
Smarty’s security and confidentiality approach is built around a simple idea: process address data in accordance with customer agreements and relevant privacy requirements, protect it, and limit who (and what) can access it. 

We recognize that you own your compliance requirements, and we’re here to make that easier. Below is a synthesized view of the controls and practices Smarty follows to support compliance, along with details on our Enhanced Data Privacy upgrade, which provides an extra layer of protection for you and your business or organization.

Here’s what we’ll cover in this blog. Feel free to jump around to what speaks to you and your security and privacy concerns:

1) Privacy, security, and confidentiality are governed like a program, not a checklist

Smarty’s approach starts with formal policies, oversight, and recurring reviews.

Policies and procedures are documented, accessible to relevant employees, and reviewed annually, including: 

  • Access management and password 
  • Asset management 
  • Incident response 
  • Information management 
  • Information security 
  • Key management 
  • Risk management 
  • Software development 
  • Vendor management

The IT and Operations Security Team runs the information security program, including:

  • Policy maintenance
  • Monitoring audit logs for suspicious activity 
  • Tracking incidents
  • Coordinating security awareness training 
  • Reviewing changes that could impact security/availability
  • Reviewing vulnerability scan results with remediation planning

Security isn’t one-and-done, so Smarty reinforces it continuously: onboarding includes required acknowledgment of training and security/privacy tips, plus annual security training focused on responsibilities for protecting confidential and sensitive customer/company data.

2) Risk management is proactive and revisited every year


Smarty has a formal risk management lifecycle that includes annual risk assessments that evaluate operational, reporting (financial and nonfinancial), internal reporting, compliance, fraud risks, and system-impacting changes.

Those risks are rated, and high-risk items are prioritized with mitigation plans. Risk mitigation also includes insurance coverage—general liability, workers’ compensation, and a combined cyber risk and technology errors & omissions program. The cyber and tech E&O policies are paired with a shared limit, and together they help cover Smarty’s data processing liability. 

Going back to #1, the Compliance Committee conducts an annual review, and the Executive Team reviews and approves the risk assessments.

3) Data security and confidentiality controls are layered (classification, encryption, access control)

Smarty has multiple layers of protection for subscriber data and other company data (including public/proprietary datasets, security logs, and application output):

Data classification

All managed/processed/stored data is classified under an Information Management Policy that categorizes information based on sensitivity and risk. All subscriber data is classified as ‘restricted information,’ and that classification level determines the security protections and access authorization mechanisms used.

Encryption in transit and at rest

Data in transit is encrypted using TLS (Transport Layer Security). This keeps your data private and unmodified as it travels across the public internet, carrier networks, proxies, etc. Confidentiality, integrity, and authentication are at the forefront of Smarty’s mind when you send requests to our APIs.

Data at rest is secured using encryption. Even if unauthorized access to the storage layer (a stolen drive, a misconfigured snapshot, an over-permissioned admin account, a compromised backup) occurs, your data remains unreadable without the encryption keys.

Access controls and segregation

Access to customer-facing production infrastructure (application servers, databases, firewalls, load balancers, and other stateful resources) is limited to employees with a role-specific need.

Similarly, access to customer data is strictly controlled through role-based access controls aligned with job responsibilities.

From our client side, users are limited to their specific dashboard and their own end-user data.

Operational hygiene

There are also some basic operational hygiene measures in place to keep Smarty safe.

  • Email is filtered for known viruses.
  • Workstations receive OS/application security updates via device management.
  • Server updates are reviewed and released after management approval.

4) Data retention and secure disposal


Smarty uses data lifecycle controls to prevent “data sprawl” by retaining customer data only as long as it’s needed for legitimate business and legal purposes, then securely deleting or anonymizing it. 

The typical lifespan of stored data in Smarty’s AWS infrastructure is ~120 days, but investing in our Enhanced Data Privacy upgrade provides a solution where data isn’t retained after processing. 

We’ll cover Enhanced Data Privacy in section 9.

For secure file transfers, customers can upload files through a secure transfer page using a destination email and password; Smarty returns the encrypted information via Google Drive using that same password. Those files are automatically deleted after 30 days, and the process is audited bi-weekly.

Confidential information disposal is handled through formal media and data destruction policies, including the secure destruction of printed materials (via paper shredders) and appropriate methods for hard drives. 

Destruction activities are also tracked—logs are maintained to document when confidential information or media are destroyed and how they’re disposed of. Endpoint handling is also secure: laptops and workstations are reformatted using industry-standard methods to ensure confidential data is destroyed, including when an employee leaves the company. 

5) Incident response and monitoring 

While our security measures are incredibly robust, some things are beyond our control, and we’re cognizant enough to have an established incident response approach:

Smarty maintains an Incident Response Policy that covers identification, communication, remediation, and resolution. Incidents will trigger an investigation, including root cause analysis to determine the best remediation plans.

This policy is updated frequently, and the security team monitors audit logs, tracks and documents known incidents, and communicates security updates to the rest of the organization.

Business continuity and disaster recovery are designed for availability and resilience:

  • Business continuity is tested annually for adequacy and training.
  • Production operations are distributed across multiple geographically separate locations using cloud hosting providers.
  • A full backup of the operational state is maintained remotely, with daily full backups stored there.

6) Third-party risk management is formal: contracts, assessments, and ongoing review


Third-party risk is treated with the same level of caution and rigor.

Smarty assesses suppliers' security and privacy practices to ensure their controls align with our data access and service scope. Vendor agreements include commitments to confidentiality, security, availability, and privacy requirements, with critical vendors facing even harsher requirements. 

For example, critical vendors must complete a security/privacy questionnaire or provide an unqualified SOC 2 report before services are acquired.

Security doesn’t stop there, though. Smarty views vendor security as continuous, too, conducting an annual critical vendor review to ensure SLA commitments are met. Routine inspections of subprocessors help validate continued compliance with agreed security/privacy requirements, backed by contractual commitments.

7) SOC 2 and confidentiality

Smarty takes confidentiality seriously, too. We’ve developed:

  • A classification policy that defines how confidential information is stored and used
    • Confidential info isn’t used for testing in test environments
  • Proper labeling for sensitive data
  • Development-specific environments for testing/validation
  • Confidential information disposal controls (destruction policies, shredders, destruction methods, and destruction logging)

Smarty is SOC 2-aligned, following all controls and supplier expectations (like SOC reports for data centers and SOC 2 reports for critical vendors). 

8) HIPAA, PII protections, and regulated compliance

Smarty processes business address data and classifies subscriber data as restricted.

Our risk register explicitly lists “Compliance (GDPR, CCPA, HIPAA)” as a considered area of focus, with an internal prevention note requiring breach reporting within 24 hours, depending on the severity of the breach.

Fraud/theft risks include a “PII Theft” entry with prevention that starts with “Never take or store it,” plus encryption/shredding, restricted access, and breach notification.

Essentially, Smarty implements controls commonly relevant in regulated environments (encryption, access controls, incident response, vendor oversight, and retention/destruction).

Smarty maintains security and privacy controls that can support customers’ compliance goals, while customers themselves still remain responsible for their own HIPAA compliance approach and obligations.

9) Enhanced Data Privacy: The “don’t store request data” option for maximum retention control

"Enhanced Data Privacy," also referred to as "EDP," is a feature that prevents subscriber data and/or Personally Identifiable Information (PII) from ever being logged at the point of submission or via the Provider's APIs:

  • Enhanced Data Privacy is an optional feature available under certain subscription plans (tier 2 or higher), specified in a Sales Order, with a 10% upcharge.
  • If enabled, Enhanced Data Privacy guarantees that subscriber data (including input request data) is processed solely in transient memory (RAM) and isn’t stored or retained after the request completes.
  • Under Enhanced Data Privacy, Smarty may retain operational data (lookup volume, timestamps, account identifiers) for up to 120 days for reporting, diagnostics, and service integrity.
  • Because subscriber data isn’t retained, it’s excluded from internal analysis, performance tuning, and product development.

"Enhanced Data Privacy is the “stateless processing” mode with Zero Data Retention. Your address goes in, your result comes out, and the address doesn’t get kept around."

Conclusion/TLDR

Smarty is honored to be your partner in address data intelligence (or to even be considered, if you’re just looking at us as an option 🥰). We take privacy and security very seriously and are proud to provide you with tools that support your compliance journey. There are many areas we focus on regarding compliance:

Data retention

Baseline: Data retention is limited to what’s necessary for business and legal purposes, and data is then securely deleted or anonymized.

Enhanced Data Privacy: The request data is processed in RAM and not retained after completion (only limited operational metadata is retained).

Data privacy

Smarty supports compliance with data privacy laws, including the CCPA/CPRA, HIPAA’s privacy and security rules, and the GDPR, through appropriate technical and organizational measures. Subscriber data is classified as restricted, protected with encryption in transit (TLS) and at rest, and access is controlled through role-based access and job responsibility. The Enhanced Data Privacy solution, a form of Zero Data Retention, provides the purest compliance with the strictest data privacy laws and regulations.

Selling to third parties

Smarty doesn’t sell (within the broad meaning under California privacy law) subscriber data to third parties. Vendor relationships are governed by contractual privacy/security requirements and ongoing assessments.

Names / personal identifiers

Subscriber datasets are business address data, and our risk controls explicitly call out avoiding the collection or storage of PII in the first place, alongside encryption, restricted access, and breach notification practices.

“Are you compliant with [insert regulatory framework here]?”

Smarty operates a formal security program aligned to SOC 2-style Trust Services Criteria, with controls spanning confidentiality, risk management, incident response, vendor oversight, retention/destruction, and business continuity. Customers remain responsible for their industry-specific compliance obligations, and Smarty’s controls (and Enhanced Data Privacy, if applicable) are designed to help support those compliance goals.
