We take our customer data security seriously.  Data transmitted over the internet is encrypted in transit over HTTPS using TLS 1.2, and any data we store for our internal processes and configurations is encrypted at rest with AES-256 encryption using an AWS KMS managed key.  Backups are encrypted and securely destroyed when their retention period has expired.  The ability to administer keys is strictly limited to a shortlist of trusted individuals approved by management and the security team.  It is not possible to delete a key that has been used to encrypt a volume we currently manage, ensuring we always have access to encrypted data.  

Information Classification and Protection

Narrative Science classifies any information we store under the following categories:

  • General/Public information

  • Personally identifiable information (PII)

  • Data that falls under the General Data Protection Regulation (GDPR)

  • Information classified by customers as sensitive

  • Information classified by Narrative Science as sensitive

Whenever possible, we design our systems not to collect any sensitive information. We take all requests to remove sensitive information seriously and will respond quickly.  We have an established and documented process to remove customer information from our systems and will do so upon request.  

Data Source Credentials

Narrative Science loads data from customers’ sources to Lexio via a vendor (Stitch), which is SOC2 and HIPAA certified. Their security details can be found here. Stitch stores credentials for data sources; Lexio never stores or directly sees credentials for a data source. For Salesforce connections, an OAuth token is passed from Lexio servers to Stitch via a secure API request. For all other connections, credentials are entered directly into Stitch.