Trust
Trust Us With Your Privacy and Security
Privacy, security and data protection are core to our culture of respect, responsibility and earned trust.
Our Commitment
Directly was designed and built on a foundation of privacy and security. From our inception, we’ve made technology, policy and business decisions that strengthen privacy and security and reduce risk for our customers.
At Directly, all data is protected by a rigorous set of enterprise-level controls, policies, and practices to protect privacy and security.
Our Data Principles
- Protecting your data is core to what we do.
- You and your users own and control your respective data.
- We keep your data private and secure.
- We minimize, encrypt, de-identify and delete your data.
- We apply new data protection technologies and comply with current regulations.
A Core Principle & Differentiator:
Data Ownership, Minimization & Restricted Use
Data Control
You own and control your data.
TL;DR: We will never, ever, sell your data to anyone.
We minimize and filter the data we process; we do not repurpose data for ANY secondary uses.
You own and control your data. Directly processes customer data on behalf of you and your end users. Customer data can be deleted and removed at any time.
Data Security
Data Security and Minimization Protocols
Encryption: Data is transmitted and stored securely from a company’s systems to Directly via SSL encryption and using Directly’s private API key.
PII Filters: We use customizable PII filters to redact personal data and information identifiers before any question is routed to an appropriate expert. The selected expert is then able to view only the user’s first name and the request ticket without personal data identifiers (e.g., email address, phone number, social security number, and credit card number have been filtered out).
Data Management
De-Identification of Your Customers’ Data
Automatic Redactions of Original Texts From Users: Our system automatically redacts personal data identifiers from users’ questions after 30 days.
Customized Redactions and De-Identification of Personal Data: Our redaction process can be customized for your own requirements. For example, you can permanently delete or redact all data (x days after question closes) and this option can be turned on/off only by the customer.
Independently Verified Compliance, Controls and Assessments
One of the priorities of our privacy and security practices is to ensure that use of your data is transparent, safe, and respectful. Directly’s Compliance Team performs regular assessments to ensure risks are appropriately mitigated and controls are designed and operating properly.
We use SOC 2, Type 2 Controls for Service Organizations for organizational oversight, vendor management programs, internal corporate governance, risk management, and regulatory oversight. These controls provide assurance of the security, availability, confidentiality, and privacy of the data processed by our systems. We undergo periodic audits to receive updated SOC 2 Type II reports. These reports are available upon request and under NDA.
We implement European Union (EU) model clauses, known as Standard Contractual Clauses (SCC), for the safe transfer of personal data from the EU to the United States.
We comply with specific customer requirements and assessments, such as Microsoft’s Supplier Security & Privacy Assurance Standards (SSPA).
Leading Edge Security Policies & Protocols.
Directly is relentless on security.
Security & Protocols
Info Security Policy and Protocols
Confidentiality: Our security measures protect the confidentiality and integrity of customer data. We protect confidentiality through contractual agreements with employees, third-party vendors and other external users. Our policies and authorization controls restrict access to systems that contain customer data, requiring strict authorization for access.
Security: Our approach focuses on security governance, risk management, and compliance. This includes encryption at rest and in transit, network security and server hardening, administrative access control, system monitoring, logging and alerting, and more. Our technical solutions ensure the prevention, detection, containment, and correction of security issues, threats, and vulnerabilities. Directly proactively monitors our platform, services, and networks to identify threats and predict malicious behavior.
Availability: You own and control your data. Directly processes customer data on behalf of you and your end users. Customer data can be deleted and removed at any time.
Risk Assessment and Third Party Penetration Testing: Our internal risk assessment controls are designed to identify and prevent potential threats to the Company, reduce the likelihood of vulnerabilities being exploited, and assess the overall strength of our security framework. We also retain leading security firms to conduct black-box testing and white-box code audits. Quarterly internal and external network and web application penetration testing protects hosting and DevOps environments. We work closely with a third-party managed bug bounty program, which combines analytics, automated security workflows, and global human expertise to find and fix potential vulnerabilities.
Data Centers
Transparency & Hosting Options on Data Centers
Our customers know where our data centers are located, who can access that data, and under what circumstances that data can be accessed.
We support a variety of cloud deployment options. Customers can also freely implement any type of preprocessing filtering or data obfuscation or perturbation, and our services team can consult on best practices to filter and minimize data transfer.
At any point, you can change your deployment to fit the adapting needs of your business, your geographic presence, and your budget. Since Directly always gives you control of your data, you’ll never be forced to keep your data in a single cloud location.
Policies & Tools
Compliance & Policies
GDPR & CCPA: GDPR and CCPA provide important standards for personal privacy protection, and we’ve built our platform to meet and surpass these requirements. These regulations are designed to protect individuals’ personal data and expand their rights to control its use. The core requirements compel companies to establish and maintain effective data governance throughout the data lifecycle.
Privacy Policy & DPAs: Our Privacy Policy describes our commitment to protect personal privacy and to comply with the GDPR and the CCPA, other privacy laws, and fair information principles. We enter into DPAs with customers, vendors, and experts to ensure third-party protection of data.
Beyond Compliance
Culture, Training, and the Future of Data Protection
Our Ongoing Commitment: All employees and contractors undergo extensive data protection, privacy, and security training and testing, including with Microsoft’s Supplier Security and Privacy 101 Training.