Constant Contact® Security Policy

Updated: Sept 2018

At Constant Contact, the safety, privacy, and security of the data our customers entrust to us is very important to us. We realize you might have a few questions around our security practices and have included below some of the ones you might find important. If you have further questions not listed below, please feel free to reach out to us directly at

Who owns the data I load into your service?

  • Your personal data belongs to you. We do not sell or rent your contact lists without your authorization. More details can be found in our Privacy Policy.

What do you do to keep my data secure?

  • We use opportunistic in-transit (TLS), access controls, and data security policies to protect your passwords, credit card numbers and email lists.
  • We have a defense-in-depth approach to security, with layered next-generation firewalls, network-based intrusion prevention/detection, DDOS mitigation, vulnerability assessments (internal and 3rd party) and state-of-the-art data centers covered by 24X7 guards and biometrics. In other words, we take securing your data seriously.

What about security in your applications?

  • Our goal is to design, build, and maintain secure applications. We believe security should be built in and not bolted on.
  • We regularly review our code as well as any third party code included in our products using static and dynamic analysis tools along with manual code reviews in critical areas.
  • We train our engineers in secure coding and architectural design patterns like the ones outlined in the OWASP Top 10, SANS critical security controls, and the NIST frameworks.
  • If you find an issue with our products, head over to the vulnerability reporting page and let us know.

What do you do to protect my data from loss?

  • We have a documented and tested business resiliency plan that includes replicating your data between our 2 geographically disbursed data centers.
  • Additionally, we have a comprehensive insurance program to protect your data and our company from a variety of losses.

Does Constant Contact have any certifications?

  • We annually attest to PCI-DSS compliance and are audited by an independent Qualified Security Assessor [QSA] to handle your credit cards.
  • As a wholly-owned subsidiary of a publically traded company on the NASDAQ exchange, our parent company, Endurance International Group Holdings, Inc., adheres to Sarbanes-Oxley regulations as they relate to our financial reporting.
  • For customers regulated under HIPAA/HITECH, we can sign a Business Associates Agreement.
  • If you need further information on how we demonstrate the effectiveness of our security practices, drop us a note at the email listed above and we will be happy to share the information with you.

Who are the people accessing my data?

  • All employees that have access to your data undergo a background investigation and must sign confidentiality agreements prior to being granted access.
  • Each employee receives annual refresher training on security practices and threats.

Does Constant Contact have a security team?

  • Constant Contact employs a dedicated team of security professionals that monitor the environment 24 hours a day, 7 days a week, 52 weeks a year. We are watching.

Are they any good?

  • Every one of the folks on the team is certified in at least one discipline of security and has many years of experience

I am a Law Enforcement officer and I need to contact the security team?

For more information: