Effective from: December 5, 2019
Litmus is an email Design, Testing, and Analytics platform. Litmus was created to empower marketers, designers, and agencies to confidently deliver customer experiences that ensure brand alignment and quality, as well as maximize performance and deliverability.
Users of the Litmus platform can:
Information is a critical resource at Litmus. To ensure that Litmus meets customer, industry, regulatory, and privacy standards, and to reduce the risk that restricted or sensitive information is accidentally released to unauthorized parties, Litmus adheres to the following structured four-tier data classification system:
Public: This information is approved for public release by our Marketing team. Disclosing this information would not be a problem for Litmus, its customers or business partners.
Internal Use Only: This information is intended for use within Litmus, and in some cases with other affiliated organizations, such as business partners or vendors. Unauthorized disclosure of this information may be a violation of applicable law or contractual obligations, or may otherwise cause problems for Litmus, its customers or business partners.
Confidential: This information is private or otherwise sensitive in nature and is restricted to those with a legitimate business need for access. Unauthorized disclosure of this information may be against applicable law or contractual obligations, or may cause significant problems for Litmus, its customers, or business partners.
Secret: This information is the most private or otherwise sensitive and is always monitored and controlled. Unauthorized disclosure of this information to people without a legitimate business need for access may be against applicable law or contractual obligations, and will cause severe problems for Litmus, its customers or business partners.
If you have opted in to email communications from Litmus, we will store your email address so we can continue to send you content.
Litmus stores the names and email addresses of users for authentication and identification purposes. A Litmus user is someone who logs into the Litmus platform (litmus.com) to use any of the many services Litmus has to offer.
Some may consider HTML or emails processed by Litmus to be customer data. Please see our Retention Policy for information about how this data is stored or removed.
For more information about excluding sensitive or Personally Identifiable Information (PII) from our platform, refer to Does Litmus store any sensitive data or Personally Identifiable Information (PII)?
If you use Litmus Email Analytics, you may be sending us marketing list recipient data via your ESP’s merge tag or through a custom parameter. Litmus suggests that you do not send us any PII through the Litmus Email Analytics tool.
Litmus stores whatever is sent to us until it is manually deleted (Manually Deleting Your Data) or for the length of time set in the Data Retention Policy (What is the Litmus Data Retention Policy?), whichever comes first. We currently do not have the technology or means to prevent Litmus users from sending us sensitive data or Personally Identifiable Information (PII). If you feel that Litmus is currently storing sensitive data or PII and you would like it removed, please delete it from the platform. If you need assistance, please check help.litmus.com for instructions on how to delete data or email us at firstname.lastname@example.org.
We recommend that customers with strict data sensitivity concerns omit any sensitive data or PII from our platform. Litmus should never have any of your sensitive, confidential, or proprietary data.
For more information on preventing tests or campaigns from including sensitive data or PII please visit the following:
For more information on deleting existing tests or campaigns that may include sensitive data or PII please see the following:
If you are a Litmus user with customers who may be protected by the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR), please see here for more information: Does Litmus comply with Safe Harbor, Privacy Shield, GDPR, and CCPA?
With our Email Analytics product, we collect data about the emails that you send. Such data may include the recipients’ email addresses, the browser and email client they use, the city they are located in, and details about how the recipients engage with the email (e.g., whether or not the email was read, forwarded, or printed).
The data that is collected for Email Analytics can be categorized as follows:
The account holder/owner retains copyright/ownership of any content uploaded to Litmus. In terms of your customer data, we only collect what you give us. For more information see here: Does Litmus store any sensitive data or Personally Identifiable Information (PII)?
Litmus maintains strict confidentiality and integrity of our customers’ data. We leverage the Amazon AWS infrastructure and its built-in security controls, which incorporate several modern security standards and best practices. Additionally, AWS maintains several security certifications and accreditations (e.g. HIPAA, FedRAMP, ISO 27001, and PCI compliance, among several others). You can learn more about AWS security here and their compliance program here.
Data classified as “Confidential” or “Secret”, such as usernames, passwords, analytics data, and email addresses, is encrypted at rest and in transit using a cryptographically strong cipher (AES with a 128-bit key or stronger). Data classified as “Internal Use Only” is encrypted and password-protected and is only accessible to Litmus employees, contractors, and business partners. Data classified as “Public” is not password-protected or encrypted.
For more information about excluding sensitive or Personally Identifiable Information (PII) from our platform see here: Does Litmus store any sensitive data or Personally Identifiable Information (PII)?
Enterprise customers can control session settings and password settings, two-step verification, SSO, and role-based authorization for each of their account users.
For a complete list of security controls, see our help article Advanced Security & Privacy Settings.
Additionally, account admins have the ability to restrict Email Analytics access for users across three levels of access:
For a full list of Litmus user roles, see here.
The following technical and administrative security controls are in place at Litmus to strengthen our security posture and maintain the highest levels of confidentiality, integrity, and availability required by our customers:
| Control area | Description |
|---|---|
| Application Security | The technical and administrative controls used to protect our applications from security threats. |
| Asset Management | The documentation, monitoring, and reporting of Litmus assets (e.g. data, physical machines, intellectual property), their owners, classification level, and lifecycle requirements. |
| Compliance & Security Audits | Scheduled third-party audits of our infrastructure, code, and processes to ensure we maintain the highest level of confidentiality, integrity, and availability of our systems and data. Compliance with major national and international privacy and data protection regulations. |
| Disaster Recovery | The processes and procedures followed in order to ensure the overall continuation of Litmus business operations during an outage event. |
| Endpoint Protection | The hardening, patching, and protection of endpoints used by Litmus employees and contractors. |
| Incident Response | The identification and resolution of information security incidents quickly and effectively, minimizing their impact to the business, and reducing the risk of similar incidents occurring in the future. |
| Network Security | The configuration and application of security controls as applied to network devices to prevent unauthorized access or incorrect updates to the Litmus network. |
| Password Management and Multi-factor Authentication | The policies, procedures, and technical guidelines that ensure the secure implementation of the password management lifecycle at Litmus, as well as the guidelines and best practices for enabling multi-factor authentication for services used by Litmus team members. |
| Physical Security | The policies, procedures, and best practices that ensure the physical protection of Litmus assets against accident, attack, or unauthorized physical access. |
| Security Awareness Training | Activities undertaken by Litmus employees to ensure that effective, risk-based decisions are made in the best interest of the organization, while protecting critical and sensitive information from being compromised. |
| Security Event Logging and Monitoring | The recording, storage, and monitoring of important security-related events to help in the identification of threats that may lead to an information security incident, and to support forensic investigations. |
| Vulnerability Management | The standards and procedures for the identification and remediation of Litmus system and software security vulnerabilities. |
Litmus enforces several internal security policies and access controls to ensure that our customers’ data is accessible only to those with proper authorization and a need to know. Litmus only allows trained and authorized operations personnel to access data. There are several controls in place to ensure the proper individuals have access. Human Resources, IT, and the Litmus Security team are all involved in the process of granting and revoking access. The Security team reviews access on a quarterly basis with the appropriate teams.
Campaign engagement data is accessed only through a secure VPN that requires multi-factor authentication and elevated privileges. This data is also encrypted at rest. Litmus is willing to work with any customer to ensure a comprehensive understanding of the nature of our data access control policies.
Litmus will never sell your Personal Information to anyone. Litmus will never share your Personal Information with anyone unless it brings value to you through the Litmus platform and through normal business operations.
Since all our data is stored with Amazon, we automatically adhere to Safe Harbor laws. Amazon’s Safe Harbor policy can be found here: https://aws.amazon.com/privacy/ and here: https://aws.amazon.com/compliance/eu-data-protection/
Litmus is Privacy Shield certified (https://www.privacyshield.gov/participant_search) and complies with the EU’s General Data Protection Regulation (GDPR). Note that we currently do not have the ability to limit the processing and storage of data to the EU. Litmus stores its data in AWS (US-EAST region) and cannot segment its data by region. If you have any questions, please don’t hesitate to reach out at email@example.com.
If you are utilizing the Litmus Email Analytics tool and you are using PII to track your email opens, you are responsible for filling out the Litmus Data Processing Agreement (DPA).
Litmus recommends refraining from using PII in Email Analytics. See here for more information.
Litmus is in the process of becoming CCPA compliant.
For more insight on information security at Litmus, please visit the Trust page.
Please fill out the form linked here. The form must be filled out and you must confirm ownership of the email associated with the account you are requesting to be removed before we can move forward.
Please note that if you are a paying Litmus customer, you must cancel your own account. We cannot do this for you. Please follow the guide here.
All data may be downloaded from the Litmus platform before the Retention Policy automatically deletes the data from the system.
Email Preview results are deleted completely after 6 months.
Builder HTML and assets are stored indefinitely so you can use Litmus as a repository for email templates.
Proof HTML is stored indefinitely so you can use Litmus as a repository for your workflow.
Individual hits are stored for 14 months. Aggregate campaign data is stored indefinitely.
If you would like to remove your data before the dates noted in the Data Retention Policy, you can do so in the Litmus platform. Please refer to our Help documentation at help.litmus.com or email firstname.lastname@example.org for further assistance.
Litmus is SOC2 Type 1 certified. We are currently in the observation period for SOC2 Type 2 certification and expect to have the report early 2020. See this post for more information.
While we currently do not hold the ISO 27001 certification, we align our security principles, procedures, and best practices with ISO 27001. As Litmus has grown, we have recognized the need to provide clear and effective security policies and access controls to ensure that our customers’ data is secure and accessible only to those authorized. The Litmus team is willing to work with you to ensure that your company has a comprehensive understanding of the nature of our data access control policies.
The account holder/owner retains copyright/ownership of any content uploaded to Litmus. In terms of your customer data, we only collect what you give us. For more detail, please see this section of the FAQ.
Clients are in charge of provisioning and deprovisioning accounts. This responsibility is owned by the admin of the account as appointed by the client.
If you decide to stop using Litmus, you can delete data in the Litmus platform before closing your account. See here for more information.
Litmus may be able to send you all of your data in a downloadable format upon account closure. Please contact your Business Account Representative or email email@example.com with any questions, deletion, or download requests. Note that there is typically a 7-10 business day turnaround for these types of requests.