Can Vendors Use Your Data? Read the Fine Print

Your contact data assets represent the lifeblood of your company. Your organization probably has procedures in place to secure this data. But what about the third-party vendors you work with?

Some vendors – particularly email validation providers – have terms in their master service agreements (MSA) allowing them to store the data you send them and, in some cases, use this data for their own “research” purposes. This article discusses why we feel this is a bad idea, and why you should be careful about who accesses your data.

The problem with third-party data storage

In an ideal world, any company that processes your most sensitive data should offer you a gold-plated guarantee that it will never fall into the wrong hands. Unfortunately, it doesn’t always work that way in practice. Here are some sobering facts:

  • There have been numerous well-publicized breaches of customer data involving vendors and contractors, such as the recent exposure of over 1.3 million customer records by a Walmart vendor, the infamous Target payment card breach of 40 million customers in 2014, and many more.
  • According to a 2018 study by the Ponemon Institute, 59% of companies surveyed experienced a data breach caused by a third party, and three-quarters of respondents feel that these incidents are on the rise.
  • Third-party data storage has even been a problem in security-critical environments like health care, with regulatory burdens such as HIPAA compliance. In 2018 an estimated 20% of health care data breaches were due to third-party vendors, including some of the largest breaches, with problems ranging from lax procedures to attacks by insiders.

These concerns are compounded when you work with vendors who retain and store your data beyond its original business purpose. Unfortunately, terms allowing for the storage and subsequent usage of this data are often buried in the fine print of service agreements, leaving its security in the hands of the vendor. This can potentially open you up to risks that fall outside the reach of your own data security policies and procedures.

We don’t store your data

Of course, one of the best ways to safeguard your data is to work with a vendor who won’t store it in the first place – like Service Objects. We never store customer data, and security and privacy are among our highest concerns.

When you use one of our real-time products for contact data validation, we process each record you send us against continuously updated databases such as USPS and Canada Post address data, known problem email addresses, and over 400 million phone listings, together with other proprietary resources. And once we return these validation results to you, the original data is discarded.

We invite you to learn more about our own bank-grade security procedures, including secured 24/7/365 data centers, encryption of sensitive information, and hardened servers with multi-layer perimeter security, as well as, of course, a policy that no copies of your real-time data or your responses are stored.

As we approach three and a half billion transactions validated, with a track record stretching back to our founding in 2001, we feel that data security policies are extremely important. This is why leading companies like Amazon.com, Microsoft, and most major credit card providers trust us with their data. Firms like these scrutinize contract terms involving access to their data, and you should too.