37signals (Basecamp, Highrise, Campfire)

37signals provide 3 main cloud services: Basecamp (Project Management Software), Highrise (Customer Relationship Management), and Campfire (Group Chat). 37signals are based in Chicago, Illinois, USA and have been providing cloud services (starting with Basecamp) since 2004. You can contact real, live people through their online support portal with a current average response time of 2 minutes (during business hours). They use encryption to protect your information while in transit between your computer and their servers, but they may not encrypt data stored on servers. 37signals have state-of-the-art servers protected 24/7/365 by onsite staff and sophisticated surveillance monitoring. These measures help 37signals maintain its expected availability of over 99% (the services are expected to be inaccessible less than 1% of the time). 37signals provide tools to allow you to export your data from their Basecamp & Highrise services. They recognize you as the owner of all data uploaded to your account and make no claims to it. Once your 37signals account is terminated, though, all data stored by the terminated cloud service will be deleted immediately.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name 37signals
Company Website http://37signals.com
Company Phone Number Not available
Company Email Address email@37signals.com
Physical Address 30 North Racine Avenue #200
Chicago, Illinois 60607
USA

What services does this disclosure apply to?
Basecamp
http://basecamp.com/

Highrise
http://highrisehq.com

Campfire
http://campfirenow.com

What country holds legal jurisdiction over the service(s)?
USA

How long has your company been operating?
Since 1999.

How long has your company been providing the service(s) covered in this disclosure?
Basecamp – since 2004
Highrise – since 2007
Campfire – since 2006

Is your company currently profitable?
Yes.

Customer Support and Service Level Agreement

What are your standard customer support hours?
Not available

What channels are available for communication with clients?
Email, Online Support Desk
http://help.37signals.com/tickets/new

Which is your preferred channel for client communications?
Not available

Do you collect any information from client communications?
We collect the e-mail addresses of those who communicate with us via e-mail, aggregate information on what pages consumers access or visit, and information volunteered by the consumer (such as survey information and/or site registrations). The information we collect is used to improve the content of our Web pages and the quality of our service, and is not shared with or sold to other organizations for commercial purposes, except to provide products or services you’ve requested, when we have your permission.
http://37signals.com/privacy

What is your standard response time for customer support inquiries?
Currently the average wait time is 2 minutes during business hours. Current wait times and Customer Happiness can be found at: http://smiley.37signals.com/

Do you proactively communicate information about future planned outages and maintenance to clients?
Not available

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Not available

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
Our uptime is over 99%
http://help.37signals.com/highrise/questions/90-is-our-data-backed-up-in-case-of-an-emergency

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
Not available

Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Not available

Does the service monitor for any suspicious account activity?
Not available

Does your service offer two-step or multi-factor authentication?
Not available

Does your service offer login via other services?
Not available

Does your service secure all client data in transit?
Yes.

Your connection to Basecamp, Highrise, and Campfire is encrypted with 256-bit encryption. The connection uses TLS 1.0.

http://help.37signals.com/basecamp/questions/139-how-does-basecamp-classic-keep-my-communications-safe
http://help.37signals.com/highrise/questions/99-how-does-highrise-keep-my-communications-safe
http://help.37signals.com/campfire/questions/236-how-does-campfire-keep-our-chats-secure

Does your service secure client data at rest?
Not available

Does your service allow clients to collaborate with 3rd parties?
Not available

Does your primary system reside in a data center with a security certification?
Our state-of-the-art servers are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides additional protection against unauthorized entry and security breaches.
http://37signals.com/security

Does your backup/disaster recovery system reside in a data center with a security certification?
Our state-of-the-art servers are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides additional protection against unauthorized entry and security breaches.
http://37signals.com/security

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
We claim no intellectual property rights over the material you provide to the Service. Your profile and materials uploaded remain yours.
http://basecamp.com/terms

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
37signals uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run our services. Although 37signals owns the code, databases, and all rights to the 37signals applications, you retain all rights to your data.
http://37signals.com/privacy

Does client use of your service generate any metadata or other statistical information?
When you register for any 37signals product we ask for information such as your name, company name, email address, billing address, credit card information. Members who sign up for the free account are not required to enter a credit card.
37signals uses collected information for the following general purposes: products and services provision, billing, identification and authentication, services improvement, contact, and research. 37signals does not share your personal information with third parties, unless explicitly approved by you.

For further information, please refer to the Privacy Policy:
http://37signals.com/privacy

Data Location

Where are the primary systems that host client data located?
All our servers are located in the US.
http://help.37signals.com/highrise/questions/91-is-highrise-reliable-secure-and-confidential-is-our-data-safe-where-is-the-data-hosted

Where are the backup/disaster recovery systems that host client data located?
All our servers are located in the US.
http://help.37signals.com/highrise/questions/91-is-highrise-reliable-secure-and-confidential-is-our-data-safe-where-is-the-data-hosted

Are there any other systems that host client data on behalf of your service?
Not available

Data Access and Use

Does the client have full access to their data during the service contract period?
Yes.
Clients have full access to their data through the online portal for each service.
Basecamp
http://basecamp.com/
Highrise
http://highrisehq.com
Campfire
http://campfirenow.com

Can the client freely download their data from the service during the contract period?
Yes.
Data can be freely exported from Basecamp and Highrise.
http://basecamp.com/help/guides/account/exports
http://help.37signals.com/highrise/questions/16-can-i-export-notes-deals-or-cases-from-highrise

Can the client easily import/upload their data from a competing service provider into your service?
Not available

Does your service include an API to access client data?
Yes.
37signals provides APIs to allow integration with all of our services.
https://github.com/37signals/api

Following termination of the service, will the client be able to access their data?
All of your Content will be immediately deleted from the Service upon cancellation. This information can not be recovered once your account is cancelled.
http://basecamp.com/terms

Following termination of the service, is all client data deleted?
All of your Content will be immediately deleted from the Service upon cancellation. This information can not be recovered once your account is cancelled.
http://basecamp.com/terms

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Not available

Does your company use client data or information for any business function (other than the provision of the service)?
37signals uses collected information for the following general purposes: products and services provision, billing, identification and authentication, services improvement, contact, and research. 37signals does not share your personal information with third parties, unless explicitly approved by you.
http://37signals.com/privacy

Does your company use client data or information to generate revenue (other than the provision of the service)?
No.

Do you access client data in any additional circumstance not yet specified in this disclosure?
Not available

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Not available

Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
http://37signals.com/security

What method is used to perform service/client data backups?
All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
http://37signals.com/security

How long is backup data retained for?
Not available

Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.