California Consumer Privacy Act Notice: Pursuant to § 1798.110 of the California Consumer Privacy Act (“CCPA”), the categories of Personal Information that we have collected about individual consumers in the preceding twelve months are:
LoanPro does not offer services or sell products to children and does not request or knowingly collect Personal Information from minors.

HOW WE COLLECT YOUR PERSONAL INFORMATION – General

We collect Personal Information when:
You can exercise your rights under the CCPA by calling our toll-free number set forth in the contact information below.

California Minors. California residents under age 18 (“California Minors”) have additional privacy rights under California law. LoanPro does not knowingly collect any Personal Information of California Minors or allow them to post content to our website or subscription service. To have any content or Personal Information provided by or about a California Minor removed, please contact LoanPro at the contact information provided below.

Your Canadian privacy rights. This section applies to residents of Canada only. Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), we are required to comply with certain principles with respect to your Personal Information. These principles are:
If you wish to exercise any of your rights relating to your Personal Information or data under the principles outlined above, you may contact our Data Privacy Officer at the contact information set forth below. We may be unable to remove Personal Information to the extent that it is permitted or required to be retained by applicable law or document retention and data backup policies, or if removal is not practicable due to technological reasons. Please note that removal of your Personal Information may prevent or hinder us from providing further services and information to you.
LoanPro may require you to provide sufficient information to permit us to provide an account of the existence, use, and disclosure of Personal Information. The information provided shall only be used for this purpose.
Your Personal Information may be transferred outside of Canada for processing and storage. LoanPro and its service providers may store Personal Information on servers located in other jurisdictions, including the United States. Please note that privacy laws in such jurisdictions differ from Canadian privacy laws (e.g., PIPEDA) and that in some jurisdictions your Personal Information may be accessed by law enforcement authorities or the courts in such jurisdictions.
PRIVACY POLICIES OF OTHER WEBSITES –
LOANPRO’S CONTACT INFORMATION:
LoanPro Software, LLC 172 N East Promontory, Suite 275 Farmington, Utah 84025
Email: firstname.lastname@example.org Phone: (866) 350-4526
Data Privacy Officer
If you wish to report a complaint or if you feel that LoanPro has not addressed your concerns in a satisfactory manner, you may also contact your state or local data protection authority.
| FACTS | WHAT DOES LOANPRO SOFTWARE DO WITH YOUR PERSONAL INFORMATION? |
| --- | --- |
| Why? | Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires lenders to tell you how they collect, share, and protect your personal information. Please read this notice carefully to understand what we do. |
| What? | The types of personal information we collect and share depend on the product or service you have with us. This information can include: business EIN, address, contact information and other business information; and agent users’ names and contact information. |
| How? | All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons LoanPro Software, LLC chooses to share; and whether you can limit this sharing. |
| Reasons we can share your personal information | Does LoanPro Software, LLC share? | Can you limit this sharing? |
| --- | --- | --- |
| For our everyday business purposes, such as to process your transactions, maintain your account(s), and respond to court orders and legal investigations | YES | NO |
| For our marketing purposes, to offer our products and services to you | YES | NO |
| For joint marketing with other financial companies | YES | YES |
| For our affiliates’ everyday business purposes: information about your transactions and experiences | YES | NO |
| For our affiliates’ everyday business purposes: information about your creditworthiness | NO | We don’t share |
| To limit our sharing | Call 1-800-559-4PRO; visit us online at loanprosoftware.com; or contact us via email at email@example.com. Please note: if you are a new customer, we can begin sharing your information 30 days from the date we sent this notice unless you have expressly directed us to immediately share your information. When you are no longer our customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing. |
| --- | --- |
| Questions? | Call 1-800-559-4PRO or go to loanprosoftware.com |
| Who we are | |
| --- | --- |
| Who is providing this notice? | LoanPro Software, LLC |
| What we do | |
| How does LoanPro Software protect my personal information? | To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. |
| How does LoanPro Software collect my personal information? | We collect your personal information, for example, when you: open an Active or Trial Account; use your payment profile on file; use our websites; or give us your contact information. We also may collect your personal information from others, such as affiliated partners, our Clients and other companies, social media, government agencies, and public records, to provide our services and to comply with government requirements to know our customers. |
| Why can’t I limit all sharing? | Federal law gives you the right to limit only: sharing for affiliates’ everyday business purposes (information about your creditworthiness); affiliates from using your information to market to you; and sharing for non-affiliates to market to you. State laws and individual companies may give you additional rights to limit sharing. |
| Affiliates | Companies related by common ownership or control. They can be financial and nonfinancial companies. |
| Non-affiliates | Companies not related by common ownership or control. They can be financial and nonfinancial companies. Non-affiliates we share with can include service providers and integrated partners for feature offerings. |
| Joint marketing | A formal agreement between non-affiliated financial companies that together market financial products or services to you. Our joint marketing partners include financial institutions, service level providers, industry consultants and other lending companies. |
LoanPro operates on the AWS (Amazon Web Services) platform. This gives us the ability to provide several data backup features. All LoanPro database servers are hosted in AWS RDS, using an Aurora MySQL engine cluster in either provisioned or “serverless” mode.
Hot Standby — Our company employs a real-time hot standby database for all operating SQL databases. Aurora replicates the storage layer synchronously and automatically across multiple Availability Zones, even when the database instance itself runs in a single Availability Zone. This provides data redundancy and also allows instance failover: if the writer instance fails, the cluster automatically promotes a read replica to writer, typically within 30 seconds and with no manual intervention. Failover this fast requires at least one read replica to exist; a cluster with a single instance is instead recreated, which takes longer.
For serverless engines, failover time is currently undefined (typically under 10 minutes), because it depends on demand and capacity availability in other availability zones.
Point-In-Time Recovery — Our company utilizes Point-In-Time Recovery (PITR) for the entire database, achieved through Amazon RDS automated snapshots and Aurora backup data. We can restore the database to one of the existing daily snapshots (up to the past 7 calendar days) or to any point in time within that same period; the latest restorable point typically trails the current time by about 5 minutes. A restore creates a new cluster from the backup data rather than overwriting the running one, so the restored copy can be verified before traffic is moved to it.
Daily Backups — Our company utilizes the snapshot feature of Amazon RDS to do daily incremental backups, up to the past 7 calendar days. These daily backups are redundantly stored in Amazon Simple Storage Service (S3). Amazon S3 redundantly stores data in multiple facilities and on multiple devices within each facility. To increase durability, Amazon S3 synchronously stores snapshot data across multiple facilities before confirming that the data has been successfully stored.
All documents, images, and files uploaded to the software are hosted in Amazon S3 cloud storage with versioning. This versioning allows us to retrieve not only the most recent version of the file, but up to the last 100 saved revisions of the file.
Please note that backup procedures and data-retrieval protocols are based on Amazon’s current product line, which is subject to change. If Amazon changes its products or services in a way that materially, adversely affects LoanPro and its customers, LoanPro will use all reasonable efforts to negotiate a remedy with Amazon, or to find a substitute provider or method to provide the same service.
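The numbers in this policy (7 days of automated backups, storage spread across multiple Availability Zones, versioning on the document bucket, the last 100 revisions retrievable) are only as good as the live configuration. The following Python audit is an added example, not LoanPro's own tooling: it evaluates records in the shape returned by `aws rds describe-db-clusters`, `aws s3api get-bucket-versioning` and `aws s3api get-bucket-lifecycle-configuration` against those numbers. The records are hand-constructed (one compliant cluster, one that has drifted), the assumption that the 100-revision cap is enforced with an S3 lifecycle rule is the editor's, and the encryption and deletion-protection checks are the editor's additions rather than statements from the policy.

```python
"""Audit Aurora cluster and S3 bucket settings against the stated backup policy.

Constructed example: the records below are hand-written in the shape of
`aws rds describe-db-clusters`, `aws s3api get-bucket-versioning` and
`aws s3api get-bucket-lifecycle-configuration` output. They are not real
LoanPro resources.
"""
from datetime import datetime

# Numbers taken from the policy text.
MIN_RETENTION_DAYS = 7        # daily snapshots / PITR window of 7 calendar days
MIN_AVAILABILITY_ZONES = 2    # "replicated to multiple availability zones"
PROMISED_REVISIONS = 100      # "up to the last 100 saved revisions"

# Constructed describe-db-clusters output: one compliant cluster, one that drifted.
DB_CLUSTERS = [
    {
        "DBClusterIdentifier": "prod-aurora",
        "Engine": "aurora-mysql",
        "EngineMode": "provisioned",
        "BackupRetentionPeriod": 7,
        "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
        "StorageEncrypted": True,
        "DeletionProtection": True,
        "EarliestRestorableTime": "2024-03-01T00:00:00+00:00",
        "LatestRestorableTime": "2024-03-08T11:55:10+00:00",
    },
    {
        "DBClusterIdentifier": "staging-aurora",
        "Engine": "aurora-mysql",
        "EngineMode": "serverless",
        "BackupRetentionPeriod": 1,
        "AvailabilityZones": ["us-west-2a"],
        "StorageEncrypted": False,
        "DeletionProtection": False,
        "EarliestRestorableTime": "2024-03-07T12:00:00+00:00",
        "LatestRestorableTime": "2024-03-08T11:58:00+00:00",
    },
]

# Constructed S3 answers for the document bucket. Assumption (editor's, not the
# policy's): the 100-revision cap is enforced by a lifecycle rule that keeps the
# 100 newest noncurrent versions and expires anything older than that.
BUCKET_VERSIONING = {"Status": "Enabled"}
BUCKET_LIFECYCLE = {
    "Rules": [
        {
            "ID": "keep-last-100-revisions",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1, "NewerNoncurrentVersions": 100},
        }
    ]
}


def audit_cluster(cluster: dict) -> list:
    """Return policy findings for one cluster; an empty list means compliant."""
    cid = cluster["DBClusterIdentifier"]
    findings = []
    if cluster["BackupRetentionPeriod"] < MIN_RETENTION_DAYS:
        findings.append(f"{cid}: backup retention is {cluster['BackupRetentionPeriod']} day(s), policy requires {MIN_RETENTION_DAYS}")
    if len(cluster["AvailabilityZones"]) < MIN_AVAILABILITY_ZONES:
        findings.append(f"{cid}: storage spans {len(cluster['AvailabilityZones'])} AZ(s), policy requires {MIN_AVAILABILITY_ZONES}")
    # Editor's additions: encryption at rest covers the snapshots too, and deletion
    # protection stops a cluster delete from taking its automated backups with it.
    if not cluster.get("StorageEncrypted"):
        findings.append(f"{cid}: storage (and therefore its snapshots) is not encrypted at rest")
    if not cluster.get("DeletionProtection"):
        findings.append(f"{cid}: deletion protection is off")
    return findings


def pitr_window_days(cluster: dict) -> float:
    """Days between the earliest and latest restorable times reported by RDS."""
    earliest = datetime.fromisoformat(cluster["EarliestRestorableTime"])
    latest = datetime.fromisoformat(cluster["LatestRestorableTime"])
    return (latest - earliest).total_seconds() / 86400


def audit_bucket(versioning: dict, lifecycle: dict) -> list:
    """Versioning must be on, and no lifecycle rule may keep fewer revisions than promised."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("documents bucket: versioning is not Enabled")
    for rule in lifecycle.get("Rules", []):
        exp = rule.get("NoncurrentVersionExpiration")
        if rule.get("Status") != "Enabled" or not exp:
            continue
        kept = exp.get("NewerNoncurrentVersions")
        if kept is None:
            findings.append(f"rule {rule['ID']}: expires old versions by age alone, so fewer than {PROMISED_REVISIONS} may survive")
        elif kept < PROMISED_REVISIONS:
            findings.append(f"rule {rule['ID']}: keeps only {kept} noncurrent versions, policy promises {PROMISED_REVISIONS}")
    return findings


if __name__ == "__main__":
    for c in DB_CLUSTERS:
        print(c["DBClusterIdentifier"], f"restorable window {pitr_window_days(c):.1f} days")
        for f in audit_cluster(c):
            print("  FAIL", f)
    for f in audit_bucket(BUCKET_VERSIONING, BUCKET_LIFECYCLE):
        print("  FAIL", f)
```

Run against real accounts, the same functions would take the parsed JSON from the three CLI calls; the staging cluster above shows what drift from the policy looks like (1-day retention, a single AZ, unencrypted storage, no deletion protection), while a lifecycle rule that expires noncurrent versions purely by age would silently break the 100-revision promise.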
Data safety and integrity are top priorities at LoanPro. We take the safety of your business data very seriously.
It is our top priority to make our clients’ data available when and where they need it, in the cleanest, most organized way feasible. The purpose of this Disaster Recovery & Business Continuity Plan is to outline how we will fulfill this purpose, even if a disaster were to affect our operations.
A disaster is any event or circumstance that restricts our ability to deliver our software to our customers for more than 24 consecutive hours, or that prevents us from operating out of our current facilities for more than 1 week.
In the event of a disaster, the following would be the priority for recovery of our operations:
1. Continuous Delivery of Our Software
2. Software Development Operations
We have architected our applications to facilitate automatic scaling or adjustment (fail-over). This keeps our applications running as seamlessly as possible, and limits downtime and recovery time, in the event of a disaster. We have also taken steps to ensure adequate data backup (See Data Backup Policy), rapid data recovery, and geographically diverse systems and personnel.
LoanPro Software has well-defined roles for our team members, in the event of a disaster, to ensure efficient recovery of the application. These roles and responsibilities are in force even outside times of disaster. They cover the following areas: Preparation, Testing, Identification, Assessment, Containment, Eradication, Recovery, Post Mortem.
In the event of a disaster that has an impact on the LoanPro Software application our organization will provide updates on the third-party provided Status page.
Our software operates inside the AWS (Amazon Web Services) Cloud platform, which gives us significant disaster recovery options. We operate a “hot standby” database that continuously mirrors data from the primary database, and a “pilot light” system that brings additional server capacity online on demand for queued job processing and web traffic. AWS servers and databases are available in geographically diverse zones to insure against a localized disaster. All of this can be managed remotely through the AWS console, allowing quick deployment and automated scaling as needed. For the EC2 platform, the current AWS service commitment is 99.9% monthly uptime.
We utilize Amazon’s data centers, which are highly secure facilities equipped with electronic surveillance and multi-factor access control systems. They are staffed 24×7 by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems are designed to minimize the impact of disruptions to operations. Because the data centers are spread across multiple Availability Zones within each Region, and across multiple Regions, a localized disaster can be mitigated and managed effectively. For the worst case, our deployment is architected so that the application can be redeployed to a new AWS Region in a matter of hours.
We utilize VoIP phone systems with a fallback to landlines (or cell) in case of power or internet outages. In addition, at all of our support centers we operate with multiple internet providers and onsite backup generators in case of power outages. If a disaster were to disable our office for an extended period of time, we have the ability for support staff members to work remotely until the disaster is resolved. This allows us to continue to serve our clients throughout the disaster.
We have diversified operations in multiple locations, including our headquarters in Farmington, Utah, USA. In addition to our headquarters we have small offices in Tucson, Arizona, USA, and various locations in México. This diversification ensures that a local disaster will not affect our entire team. We also utilize servers across two continents that are backed up in geographically separate locations. This will ensure that at least part of our team has Internet access to be able to continue providing assistance and support to our clients. Our headquarters operates with redundant internet providers to ensure constant connectivity to provide service to our Clients.
LoanPro has insurance covering the building, furniture, computers and other equipment at our offices. Because the software is architected in the AWS Cloud, recovery time for our clients should be very limited in the event of a disaster; our physical office is not required for the application to be fully functional.
LoanPro has implemented measures to mitigate the threat of disaster.
If one or more of our primary databases fails, a synchronized standby database in a separate geographic location takes over. Should every primary database and its corresponding hot standby fail, we keep 30 days’ worth of daily server backups stored in Amazon S3. Every 30 days these backups are also stored in a magnetic format that can be put into service within 24 hours if all other backups fail. See the Data Backup Policy for more details.
LoanPro has spent significant time structuring our code to make it possible to add new server instances on the fly. If any server fails, we can automatically create a new server and bring it into service. In addition we employ a dynamic load balancer to route traffic automatically which will result in limited/no impact to our clients in the event of a server failure.
LoanPro employs current security measures and testing to keep unauthorized users out of our software. Each customer’s data is held in a separate database so that users of one account cannot reach another account’s data. LoanPro stores personally identifiable information encrypted with keys of at least 256 bits, so that illegally accessed data is very difficult, if not impossible, to use without the corresponding keys. Please review our data security breach policy for more details on how such an event would be handled.
LoanPro employs personnel in multiple countries across many geographic areas. While a reasonable number of them work at our main office, many of them, including a portion of our key personnel, work in satellite offices of sufficient distance that they would not all be affected by a localized disaster. Our company has policies and procedures in place that allow us to conduct normal business even if we suffer a significant loss in personnel.
In the event that LoanPro loses a significant number of key personnel, there is an established hierarchy in place that dictates seniority among existing officers. LoanPro has worked hard to document its policies, procedures, relationships, codebase and succession plans to enable new and existing employees to carry on company operations if key personnel are lost. We have implemented a company knowledge base that includes documentation on every area of the business in an attempt to decentralize information and eliminate “islands of knowledge”.
We have both automatic 24×7 system monitoring as well as a rotating on-call Development Operations team monitoring the software application at all times. This business policy results in very short response times to address any disasters that may occur.
LoanPro Software enforces strict security protocols to prevent a data security breach. These controls cover data access by all parties and data-storage procedures, including encryption, key rotation, firewalls and other security measures. The purpose of this document is to outline our policies and procedures in the event that our data security is breached.
At a minimum, LoanPro Software uses industry-standard practices to protect our customers’ information. Sensitive information is protected using the most secure methods that are reasonably available.
Payment Profile Information — LoanPro Software integrates with Secure Payments, a sister product, for the storage of payment information and payment processing. Secure Payments is PCI compliant and maintains a PCI-DSS Level 1 Attestation of Compliance (AOC). LoanPro is integrated according to PCI standards and never directly interacts with payment data.
Data Access — Data access is restricted by username and password authentication. LoanPro offers a multi-factor authentication option to further protect against unauthorized access.
Our personnel have access to client data only when the client authorizes that access by providing a support code. A record is kept of each support transaction, including the authorizing party and the authorized support representative. All data access by LoanPro Software personnel is restricted to our offices through IP filtering. A record is also kept of any changes made inside a client account by LoanPro personnel. Our hiring process includes a full background check for every new employee.
Employees are granted access to information on a need-to-know basis. Employees are regularly trained on our security and privacy practices to avoid security breaches through social engineering. Changes to privacy and security policies are also disseminated immediately through staff meetings and memoranda.
Employees who are authorized to access LoanPro databases must have their IP address whitelisted in order to do so. Access is only permitted through a secure shell (ssh). Permissions to hardware, environments, and data are configured per user, using the principle of least privilege. All servers are housed in Amazon data centers, which use the latest in firewall and other security technology.
LoanPro will take the following steps in the event of a data breach: identify and close vulnerabilities, reinforce, report.
If a security breach occurs, our first action will be to identify the vulnerability that allowed the breach to occur. Once a point of vulnerability is identified, our team will implement the necessary configuration, code, or controls to limit and/or close it. This includes the reinforcement of security protocols. For more information on identifying incidents, see the Incident Types.
We have self-contained and external monitoring that continuously runs on our system. The primary responsibility to identify and address vulnerabilities falls on the on-call personnel in each department of our software division. Once a vulnerability has been identified, our entire software division is responsible for identifying and mitigating vulnerabilities. Departments responsibilities are as follows:
| Responsibility | Departments |
| --- | --- |
| Identify vulnerability | Software Development, Development Operations |
| Eliminate/mitigate vulnerability | Software Development, Development Operations |
| Test vulnerability fix | Software Development, Development Operations, Quality Assurance |
LoanPro Software will provide timely and appropriate notice to affected parties, when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information from LoanPro Software. If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:
Security breach incidents are investigated fully after a fix for these events is put in place. Our internal and external monitoring keeps a detailed log of all events. Access to these logs is also tracked. Access to the logs is given to personnel on a least-privilege basis. The tracking of access to logs serves as the chain of custody documentation for evidence of a breach incident.
If the breach resulted from the actions of LoanPro personnel and was not malicious in nature, a formal reprimand will be placed in the individual’s personnel file. If the same individual causes three non-malicious breaches, the individual’s employment or association with LoanPro will be terminated.
Any attempt to circumvent data security is a violation of the SaaS Agreement. All attacks on LoanPro Software IT resources are infractions constituting misuse, vandalism or other criminal behavior. If the perpetrator of a security breach incident is identified, their information will be reported to law enforcement. When an incident is identified, it is the duty of any LoanPro employee or contractor to report the incident to his or her direct supervisor.
If a LoanPro client or affiliated party suspects or can confirm an information security breach, the breach should be reported to LoanPro Software, either via email to firstname.lastname@example.org or by calling (800) 559-4PRO. LoanPro Software will investigate each report. Once the incident is dealt with, the reporting party will be notified of its conclusion.
If the data in question is defined as personally identifiable and was not encrypted, a public notification may be warranted. For the purposes of this policy, data is personally identifiable if it includes a name (first and last name, or first initial and last name) in combination with any of the following: Social Security number; bank account number; or credit or debit card account number together with any security code or password that would permit access to the account. Personal information that is lawfully available to the general public, such as address, phone number and email address, is not considered private information for the purposes of this policy.
Our office is relatively small and employees are able to easily recognize a non-employee. Any visitor who has access to more than our reception area is also required to wear a visitor’s badge and provide identification. Even if unauthorized access is gained, LoanPro adheres to a clean-desk policy, which requires all information on paper, whiteboards, etc. to be destroyed before the end of each day.
Passwords are required on all LoanPro computers, and system access and access to sensitive data also require password authentication. In addition, no customer data is stored directly on computers located on our premises; it is housed in the cloud.
Additionally, our office entrances are monitored by cameras 24 hours a day. These cameras continuously record everyone entering the office. If motion is detected after hours, an alert is sent to key personnel informing them of what is happening. The cameras provide the option of a live stream that can be viewed remotely by our personnel. Recordings from these cameras are kept for 30 days.
If unauthorized physical access is discovered, the proper authorities will be notified and provided footage from our in-office cameras. An assessment will be made to determine if anything was stolen, or if information could otherwise have been taken.
Passwords for our software applications, company GSuite accounts, Monday.com, and Zendesk will be administratively reset to ensure they aren’t used to gain unauthorized access to sensitive data.
Because unauthorized physical access does not guarantee unauthorized access to information, notification about a physical breach will occur when unauthorized access to information has occurred or seems reasonably likely.
We employ Pingdom and Sumo Logic to continuously monitor our system and check for system failure. Our systems continuously monitor available disk space, CPU, RAM and network load. For more information on system monitoring, see Operating Procedures.
When the system fails, our on-call developers are our first responders. On-call programmers are available 24x7x365, and our on-call development staff is responsible for making whatever adjustments or fixes are needed to bring the system back online.
Remediation and recovery may also require help from our business personnel to make sure customer data is updated in a timely manner. Scheduled updates to customer data still run after an outage, but it can help if, following an outage, the system updates loans in a specific order.
If customers will be affected by a system outage, they are always notified via email as soon as possible. This notification may occur in the middle of the night, which is why email is the preferred method of notification. These notifications usually contain information about the outage, what is being done to fix it, and what the customer can or should do, if anything, to help the situation.
Anti-virus scans are performed on a weekly basis on all workstations. Anti-virus software is updated continuously to ensure that all the latest known malware is scanned for. The system also logs information on the following:
These logs are reviewed daily through Sumo Logic.
All LoanPro products keep backups of both the code base and customer data. If malware is found on any workstation, the standard procedure is to eradicate the malicious software, assess the impact, and recover the data or roll back the code if necessary.
If customer data is affected, or if the system will be down for any period of time, a post will be made to our status page and an email sent to the administrative user of each affected customer.
Denial-of-service conditions are detected by the same Pingdom and Sumo Logic monitoring of availability, disk space, CPU, RAM and network load described above (see Operating Procedures).
If the source of the denial of service is internal, the procedure is to fix the issue within our own system. If it’s an external attack, we will employ additional servers, where needed, while the source of the attack is identified and dealt with.
Denial of service notifications will be made through our status page.
Our systems monitor file integrity and notify us of any issues. Logs of this monitoring can be queried to investigate any issues.
If we discover data problems, notification will be made to affected customers after the root cause of the loss of data integrity is discovered. Notification will most often occur via email.
Our systems are continuously monitored for potential unauthorized access. Because personnel access is restricted to office IP addresses, if a LoanPro employee has allowed an outside party into our systems, the resulting activity is detected by the unexpected accessing IP address.
If access to the user interface has been obtained by an unauthorized party, their activity in the software will be stamped with their user information. This makes it possible to identify and undo the changes they have made in the software.
If access has been gained to our codebase or databases, our logs will show the activity taken by unauthorized parties. This activity can then be undone using our data backups or code base backups.
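The three controls described in this section and under Data Access above (staff reach client data only with a client-issued support code, only from office IP space, and every change is stamped with the acting user) lend themselves to a simple detection pass over an access audit log. The following Python is an added example, not LoanPro's real tooling or log format: the key=value log layout, the entries, and the office CIDR allowlist (RFC 5737 documentation ranges) are all constructed for the illustration.

```python
"""Detection over a support-access audit log for the controls in this policy:
staff reach client data only with a client-issued support code, only from
office IP space, and every change is stamped with the acting user.

Constructed example: the key=value log layout and the entries are invented
for this illustration and are not LoanPro's real audit format. Addresses
come from the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import namedtuple

# Assumed office egress ranges that LoanPro personnel are IP-filtered to.
OFFICE_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/28"),
]

# Action verbs that change tenant data (what would have to be undone).
MUTATING_VERBS = {"create", "edit", "update", "delete"}

SAMPLE_LOG = """\
2024-03-08T09:02:11Z actor=support:amy role=staff src=198.51.100.23 tenant=t-4471 support_code=7KQ2M action=loan.view
2024-03-08T09:05:40Z actor=support:amy role=staff src=198.51.100.23 tenant=t-4471 support_code=7KQ2M action=payment.edit
2024-03-08T22:41:03Z actor=support:bob role=staff src=192.0.2.77 tenant=t-9020 support_code=- action=loan.export
2024-03-08T22:43:19Z actor=support:bob role=staff src=192.0.2.77 tenant=t-9020 support_code=- action=customer.edit
2024-03-08T10:15:00Z actor=agent:lender1 role=agent src=192.0.2.10 tenant=t-4471 support_code=- action=loan.view
2024-03-08T11:00:00Z actor=support:cara role=staff src=203.0.113.9 tenant=t-1188 support_code=- action=loan.view
"""

Event = namedtuple("Event", "ts actor role src tenant support_code action")
Finding = namedtuple("Finding", "ts actor src rule")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Turn the constructed key=value lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        kv = dict(_KV.findall(rest))
        events.append(Event(ts, kv["actor"], kv["role"], ipaddress.ip_address(kv["src"]),
                            kv["tenant"], kv["support_code"], kv["action"]))
    return events


def is_office_ip(addr) -> bool:
    return any(addr in net for net in OFFICE_NETWORKS)


def detect_staff_violations(events: list) -> list:
    """Flag staff (not client agents) acting from outside the office or without a support code."""
    findings = []
    for e in events:
        if e.role != "staff":
            continue  # client agent users are governed by the tenant's own IP rules, not ours
        if not is_office_ip(e.src):
            findings.append(Finding(e.ts, e.actor, str(e.src), "offsite_ip"))
        if e.support_code in ("", "-"):
            findings.append(Finding(e.ts, e.actor, str(e.src), "no_support_code"))
    return findings


def changes_by_actor(events: list, actor: str) -> list:
    """Mutating actions stamped with this actor, in order: the changes that could be undone."""
    return [(e.ts, e.tenant, e.action) for e in events
            if e.actor == actor and e.action.rsplit(".", 1)[-1] in MUTATING_VERBS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_staff_violations(evs):
        print("ALERT", f.rule, f.actor, f.src, f.ts)
    print("to undo for support:bob:", changes_by_actor(evs, "support:bob"))
```

In the sample, `support:bob` trips both rules on every event (an off-site address and no support code), and `changes_by_actor` isolates the one mutating action stamped with his identity; `support:cara` is inside office IP space but acted without a client-issued code, which the IP filter alone would never catch.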
If customer data has been stolen as a part of the breach, our customers will be notified with as much information as is available about what was taken.
System exploits are identified through weekly automated security testing: we run OWASP ZAP scans against the application and document the results of each scan.
We also perform monthly testing to identify new vulnerabilities. If these vulnerabilities are introduced by a third party library, plugin, or application, they are thoroughly researched in order to understand and mitigate their effects.
Finally, we perform yearly internal penetration testing to identify vulnerabilities in our own system security.
When a system exploit is found, the vulnerability is patched by our development and/or development operations team.
If a system exploit allowed possible access to customer data, or affected customers in other ways, customers will be notified of the breach via email. The email should include a description of the exploit and any measures the customer can take to guard against its effects.
We perform a weekly review of user access and activity in the AWS Console and servers.
If access has been gained to our codebase or databases, our logs will show the activity taken by unauthorized parties. If the activity was destructive, it can be undone using our data backups and code base backups. If sensitive information was taken, a report of the information will be made to the proper authorities.
Accounts and access are reviewed quarterly to ensure that access is not being granted where it shouldn’t and that inactive accounts are deleted.
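A quarterly review of the kind described here is easiest to make repeatable when it runs over the IAM credential report rather than a console walkthrough. The following Python is an added example, not LoanPro's own procedure: the CSV is hand-written in the column layout of `aws iam get-credential-report` (the real command returns the CSV base64-encoded), the account and users are fictional, and the 90-day inactivity threshold and the MFA check are this example's assumptions rather than numbers from the policy.

```python
"""Quarterly access review over an IAM credential report (this policy's
"inactive accounts are deleted" and the AWS Console access review).

Constructed example: the CSV below is hand-written in the column layout
returned by `aws iam get-credential-report` (the real command returns the
CSV base64-encoded); the account and users are fictional. The 90-day
inactivity threshold and the MFA check are this example's assumptions,
not numbers from the policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)                      # assumption: one quarter
REVIEW_DATE = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed "today"

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-05-01T12:00:00+00:00,not_supported,2023-11-02T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
devops-anna,arn:aws:iam::123456789012:user/devops-anna,2021-02-10T09:00:00+00:00,true,2024-03-28T14:12:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-01-15T10:05:00+00:00,2024-03-30T02:00:00+00:00,us-west-2,rds,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor-ben,arn:aws:iam::123456789012:user/contractor-ben,2022-06-01T09:00:00+00:00,true,2023-10-20T16:45:00+00:00,2023-06-01T09:00:00+00:00,N/A,false,true,2022-06-01T09:05:00+00:00,2023-09-12T11:00:00+00:00,us-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-08-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-01T00:00:00+00:00,2024-03-31T23:50:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
new-hire-dee,arn:aws:iam::123456789012:user/new-hire-dee,2024-03-25T09:00:00+00:00,true,no_information,2024-03-25T09:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")


def parse_report(text: str) -> list:
    """One dict per IAM principal, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value: str):
    """Parse an ISO timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def last_activity(row: dict) -> datetime:
    """Most recent credential use; a never-used account counts from its creation time."""
    stamps = [t for t in (_timestamp(row[c]) for c in ACTIVITY_COLUMNS) if t]
    return max(stamps) if stamps else _timestamp(row["user_creation_time"])


def review(rows: list, now: datetime) -> list:
    """Return (user, issue) pairs for the reviewer to act on."""
    issues = []
    for row in rows:
        user = row["user"]
        # The root principal cannot be deleted, so it is not an inactivity candidate.
        if user != "<root_account>" and now - last_activity(row) > INACTIVE_AFTER:
            issues.append((user, "inactive_90d"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append((user, "console_password_without_mfa"))
    return issues


if __name__ == "__main__":
    for user, issue in review(parse_report(CREDENTIAL_REPORT), REVIEW_DATE):
        print(f"{user}: {issue}")
```

Against a real account the same code consumes the decoded report; in the sample it flags the contractor whose credentials have not been used in over five months and two console users without MFA, while leaving the active operator, the key-only CI user and the root principal alone.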
All potentially-affected customers will be notified of unauthorized access and its potential effects via email. The email will be sent to the administrative user for each LoanPro account.
LoanPro Software provides software to lenders in many spaces, and several of those spaces require our client (the business engaging in lending) to maintain a policy for its lending business that outlines how it safeguards Personal Information about its customers. Where the Gramm-Leach-Bliley Act (GLBA), other federal law and Federal Trade Commission (FTC) rules apply, LoanPro Software, as the software provider and system of record for our clients, is to its knowledge compliant with all aspects of these statutes and rulings. It remains the financial institution’s responsibility to comply with all federal, state and other governmental regulations. To this end, LoanPro Software assists with that compliance in many ways, including:
The Gramm-Leach-Bliley Act, a federal law, requires financial institutions to take steps to ensure the security and confidentiality of this kind of customer data. LoanPro Software provides the tools our clients need to comply, including access management controls for their Agent Users (users of the LoanPro software): limiting access to sections of the software via Roles, limiting access to specific groups of loan accounts via Restriction Groups, general access control via IP whitelisting/blacklisting, and the other tools LoanPro makes available to the tenant’s Administrator User to limit and control access. Safeguarding Personal Information is a top priority for LoanPro Software and should be for all of our clients. We suggest the following steps to ensure that personal data remains confidential and secure:
LoanPro provides a Request For Proposal (RFP) process to our Enterprise Clients during the due diligence period. To initiate this process, please contact your Enterprise Sales Account Executive and sign the Non-Disclosure Agreement, which they will provide. To get an idea of what is included in the RFP, see the list below, which is the table of contents of the materials we will provide.