Thinglink Privacy Architecture
Last updated 25 May 2018
Thinglink complies with NIST 800-63-3 Authenticator Assurance Level (AAL) 1. However, we do allow users to request that they are “remembered” for a longer period of time (a maximum of 30 days) without the need to log in. Reauthentication is required after 30 days. Session timeout is 30 minutes.
Password hashes and their per-user salts are stored in a database table. Hashing uses SHA-512 with 100,000+ iterations and a unique 128-bit salt per user.
Users may attempt to log in 30 times within 24 hours before the account is locked for 1 hour. The minimum password length is 8 characters, and we check every new password against a public list of the 100,000 most used passwords, as well as against some common, well-known patterns (e.g. “thinglink1”).
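As an added example (not Thinglink's own code), the password storage and policy checks described above: PBKDF2-HMAC-SHA512 is assumed as the concrete construction for "SHA-512 with 100,000+ iterations", and the common-password list and site-pattern check are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

ITERATIONS = 100_000   # the page states 100,000+ iterations
SALT_BYTES = 16        # 128-bit salt, unique per user
MIN_LENGTH = 8

# Constructed stand-in for the public "most used passwords" list.
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1"}
# Constructed stand-in for the well-known site-specific pattern check.
SITE_PATTERN = re.compile(r"thinglink\d*$", re.IGNORECASE)


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if SITE_PATTERN.match(password):
        problems.append("matches a well-known site pattern")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 128-bit salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)
```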
Logs and Retention Policy
Thinglink collects three types of operational logs:
- HTTP access logs. These are logged into Logstash and entries are automatically purged after 30 days. We use these logs to detect intrusions and debug issues with our software.
- Application logs. These are logged into Logstash and entries are automatically purged after 90 days. We use these logs to debug customer issues.
- Action logs. These are stored by our system in our main database and are automatically purged after 30 days. We use these logs to audit access to customer accounts.
Security audit logs are collected to a separate Logstash instance and have a 6-year expiry period. These logs are used to track administrative access to production systems via SSH.
For any other collection containing personal data (e.g. CSV reporting files pulled out of the system for billing purposes), the retention period is 90 days, after which the lists must be deleted.
All logs are stored in the EU.
What is collected
We have three categories of users: viewers, visitors and registered users.
- A viewer is a person who sees an embedded Thinglink on some other site. Their usage of that site is governed by the terms of service of that site, and we are data processors for that use case.
- A visitor is a person who visits thinglink.com but has not logged in.
- A registered user is someone who has signed up to thinglink.com and has agreed to our Terms of Service.
The data collected for each of these users is different.
Personal data and other data collected, by category:
- Viewer. Other data: browser user agent, aggregate statistics (views/hovers/clicks per image).
- Visitor. Other data: behavioral data (to improve our service), user flow through the system; browser footprint, country, language.
- Registered user. Personal data: name, email, organization; optionally credit card/PayPal information and other billing data, postal code, user bio, Twitter, Facebook, Google and Microsoft IDs and access tokens, avatar picture, birthday, Amazon affiliate ID, Skimlinks affiliate ID, website address, EU VAT ID, approver’s email. Other data: behavioural data to improve our service, user flow through the system; browser footprint, country, language; last activity, role (edu/business), business type and size, last login country, organization and creator, tl affiliate ID, created content (incl. tags), developed applications and user preferences; group memberships. When a user logs out, they become a new visitor again.
This data can be accessed via command-level access (see below) or via the Thinglink Admin user interface. Access can occur from any country, but most likely the USA, Russia and Finland.
Identifiable data is stored within our main database in Ireland (EU). IP addresses and browser footprints are visible to web analytics services (Google Analytics and Mixpanel) located in the United States. Any identifiers that we use are pseudonymized before transfer and are unique per external service.
Customer sales data is stored in Hubspot (a U.S. service). No student account data is sent to Hubspot. Customer sales data includes, but is not limited to, name, email, phone number, other contact information, and communication logs with the customer. Deleting an account removes all relevant customer data from Hubspot. Some customer data may also be stored on employees’ computers, Google Docs and/or Dropbox. These are governed by our retention and encryption policies.
Customer support is done with Sirportly (UK service). Sirportly stores user email addresses and email communication.
Outgoing email is handled through Mailgun (US), which does receive your email address whenever we send you an email.
Credit card and payment data are handled through Stripe (US), Quaderno (ES), Churnbuster (US) and Firstofficer (FI); Stripe is the only one of these that actually receives and stores your credit card data. Quaderno manages the VAT calculations and is required by EU legislation to store the data needed for correct VAT calculation, including things like your country and IP address. Firstofficer is used to perform data analytics on payments and improve our service. Churnbuster sends you payment reminders. All of these services receive your name and email address.
Invoicing is done through Ronin (US) and Netvisor (FI). They receive things like your address and payment information and any other information we require to bill you correctly and fulfil the requirements of accounting law.
Our US-based customers can also use PayPal (US) to pay, but this is not an option for our EU customers.
We also use a number of content hosting services, which do receive your IP address, browser footprint and any cookies. These are Fastly, Facebook, Twitter, LinkedIn, Google, Microsoft, Wistia, Amazon and Cloudflare. All of these may store your data in the EU or in the US, depending on your locality.
Tags may contain embeds to different sites, and users are notified in advance prior to watching the image/video which sites will receive their IP address, cookies and browser footprints. User consent is requested before their data is sent to those sites by the browser. The data from these embeds may or may not be stored anywhere in the world, as it is not in our control.
Production system command level access
Production system access is strictly via SSH with public-key authentication; no passwords are used. Public keys for all administrators are stored in an Ansible configuration file, and that file is updated as people gain or lose access. All production servers use the same configuration file, and any local modifications are overwritten automatically.
We log all authentication events and all commands and applications that users run on our production servers. Logs are shipped to an Elasticsearch server via Logstash. Access to those logs is restricted to designated personnel. Production access logs are stored for 6 years.
Hardware security policies
All personal computers and external hard drives must be encrypted. Use of a VPN is strongly encouraged when connecting to a public network.
Testing and security checking policies
We have two in-house specialists who run tests and checks every three months, and once a year we hire consultants to do penetration testing and security checks. In addition, we run an open bug bounty program that rewards white-hat hackers who help us identify vulnerabilities. This combination of organizational and practical measures is carried out on a regular basis.
The pen testing/security check reports shall be stored in Google Drive for auditing purposes.
When a Thinglink user deletes their account, we remove all user content and all user data from the database. There is a brief period between deletion and the point at which the data becomes unrecoverable, and this period depends on our database maintenance schedule. The maintenance (called compaction) is automatic and depends on system load, but typically occurs several times per day.
Aggregate, anonymized user data (such as statistics, e.g. total view counts) will remain.
We track unique users for our own statistics purposes with three main methods:
- If the user has agreed to our primary Terms of Service and is logged in, we track users by their user id as stored in a user cookie.
- If the user is just browsing thinglink.com and has not explicitly enabled Do-Not-Track functionality in their browser, we store a random unique identifier for 30 days on their browser as a cookie.
- In all other cases we store a combination of the user’s IP address, their preferred language and the user agent of the browser.
In all cases, the data is pseudonymized using a strong hash function, so our internal database cannot be used to identify any particular user. The unique identifiers are purged after 30 days of non-use.
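As an added example (not Thinglink's own code), the three identifier rules above together with the pseudonymization and 30-day purge. The page says only "a strong hash function"; HMAC-SHA256 with a server-side secret is assumed here so that the stored value cannot be recomputed from IP, language and user agent without the key. The Request fields, cookie names and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed server-side secret; in practice drawn from a key store and rotated.
PSEUDONYM_KEY = b"constructed-secret-rotate-me"
UNUSED_PURGE_DAYS = 30   # identifiers are purged after 30 days of non-use


@dataclass
class Request:
    ip: str
    language: str
    user_agent: str
    logged_in_user_id: Optional[str] = None   # set when ToS accepted and logged in
    visitor_cookie: Optional[str] = None      # random id previously set on the browser
    do_not_track: bool = False


def pseudonymize(value: str) -> str:
    """Keyed hash: same input gives the same key, but the input is not recoverable."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def tracking_key(req: Request) -> Tuple[str, Optional[str]]:
    """Return (pseudonymous key, visitor cookie to set or None) per the three rules."""
    if req.logged_in_user_id is not None:
        return pseudonymize("user:" + req.logged_in_user_id), None
    if not req.do_not_track:
        # Reuse the browser's random id if present, else issue one (30-day cookie).
        cookie = req.visitor_cookie or secrets.token_urlsafe(16)
        return pseudonymize("visitor:" + cookie), cookie
    fingerprint = "|".join([req.ip, req.language, req.user_agent])
    return pseudonymize("fp:" + fingerprint), None


def purge_unused(last_seen: Dict[str, datetime], now: datetime) -> Dict[str, datetime]:
    """Drop identifiers not seen for UNUSED_PURGE_DAYS (key -> last-seen timestamp)."""
    cutoff = now - timedelta(days=UNUSED_PURGE_DAYS)
    return {key: seen for key, seen in last_seen.items() if seen >= cutoff}
```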
We use three tracking tools: Google Analytics, Mixpanel and Hubspot.
Google Analytics (GA)
GA is used to track the website traffic and get aggregate data on traffic sources, devices and system load. We do not send any unique identifiers to GA.
Google Analytics data retention period is set to 26 months. Any event older than that is automatically removed.
Mixpanel (MP)
MP is used to manage our A/B tests, track conversion and all vital statistics for SaaS performance. We do send a pseudonymized identifier to Mixpanel, which is different from any of our other identifiers and cannot be used to identify the user.
We do not use the Mixpanel People product that would track individual users.
When a user deletes their account on Thinglink, we clear any Mixpanel cookies and delete any associations between user data and Mixpanel. Only aggregated, anonymous data remains on Mixpanel.
Hubspot (HS)
Hubspot is used to track users who have signed up, agreeing to our Terms of Service. It functions as a customer database and contact point. We store user names, emails, company information, etc. in Hubspot.
If the user deletes their account on Thinglink, we remove any HS data as well.
Credit Card Data
We do not store or process CC data ourselves. We use Stripe to manage and process all of our CC data, and Quaderno to calculate taxation. In addition to whatever Stripe chooses to store to combat fraud, we also store the following items in Stripe’s database:
- Given name, last name, email, country, language and postal code (for sending receipts)
- Thinglink ID for this user
- VAT ID for corporations
This data is also available to our payment recovery tools and financial analytics tools (Churnbuster and FirstOfficer).
For US-based users, we also offer PayPal payments, for which we do not collect anything extra. That data is not available to any other tools except PayPal itself.
Invoicing is done through Ronin and Netvisor. They receive things like your address and payment information and any other information we require to bill you correctly and fulfil the requirements of accounting law.
Note that deleting the account does not remove users from these tools fully, because we need to retain some data for accounting purposes.