MailChimp


MailChimp is an online email marketing service based in Atlanta, Georgia, USA, operating since 2001. Support is available by email, live chat and an online knowledge base. MailChimp offers two-factor authentication (via its AlterEgo app) and encrypts all data in transit between your computer and its servers, but it does not state that data is encrypted at rest on its servers. MailChimp does not disclose its data centre locations or any data centre security certification; the only certification it cites is the U.S.–E.U. Safe Harbor privacy framework, and it is TRUSTe certified for privacy. For 2012 MailChimp reported 99.96% availability (inaccessible for 0.04% of the year, roughly 3.5 hours). MailChimp's terms state that “you retain ownership of the materials that you upload to the service.” Upon termination, MailChimp may permanently delete your account and all data associated with it.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name MailChimp
Company Website http://mailchimp.com/
Company Phone Number Not available
Company Email Address customersupport@mailchimp.com
Physical Address MailChimp
512 Means St
Suite 404
Atlanta, GA 30318 USA

What services does this disclosure apply to?
MailChimp

What country holds legal jurisdiction over the service(s)?
USA, State of Georgia
http://mailchimp.com/legal/terms/

How long has your company been operating?
Since 2001
http://mailchimp.com/about/

How long has your company been providing the service(s) covered in this disclosure?
Not available

Is your company currently profitable?
Not available


Customer Support and Service Level Agreement

What are your standard customer support hours?
Online knowledge base and email, 24/7/365.
http://kb.mailchimp.com/home

What channels are available for communication with clients?
Chat and email.
http://kb.mailchimp.com/home

Which is your preferred channel for client communications?
Not available

Do you collect any information from client communications?
Not available

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
Not available

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Yes. Online status page
http://status.mailchimp.com/

Do you make incident reports available to clients after major incidents?
Yes – via MailChimp Blog
Example: http://blog.mailchimp.com/server-status-slow-delivery-today/

What is the expected uptime of the service?
The uptime for 2012 was 99.96%.
http://mailchimp.com/2012/#!/section/the-app

Current uptime can be viewed at http://status.mailchimp.com/

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
Not available


Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Because the information in your Distribution Lists is so sensitive, account passwords are encrypted, which means we can’t see your passwords. We can’t resend forgotten passwords either. We’ll only reset them.
http://mailchimp.com/legal/privacy/

Does the service monitor for any suspicious account activity?
We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity. Certain changes to your account, such as your password, trigger email notifications to the account holder. Omnivore monitors account and campaign activity for signs of abuse. In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
http://mailchimp.com/about/security/

Does your service offer two-step or multi-factor authentication?
Yes, via AlterEgo. AlterEgo is a MailChimp app that was created to add multi-factor authentication to your account.
http://kb.mailchimp.com/article/what-is-alterego/

Does your service offer login via other services?
Not available

Does your service secure all client data in transit?
Yes. MailChimp supports SSL encryption throughout the application.
http://kb.mailchimp.com/article/how-secure-is-our-data-if-we-host-it-through-mailchimp/

Does your service secure client data at rest?
Not directly addressed. The cited source describes transport encryption and per-account database isolation, not encryption of stored data:
MailChimp supports SSL encryption throughout the application.
From a recipient-data-specific standpoint, all accounts receive a unique database once your list reaches what we consider a larger size and then we DO NOT co-mingle data at that point in one “master” database.
http://kb.mailchimp.com/article/how-secure-is-our-data-if-we-host-it-through-mailchimp/

Does your service allow clients to collaborate with 3rd parties?
Not available

Does your primary system reside in a data center with a security certification?
Not disclosed. The only certification MailChimp cites is the Safe Harbor privacy framework, which governs the handling of personal data rather than the physical or operational security of a data centre:
MailChimp complies with the U.S.–E.U. and U.S.–Swiss Safe Harbor Framework, which is overseen by the U.S. Department of Commerce and covers the collection, use, and retention of personal data from European Union member countries and Switzerland. We certify that we follow the principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
http://mailchimp.com/legal/privacy/

Does your backup/disaster recovery system reside in a data center with a security certification?
Not available


Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
No – You retain ownership of the materials you upload to the Service.
http://mailchimp.com/legal/terms/

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
Yes

Does client use of your service generate any metadata or other statistical information?
Yes: We may get information about how and when you use the Services. This information may include your IP address, time, date, browser used, and actions taken by you within the application.
The stated purposes are: to promote use of our services, to bill and collect money owed to us, to send system alert messages, to enforce compliance with terms of use and applicable law, to provide customer support, to protect the rights and safety of our members and third parties as well as our own.
http://mailchimp.com/legal/privacy/


Data Location

Where are the primary systems that host client data located?
Not available

Where are the backup/disaster recovery systems that host client data located?
Not available

Are there any other systems that host client data on behalf of your service?
Not available


Data Access and Use

Does the client have full access to their data during the service contract period?
Yes

Can the client freely download their data from the service during the contract period?
Yes

Can the client easily import/upload their data from a competing service provider into your service?
Not available

Does your service include an API to access client data?
Yes. Currently only JSON is supported for output data.

HTTPS is 100% supported with valid, signed certificates for all API methods. Those manually coding Submit URLs can simply change the http to https in the URL (make sure your connection library supports HTTPS!).
http://apidocs.mailchimp.com/export/1.0/
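The API documentation quoted above tells integrators to change http to https in the Submit URL and to make sure their connection library supports HTTPS. The following Python helper is added here as an example; it is not MailChimp code and the host name, path and query parameters in the usage line are placeholders rather than real MailChimp endpoints. It turns the advice into a fail-closed check: an http URL is rewritten to https, any other scheme is rejected, and the TLS context it hands back is one that actually verifies the server's signed certificate and hostname, shown beside the weak "verify nothing" context that a library call may silently give you.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit


def force_https(url: str) -> str:
    """Return url with an https scheme, failing closed on anything else.

    Hypothetical helper: it applies the docs' "change http to https" advice
    mechanically, so a plaintext URL pasted from an old integration cannot
    silently send the API key and list data unencrypted.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if ctx checks the certificate chain AND the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verified_tls_context() -> ssl.SSLContext:
    """TLS client context that validates the server's signed certificate.

    This is the concrete meaning of "make sure your connection library
    supports HTTPS": a client that negotiates TLS but skips verification
    would accept any certificate an interposed party presents.
    """
    # Loads the system CA store and sets CERT_REQUIRED plus check_hostname=True.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_tls_context_for_comparison() -> ssl.SSLContext:
    """The weak setting many snippets copy: looks like HTTPS, verifies nothing.

    Constructed here only so context_is_verifying() can be shown rejecting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Placeholder host, path and parameters; not a real MailChimp endpoint.
    url = force_https("http://api.example.invalid/export/1.0/list?apikey=KEY&id=LISTID")
    print(url)
    print("default context verifies:", context_is_verifying(verified_tls_context()))
    print("CERT_NONE context verifies:", context_is_verifying(unverified_tls_context_for_comparison()))
```

Pass the context from verified_tls_context() to whatever HTTP client you use; if the client has no way to take a verifying context, that is the signal the documentation's caveat is warning about, and the API key in the query string should be treated as exposed.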

Following termination of the service, will the client be able to access their data?
No
http://mailchimp.com/legal/terms/

Following termination of the service, is all client data deleted?
Once terminated, we may permanently delete your account and all the data associated with it, including your emails from our Website.
http://mailchimp.com/legal/terms/

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Should an account owner ever reach out to our support team for assistance, a support member can shadow an account. Otherwise employee access on our end is limited.
http://kb.mailchimp.com/article/how-secure-is-our-data-if-we-host-it-through-mailchimp/

Does your company use client data or information for any business function (other than the provision of the service)?
To protect the rights and safety of our Members and third parties, as well as our own. To prosecute and defend a court, arbitration, or similar proceeding. To send you informational and promotional content that you may choose (or “opt in”) to receive.
http://mailchimp.com/legal/privacy/

Does your company use client data or information to generate revenue (other than the provision of the service)?
No

Do you access client data in any additional circumstance not yet specified in this disclosure?
Not available


Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
If a security breach causes an unauthorized intrusion into our system that materially affects you or people on your Distribution Lists, then MailChimp will notify you as soon as possible and later report the action we took in response.
http://mailchimp.com/legal/privacy/

Do you notify clients if their data has been lost or compromised?
If a security breach causes an unauthorized intrusion into our system that materially affects you or people on your Distribution Lists, then MailChimp will notify you as soon as possible and later report the action we took in response.
http://mailchimp.com/legal/privacy/


Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
Not available

What method is used to perform service/client data backups?
Every user’s information is stored on a database shard. Each shard has two separate machines: one active machine that’s handling the day-to-day activity and an inactive machine that is synced up and waiting to step in just in case something goes wrong. There’s a third machine in a separate geographical location a few seconds behind these two machines. On top of all of that, we make a full backup of the entire shard every day, just in case something happens to our active machine and our inactive machine and the backup. Most system problems aren’t even noticed by anyone not in MailChimp HQ. If there’s a severe and catastrophic hardware failure, we have multiple layers of backup that we can use to restore as much data as possible.
http://kb.mailchimp.com/article/does-mailchimp-backup-my-data#details

How long is backup data retained for?
Not available


Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.