
Answering your top texting compliance questions – part I

Organizations evaluating whether texting is right for them will run into data security, legal, and compliance concerns as the chief obstacles to overcome in conversations with their own teams.

At Hustle, we’ve helped thousands of organizations of all sizes overcome these hurdles with product leadership, subject-matter expertise, a robust security program, and contractual agreements that can give your team the confidence they need to get texting.  

Note: the articles in this series are for general informational purposes only and do not constitute legal advice. Hustle is not a law firm, and reading this article does not create an attorney-client relationship. Laws and carrier policies change and can vary by jurisdiction and use case. You should consult qualified counsel about your specific situation.

In this article, we’ll walk through data processing, privacy, and security, and how Hustle can help.

Is our data safe? 

  • How do I know our data is secure from intruders? 
  • Will our data be sold or shared with any 3rd parties? 

How do I know our data is secure from intruders? 

If your audience can’t trust you with their email address or phone number, they will not trust you with their credit card…

Data security is a foundational pillar of trust between service providers and brands and, in turn, between brands and their audiences. At Hustle, data security is at the center of our decision-making, from how we develop software and which vendors we choose to work with, to which employees we hire. We know firsthand that when evaluating service providers, there can be an overwhelming number of details to consider.

There are countless frameworks that could guide your evaluation, but the most widely requested assurance standard for SaaS providers is the System and Organization Controls report commonly referred to as SOC 2, an attestation framework published by the AICPA. Note that SOC 2 is an attestation report, not a certification: the auditor issues an opinion on the provider's controls against the Trust Services Criteria in scope (Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional).

SOC 2 reports are produced by independent third-party auditors and attest to the controls a provider has in place to protect your data. A Type I report covers the design of those controls at a single point in time; a Type II report covers whether they actually operated effectively over a review period (typically six to twelve months), so Type II is the one to ask for. The audits are thorough, repeated annually to maintain continuous coverage, and are scoped to include answers to questions like:

  • Does the organization conduct background checks of employees?
  • Are employee devices enrolled in device management and protected from malware?
  • Are employees offboarded in a timely manner? Did they retain access to company systems after offboarding? 
  • Do employees have the appropriate role-based access to relevant systems and tools? 
  • Are vendor security reviews performed prior to engagement?
  • Are firewalls in place?
  • Is data encrypted in transit and at rest?
  • Has a penetration test been performed recently? What were the results, and were the vulnerabilities addressed according to the organization’s SLAs? 
  • Is security awareness training conducted upon hire and annually thereafter?  
  • Are policies in place to guide response in the event of security incidents, breaches, or even disasters?
  • Do the organization’s leaders meet to evaluate the security program? How often do they meet, and who are the members of the security team? 

Without a trusted third party attesting to the security program of your service providers, you are taking their word for it. 

Pro tip: Don’t do that

Along those lines, in addition to requiring a current SOC 2 report (and reading the auditor's opinion and any listed exceptions, not just the cover page), you should also request a Data Security Agreement that effectively embeds the existence and maintenance of a security program into your legal agreements with your service provider.

It’s great when your service provider volunteers to maintain a robust security program. What’s even better is when you make them. A Data Security Agreement contractually obligates your service provider to do just that. 

To learn more about how Hustle secures your data, you can request a copy of Hustle’s SOC 2 report from Hustle’s Trust Center.

Will our data be sold or shared with any third parties? 

To succeed in their stated missions, nonprofits and educational institutions primarily rely on two contributions from their communities of supporters: time and money. Trust is at the core of these relationships. Trust that the nonprofit will use those contributions toward stated purposes. Trust that the nonprofit is shepherding these resources appropriately to achieve its stated mission. And trust that the personal information of supporters will be protected. This same level of trust is critical to the relationship between any organization and its audience, regardless of whether it operates as a for-profit or a nonprofit.

While our technology at Hustle is designed, tested, and independently attested to be secure, which cannot be said of every service provider, your legal relationship with your vendors is equally critical to protecting your supporters’ data.

We understand that reading through the privacy policies of your service providers can feel like watching paint dry, but once you do it enough times, you’ll come to find it’s actually much worse. (In case you’ve ever wondered why lawyers get paid so much.)

That aside, we advise customers to scrutinize the privacy policies of their service providers. Privacy policies matter because they are the provider’s public, enforceable representations of how it collects, uses, shares, and retains your data, and regulators hold providers to them. Just look at ours.

Some key clauses you’ll want to look for are indications that the service provider reserves the right to sell customer information to third parties or that information is shared with affiliates and/or partners. These terms are often buried within dozens of other bullet points and can even sound vaguely acceptable because they are worded to make the behavior seem routine. You would probably not knowingly share your information with data brokers, lead generators, or advertisers, but you might with a “partner” of a service provider you assumed was trustworthy. Also check whether the provider can use your contacts’ data for its own purposes (for example, product analytics, marketing, or training models) and whether the policy can be changed unilaterally without notice to you.

To help your organization build confidence in your service providers, in addition to reviewing privacy policies, we at Hustle also strongly recommend that your team require a Data Processing Agreement to be in place with all your service providers.

A Data Processing Agreement or DPA is the legally binding contract that defines the roles of your organization as the “data controller” and your service provider as the “data processor”. (Those are the GDPR terms; US state privacy laws such as the CCPA use “business” and “service provider” or “contractor” for the same roles.)

A DPA legally obligates the “processor” to handle your data only according to your documented instructions, comply with applicable data protection laws, limit its activities to those necessary to perform its obligations under the agreement, and adhere to defined security standards. DPAs will also detail the responsibilities of both parties in the event of security breaches (including how quickly the processor must notify you), legal requests like warrants and subpoenas, data requests from your audience members, the use of subprocessors, deletion or return of your data when the contract ends, and more.

The Data Security Agreement and the DPA are two added layers of legal review and paperwork that are definitely annoying, but they are important and should give you the confidence that you have honored the trust of your supporters.
