Compliantly Collect First Party Data on Auto-Pilot
Empower Compliance with Data Privacy Laws Worldwide. Purple's Captive Portal Offers Unmatched Flexibility for Implementing Necessary Conditions, Opt-In or Opt-Out Choices, and Custom Data Fields to Meet Global Data Protection Requirements
Data & Data Security
Data in Transit
- All public portals and websites use TLS encryption.
- TLS 1.2 minimum supported.
- Regular review of TLS ciphers.
DNS Data
- Collects domain lookup data via WebTitan.
- Logged against venue's IP.
- Not traceable to individual users.
Webhooks
- Real-time data export triggers.
- HTTPS POST to user-defined endpoint.
Data Sovereignty
- Data stored in three GCP locations.
- Compliant with regional data storage laws.
Data Reset
- Hosted on Google Cloud (GCP) or Amazon Web Services (AWS).
- Data disks encrypted (AES-256).
Location-Based Services
- Passive collection of device data.
- MAC address, RSSI, date/time recorded.
- Location coordinates with the right hardware.
Personal Identifiable Information
- Data varies by configuration.
- Encrypted and stored in three locations.
- PII data retention of 13 months of inactivity.
Data Retention
- User data anonymized after 13 months of inactivity.
- Non-identifiable information retained.
- Raw data discarded sooner if needed.
Data Protection
- Compliant with EU's GDPR.
- Clear data purposes and rights in EULA and privacy policy.
- Separate active opt-in for EU marketing consents.
- Users can view, modify, or delete data.
- Purple Data Protection Officer for queries.
Connectors
- Third-party integrations for CRM data.
- Connector connection/session data encrypted.
Payments
- No handling or storing of financial data.
- Payments via Stripe, PCI-DSS compliant.
Data Storage and Backup
- Databases replicated with real-time backups.
Captive Portal
- Stores device MAC, user agent, AP MAC.
- User data stored based on login method.
- Data secured via TLS in transit.
- RADIUS accounting for network metrics.
API
- RESTful API for extracting user data.
- Encrypted with HTTPS, requests signed.
ISO Compliance
- ISO 9001 for business practice.
- ISO 27001 for data security.
- Audited annually.
Data Ownership/Controller
- Customers share data ownership.
- Joint Controller with Purple & Flow.
- Data treated per local legislation.
Application Components
Captive Portal
- Configurable splash page.
- T&Cs acceptance required.
- OAuth access via social media.
Location/Presence Data Collection
- Collects MAC addresses and RSSI.
- Coordinates with the right hardware.
- Location data linked to WiFi users.
Customer Portal
- User account hierarchy.
- Password policies and rotation.
- Secure access control.
RADIUS
- Authentication required for all traffic.
- One-time password for security.
Personnel Management, Procedures, and Policies
Staff Access
- Limited access to key staff.
- Contractors strictly prohibited from live data.
Incident Response
- Security Incident Reporting Policy.
- Data protection contacts notified.
- Clear staff termination procedure.
Development and Testing
- Secure development policy.
- Code review, testing, and QA.
Releases
- Weekly deployments for maintenance.
- Large releases on a quarterly basis.
Threat Management
- Monthly automated tests.
- Weekly software patches.
- Third-party penetration test annually.