Security of my data on Constant Contact servers

How is data security managed?

The security of our site is managed on multiple levels, including Physical, Network, Host, Software, and User Account Security. Constant Contact maintains internal security policies and procedures in support of its ongoing operations. Access to resources is granted only to those who reasonably require access, based on their responsibilities. We are certified under the E.U.-U.S. Data Privacy Framework Principles, the Swiss-U.S. Data Privacy Framework and the UK Extension to the E.U.-U.S. Data Privacy Framework (collectively, the "Frameworks"). TrustArc, an independent third-party, has certified our compliance with the Frameworks (TRUSTe).

For more information, please visit and read over our Terms of Service.

• Physical Security
• Network Security
• Host Security
• Software Security
• User Account Security

Our company has a SOC 2 report available for potential and existing customers. SOC 2 is an independent audit report that ensures our systems and processes meet high standards for security. If you would like to request a copy of our SOC 2 report, please contact our legal department at legal@constantcontact.com. Customers will need to sign a Non-Disclosure Agreement (NDA) before receiving the report.

Physical Security

Physical access to our machines is restricted to specific individuals and uses multiple levels of security, including:

• The equipment hosting Constant Contact's services is located in physically secure facilities. Access to these facilities is limited to authorized personnel. Badge access and biometric authentication (hand scanners and fingerprint IDs) are required to access the facilities.
• Constant Contact equipment is isolated and secured in spaces reserved for Constant Contact equipment only. Spaces are not shared with 3rd parties.
• Access to hosting environments is regularly reviewed to ensure authorization.
• Security guards perform random checks of facilities hosting Constant Contact equipment to ensure physical security controls have not been compromised. 

Network Security

• Constant Contact's hosting environment is protected from the public Internet via web application firewalls, and monitored with a network-based commercial intrusion detection system.
• All of your account, credit card, and subscriber information and content is encrypted via TLS 1.2 connections over HTTPS.

Host Security

• Constant Contact undergoes industry-standard security hardening efforts on all systems. In accordance with our security and change management policies, unused services are disabled and software updates are applied on a regular basis.
• Constant Contact regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Constant Contact environment, they are thoroughly tested and deployed in a timely manner.
• All hosts and services are routinely monitored for integrity and availability. Operations staff review all alerts generated by monitoring systems and respond promptly.
• Our servers are monitored 24x7 for malicious activity.
• Administrative access to Constant Contact infrastructure is limited strictly to authorized users. Individual usernames and passwords are required for all machine and data access.
• Strong password guidelines are in place, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.

Software Security

• All internally developed code is subject to a strict Quality Assurance program, including extensive testing of functionality and business logic. Strong change control processes are in place to ensure that all code deployed to the production environment has been appropriately reviewed.
• Constant Contact regularly undergoes security reviews, including external and internal scanning for vulnerabilities on an ongoing basis by a 3rd party vendor. All vulnerabilities discovered are reviewed by internal security and addressed according to severity.

User Account Security

• User-level access to Constant Contact services is provided via a username and password selected by the end user.
• New customer accounts are also protected with multi-factor authentication. 
• Passwords and credit card numbers are encrypted.
• User account setup, maintenance, and termination are under the control of the end user. 

Questions?