Effective date: April 23, 2026
This Data Processing Policy explains Accellist, Inc.’s approach to data handling, retention, access controls, and subprocessor management. It is aligned with industry standards (SOC 2 Type II principles) and applicable privacy laws.
1. Scope
This policy applies to all personal and business information processed by Accellist in connection with the Service.
2. Data Classification
| Class | Examples | Handling |
|---|---|---|
| Public | Agency names, websites, public services | Indexed, displayed publicly |
| Internal | Usage analytics, click events | Encrypted at rest; access restricted to authorized staff |
| Confidential | User contact details, quote briefs | Encrypted in transit and at rest; need-to-know access |
| Restricted | Account credentials, payment tokens | Hashed/tokenized; never visible to staff |
3. Subprocessors
We engage third-party subprocessors to deliver the Service. Current subprocessors:
- Hosting provider (United States, SOC 2 Type II compliant)
- Email delivery (transactional emails, SMTP relay)
- Analytics and error monitoring
- Payment processors for paid plans (PCI DSS Level 1)
The current list is available on request to [email protected].
4. Access Controls
- Role-based access (administrator, editor, agency owner, subscriber).
- Two-factor authentication available for administrators.
- Access logs retained for 90 days.
- Principle of least privilege applied to all internal roles.
5. Encryption
- TLS 1.2+ for all transport.
- AES-256 at rest for databases.
- Bcrypt hashing for passwords.
6. Data Retention Schedule
| Data type | Retention |
|---|---|
| Active user accounts | Until deletion |
| Inactive accounts (no login > 3 years) | Anonymized after notice |
| Quote submissions | 24 months |
| Analytics events (non-aggregated) | 24 months |
| Email logs | 90 days |
| Backups | 30 days rolling |
7. Breach Notification
In the event of a personal-data breach, Accellist, Inc. will notify affected users without undue delay and, where required by law, regulatory authorities within 72 hours. Notification will include the nature of the breach, the data affected, mitigation steps, and support resources.
8. Data Subject Requests
We respond to access, correction, deletion, and portability requests within:
- 30 days (GDPR, with one 60-day extension if complex)
- 45 days (CCPA/CPRA, with one 45-day extension)
Requests: [email protected]
9. International Data Transfers
Data is primarily stored in the United States. For EEA/UK transfers, we rely on Standard Contractual Clauses (2021) and supplementary measures where required by the Schrems II decision.
10. Third-Party Processors / DPA
If you are an agency or enterprise client requiring a Data Processing Addendum, contact [email protected]. We offer a pre-signed DPA based on the GDPR Article 28 template.
11. Changes
This policy may be updated as our practices evolve or laws change. Material changes will be communicated through the Service.
