Dromo WebinarLearn how Dromo can solve your data importing problems

Register now
Blog Home

5 Security and Privacy Questions for your Data Importer

Micah Buckley-Farlee

Updated July 14, 2023

• 3 min read


  • While some vendors insist on processing or storing user data on their servers, others allow you to keep your user data completely private.
  • A SOC 2 audit provides independent certification of security controls.
  • For stringent security requirements, self-hosted deployment options let you process and store everything in your own environment and maintain full control.

You've done your due diligence. You're ready to leave the exhausting, time-consuming world of maintaining your own data importer. But with the increasing incidence of data breaches and identity theft, you have understandable reservations. The last thing you need is to jeopardize the data of your customers and business by rushing to a decision.

That's why we've compiled this guide – to help you choose a secure, privacy-first data importer with confidence.


How do you handle the data we share with you?

Not all data is created equally. Different types of data require varying degrees of care. An ideal data importer understands this and knows how to handle each type diligently. Let's break it down:

Directly Shared Data: Your Personal Information

When you register for an account, buy a product, or ask a question through the website, you are directly sharing information such as your email address or billing information. Review the vendor's Privacy Policy so that you know how personal data like this is handled and with whom it is shared.

Indirectly Shared Data: Your End Users' Personal Information

End users – such as the customers you invite to use your import tools – can share any kind of data through data importers, and that might include sensitive internal business data or personal data.

Wherever a vendor processes or stores this data on its own servers, it is incumbent on you to ensure that they are handling this data appropriately. Look for language in the Terms of Service and Privacy Policy that explicitly refer to end user data, as opposed to data that you share directly.

Do they give you the right to delete this data? Do they commit to only using this data as necessary to provide their service? Be alert for vendors that do not articulate this distinction, or that carve out rights to train algorithms on your user data or monetize it in any way.

Can I opt-out of having you process or store my customer data at all?

The best approach to data privacy is the one where your vendor never sees your data at all.

– Dave Fort, CEO at Dromo

Some vendors provide product configurations that prevent end user data from transiting their servers in the first place. Look for end-to-end in-browser processing that can parse, validate, and transform CSV and Excel files entirely in the context of the end user's web browser.

Ask about options to store processed data within your own cloud storage layer without providing read-access to the vendor.

Is your privacy policy compliant with GDPR and CCPA?

If you have users in California, the European Economic Area, or United Kingdom, they have extra rights when it comes to how data about them is handled under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

This may include rights to know what data the vendor is collecting, to know the legal basis on which it is processed, to opt-out of non-essential cookies, and many more. Make sure your data vendor accounts for the rights of your end users in it security and privacy practices.

Can I read your security report?

Every company that is serious about security should have a current security report detailing its posture and controls. Does it commit to notifying you in the event of a data breach? Does it encrypt data in transit and at rest? Does it routinely probe its systems for weaknesses?

Who has reviewed these controls?

There's a massive difference between words on a website and independent review of security policies. Instead of relying on the company's word alone, look for external certification from a trusted third party, such as a SOC 2 audit. The American Institute of CPAs (AICPA) developed the SOC 2 "trust service principles" to guide its auditors in evaluating whether companies are securely managing data and protecting customers' privacy.

5. Do you offer self-hosted options?

If you have particularly stringent security requirements, you may opt for a data importer that lets you host everything yourself – including all the metadata generated by your imports – completely within your cloud environment.

With all backend processing and storage occurring on your own servers, you have full control over your data security and privacy. In that case, look for a vendor that offers a self-hosted option where you can deploy their service via Kubernetes or Docker in your own cloud infrastructure.