Meet the new Web App — gracefully responsive across every screen, from the widest desktop to the phone in your pocket.

Trust & Security

Security at
ContactsPlus

The security of your Personal Information and contact data is a top priority. This page outlines the technical and organizational measures we use to protect it — in line with GDPR Article 32 and CCPA.

Last updated: July 24, 2025

At a glance

ContactsPlus protects your data with AES-256 encryption at rest, TLS encryption in transit, role-based access controls, and GDPR- and CCPA-compliant practices.

  • AES-256 encryption at rest, TLS in transit
  • GDPR- and CCPA-compliant data handling
  • Role-based access control and MFA support
  • Hosted on AWS; your data is always yours to export

Our commitment

Built to protect your data

We implement industry-standard technical and organizational measures to safeguard your information against unauthorized access, use, disclosure, alteration, or loss, in compliance with GDPR Article 32 and CCPA Section 1798.81.5.

Security measures

How we protect your data

Encryption

Data in transit is secured with Transport Layer Security (TLS). Data at rest is encrypted with 256-bit AES (Advanced Encryption Standard).

Access controls

Role-based access restricts data to authorized personnel only, and employees are bound by confidentiality obligations.

Authentication

Accounts require strong passwords, and we encourage enabling multi-factor authentication (MFA) where available.

Network security

Firewalls and secure server environments protect against unauthorized access to our systems.

Secure infrastructure

Our servers are hosted in Amazon Web Services (AWS) data centers, which comply with rigorous security standards.

Vetted third parties

Service providers (e.g., Stripe, Google Analytics) are bound by data processing agreements, with international transfers protected by Standard Contractual Clauses.

Data lifecycle

Data retention & deletion

We retain Personal Information and contact data only as long as necessary to provide the Services, improve our database, or meet legal obligations (e.g., tax, auditing) — typically up to 5 years after last update or use, per our Privacy Policy. You can request deletion of your data at any time.

Incident response

Data breach response

In the event of a personal data breach, we follow a structured incident response plan to detect, contain, and mitigate the issue. We notify affected users and relevant authorities within 72 hours (GDPR Article 33) or promptly (CCPA Section 1798.82), providing details on the nature and scope of the incident.

Proactive testing

Security testing & vulnerability management

Our security team conducts regular vulnerability assessments, penetration testing, and software updates to address potential risks. We partner with the security research community and third-party platforms like OpenBugBounty to identify and resolve vulnerabilities, and security patches are applied promptly.

Children’s data

Protecting children’s data

We do not knowingly collect Personal Information from users under 13, per COPPA (15 U.S.C. § 6502) and our Privacy Policy. For EU/EEA users aged 13–16, we require verifiable parental consent (GDPR Article 8). If you believe a minor’s data has been collected, contact support@contactsplus.com.

Your part

User responsibilities

To enhance your account security, we recommend:

  • Strong passwords: use a unique, complex password and update it regularly.
  • Multi-factor authentication: enable MFA where available.
  • Secure practices: don’t share your password or reuse it on other platforms, and be cautious of phishing.
  • Prompt reporting: notify us immediately at support@contactsplus.com if you suspect unauthorized access.

No method of transmission or storage is 100% secure; while we strive to protect your data, we cannot guarantee absolute security.

Responsible disclosure

Information for security researchers

We welcome collaboration with security researchers. If you discover a vulnerability in our Services, please follow our responsible disclosure policy:

  • Prompt disclosure: report the vulnerability with full details to security@contactsplus.com.
  • Good faith: don’t degrade Service performance (e.g., denial of service) or access/modify user data without permission; use a test account to demonstrate issues where possible.
  • Confidentiality: allow us reasonable time to resolve the issue before public disclosure.
  • Scope: limit testing to ContactsPlus properties (contactsplus.com, the app, APIs); report third-party issues to those providers directly.
  • Bounty program: we offer bounties at our discretion based on scope and severity. Contact security@contactsplus.com for eligibility, or submit via OpenBugBounty.

Get in touch

Contact us

For security concerns, to report a vulnerability, or to exercise your data rights:

We respond within one month (GDPR Article 12(3)) or 45 days (CCPA Section 1798.130). For more, see our Privacy Policy.