Client data management
Protecting your clients’ data is a significant concern for your professional services firm, and Intapp is committed to supporting your firm’s data-management responsibilities.
With Intapp products, your firm gains comprehensive control over — and real-time transparency into — your data assets, including client data. On this page, we detail your firm’s role in managing client data and how Intapp empowers you in this process.
Intapp works with its clients to support both data security and data privacy. However, at times, the goals of privacy regulations might be counter to the goals of security controls. In such cases, clients will have to balance these competing aims while weighing their business needs and requirements.
When using Intapp products, your firm is responsible for controlling the client data your users upload to those products, while Intapp is responsible for processing that data. This includes data entered manually as well as data uploaded through integrations or other automated means. In other words, your firm is typically the data controller, while Intapp acts as a data processor.
Intapp and your firm share responsibility for complying with applicable privacy regulations. Learn more here.
Although specific products process different sets of data, there are some general categories of personal data that most of our products process.
End-user information refers to the personal data collected about individuals who directly interact with Intapp’s products. This category of information is crucial for user authentication, access control, and personalizing the user experience across our products. You can see additional examples of end-user information below:
Intapp products need a minimal set of business contact information, such as name and email address, to provide your users with access to the products and/or send them reports or notifications.
Additional information such as titles, roles, other contact information, or reporting structures, may be stored in Intapp products to support various business processes and user needs.
For monitoring purposes and security checks, Intapp products may track user actions, and those actions may contain personal data. An example would be a user’s login history, which could include the IP address from which the user connected.
Intapp products may monitor and control text entered by users in free-text fields, and these entries may contain personal information about both users and clients.
Intapp products may process other types of end-user information. For example, users might upload information about their educational background, specific achievements, or client experiences.
Client information encompasses information related to our clients’ clients or business contacts. Our products process this data to support business functions, including relationship management, service delivery, and compliance activities.
To characterize and classify information about the services you provide to your clients, it is critical for Intapp products to store and process details about your clients. Client information will include the following:
May contain personal information
Contains names and business contact information of persons at client sites
May include information collected from news sources or corporate filings
Often, your work for your clients will contain information about third parties. These third parties might be your clients’ vendors or suppliers, or parties adverse to your clients. In most cases, the information about third parties will be limited to what is needed for the specific engagement.
Several types of personal data are not commonly found in Intapp products. These are often seen as more sensitive data elements that might require specific treatment or protections. Nevertheless, it is possible that a limited set of such information may be entered into Intapp products. Because your firm controls what data is uploaded or entered into Intapp products, your team should review the need to process such information and limit it to cases where such processing is required, ensuring that such personal data is adequately protected.
Types of sensitive personal information
Your firm will gain a more precise understanding of your data responsibilities and Intapp’s by reviewing the sales agreement between your firm and Intapp. In particular, your firm will want to review the below sections of the contract:
The MSSA contains commitments pertaining to the engagements and the responsibilities of each party. Specifically, it describes the commitment regarding the protection of confidential data, including client data.
The DPA specifically addresses the requirements around processing personal data. Among other things, the addendum limits processing by Intapp to that required to provide your firm with the subscribed service. The addendum also describes how Intapp will respond to data subject requests, secure personal data to a level that is compliant with relevant regulations, and handle cross-border transfers and sub-processing.
Our SCCs provide assurances around protecting personal data when transferred to a different country. The SCCs also contain a detailed listing of the security controls in place for Intapp products.
Your firm can select from several available locations for data processing. We host Intapp Cloud Infrastructure in multiple global locations, and your firm can select your service delivery region of preference; that region is where your data will be processed.
Flexibility in selecting your service delivery region lets you locate your applications within the region that matches your business requirements. For instance, European firms can choose to leverage clusters in the European Union so that they are under familiar European regulations.
By default, Intapp deploys client instances in the region where the client’s primary address is located, as described in the MSSA. We encourage global firms to determine whether a different geographic region might be better suited based on their regulatory and compliance needs.
Intapp products are generally accessible from any location, even outside the geographic region in which they are deployed. Intapp relies upon our SCCs to provide a contractual commitment regarding the protection of personal data when transferred to a country outside the relevant geographic region.
Intapp has a mature security program designed to address the need for confidentiality, integrity, and availability of all client data, including any personal data included therein.
Specifically relevant to privacy, Intapp products are certified to be compliant with the controls in International Organization for Standardization (ISO) 27018 and ISO 27701, which address the security of personally identifiable information in public clouds. Learn more here.
Various privacy regulations have different requirements and/or allow data subjects to request certain restrictions or information.
To support your firm in updating personal data, we provide APIs that facilitate data flows to and from other client systems.
In many cases, our products must process personal data to accomplish their purpose or to meet regulatory requirements. As a result, your firm’s ability to restrict processing capabilities is very limited.
Limited restrictions to restrict data processing are available in some products. For example, in Dispatch for Intapp DealCloud, your users can mark contacts as “opted out” of marketing communication, which simplifies compliance with local opt-out or opt-in requirements.
To carry out their intended purpose, Intapp products must retain client data for an extended period.
In addition, our ability to delete information during the business relationship is often limited.
During intake, an anti-money-laundering or know-your-customer check is legally required, and our product must retain evidence of that check to demonstrate compliance. Likewise, our product must retain certain logs or audit information to help firms comply with specific U.S. Securities and Exchange Commission (SEC) rules.
In some instances, your firm’s business requirements to retain data may be less stringent because the regulations your firm is subject to are limited. In these instances, Intapp’s automated data retention rules are in place to remove information when applicable.
Please note that client data removed at the end of the retention period might be available in data backups for a limited time after it has been removed from the live instance. To support a “right to be forgotten” request, Intapp DealCloud lets your users delete contact records and mark a record in such a way that the record cannot be added again.
Intapp products provide an extensive role-based permission model that allows clients to limit end-user access to only the data required to perform that user’s role. In addition, Intapp products support implementing ethical wall restrictions to limit access to information on specific clients or engagements.
By leveraging the large footprint of Microsoft Azure data centers, Intapp addresses firms’ data-sovereignty concerns by offering a wide choice of geographical regions where their data can reside. This flexibility allows firms to locate their applications within the region that matches their business requirements.
With Intapp, firms can retain ownership of their data. In addition, neither Intapp nor our sub-processors will use data for purposes outside the scope of the contracted services. Intapp service agreements detail how data is stored, controlled, and used.
Intapp does not access customer data, except with permission, and only for necessary support issues. Intapp also provides firms with activity logs of any logins. Although Intapp applications use a multitenant model, different tenants’ data is not commingled.
Client data management forms the foundation for a firm’s success by ensuring client confidentiality and regulatory compliance. Proper management enables firms to maintain control over vital data assets and adhere to industry standards.
Intapp empowers firms by providing comprehensive control and real-time transparency over their data assets. This enables confident compliance with regulations and robust data governance practices.
Intapp provides tools and features within their products that allow firms to maintain strict control over client data access, ensuring that sensitive information is only available to authorized personnel.
Yes, Intapp products are designed to support firms in meeting various regulatory requirements by providing robust data governance capabilities and ensuring proper data handling practices.
Intapp can manage a wide range of vital data assets, including client information, engagement data, financial data, and other confidential business information critical to a firm’s operations.