logically separated and isolated from other customers.
Data storage and security
All customer data (source file and application) are stored in certified data centers in the U.S. that are managed through our cloud hosting provider. All data centers are monitored 24/7 by high-resolution interior and exterior cameras. Windfall uses server side encryption and uses best-in-class Advanced Encryption Standard (AES) 256-bit symmetric keys.
Data backup and recovery
Windfall maintains an updated disaster recovery plan. All production database servers are backed up regularly - with full weekly, and daily incremental backups occurring. Our data is replicated and distributed through our secure cloud hosting provider that enables Windfall to easily recover any lost data.
Application security
Windfall follows industry best practices for software development. Our development standards are in line with such groups as the Open Web Application Security Project (OWASP). Application code is frequently backed up and rigorously tested prior to releasing it to customers. In addition, Windfall employs industry-standard password controls (length and complexity). The web interface is accessible to contracted customers only, via always-on HTTPS.
Systems monitoring
Windfall will use a variety of approaches and technologies to make sure that risks and incidents are appropriately detected, assessed and mitigated on an ongoing basis. We will also assess on an ongoing basis whether controls are effective and performing as intended, including intrusion monitoring and data loss prevention.
Safe handling of data
All employees with access to customer data must pass thorough background screening and sign industry standard non-disclosure and PIIA agreements. Windfall employees are required to be aware of and work to protect the confidentiality, privacy, and security of customer data. The number of employees with access to customer data is kept to a minimum necessary to deliver Windfall products.
Usage of data
All data provided to Windfall is used to match and ultimately deliver Windfall’s services. Customer data may be used for validation of Windfall’s core dataset. Windfall will only share this data internally as inputs for matching and will not repurpose any data for output to other customers. For more details, see below under “Ownership of Data.”
Use of personally identifiable information
Personally Identifiable Information (or "PII") means any information defined as personally identifiable information under federal or state law. PII includes, but is not limited to, data points such as: name, address, date of birth, phone, and e-mail. This data will be used for matching purposes to Windfall’s core data set and to provide access to Windfall’s software platform and services. PII collected from customer data will never be redistributed or exposed to other customers.
Ownership of data
Anytime a customer uploads, submits, stores, sends or receives content through Windfall’s service, the customer retains ownership of that data. By using Windfall, we have a license to use and create derivative works off the data, which is fully owned by Windfall (ex: matching algorithms specific to the data you submit to Windfall).