Overview of Security Practices

Overview of Security Practices

Effective: January 1, 2020

FullContact is committed to protecting the security of personal data and contact data stored in FullContact’s applications. If you are a user and believe your account may have been compromised for any reason, please contact support with as many details as you can provide. For information about our privacy practices, visit our privacy page.

Information for Security Researchers FullContact is committed to working with security experts around the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we’d be happy to work with you.

Information for Users Guarding our users against security breach is something we take seriously. We are committed to doing all we can to remain secure and helping our users to manage their own account security responsibly.

Information for Users

At FullContact, the security of your data is a serious priority that we're committed to.

What FullContact does to protect data

We use a variety of industry-standard security technologies and procedures to help protect personal and public data from unauthorized access, use, or disclosure. We require users to enter passwords to access account information. To protect data in transit, FullContact uses encrypts all traffic using TLS configured with industry best-practices. Contact data in FullContact is stored using 256-bit AES encryption at rest.

CCPA, GDPR, and “Do not Sell My Personal Information”

To request a copy of the data FullContact has about you, or to request that your data not be processed or sold please visit: https://dashboard.fullcontact.com/claim

Security testing and updates

FullContact’s security team tests for security vulnerabilities and bugs on a regular basis and we also partner with industry security teams and the security research community to help make our security procedures better. Potential security risks can be reported to us on the third-party service HackerOne.

Third-party applications using FullContact data

We require unique keys for developers who want to return data from a search for publicly available information or permission-based data, and we reserve the right to revoke an app key if our developer terms and conditions or guidelines are not followed. In addition, we use industry-standard protocols for authorization. For more information about FullContact’s APIs for developers, see www.fullcontact.com/developer.

Secure physical location

Our servers are located in Amazon’s AWS data centers. Our users can find information about the security of Amazon’s servers at https://aws.amazon.com/compliance/.

Confidentiality

We hold our employees to strict guidelines regarding confidentiality and do not allow disclosure of personal or private contact information to any third party without permission.

Recommended precautions for our users

We recommend creating a strong and unique password to use when accessing your FullContact account, and we recommend changing your password to another strong and unique password on a regular basis to prevent unauthorized access to your account in the case of a data breach involving compromised passwords on our system or another system you access with the same or a similar password. Please do not disclose your account password to unauthorized people or make your password easy to guess. No method of transmission over the Internet, or method of electronic storage, is 100 secure. Therefore, while FullContact uses reasonable efforts to protect your Personal Data, FullContact cannot guarantee its absolute security.

Information for Security Researchers

If you are a Security Researcher, please let us know about any security issue and we’ll make every effort to quickly correct it. However, you must follow our responsible disclosure policy:

  • Disclose the vulnerability and all known details promptly. We do not assign bounties until full disclosure has been made and the scope and severity of a given vulnerability has been completely evaluated. Bounties are assigned entirely at the discretion of FullContact's security team; often investigation will find that the scope of a vulnerability is greater than initially reported leading to higher bounties. We aim to pay fair bounties and encourage motivated security professionals to continually test our properties and services.
  • Give us a reasonable time to respond to the issue before making any information about it public in order to protect our users from a possible malicious attack in response to your disclosure. You’re more than welcome to post a write-up after the issue has been fixed and public disclosure has been agreed upon.
  • Act in good faith not to degrade the performance of our services (including denial of service). We understand accidents may happen.
  • Strive not to access or modify information in users’ accounts should you find a vulnerability. If necessary, please create a second account to demonstrate the issue. If you cannot, you may report using real accounts.
  • Limit the scope of your activities to FullContact properties, not those belonging to other services we may use such as analytics providers or support helpdesks. Those issues should be reported to the providers directly. If you're unsure how to proceed, or have questions about whether a vulnerability is eligible for a bounty, please contact us!

We will not take legal action or engage with law enforcement for security activities provided you comply with this policy. Please read about our eligibility guidelines and report security issues using our HackerOne page. If you need to speak with the security team, open a HackerOne ticket, or send an email to the security@fullcontact.com mailing list.

If you believe your own account may have been compromised for any reason, please contact support@fullcontact.com with as many details as you can provide.

 

Recent Blogs