Policies and Plans
Last Updated May 25, 2017
LoanPro Software strongly supports and believes in security and privacy. The following policies and procedures outline how we protect customer data.
INFORMATION THAT WE COLLECT - LoanPro Software collects information about both our Free-Trial and SaaS-Agreement Clients. This information includes personally identifiable data that you provide directly such as name, address, company name, and data gathered by our software such as browser type, time, location, and IP address from which the software is accessed. LoanPro Software does not offer services or sell products to children and does not request or knowingly collect personally identifiable contact information from minors.
COOKIES - The software we provide may set cookies in your web browser to store information during a period of software use. This information is necessary for various tools and features of the software including the collector queue, search parameters, and other features that use cookie data.
WHAT WE DO WITH COLLECTED DATA - LoanPro Software uses collected, non-personally-identifiable data to analyze and review our products to improve and enhance them. We also offer business opportunities to our clients on an opt-in basis for products, or connections that we deem relevant to that Client. We may use the data collected and share it in the normal operation of business to provide services that are integrated with our offerings. We may also share data with affiliated companies to market these integrated products and services, however, any products and services offered will be offered on an opt-in basis only. Note: LoanPro Software does not sell personally identifiable data to unrelated 3rd parties (no cold calling). LoanPro Software does share information with its related entities only in accordance with strict data security procedures.
DATA OWNERSHIP - All information or feedback that is provided to LoanPro Software, LLC becomes the express property of LoanPro Software, LLC with no intention or requirement of compensation for said material. During the Free-Trial period use of data entered into LoanPro Software is governed by section 2.2 of the Agreement. After activation data ownership is governed by section 4 of the SaaS agreement.
PUBLICITY - LoanPro Software shall keep current client lists private, unless disclosure of the client or client’s company as a current client of LoanPro Software is agreed to by the Client. LoanPro Software will not broadcast or create a press release announcing the agreement between parties unless agreed to by both parties.
CONFIDENTIAL INFORMATION - Confidential Information is defined in the SaaS Agreement. The party receiving Confidential Information will not disclose it to any person or use it for any purpose, except as expressly permitted by the Agreement. The receiving party may disclose Confidential Information only to its employees and contractors who need to know such information and who are bound to keep such information confidential. The receiving party will give Confidential Information at least the same level of protection as it gives its own confidential information of a similar nature or sensitivity, but not less than a reasonable level of protection. The receiving party will maintain Confidential Information in a safe and secure place and will not copy such information, except to the extent reasonably necessary for the purposes of this Agreement.
DATA SECURITY - LoanPro Software, LLC takes at least industry-standard precautions to protect our customers' information. When customers submit sensitive information, it is protected using safe and secure methods reasonably available. LoanPro Software is fully PCI Compliant in the storing and transmitting of credit card information via PCI-Wallet. In addition to PCI compliance and data encryption we also use industry-standard security procedures to protect data off-line. Our employees use customer-provided support codes to gain access to data in order to provide support. Through this system, a record is automatically kept of who authorized such support & who provided the support. All data access by LoanPro Software is restricted to within our offices and data center. Only employees who need the information to perform a specific job are granted access to personally identifiable information. Our employees must use a secure shell (ssh) to access this information and must also be allowed access from a specific IP address within our offices. Furthermore, All employees are kept up-to-date on our security and privacy practices to avoid security breaches through what is called "social engineering." Important details and changes are discussed in staff meetings and email memos. Finally, the servers on which we store personally identifiable information are kept in a secure environment, protected by a firewall and kept in a secure room in our data centers, currently with Amazon AWS.
|FACTS||WHAT DOES LOANPRO SOFTWARE DO WITH YOUR PERSONAL INFORMATION?|
|Why?||Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires lenders to tell you how they collect, share, and protect your personal information. Please read this notice carefully to understand what we do.|
|What?||The types of personal information we collect and share depend on the product or service you have with us. This information can include:
|How?||All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons LoanPro Software, LLC chooses to share; and whether you can limit this sharing.|
|Reasons we can share your personal information||Does LoanPro Software, LLC share?||Can you limit this sharing?|
|For our everyday business purposes-such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus||YES||NO|
|For our marketing purposes-to offer our products and services to you||YES||NO|
|For joint marketing-with other financial companies||YES||NO|
|For our affiliates’ everyday business purposes-information about your creditworthiness||YES||We don't share|
|To limit our sharing||
|Questions?||Call 1-800-559-4PRO or go to loanprosoftware.com|
|Who we are|
|Who is providing this notice?||LoanPro Software, LLC|
|What we do|
|How does LoanPro Software protect my personal information?||To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.|
|How does LoanPro Software collect my personal information?||We collect your personal information, for example, when you:
|Why can’t I limit all sharing?||Federal law gives you the right to limit only
|Affiliates||Companies related by common ownership or control. They can be financial and nonfinancial companies.|
|Non-affiliates||Companies not related by common ownership or control. They can be financial and nonfinancial companies.
Non-affiliates we share with can include service providers and integrated partners for feature offerings.
|Joint Marketing||A formal agreement between non-affiliated financial companies that together market financial products or services to you.
Our joint marketing partners include financial institutions, service level providers, industry consultants and other lending companies.
|Other Important Information|
Data Backup Policy
Data Backup Policy
Last Updated May 25, 2017
LoanPro operates on the AWS (Amazon Web Services) platform. This gives us the ability to provide several data backup features.
Hot Standby — Our company employs a real-time “hot standby” database for all operating SQL databases, which provides SQL database server redundancy in multiple geographic locations. Our database infrastructure utilizes synchronous, physical replication to keep data on the remote standby servers up-to-date with the primary servers. This allows for instantaneous failover of the operating database in case of hardware or network failure.
Point-In-Time Recovery — Our company utilizes Point-In-Time Recovery (PITR) for the entire database and individual database tables. This is achieved through Amazon RDS (relational database server) automated backups. This means that, in case of hardware failure, or data corruption we have the capability to easily roll back or restore the database to any single point in time within the previous seven days.
Daily Backups — LoanPro also runs a nightly process that exports and backs up all SQL database tables and stores those backups on Amazon's secure, cloud-storage system (Amazon S3) for a period of 30 days. After 30 days have passed, the daily SQL backups are rotated to a secure long-term, magnetic storage system for archive (Amazon Glacier).
All documents, images, and files uploaded to the software are hosted in Amazon S3 cloud storage with versioning. This versioning allows us to retrieve not only the most recent version of the file, but up to the last 100 saved revisions of the file.
Please note that backup procedures and data-retrieval protocols are based on Amazon’s current product line, which is subject to change. If Amazon changes its products or services in a way that materially, adversely affects LoanPro and its customers, LoanPro will use all reasonable efforts to negotiate a remedy with Amazon, or to find a substitute provider or method to provide the same service.
Data safety and integrity are top priorities at LoanPro. We take the safety of your business data very seriously.
Disaster Recovery Plan
Disaster Recovery Plan
Last Updated October 20, 2017
LoanPro has implemented measures to mitigate the threat of disaster.
Database Failure — In the event that one or more of our primary databases fails, we employ a synchronized backup database, in a separate geographic location, that will take over. Should every primary database and corresponding hot standby fail, we keep 30 days worth of daily server backups, which are stored on Amazon's S3. Every 30 days, these data backups are stored in a magnetic format that can be put into service in 24-hours if all other backups fail. See Data Backup Policy for more details.
Server Failure — LoanPro has spent significant time structuring our code to make it possible to add new server instances on the fly. If any server fails, we can automatically create a new server and bring it into service. In addition we employ a dynamic load balancer to route traffic automatically which will result in limited/no impact to our clients in the event of a server failure.
Security Breach — LoanPro employs the latest security measures and testing to keep unauthorized users out of our software. Customer databases are separated to keep users from unauthorized data access. LoanPro stores personally identifiable information with a minimum of 256-bit encryption, making data that was illegally accessed very difficult, if not impossible, to use. Please review our data security breach policy for more details on how such an event would be handled.
Significant Loss of Personnel — LoanPro employs personnel in multiple countries across many geographic areas. While a reasonable number of them work at our main office, many of them, including a portion of our key personnel, work in satellite offices of sufficient distance that they would not all be affected by a localized disaster. Our company has policies and procedures in place that allow us to conduct normal business even if we suffer a significant loss in personnel.
Loss of Key Personnel — In the event that LoanPro loses a significant number of key personnel, there is an established hierarchy in place that dictates seniority among existing officers. LoanPro has also worked hard to document its policies, procedures, relationships, and code base to enable new and existing employees to carry on company operations if key personnel are lost. We have implemented a company knowledge base that includes documentation on every area of the business in an attempt to decentralize information and eliminate "islands of knowledge".
System Monitoring — We have both automatic 24x7 system monitoring as well as a rotating on-call Development Operations team monitoring the software application at all times. This business policy results in very short response times to address any disasters that may occur.
Business Continuity Plan
Business Continuity Plan
Last Updated May 27, 2017
It is our top priority to make your company data available to you when and where you need it, in the cleanest, most organized way that is reasonably possible. The purpose of this Business Continuity Plan is to outline how we will fulfill our purpose, even if a disaster were to affect our operations.
The technical details of how our software application will operate during a disaster are outlined in the Disaster Recovery Plan. The purpose of this document is to outline how our team will continue to provide assistance to our clients during a disaster.
Software Application — our software system, as outlined in the Disaster Recovery Plan, is hosted on the AWS (Amazon Web Services) cloud. This mitigates interruption in the availability of our software if a disaster strikes our physical offices or data centers. For a more in-depth review of how we work to keep the application running normally, please review the Disaster Recovery Policy.
Support & Phone System — We utilize VoIP phone systems with a fallback to landlines (or mobile phones) in case of power or internet outages. In addition, all of our support centers operate with multiple internet providers and onsite backup generators in case of power outages. If a disaster were to disable our office for an extended period of time, we have the ability for support staff members to work remotely until the disaster is resolved. This allows us to continue to serve our clients throughout the disaster.
Geographic Diversification — We have diversified operations in multiple locations, including our headquarters in Farmington, Utah USA. In addition to our headquarters we have small offices in Phoenix, Arizona USA, and Hermosillo and Guadalajara, México. This diversification ensures that a local disaster will not affect our entire team. We also utilize servers across two continents that are backed up in geographically separate locations. This will ensure that at least part of our team has Internet access to be able to continue providing assistance and support to our clients.
Non-Time Critical Recovery — LoanPro has insurance to cover our building, furniture, computers, etc. at our physical locations. The architecture and design of our software, in tandem with its implementation in the AWS Cloud, limits recovery time for impacted items to our clients. In the event of a disaster equipment and personnel at our physical office are not required in order for the application to remain fully functional.
Data Security Breach & Incident Management Policy
Data Security Breach & Incident Management Policy
Last Updated September 8, 2017
LoanPro Software enforces rigid security protocols to prevent data security breach. These controls cover physical data access, need-to-know personnel access, and sophisticated, data-storage procedures including encryption, rotation of keys, firewalls, and other security measures. The purpose of this document is to outline our policies and procedures in the unlikely event that our security protocols are breached.
At a minimum, LoanPro Software uses industry-standard practices to protect our customers' information. When customers submit sensitive information, it is protected using the most safe and secure methods that are reasonably available.
Payment Profile Information — LoanPro Software achieves PCI Compliance through our integration with another Simnang product, PCI-Wallet, which has a primary focus of PCI-Compliance and payment processing. Using PCI-Wallet for this express purpose makes it easier to keep up with the rigorous PCI standard. Some of the requirements include: password changes every 90 days, rotating encryption keys, internal data security procedures and policies. PCI-Wallet maintains a PCI-DSS Level 1 Attestation of Compliance (AOC).
Data encryption is important to LoanPro Software and its clients. Information that is deemed sensitive (e.g. social security numbers, birthdays, and other personal information) is stored in encrypted form.
Data Access — We use at least the industry standard security procedures to protect data off-line. Our employees use customer-provided support codes to gain access to data in order to provide support. Through this system, a record is automatically kept of who authorized each support transaction and who provided the support. All data access by LoanPro Software is restricted to within our offices and data centers. Only employees who need the information to perform a specific job are granted access to personally identifiable information. Our employees must use a secure shell (ssh) to access this information and must also be allowed access from a specific IP address within the office. Furthermore, all employees are kept up-to-date on our security and privacy practices to avoid security breaches through social engineering. Important details and changes are discussed in staff meetings and memoranda. Finally, all servers are kept in a secure environment, protected by a firewall and kept in a secure room in our data centers.
Actions in the Event of Data Breach
Identify and Confront Attack Points — LoanPro will take the following steps in the event of a data breach: identify and close vulnerabilities, reinforce, report. If a security breach occurs, our first action will be to identify the vulnerability that allowed the breach to occur. Once a point of vulnerability is identified, our team will implement the necessary controls to limit and/or close it. We will then deploy the necessary controls to limit the spread of any data breach that occurred. This includes the reinforcement of security protocols. Finally, as required by law, LoanPro Software will provide written notice to the affected parties.
Provide Notice — LoanPro Software shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by LoanPro Software. If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:
- Written notice will be provided to the affected individuals using US Mail, unless the cost is excessive or insufficient contact information exists. The excessiveness of cost consideration will be the decision of LoanPro Software’s CIO and its legal counsel.
- If written notice to the affected individuals is not reasonably feasible, the following methods will be considered for providing notice:
- Personal e-mail notices (provided addresses are available),
- An informational web site.
Report to Authorities — Any attempt to circumvent data security is a violation of the SaaS Agreement. All attacks on LoanPro Software IT resources are infractions constituting misuse or vandalism or other criminal behavior. Reporting information security breaches occurring on LoanPro Software systems and/or on LoanPro Software networks to appropriate authorities is a requirement of all persons affiliated with LoanPro Software in any capacity, including staff and contractors.
Suspected or Confirmation Security Breaches — Suspected or confirmed information security breaches must be reported to LoanPro Software authorities. This includes the affected management. Contact the LoanPro Software by sending an email to firstname.lastname@example.org or by calling (800) 559-4PRO LoanPro Software will then investigate the report, and if a security breach of private and/or highly sensitive information occurred, will inform its Chief Information Officer (CIO) and/or law enforcement, as appropriate.
Expected Actions The entity responsible for support of the system or network under attack is expected to:
- Report the attack to management
- Block or prevent escalation of the attack, if possible
- Preserve evidence of the incident for future investigation
- Repair the resultant damage to the system
If the data in question is defined as personally identifiable and was not in an encrypted format, a public notification may be warranted. For the purposes of this policy data is defined as personally identifiable if it includes a name (first and last name or first initial and last name) in combination with any of the following: Social Security Number, Bank Account Number, Credit, or Debit Card Account number with security access, or password that would permit access to the account. Personal information that is publicly and lawfully available to the general public, such as address, phone number, and email address, are not considered private information for the purposes of this policy.