Skip to main content
Act-On Software

Security and Privacy at Act-On

Act-On is designed beyond industry standards to preserve and protect your privacy, your intellectual property, and your investment in marketing. Here’s how we do it.


  • The Act-On solution is served from a LAMJ stack fronted by load-balanced and firewalled internet connection.
  • The application is served over HTTP/ HTTPS on external ports 80 and 443 (re-mapped internally to protected ports). Browser-based connections flow through either firewall ports 80 or 443 depending on requirements.
  • Our API access is over HTTPS using SOAP with email delivery is over SMTP. Currently the client is a web-browser or mail reader with all HTTP/HTTPS sessions, stateless. Act-On’s client-side components can operate in both Citrix XENAPP/XENDESKTOP and VMware virtual environments.
  • Our hosting provider is EasyStreet Online Services, Inc. EasyStreet maintains separate upstream internet connections through three Tier 1 providers: AT&T, Century Link, and Level 3. 

Data confidentiality

  • Act-On is a hosted SaaS solution with a multi-tenant environment.
    • All customer account data is isolated and protected from access by other multi-tenant accounts. 
  • Physical access is restricted to the Act-On operations team, and housed in a secure Type II SSAE 161 (formerly SAS 70) audited facility.
  • All multi-tenant data is partitioned logically and isolated to prevent unauthorized access. No data for any two accounts is stored in the same table.
  • Physically, electronic card locks and biometric authorization restrict inperson access to authorized personnel only, and additional key locks provide secure access to Act-On computing assets.
  • The site is physically staffed 24/7, locked and security guarded 7x24, 365, with monitored electronic and biometrics authorization with intrusion detection, internal alarming and external security service. All access is physically logged and cameras provide additional recorded surveillance. 

Backup, continuity, and failover

  • Act-On applies an automatic hourly snapshot backup that is maintained for three days with daily snapshots maintained for disaster recovery (DR) offsite for 28 days.
  • Weekly snapshots are maintained for DR offsite for 4 weeks. Act-On provides business continuity and failover across the entire platform.
  • Act-On applies automatic HA fail-over for data storage and network fabric and automatic hotswap for disk failures. DR data is restored from mirrored snapshots with DR failover for the application servers.


  • Security, application and operating system patching is performed by the Act-On operations team on a regular schedule with monitoring and alerting systems in place for early issue detection and staff notification. All critical infrastructure is redundant and is covered under hardware and software maintenance contracts.

Encryption and directory services

Act-On performs secure data transmission using strong encryption: SSL, TLS, AES2-256, which includes 256-bit encryption. If a directory service such as LDAP or AD is used, the credentials are protected throughout the authentication process.


Act-On sends all mail with DomainKeys Identified Mail (DKIM) authentication. DKIM provides a method for validating a domain name identity that is associated with a
message through cryptographic authentication.

Site administration, access control, and permissions

Act-On customers designate which of their employees will have access to the organization’s Act-On account. Those persons can sign into the system and use its capabilities with needing to have any “special privileges” (such as Domain Admin or root access) outside the Act-On application. 

There are three possible user roles:

  • An administrator has master control over both sales and marketing users and features. The administrator can add or remove account user privileges and assign specific rights. The account administrator sets the password security policy for the entire account. Secured logins and passwords are required to access the application.
  • Marketing users have full access to both marketing features (such as creating campaigns, segmenting lists, assigning lead scores, setting up webinars, etc.) and sales features (such as prospect profiles and list segments).
  • Sales users see a different dashboard than marketing users. They do not have access to marketing assets and features other than website visitor tracking, and reports of their own email campaigns.

If Act-On is integrated into a CRM system, anyone with access to the CRM system can see an Act-On Hot Prospect lists if there is one for their territories. All a company’s salespeople, whether designated users or not, can receive alerts from the system.

Content access and control

For any one Act-On customer, the administrator and all marketing users share full access to all creative assets and content, but no one else does. Certain types of content, including stationery, message templates, forms, and landing pages can be shared with channel partners who have their own separate Act-On accounts. The content owner can add the recipient to a list and actively publish the content to that list. The recipient is passive, and cannot take action within the system to acquire content from a separate account.


With regard to compliance with Payment Card Industry (PCI) Data Security Standards (DSS) other regulatory requirements such as HIPAA: the Act-On platform does not process credit card transactions or maintain credit card data. Third party services- First Data, and PayPal are used for payment processing. Act-On is audited every month by TrustWave’s TrustKeeper.

  • Was this article helpful?

Have a question about this topic?

Ask the community!