Learn more about how Purple take Data and Security seriously
Data in Transit
All public-facing portals and websites are encrypted with TLS (Transport Layer Security). TLS is the standard technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remains private and unaltered. Purple support TLS 1.2 as a minimum.
Purple regularly review the TLS ciphers offered, and remove any that no longer meet minimum security requirements.
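As an added illustration of the two controls above (this is example code written for this page, not Purple's own configuration), the following builds a server-side TLS context that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites, then reviews the resulting cipher list against a set of weak-cipher markers. The marker list and the cipher string are this example's assumptions, not Purple's published policy.

```python
import ssl

# Cipher-name fragments that fall below a TLS 1.2 baseline. This list is this
# example's assumption, not Purple's published cipher policy.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def build_server_context() -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0/1.1 and offers only forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for the TLS 1.2 suites; TLS 1.3 suites are managed
    # separately by OpenSSL and are all AEAD with forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def enforces_tls12_minimum(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate a protocol version below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of every cipher suite the context would offer, TLS 1.2 and 1.3 alike."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_offered(ctx: ssl.SSLContext) -> list:
    """Offered ciphers whose names carry a weak marker; an empty list means the review passes."""
    return [n for n in offered_cipher_names(ctx) if any(m in n for m in WEAK_CIPHER_MARKERS)]


def review(ctx: ssl.SSLContext) -> dict:
    """The periodic cipher review as a single report."""
    return {
        "tls12_minimum": enforces_tls12_minimum(ctx),
        "weak_ciphers": weak_ciphers_offered(ctx),
        "offered": offered_cipher_names(ctx),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(build_server_context()), indent=2))
```

Running the review against a context built from a live server configuration, rather than against the hardened one above, is how a cipher that has slipped below the baseline would surface.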
Data at Rest
All Purple-hosted data resides in cloud services such as Google Cloud Platform (GCP) or Amazon Web Services (AWS), and all disks hosting data are encrypted (AES-256) using the security controls those cloud providers offer.
All passwords are stored as bcrypt hashes.
Purple host and handle data in a way consistent with the EU's General Data Protection Regulation (GDPR).
Separate, active opt-in is sought for all marketing consents within the EU (and elsewhere where activated by customers), and any EULA or opt-in consent is stored against the user and venue together with the date, time and language of the opt-in. Once a user has logged in, they are sent a link to an end-user profile where they can view the data held about them, view (and change) any opt-in consents, and immediately delete all data collected about them.
Additionally, users can email the Purple Data Protection Officer (email@example.com) with any queries, for any changes to their data or to exercise their right to be forgotten.
Data is only used for the stated purposes, and Purple do not collect more data than is strictly needed. Individual customers decide their own data uses and configure the portal to collect the information they require; they may also upload their own additional EULAs and privacy policies where required, with consent to each tracked individually.
Purple have a declared data retention period of 13 months of inactivity, after which all PII about a customer is destroyed.
When a user joins a Purple SSID and reaches the splash page, their device MAC address and user agent are stored, as well as the AP MAC (and therefore the venue the user is at). When a user logs in via the WiFi, any user data they provide is also stored against their profile. The exact data collected varies according to the login method chosen and the configuration created by the customer, but can include personally identifiable information (PII; see the PII section below), as well as other potentially sensitive information such as a user's Facebook likes. This data is either submitted by the user via a web form, or transferred from their social media account if they grant access. Data in transit via the captive portal is always secured with TLS, and all data collected is initially stored local to the captive portal software in a document store.
Once a user is connected, RADIUS accounting data should be passed from the network controller to Purple's RADIUS servers, providing basic network usage metrics: when the session started and ended, the reason the session ended, and the data uploaded and downloaded.
If configured by the customer, Purple may additionally collect domain lookup data via a third-party company, WebTitan, by using WebTitan's own DNS servers (the same mechanism used to block access to prohibited websites). Domain lookups are logged against the venue's web-facing IP and aren't traceable to an individual user or device.
Location data is collected passively about devices (both authenticated and non-authenticated) by compatible network access points. Typically, an AP records a received signal strength indication (RSSI) value, a MAC address (which may be randomised, depending on the client software) and a date/time for each client WiFi probe. With the right hardware and 4 or more APs, this data may be refined to an estimated coordinate of the device relative to the uploaded floor plan.
When a client MAC is recognised as having logged in via Purple in the past, some demographic data may be associated with the location data records (gender, age). Where a user has logged into this venue before and accepted the venue’s T&Cs, a recognised device will be linked against the user record, regardless of whether the user is currently authenticated to the WiFi.
Purple are voluntary supporters of the Future of Privacy Forum (fpf.org), via which a user can opt out of client MAC tracking across a range of services.
Purple do not store data about randomised MAC addresses (devices such as modern iPhones that do not present their true MAC address until authenticated to the WiFi), and anonymous MAC addresses (addresses that haven't authenticated to the WiFi) are one-way hashed with a company-specific salt on export, to prevent sharing of data about anonymous devices and comparison with third-party data sources.
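The export behaviour described above, as an added example written for this page rather than Purple's own code: randomised (locally administered) addresses are dropped before anything is stored or exported, and the remaining anonymous MACs are replaced by a keyed one-way hash under a per-company salt, so the same device is consistent within one company's export but cannot be joined against another company's data. The locally-administered-bit heuristic, the use of HMAC-SHA256 as the salted hash, and the sample probe records are this example's assumptions.

```python
import hashlib
import hmac


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so the same device always hashes the same way."""
    digits = mac.strip().lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_randomised_mac(mac: str) -> bool:
    """Heuristic: randomised (private) addresses set the locally-administered bit,
    0x02 of the first octet. Some non-randomised devices (e.g. VMs) also set it."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def pseudonymise_mac(mac: str, company_salt: bytes) -> str:
    """Keyed one-way hash; a different salt per company makes cross-company joins infeasible."""
    return hmac.new(company_salt, normalise_mac(mac).encode("ascii"), hashlib.sha256).hexdigest()


def export_anonymous_records(records, company_salt: bytes) -> list:
    """Export path for devices that never authenticated: drop randomised MACs, hash the rest."""
    exported = []
    for record in records:
        if is_randomised_mac(record["mac"]):
            continue  # randomised address: never stored, so never exported
        out = dict(record)
        out["mac"] = pseudonymise_mac(record["mac"], company_salt)
        exported.append(out)
    return exported


# Constructed sample probe records (not real devices).
SAMPLE_RECORDS = [
    {"mac": "00:11:22:33:44:55", "rssi": -61, "seen_at": "2024-03-01T10:00:00Z"},
    {"mac": "da:a1:19:00:00:01", "rssi": -70, "seen_at": "2024-03-01T10:00:02Z"},  # private address
    {"mac": "00-11-22-33-44-55", "rssi": -63, "seen_at": "2024-03-01T10:00:05Z"},  # same device as row 1
]

if __name__ == "__main__":
    for row in export_anonymous_records(SAMPLE_RECORDS, b"company-A-salt-EXAMPLE"):
        print(row)
```

Using a keyed hash rather than a plain hash of the MAC matters: the MAC space is small enough that an unsalted SHA-256 table of every possible address is cheap to build, so the secrecy of the per-company salt is what makes the pseudonym one-way in practice.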
Customers can configure ‘Connectors’, which are third party integrations that copy data into or out of Purple’s hosting. This information is typically basic CRM data about end users (e.g. names and email addresses being exported to third party email lists, under accounts run by the same company).
Connector connection/session data is stored encrypted.
A RESTful API exists for extracting most end-user data in raw format. Access to this service is by public/private key signing, with keys provided on request by the Purple support team once a customer's rights to the data have been verified. Access to Purple APIs is encrypted in transit using HTTPS, requests are signed with a nonce to prevent replay attacks, and a full audit log of all requests is kept, including the source IP of each request.
Users can also define webhooks that trigger a data export on certain actions (e.g. a user logging into the WiFi) via an HTTPS POST to a user-defined endpoint, which allows for real-time responses to events. These endpoints must be HTTPS with a valid certificate, and requests are verified via a header.
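The request signing, nonce-based replay protection and audit logging of the API paragraph, and the HTTPS-only, header-verified webhook delivery of the paragraph above, share one signing and verification routine, so both are shown in one added example. This is illustrative code written for this page, not Purple's API or webhook implementation: it uses an HMAC-SHA256 shared secret in place of the public/private key signing the page describes (the Python standard library has no public-key signature primitive), and the header names, the five-minute acceptance window and the sample requests are this example's assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlparse

# Header names are this example's assumption; Purple's actual header names are not on the page.
SIGNATURE_HEADER = "X-Example-Signature"
TIMESTAMP_HEADER = "X-Example-Timestamp"
NONCE_HEADER = "X-Example-Nonce"
REPLAY_WINDOW_SECONDS = 300  # how long a timestamp (and its nonce) stays acceptable


def canonical_request(method: str, path: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    """Bind method, path, time, nonce and body hash into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, body: bytes, now=None, nonce=None) -> dict:
    """Client side: produce the authentication headers for one request."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_request(method, path, timestamp, nonce, body), hashlib.sha256)
    return {SIGNATURE_HEADER: mac.hexdigest(), TIMESTAMP_HEADER: timestamp, NONCE_HEADER: nonce}


class SignatureVerifier:
    """Server side: verify the signature, reject stale or replayed requests, audit every attempt."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = {}   # nonce -> time after which it can be forgotten
        self.audit_log = []     # one entry per request, accepted or not

    def verify(self, method, path, headers, body, source_ip, now=None) -> bool:
        now = time.time() if now is None else now
        result = self._check(method, path, headers, body, now)
        self.audit_log.append({"at": now, "source_ip": source_ip, "method": method,
                               "path": path, "nonce": headers.get(NONCE_HEADER), "result": result})
        return result == "ok"

    def _check(self, method, path, headers, body, now) -> str:
        try:
            timestamp, nonce, signature = headers[TIMESTAMP_HEADER], headers[NONCE_HEADER], headers[SIGNATURE_HEADER]
            skew = abs(now - int(timestamp))
        except (KeyError, ValueError):
            return "missing_or_malformed_headers"
        if skew > REPLAY_WINDOW_SECONDS:
            return "stale_timestamp"  # bounds how long the nonce store must remember anything
        expected = hmac.new(self.secret, canonical_request(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"  # checked before the nonce store so unsigned junk cannot fill it
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return "replayed_nonce"
        self.seen_nonces[nonce] = now + REPLAY_WINDOW_SECONDS
        return "ok"


def is_acceptable_webhook_endpoint(url: str) -> bool:
    """Webhook targets must be HTTPS; certificate validation happens in the HTTPS client at delivery."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def build_webhook_delivery(secret: bytes, url: str, event: dict, now=None, nonce=None) -> dict:
    """Prepare a signed webhook POST; actually sending it is left to a certificate-validating HTTPS client."""
    if not is_acceptable_webhook_endpoint(url):
        raise ValueError("webhook endpoint must be an HTTPS URL")
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode("utf-8")
    path = urlparse(url).path or "/"
    headers = sign_request(secret, "POST", path, body, now=now, nonce=nonce)
    headers["Content-Type"] = "application/json"
    return {"url": url, "path": path, "headers": headers, "body": body}
```

The order of checks in the verifier is deliberate: the timestamp window is applied first so the nonce store only has to remember a few minutes of history, and the signature is checked before the nonce is recorded so that a flood of unsigned requests cannot fill the store. The audit entry is written for every attempt, including rejected ones, which is what makes the source-IP log useful for spotting replay or brute-force attempts after the fact.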
Personally identifiable information (PII)
Depending on the customer’s configuration of their captive portal and the access method chosen by the end user, Purple may capture and store the following data classified by Purple as PII: first name, last name, date of birth, email address, mobile number, and social user ID (e.g. Facebook ID). Additionally, Purple can collect other data that is categorised as being potentially personally identifiable when combined with other data: client/device MAC, gender, login date/time, Facebook likes, Facebook/Twitter location/home town, postcode/zip code.
PII data is stored in three locations: the access document store (where the user logs into the WiFi), the central analytics data store (where the data is stored/processed) and in the end user-facing profile document store (where the end user themselves can review, modify and delete their own data). It is encrypted in all three locations, as detailed above.
When a user requests to be forgotten or when a user has been inactive long enough to meet the end of the data retention period, all PII data is removed from the user record and the user’s sessions become anonymous. Purple retain basic anonymous demographic information: the age and gender of the user at the time of log-in.
It is possible for customers to add custom data fields or survey questions for the user to complete, which can include other PII data such as national IDs or passport numbers. All custom data like this is treated as PII.
Purple do not handle or store any user financial data. Any payments are taken via direct communication between the end user and our payment gateway provider, Stripe (www.stripe.com), which is fully PCI-DSS compliant. Purple record only a one-time transaction ID for potential refund purposes.
Purple are both ISO 9001 compliant for business practice and ISO 27001 compliant for data security and storage. The business is audited annually by an accredited third-party company to check that we remain compliant, in addition to our own in-house interim audits and management reviews. Certification can be supplied upon request.
All data gathered by the Purple platform resides in one of three GCP hosting locations, depending on where the customer is located in the world:
California for North and South America
London, UK and Amsterdam, Netherlands for Europe, Africa and the Middle East
Singapore for APAC, APJ, ASEAN and ANZ
Purple is compliant with regional data storage/privacy requirements where implemented, to retain data within the geographical boundaries determined by local legislation.
All user data is anonymized after a period of 13 months of inactivity. This means Purple will store a user’s personal data, in its full form, for at least 13 months, and after 13 months of inactivity (not logging back into the WiFi) we strip out anything which is deemed personally identifiable. This includes name, email, telephone number, etc. However, we do maintain non-identifiable information such as age and gender at the time of login, and session metadata such as time of login, network data usage and connection method used.
Purple may discard raw data sooner. For example, individual location data records from location services can be dropped after 24 hours, while an aggregated record of when the device was present on a floor plan and which zones were visited is kept.
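The retention rule above and the right-to-be-forgotten handling described earlier share the same anonymisation step, so one added example covers both. It is illustrative code written for this page, not Purple's own: a user record whose last login is more than 13 months ago has its identifying fields removed, the age at the time of login is computed from the date of birth before that field is dropped, and gender plus session metadata are retained. The field names, the decision to also strip the quasi-identifiers the page lists (device MAC, Facebook likes, home town, postcode), the "custom_" prefix marking customer-defined fields, and the sample records are this example's assumptions.

```python
import calendar
from datetime import date

RETENTION_MONTHS = 13  # inactivity period stated on the page

# Field names are this example's assumption; the page names the categories, not the columns.
PII_FIELDS = {"first_name", "last_name", "date_of_birth", "email", "mobile", "social_user_id"}
QUASI_IDENTIFIERS = {"device_mac", "facebook_likes", "home_town", "postcode"}
CUSTOM_FIELD_PREFIX = "custom_"  # customer-defined fields and survey answers, all treated as PII


def subtract_months(d: date, months: int) -> date:
    """Calendar-accurate month arithmetic, clamping the day to the target month's length."""
    index = d.year * 12 + (d.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def is_past_retention(last_login: str, now: str) -> bool:
    """True once the user has been inactive for more than RETENTION_MONTHS (ISO dates in, for portability)."""
    return date.fromisoformat(last_login) < subtract_months(date.fromisoformat(now), RETENTION_MONTHS)


def age_at(date_of_birth: str, when: str) -> int:
    """Whole years between date of birth and the given date."""
    dob, at = date.fromisoformat(date_of_birth), date.fromisoformat(when)
    return at.year - dob.year - ((at.month, at.day) < (dob.month, dob.day))


def anonymise(record: dict) -> dict:
    """Strip identifying fields; keep gender, age at login and session metadata."""
    kept = {k: v for k, v in record.items()
            if k not in PII_FIELDS and k not in QUASI_IDENTIFIERS and not k.startswith(CUSTOM_FIELD_PREFIX)}
    if "date_of_birth" in record and "last_login" in record:
        kept["age_at_login"] = age_at(record["date_of_birth"], record["last_login"])
    kept["anonymised"] = True
    return kept


def forget(record: dict) -> dict:
    """Right-to-be-forgotten request: the same stripping, applied immediately."""
    return anonymise(record)


def apply_retention(records, now: str) -> list:
    """Nightly-style pass: anonymise every record whose inactivity exceeds the retention period."""
    return [anonymise(r) if is_past_retention(r["last_login"], now) else r for r in records]


# Constructed sample records (not real people).
SAMPLE_USERS = [
    {"user_id": 1, "first_name": "Ada", "last_name": "Example", "email": "ada@example.invalid",
     "mobile": "+44 7700 900000", "date_of_birth": "1990-05-20", "gender": "female",
     "device_mac": "00:11:22:33:44:55", "postcode": "M1 1AA", "custom_passport_number": "X0000000",
     "last_login": "2023-01-15",
     "sessions": [{"login_at": "2023-01-15T09:30:00Z", "method": "facebook", "bytes_up": 1200, "bytes_down": 54000}]},
    {"user_id": 2, "first_name": "Bob", "last_name": "Example", "email": "bob@example.invalid",
     "date_of_birth": "1985-11-02", "gender": "male", "last_login": "2023-06-01", "sessions": []},
]

if __name__ == "__main__":
    for row in apply_retention(SAMPLE_USERS, "2024-03-01"):
        print(row)
```

Computing the age before the date of birth is discarded is the detail that makes the retained demographic consistent with the page: an age at login can be kept indefinitely without being identifying, whereas a date of birth cannot.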
Data Storage and Backup
All of our databases are replicated in real time to a secondary instance in a different zone. In the event of planned database maintenance, a DB instance failure, or a zone failure, the affected cloud service (e.g. Amazon RDS or Google Cloud SQL) will automatically fail over to the standby, so there is no single point of failure.
Purple runs daily snapshots on all databases, which means we have the ability to restore a database quickly should the need arise.
The customer will have access to the end-user data and shares ownership of this data with Purple as a third party, in order to provide the solution. In this scenario the customer is also considered a joint Controller of this data and is required to treat it in accordance with the same regulations as Purple and any local legislation concerning the safe storage of data. At present the solution is centrally hosted.