Effective from: October 25, 2021

Security FAQs

What does Litmus do?

Litmus is an email Design, Testing, and Analytics platform. Litmus was created to empower marketers, designers, and agencies to confidently deliver customer experiences that ensure brand alignment and quality, as well as maximize performance and deliverability.

Users of the Litmus platform can:

  • Create email designs and templates with HTML in Builder
  • Generate Email Previews across multiple desktop, webmail, and mobile clients with one send
  • Verify deliverability by ensuring messages reach the inbox with Spam Testing
  • Gain a better understanding of your email campaigns and your audience with Email Analytics
  • Create personalized & automated email content with Litmus Personalize
  • And more!

Does Litmus maintain ISO 27001 or SOC2 certifications?

Litmus has received a SOC 2 Type 2 report with zero findings for two consecutive years. Our SOC 2 Type 2 report is available to Enterprise customers upon request.

While we currently do not hold the ISO 27001 certification, we align our security principles, procedures, and best practices with ISO 27001. As Litmus has grown, we have recognized the need to provide clear and effective security policies and access controls to ensure that our customer’s data is secure and accessible only to those authorized. The Litmus team is willing to work with you to ensure that your company has a comprehensive understanding of the nature of our data access control policies.

Does Litmus have publicly available security assessments or questionnaires?

Yes, Litmus is registered on the Cloud Security Alliance’s (CSA) Security Trust Assurance and Risk (STAR) registry. Please visit the Litmus entry on the STAR registry to download our Consensus Assessments Initiative Questionnaire (CAIQ) v4.0.1. For more information about the CSA STAR CAIQ please see this CSA blog post.

CSA Star Level 1

What personal or customer data is stored at Litmus?

  • Email addresses of individuals who opted-in to Litmus marketing emails
  • The names, email addresses, and IP Addresses of users of the Litmus platform
  • HTML designed or uploaded, and Emails sent to Litmus for testing
Email addresses of individuals who opted-in to Litmus marketing emails

If you have opted-in to email communications from Litmus we will store your email address so we can continue to send you content.

The names and email addresses of users of the Litmus platform

Litmus stores the names and email addresses of users for authentication and identification purposes. A Litmus user is someone who logs into the Litmus platform (litmus.com) to use any of the many services Litmus has to offer. This data is provided directly to Litmus by the user or account holder.

HTML designed or uploaded, and Email sent to Litmus for testing

Some may consider HTML or emails processed by Litmus to be customer data. Please see our Retention Policy for information about how this data is stored or removed.

Does Litmus store any sensitive data or Personally Identifiable Information (PII)?

Litmus stores whatever is sent to us until it is manually deleted (Manually Deleting Your Data) or for the length of time set in the Data Retention Policy (What is the Litmus Data Retention Policy?), whichever comes first. We currently do not have the technology or means to prevent Litmus users from sending us sensitive data or Personally Identifiable Information (PII) in email designs. If you feel that Litmus is currently storing sensitive data or PII and you would like it removed, please delete it from the platform. If you need assistance please check help.litmus.com for instructions on how to delete data or email us at hello@litmus.com.

Litmus Recommendation

We recommend that customers with strict data sensitivity concerns omit any sensitive data or PII from our platform. Litmus should never have any of your sensitive, confidential, or proprietary data.

For more information on preventing tests or campaigns from including sensitive data or PII please visit the following:

For more information on deleting existing Email Previews or HTML that may include sensitive data or PII please see the following:

Where is my data stored and processed?

All data is stored and processed in the United States. We use Amazon’s AWS as our PaaS and IaaS. All Litmus platform customer data is stored and processed in AWS’s US-EAST-1 region.  Customers of Litmus Personalize have the option of having data stored and processed in AWS’s EU-WEST-1 region.

Currently, our subprocessors also store and process data on Litmus’ behalf in the United States. Please see the full list of our subprocessors and the subprocessors section of this document for more details.

CCPA and GDPR Considerations

If you are a Litmus user with customers who may be protected by the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR) please see here for more information: Does Litmus comply with Safe Harbor, Privacy Shield, GDPR, and CCPA?

What type of data is collected for Email Analytics?

We do not collect PII in Email Analytics. We only collect general data about the emails that you send. Such data may include the recipients’ web browser and email client they use, the general area of the world that the email was opened in, and details about how the recipients engage in the email (e.g., whether or not the email was read, forwarded, or printed).

The data that is collected for Email Analytics can be categorized as follows:

  • Campaign metadata – Campaign unique id, data regarding the date of the campaign, custom campaign fields
  • Activity data – Aggregated counts regarding email opens, forwards, print activities
  • Individual hit data – Data regarding email client, email client version and email platform (desktop, webmail, mobile)

What type of data is collected for Litmus Personalize?

For each impression served Litmus Personalize collects location, email client, email client version and email platform (desktop, webmail, mobile).  If the optional Litmus Personalize recommenders are being used, Litmus collects anonymous web activity.

Who owns the data processed by the Litmus platform?

The account holder/owner retains copyright/ownership of any content uploaded to Litmus. In terms of your customer data, we only collect what you give us. For more information see here: Does Litmus store any sensitive data or Personally Identifiable Information (PII)?

How is my data protected?

All data is encrypted using a cryptographically strong cipher:

At Rest:

  • AES-256 bit or higher

In Transit:

  • SHA-256 bit with RSA Encryption or higher
  • TLS 1.2 or higher

Litmus maintains strict confidentiality and integrity of our customers’ data. We leverage ​the Amazon AWS infrastructure and built-in security controls​, which incorporates several modern security standards and best practices. Additionally, AWS maintains several security certifications and accreditations (e.g. HIPAA, FedRAMP, ISO 27001, and PCI compliance among several others). You can learn more about AWS security here​ and their compliance program here

We recommend that customers with strict data sensitivity omit PII and confidential data from our platform.  For more information about excluding sensitive or Personally Identifiable Information (PII) from our platform see here: Does Litmus store any sensitive data or Personally Identifiable Information (PII)?

Data Classification

Information is a critical resource at Litmus. To ensure that Litmus meets customer, industry, regulatory, and privacy standards, and to reduce the risk that restricted or sensitive information is accidentally released to unauthorized parties, Litmus adheres to the following structured four-tier data classification system:

Public

This information is approved for public release by our Marketing team. Disclosing this information would not be a problem for Litmus, its customers or business partners.

Internal

This information is intended for use within Litmus, and in some cases with other affiliated organizations, such as business partners or vendors. Unauthorized disclosure of this information may be a violation of applicable law or contractual obligations, or may otherwise cause problems for Litmus, its customers or business partners.

Confidential

This information is private or otherwise sensitive in nature and is restricted to those with a legitimate business need for access. Unauthorized disclosure of this information may be against applicable law or contractual obligations, or may cause significant problems for Litmus, its customers, or business partners.

Secret

This information is the most private or otherwise sensitive and is always monitored and controlled. Unauthorized disclosure of this information to people without a legitimate business need for access may be against applicable law or contractual obligations, and will cause severe problems for Litmus, its customers or business partners.

What security controls does a Litmus account have?

Enterprise customers can control session settings and password settings, two-step verification, SSO, and role-based authorization for each of their account users.

For a complete list of security controls see our help article Advanced Security & Privacy Settings

  • Session settings: You can set how long a user’s session can be idle before they are automatically logged out. This helps prevent unauthorized access to a customer’s account.
  • Password settings: Admins can create password rules and adjust settings to ensure internal security requirements are met, including minimum password length and password complexity rules. You can set passwords to expire on a regular basis, for instance every 90 days. You can also opt to prevent password reuse and configure how many password changes are required before a password can be reused.
  • Two-step verification: To provide your account with an added level of security, we have two-step verification via SMS.
  • Multi-factor authentication: SAML-based Single Sign On is available to our Enterprise customers
  • Rules-based authorization: Litmus supports the concept of admin, user and read-only role permissions on an account. These roles, except for admin, can be assigned at the sub-account/team level to control access and permissions.

Additionally, account admins have the ability restrict Email Analytics access for users across three levels of access:

  • Full Analytics Access
  • Partial (No PII) Analytics Access
  • No Analytics Access

For a full list of Litmus user roles see here

What other security controls does Litmus employ to guarantee the security of customer data?

The following technical and administrative security controls are in place at Litmus to strengthen our security posture and maintain the highest levels of confidentiality, integrity, and availability required by our customers:

Application SecurityThe technical and administrative controls used to protect our applications from security threats.
Asset ManagementThe documentation, monitoring, and reporting of Litmus assets (e.g. data, physical machines, intellectual property), their owners, classification level, and lifecycle requirements.
Compliance & Security AuditsScheduled third-party audits of our infrastructure, code, and processes to ensure we maintain the highest level of confidentiality, integrity, and availability of our systems and data. Compliance with major national and international privacy and data protection regulations.
Disaster RecoveryThe processes and procedures followed in order to ensure the overall continuation of Litmus business operations during an outage event.
Endpoint ProtectionThe hardening, patching, and protection of endpoints used by Litmus employees and contractors.
Incident ResponseThe identification and resolution of information security incidents quickly and effectively, minimizing their impact to the business, and reducing the risk of similar incidents occurring in the future.
Network SecurityThe configuration and application of security controls as applied to network devices to prevent unauthorized access or incorrect updates to the Litmus network.
Password Management and Multi-factor AuthenticationThe policies, procedures, and technical guidelines that ensure the secure implementation of the password management lifecycle at Litmus, as well as the guidelines and best practices for enabling multi-factor authentication for services used by Litmus team members.
Physical SecurityThe policies, procedures, and best practices that ensure the physical protection of Litmus assets against accident, attack, or unauthorized physical access.
Security Awareness TrainingActivities undertaken by Litmus employees to ensure that effective, risk-based decisions are made in the best interest of the organization, while protecting critical and sensitive information from being compromised.
Security Event Logging and MonitoringThe recording, storage, and monitoring of important security-related events to help in the identification of threats that may lead to an information security incident, and to support forensic investigations.
Vulnerability ManagementThe standards and procedures for the identification and remediation of Litmus system and software security vulnerabilities.

Who has access to my data?

Litmus enforces several internal security policies and access controls to ensure that our customers’ data is accessible only to those with proper authorization and need-to-know. Litmus only allows trained and authorized operations personnel to access data. There are several controls in place to ensure the proper individuals have access. Human Resources, IT, and the Litmus Security are all involved in the process and grant and revoke access. The Security team reviews access on a quarterly basis with the appropriate teams.

The data is accessed only through secure VPN access which uses Multi-Factor Authentication and elevated privileges to view campaign engagement data. This data is also encrypted at rest. Litmus is willing to work with any customer to ensure a comprehensive understanding of the nature of our data access control policies.

Is my data shared with any third parties?

Litmus will never sell your Personal Information to anyone. Litmus will never share your Personal Information with anyone unless it brings value to you through the Litmus platform and through normal business operations.

We share Your Personal Information in personally identifiable form with affiliated businesses and agents as part of our normal business operations. We use this information to personalize and improve our products and services.​ To read our full Privacy Policy, please go to ​visit https://litmus.com/privacy. To see a full list of subprocessors click here

Does Litmus comply with Safe Harbor, Privacy Shield, GDPR, and CCPA?

Safe Harbor

Since all our data is stored with Amazon, we automatically adhere to Safe Harbor laws. Amazon’s Safe Harbor policy found here ​https://aws.amazon.com/privacy/ ​and here: https://aws.amazon.com/compliance/eu-data-protection/

Privacy Shield, GDPR, AND CCPA

Although the Schrems II decision invalidated Privacy Shield, Litmus is still committed to our Privacy Shield certification and compliance (​https://www.privacyshield.gov/participant_search​). In addition to our Privacy Shield certification we have added Standard Contractual Clauses (SCCs) to our Data Processing Agreement (DPA) to comply with the EU’s General Data Protection Regulation (GDPR). We are also California Consumer Privacy Act (CCPA) compliant. Note that we currently do not have the ability to limit the processing and storage of data to the EU. Litmus stores its data in AWS (US-EAST region) and cannot segment its data by region​.​ If you have any questions, please don’t hesitate to reach out at privacy@litmus.com.

If you are utilizing the Litmus Email Analytics Tool you are responsible for filling out the Litmus Data Processing Agreement (DPA)

If you have questions about our DPA please see our DPA FAQ

Additional Trust and Security Information

For more insight on information security at Litmus, please visit the ​Trust page

How do I make a GDPR or CCPA deletion request?

Please fill out the appropriate form linked here. The appropriate form must be filled out and you must confirm ownership of the email associated with the account you are requesting to be removed before we can move forward.

Please note, if you are a paying Litmus customer you must cancel your own account. We cannot do this for you. Please follow the guide here

What is the Litmus Data Retention Policy?

All data may be downloaded from the Litmus platform before the Retention Policy automatically deletes the data from the system.

Please note that our regular backups may contain data after deletion until those backups have been removed by the retention policy. Please see the Backup Data Retention schedule below for more information.

  • Personal Data: Names and email addresses are stored indefinitely until deleted by the account holder.
  • Email Previews: All Email Previews results are deleted after 6 months.
  • Builder: HTML and assets are stored indefinitely until deleted by the user.
  • Proof: Stored indefinitely until deleted by the user.
  • Checklist: All Checklists are deleted after 6 months.
  • Spam Testing: All Spam Tests are deleted after 6 months.
  • Email Analytics: Raw campaign data is deleted after 14 months.
  • Litmus Personalize: All campaigns, templates, content sources and impression counts are stored indefinitely until deleted by the user.
  • All data can be deleted manually. Please see the Manually Deleting Data section for more information.

Backup Data Retention

  • Point-In-Time Backups: 10 days
  • Weekly Cross-Region Backups: 1 month
  • Monthly Cross-Region Backups: 4 months

Manually Deleting Data

If you would like to remove your data before the dates noted in the Data Retention Policy you can do so in the Litmus platform. Please refer to our Help documentation at help.litmus.com or email hello@litmus.com for further assistance.

What happens to my data when I close my Litmus account?

The account holder/owner retains copyright/ownership of any content uploaded to Litmus. In terms of your customer data, we only collect what you give us. For more detail, please see this section of the FAQ

Clients are in charge of provisioning and deprovisioning accounts. This responsibility is owned by the admin of the account as appointed by the client.

If you decide to stop using Litmus, you can delete data in the Litmus platform before closing your account. See here for more information

Litmus may be able to send you all of your data in a downloadable format upon account closure. Please contact your Business Account Representative or email hello@litmus.com with any questions, deletion, or download requests​. Note that there is typically a 7-10 business day turnaround for these types of requests.

Start using Litmus.

Sign up for a free account in 30 seconds.

See Plans and Pricing