Keeping your clients data secure and compliant
Over the years, advancements in cloud software and the associated technology have enabled us to do things with ever increasing ease and forever decreasing cost.
Fortunately, gone are the days of prohibitively high licence fees, packages that can’t be used remotely and systems can’t talk to each other. Instead, it now seems there are a plethora of software packages on the market that allow us to accomplish seemingly any task we can imagine.
That being said, with great power comes great responsibility. When you trust a third party system with sensitive vendor, landlord, staff or other customer information, how do you know that data is being processed and protected properly? After all, you’re trusting this provider with the business reputation you’ve worked hard to build.
Since the introduction of the General Data Protection Regulations (GDPR) in May 2018, understanding the importance our software partners place on the processing of data on your behalf (and how we all process data internally) has become even more important.
As Technical Director at rightval – the estate agency instant valuation tool, and drawing on 15 years experience building and scaling consumer and business to business software products, I knew from day one that the integrity of our client’s data is of paramount importance to our business.
Below I’ve shared some of the key data security features we implemented when we built rightval, and also some considerations we take into account when choosing a third party software provider or data processor to work with in our own business. I would encourage you to consider these factors yourself when exploring web based software for your own business.
Capturing data
Capturing and processing personal information online is a task that requires real planning and responsibility. As the number of online accounts we have increases, so does our digital footprint on the internet, meaning it’s never been more important to be confident in the software you are giving your data to.
As a lead generation tool, rightval captures both contact and address information as part of our instant valuation service.
We quickly realised that not all of our agents had secure websites (or with strong enough security) that we could run our valuation tool from. Therefore we invested heavily in developing our technology to provide Transport Security Layer Security (TLS) (or the padlock icon to the rest of us), managed by us, and provided to every valuation tool we deploy, even if the agents main website has no web security at all.
Protecting data
In the same way that you wouldn’t leave a filing cabinet unlocked at the end of a workday, data stored online needs to be protected as well. How it’s done will vary by provider but it’s always worth knowing that the information you send to your software company is held securely.
As lead generation is our business, safeguarding the data we capture had to be at the heart of our technology. I won’t bore you with jargon, but for our customers peace of mind, we make sure that when we store sensitive data, we do so using an encryption algorithm approved by the US government for the storage of “top secret” data. If the entire rightval database was ever “breached”, all an attacker would have access to is nonsensical letters, numbers and special characters.
In order to reveal the contents of that encrypted data to our authenticated clients, we use a “key” (our filing cabinet key), stored completely separately from our data stores and our actual system code, that’s only accessed by our secure servers.
The elephant in the room. Whilst not a day goes by that we don’t check, send and receive emails, unless you’re a bank, government organisation or have invested heavily in bespoke email security, sending sensitive client, vendor or landlord details by email is inherently insecure.
At rightval, we never send personally identifiable lead details to our agents by email. Instead, we include basic details to allow them to differentiate notifications (for example “new lead on a three bed property in London”). All other details require our users to be logged in and fully authenticated to access. If we didn’t adopt this approach, our efforts to securely encrypt our stored data would be wasted.
User accounts
Whilst it may seem tempting to create one account that is shared by everyone in your office to reduce the amount of time spent on administration, we all know that staff can come and go, meaning you’ll either need to reset an organisation wide password every time your structure changes, or potentially risk ex-employees having access to sensitive business information.
Always ensure your chosen provider allows you to add individual accounts for each team member, this not only protects your “master” account, but it makes it infinitely easier to manage organisational changes should they happen.
We made this approach an integral part of our platform at rightval. Not only do individual user accounts make it easy to assign leads to specific team members, but it also helps agents keep track of user access and activity more efficiently.
User access controls
Once you’ve set up your individual team members accounts, always ensure you check the available “permission” levels to ensure employees only have access to the data or features they need. Not only will this protect your businesses billing details and other business critical data, it’ll help you comply with the best practice of limiting exposure of data to those that need to use it, at the point they need to use it.
As a lead generation tool for estate agents, we appreciate that new vendor contact information is valuable data. Therefore we offer advanced access controls that can be implemented on a per-user basis including IP locking (to restrict access to your office location only) and time of day locking (restricting access to business hours only) or a combination of both.
Passwords
As mentioned above, single passwords for multiple users or “office passwords” should be avoided where possible, but if you have little option (such as a per-user licence), always ensure you choose a strong password. Whilst “password” is easy to remember, it’s doing nothing for the integrity of your businesses data!
If you’re struggling to think of a secure password for the admin or billing account for your software provider, we recommend sites like https://passwords-generator.org/ that will help you out. Letters, numbers and special characters are a must – just be careful where you keep a note of it!
Protecting passwords of rightval’s customers is paramount to us, after all, we can put all the security measures in the world in place but if we’re not protecting passwords then we may as well not have bothered!
As a result, we use the strongest, most stable one-way password encryption method available. No one at our company will ever be able to see or tell you your password, because even if we tried, we simply couldn’t decrypt it (this is where our password reset tool comes in handy!)
This is all very easy for me to say, right? Well here’s my encrypted rightval Director level password. If you manage to decrypt it, drop me a line and let me know.
$2y$10$AsWhbyHMBSDUlURyt5bl7upiTfn6L.G7mALoeLX31fGY5wIsY2Cxq
About the Author
Matt Sutton is Technical Director at rightval; One of the most advanced estate agent instant valuation and lead generation tools on the market.