Factual’s commitment to privacy, transparency, and consumer control
Factual's Approach to Privacy
Storage and Data Transfer
Storing and transferring data in a secure manner is an important aspect of Factual’s privacy practices. Factual uses a variety of physical, managerial, and technical safeguards to preserve the integrity and security of all stored data. We encrypt data in transit and generally encrypt data at rest as well. Factual also has a number of information security policies that govern internal processes around data storage and use.
Factual takes steps to protect the data we process on behalf of our partners. Factual employs multiple data loss prevention (DLP) practices and solutions, including logged and indexed data access auditing, alerts for excessive data transfers, and firewall, VPN, and VPC software. Factual also often conducts risk assessments of processing and storage operations that involve partner data and information.
Employee Access and Use
Practices regarding employee access and use of data are a core component of Factual’s information security and privacy-focused approach to data storage. Factual upholds a framework wherein employees are granted the minimum level of access required to perform their duties. Factual imposes industry-standard written confidentiality obligations on our employees and contractors. Both our privacy and information security teams also provide internal training on managing data responsibly and in accordance with legal and contractual requirements.
Factual has minimum thresholds in place for the provision of our products. These thresholds are designed to prevent the use of our services to advertise to small populations of devices. In keeping with our approach to “privacy-by-design,” these thresholds are implemented on both policy and technical levels.
Factual employs a strict policy designed to prevent the use of our services around sensitive locations. We are members of the DAA and NAI and consult these groups’ self-regulatory principles on sensitive places and follow their guidelines, as well as applicable laws and regulations such as the GDPR.
We do not segment or persistently identify users on the basis of inferences about certain characteristics such as sensitive health conditions, religion, sexual preference, immigration status, or status as active duty military personnel. Examples of sensitive places include specialty physicians' offices, religious centers, domestic violence shelters, military locations, and LGBTQ centers, among others.
Even when policies are consistently applied to protect privacy, questions about risk may arise. When this happens, a single perspective or viewpoint is often not enough to determine the right course of action. That’s why our privacy team leads reviews of specific deals and customer requests through an established, documented review process to make determinations about data protection and risk. Our internal committee includes stakeholders from many different parts of the organization so we can understand multiple perspectives on data use. This helps mitigate bias and groupthink around privacy and risk determinations.