Information Security

Winnow Analytics, Inc. is committed to security and focused on keeping you and your data safe. Winnow Analytics, Inc. adheres to industry-leading standards while connecting, replicating, and loading data from all of your data sources.



Web portal connectivity

  • All connections to Winnow Analytics, Inc.'s web portal are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).

  • Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).

  • To take advantage of HTTPS, your browser must support encryption protection (all versions of Google Chrome, Firefox, and Safari).




  • Connections to customers' database sources and data warehouses are SSL encrypted by default.

  • Winnow Analytics, Inc. can support multiple connectivity channels

  • Connections to customers' software-as-a-service (SaaS) tool sources are encrypted through HTTPS.




  • Databases and API cloud applications - Winnow Analytics, Inc. only requires READ permissions. For data sources that by default grant permissions beyond read-only, Winnow Analytics, Inc. will never make use of those permissions.

  • Data warehouses - Winnow Analytics, Inc. requires the CREATE permission. This permission allows Winnow Analytics, Inc. to CREATE a schema within your data warehouse, CREATE tables within that schema, and WRITE to those tables. Winnow Analytics, Inc. is then able to READ only the data it has written.



Retention of customer data

All customer data, besides what is listed below, is removed from Winnow Analytics, Inc.'s system within 24 hours using AWS Object Expiration. Winnow Analytics, Inc. retains subsets of a customer's data that are required to provide and maintain Winnow Analytics, Inc.'s solution. This includes only:

  • Customer access keys - Winnow Analytics, Inc. retains customer database credentials in order to troubleshoot customer issues, and SaaS OAuth tokens in order to securely and continuously extract data without actual user credentials.

  • Customer metadata - Winnow Analytics, Inc. retains data points such as table and column names for each integration so that this information can be shown to your organization in Winnow Analytics, Inc.'s user interface.

  • Event data from Webhooks and Snowplow.js - Winnow Analytics, Inc. stores customer event data for the aforementioned integrations in an AWS S3 bucket within Winnow Analytics, Inc.'s VPC in the event that a customer should wish to perform a full resync of their event data.

  • Temporary data - Some data integration or replication processes may use ephemeral data specific to a data source. This stream of data is essential to the integration process, and is deleted as soon as is possible, though it may briefly exceed 24 hours in rare instances.



Solution infrastructure


Winnow Analytics, Inc.'s infrastructure is protected by a VPN, to which only named Winnow Analytics, Inc. employees have access via 2-Factor Authentication. All Winnow Analytics, Inc. processes operate within a defined Amazon Virtual Private Cloud (VPC) or VPC subnet, and connections between the two are further encrypted using SSL.



Physical and Environmental safeguards


Since Winnow Analytics, Inc. relies on AWS, physical and environmental security is handled entirely by Amazon. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1/2-3, PCI-DSS and ISO27001. See Amazon compliance and security documentation for more detailed information.



Your organization permissions

  • Members can use Single Sign-On through Google Apps.

  • Only members of your organization registered within Winnow Analytics, Inc. and Winnow Analytics, Inc. operations staff have access to your organization's Winnow Analytics, Inc. dashboard.

  • Your organization's Winnow Analytics, Inc. Dashboard provides visibility into the status of each integration, the aforementioned metadata for each integration, and the ability to pause or delete the integration connection - not organization data.

  • Organization administrators can request that Winnow Analytics, Inc. revoke an organization member's access at any point; these requests will be honored within 24 hours or less.



Company policies

  • Winnow Analytics, Inc. requires that all employees comply with security policies designed to keep any and all customer information safe, and address multiple security compliance standards, rules and regulations.

  • Two-factor authentication and strong password controls are required for administrative access to systems.

  • Security policies and procedures are documented and reviewed on a regular basis.

  • Current and future development follows industry-standard secure coding guidelines, such as those recommended by OWASP.

  • Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.



Compliance and privacy

  • Winnow Analytics, Inc. regularly (annually) undergoes its own, independent AT101/SOC2 audit, and the report is made available under NDA to all existing and prospective customers by request under NDA. This comes in addition to the benefits from the comprehensive set of Amazon AWS compliance programs.

  • Winnow Analytics, Inc., in its potential role as data subprocessor, adheres to the principles of the EU94/95 privacy rules as well the upcoming GDPR rules when they are in effect.

  • Winnow Analytics, Inc.'s Privacy Policy



Under The HIPAA Security Rule, Winnow Analytics, Inc. does comply with HIPAA requirements for Protected Health Information (PHI) and will sign a Business Associate Agreement (BAA) with customers who are subject to HIPAA mandates (typically, HIPAA covered entities). Winnow Analytics, Inc. is not a covered entity under HIPAA rules, and therefore cannot be "HIPAA compliant", since HIPAA itself applies to covered entities (that is, those entities that are subject to regulation by the HHS). Winnow Analytics, Inc. serves as a data pipeline, which means that PHI traversing the Winnow Analytics, Inc. environment is never permanently stored. All transmissions are encrypted using industry best practices (at present, TLS 1.2+). Temporary storage may occur when the amount of data transmitted exceeds the capacity for real-time processing, and as a result, requires short-term caching. Such temporary storage is encrypted and never resides in Winnow Analytics, Inc. systems for more than 24 hours.



In the event of a data breach


To date, Winnow Analytics, Inc. has not experienced a breach in security of any kind. In the event of such an occurrence, Winnow Analytics, Inc. protocol is such that customers would be made aware as soon as the compromise is confirmed.