Spot is built from the ground up with privacy and security in mind.
Spot is built from the ground up with privacy and security in mind.
🔐 Spot implements all industry-standard security protocols to secure your data.
🔐 Your data is secure, encrypted, always available and backed up.
🔐 Access control is preserved from your tools: employees only access what they are allowed to.
What data does Spot collect ?
When creating an account, Spot collects your first and last name, email address, and profile picture if applicable.Your personal data, including your email, is safely stored and used only on a per-need basis to make Spot function optimally for you and your team.In particular, your email is only used to identify you across the various software connected to Spot, and to send you updates relevant to your Spot account. We will never communicate your email (or any of your personal data) to third parties for commercial purposes. See below ("How does Spot use personal data?") for additional information.When connecting integrations, Spot may collect additional personal data in the form of written documents and user information (see exhaustive details below in Data from Integrations).When visiting the Spot Website and App, Spot collects usage data (which may include browser and device information) which is sent to our partners Mixpanel and Hotjar for analytics purposes (it allows us to understand the usage of Spot and improve the platform). We will never sell your data or let it be used by other companies, people or entities except Spot.Additionally, Spot will collect any data you enter into the app through the Q&A feature.
Data from Integrations
When you add an integration, Spot will collect additional data from the third party service you are connecting. This will vary by integration, will be detailed when creating the integration, and your authorization will be requested to access this specific data in accordance with the authorization rules provided by that service. As a rule of thumb, Spot will request read-only access rights to collect:The users, user groups, documents, or other pieces of knowledge stored within the software you are connecting and which you have authorized to. This allows to populate Spot with searchable colleagues and documents, as well as understand who is working on what.The access rights for documents by users and groups - this allows us to ensure that the only people able to access documents within Spot are those who actually have access to them.Note that for all integrations, Spot will ask for your authorization while connecting your tool (OAuth 2.0 scopes) so that you are certain of the scope of data and actions we are accessing. The only exception to this is the Notion integration, which until a public API is released, will request full access to the integrating user's account. We will not, however, attempt to access anything other than the data mentioned above (pages, users, user groups, user permissions); and will not perform any actions which may modify the contents of your synchronized workplaces.The Slack and Microsoft Teams integrations will request some level of write access (join channels, compose messages).Spot will never ask for more than what it needs to function correctly & allow you to find documents or people within the right permissions.Data collected through third party software integrations is encrypted and stored on our secure infrastructure until you decide to disconnect said integration or delete your account. See "Which steps does Spot follow to ensure data security" and "How long does Spot retain data?" for more details on this.
Which documents does a Spot user have access to ?
Spot only lets users search and access documents and messages which are accessible to them within the original software, unless a person with share rights for that document has explicitly overriden these permissions within Spot.This means if a document hasn't been shared with me in the original software, it won't appear in any of my searches, or when I look at its owners documents, for instance.
Which steps does Spot follow to ensure data security and integrity ?
All data ingested and exchanged within Spot and between Spot and your services is encrypted in transit (SSL) and at rest (AES-256) - these are industry standards.The databases on which your data is secured are situated on a private network within our virtual private cloud and not directly accessible from the internet - only from Spot's servers.Aside from our analytics processors (Mixpanel, Hotjar), all of the data collected is stored on AWS.All data is stored and remains within the European Union, except for the anonymized data sent to our analytics processors (Mixpanel, Hotjar). Should this be an issue, contact your customer support representative to have these third party services disabled for your account.Please refer to the corresponding services' privacy policies for more informationMixpanel: https://mixpanel.com/legal/privacy-policy/Hotjar: https://www.hotjar.com/legal/policies/privacy/All cloud storage and networking used is compliant with PCI, HIPAA, SOC 1,2,3 as well as ISO/IEC 27001:2013, 27017:2015, 27018:2019, 9001:2015 among others.Spot is compliant with GDPR (for further details on this compliance, read the sections below).Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact us immediately.In the event that personal information is compromised as a result of a security breach, we will promptly notify the affected parties.
Data access by Spot employees
A Spot employee will never try to access non-anonymized personal data unless they have requested explicit consent for support or debugging purposes from a relevant member of your organization, and will provide proof of said consent if requested. The following employees at Spot have potential access to your personal data (authorized refers to a small subset of the listed employees who have the credentials required to access the data in question, not the procedure above which remains required for authorized employees):
Authorized software engineers may have access to all data stored in Spot.
Authorized customer success or support representatives may have access to all data stored in Spot, aside from the contents of documents imported from integrations.
Spot software engineers, data analysts or product managers may have access to anonymized data for debugging or product improvement purposes.
Data integrity and availability
Spot performs regular backups of all stored data. These backups are retained for a short period (7-14 days at most), to be used in case of disruption of service leading to data corruption or unavailability.All Spot infrastructure components (databases, servers ...) are replicated and configured to automatically failover in the event of failure.
How does Spot use personal data ?
Spot uses the data collected to:
- Make the product's features function, including:
- Allow documents and conversations to be searched
- Determine the owner of documents
- Determine the best contacts or topics related to a query
- Notify users of a question
- Give insights into the state of knowledge at your company
- Ensure data privacy within your Spot account through respect of externally set permissions
-Promote, analyze, modify and improve our products, systems, and tools, and develop new products and services through the use of collected usage statistics.
- Respond to inquiries, send service notices and provide customer support.
How does Spot disclose personal data ?
We don't. We do not sell your data and we do not share it with third parties - except those outlined above, for analytics or web hosting purposes.
How long does Spot retain data ?
Spot will retain data as long as the account is active. Should the account become inactive for more than 12 months, as defined by the absence of any user activity, the data will be deleted (you will be warned several times before that).Upon deletion of an integration, all data imported through that integration is deleted.Some data which is deleted through the UI of the Spot app may not be actually deleted from our servers, but kept for reversal purposes, or to ensure consistency (for example, archiving a document will not delete it fully from Spot, otherwise it would be reimported during the next synchronization). Upon deletion of an account, all data within that account is deleted.
What are my rights concerning my data ?
Opting out of receiving electronic communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages that are required to provide you with Spot's services.If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by signing in to your Spot account or by contacting us.Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data we control about you:
- The right to request confirmation of whether Spot processes personal data relating to you, and if so, to request a copy of that personal data;
- The right to request that Spot rectifies or updates your personal data that is inaccurate, incomplete or outdated;
- The right to request that Spot erase your personal data in certain circumstances provided by law;
- The right to request that Spot restrict the use of your personal data
- The right to request that we export to another company, where technically feasible, your personal data that we hold in order to provide services to you.
Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time.To exercise your rights, contact us at firstname.lastname@example.org (DPO).
For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file.