Security

  1. Authentication
  2. Data Residency
  3. Hosting & Physical Security
  4. Encryption
  5. Storage
  6. Payments
  7. Data Processing Addendum (DPA)
  8. HIPAA

Dataimporter.io takes security very seriously. We follow best practices when it comes to data security, and only selected employees can access our databases.

Authentication

We offer both Salesforce OAuth 2.0 and email and password authentication methods. Passwords are hashed and salted. We can never access your plain-text password and will never ask you for your password, or for your Salesforce password.

Your OAuth tokens are encrypted and stored in our database for processing your data. You can revoke access to our app at any time by visiting the instances page (https://app.dataimporter.io/instances) and clicking on Disconnect next to the instance.


Data Residency

Dataimporter offers hosting in multiple locations:

Frankfurt, Germany
Dallas, TX
Sydney, AU

You choose which server the data should be hosted on when you sign up for Dataimporter. We cannot transfer accounts / jobs from one region to another. If you wish to move regions, then you will need to sign up in the other region.

Dataimporter does not perform any cross-region data transfer. All of the file storage, credentials, and processing will occur in the region which you select.

Hosting & Physical Security

Linode provides strict and strong security policies, including but not limited to:

- Access to the data center floor is restricted to data center employees and authorized visitors.
- Data Centers are staffed 24/7/365 with security guards and technicians.
- All employees and visitors are identified using biometrics and state-issued IDs before entering the facility.
- HVAC and power have redundant systems, so if one goes out, the others keep our systems powered and within operating temperature.
- All of Linode's systems are segregated from other tenants by locking cabinets. Only datacenter staff assigned to supporting Linode systems have access to the keys.
- Multiple Internet carriers use independent fiber connections to the data center floor.
- Our networks within the data centers have redundant routers, switches, and service providers. Multiple systems can fail without causing downtime or affecting performance.

The Linode data centre in Frankfurt is both ISO/IEC 27001:2013 and PCI DSS compliant.

We have firewalls on our servers, with only the necessary ports open, and only to specific IP addresses.

Encryption

Dataimporter.io encrypts your data with AES 256-bit at rest. This includes the connection parameters you provide, e.g. Postgres database credentials, Dropbox OAuth tokens, and Salesforce OAuth tokens. We regularly rotate our encryption keys, and only certain staff members have access to the tokens and to your data.

Dataimporter makes API calls to your external systems and to Salesforce to transfer your external data. This means that data coming from external sources is only held in memory, and not on disk.

Manually uploaded CSV and Excel files are encrypted and stored for 1 hour, for the upload process to complete, and then permanently deleted.

All our services are provided via HTTPS. All information is encrypted in transit via TLS. 

Storage

We store the following data:

- User data – As part of registration you must provide your first name, last name, email address, company name, and country.
- Data Connection parameters – If you connect to an external data source, e.g. Dropbox, we will store the OAuth token.
- Data Connection metadata – We also store metadata about the external source, e.g. Type, Name etc. This is to provide you with a friendly interface, as well as to assist us with debugging / logging.
- Job Run History – We provide the history of which jobs have been run. This is so that you can audit your processed jobs as well as perform functions such as Rollback. The result files are stored for 14 days after the jobs have been processed.

Enterprise Customers can control how long their data is stored on Dataimporter servers, if at all, via their Account Settings page.

Payments

Dataimporter.io uses Stripe (https://www.stripe.com) as our payments provider. Stripe is a PCI Level 1 Service Provider. All Credit Card information is processed using HTTPS for all requests over TLS. All Credit Card information is encrypted at rest.

We store the last 4 digits, the expiry, and the brand of the credit card on our servers.

Data Processing Addendum (DPA)

Here you can view the latest version of our DPA. If you would like a signed or amended copy then feel free to email us at support@dataimporter.io with your request and we will get back to you as soon as possible. Dataimporter.io complies with the European Union's General Data Protection Regulation (GDPR).

HIPAA BAA

Dataimporter can sign a business associate agreement to meet HIPAA requirements. Please contact support@dataimporter.io about this.