DCA Security Policy and Protocols

Data Security Policy

At Diaz & Cooper, we take our Clients’ security and privacy concerns seriously. We strive to ensure that Client data is kept as securely as possible when in our control, and that we collect only the data that is required to provide our services in an effective manner. Data security is a shared responsibility between Client and Agency, and it requires an effective security management program that combines technologies, disciplines and processes.

Please note that Diaz & Cooper is a marketing agency, not a data security specialist. We are not internet security experts and do not have the personnel or internal resources to provide cyber-security services, penetration testing, etc. Therefore, we never handle or receive sensitive data belonging to our Clients’ customers, including but not limited to: financial account numbers, social security numbers, insurance information, sales transactions, medical information, credit card numbers, etc.

To prevent unauthorized access and ensure the correct use of Client information, we have put in place physical, electronic, and managerial procedures to safeguard data. We restrict access to information to those with the need to know that information in order to provide services.

  • We require use of 2-factor authentication for access to our email accounts, which are hosted by Gmail. Google publishes its email security protocols.
  • All shared Client files such as marketing assets are stored online on Google Drive and all employees are required to use 2-factor authentication for access.
  • Encryption-protected documents for sharing passwords and logins
  • We keep passwords secure in a SOC 2 Type II compliant password manager (LastPass) with 2-factor authentication enabled.
  • Credentials are shared via an encrypted Excel document, emailed securely, with the password to open the encrypted document sent via text message or a separate email to our webmaster.
  • Every quarter, we conduct a security sweep, following recommendations from Google and LastPass, and verifying that personnel have the proper access levels to our internal and Client systems.
  • All employees and subcontractors sign Non-Disclosure Agreements
  • Diaz & Cooper verifies new employee identity using eVerify and we conduct a criminal records check using an online platform.
  • All employees are required to take HubSpot's Data Privacy course. Additionally, new employees/contractors are required to take an online data security course that covers best practices for protecting data from loss, modification or theft, whether through data mishandling or through malicious attempts.
  • Use of third-party webhosting services which follow the ISO 27001 security standard
  • Use of third-party platforms (such as Stripe, PayPal and Authorize.net) to handle payment verification
  • Use of third-party shopping cart and eCommerce platforms that have been pre-approved by Client’s security team
  • Installing SSL certificates on all Client websites
  • Recommendations for third-party security scanning prior to launching eCommerce websites
  • Where appropriate, we enable GDPR and CCPA compliance functionality through third parties (MailChimp and HubSpot) on behalf of Clients to follow privacy laws. Any DCA-stored sensitive information is either stored securely in a SOC 2 Type II compliant password manager or in Google Drive (protected by 2-factor authentication). HubSpot and MailChimp each publish their own CCPA and GDPR policies.

Diaz & Cooper cannot guarantee that any of our internal practices and procedures will prevent a security breach or hacking attack. We strongly recommend the use of cyber-security and/or data risk management specialists for companies that have compliance requirements (such as HIPAA, SOAC, GLBA, PCI, FISMA, etc.) or any concerns about network or information security.

If Client uses its website to collect, store, display, process or otherwise use sensitive or confidential information then Diaz & Cooper at its sole discretion may require Client to utilize certain third-party services to improve the security of Client’s website.

Such third-party services may include security certificates, hosting Client’s site on a Virtual Private Server (VPS) or on a private server, and using programming that encrypts the sensitive or confidential information used by Client’s website. Client understands and acknowledges that there may be costs associated with these services and agrees to pay for said services if used by Client. Diaz & Cooper reserves the right to terminate Client accounts that refuse to meet security requirements for Client’s website or compliance requirements for email marketing.