Summary information on data security practices

Last updated: May 24, 2018

Decision Critical exists with the sole purpose of helping users take a more thought-out, informed and scientific approach to decision making in business situations worldwide.

The below information summarizes select items from our terms and conditions, privacy policy and cookies policy, and provides additional information on our current practices when handling data of all types.

The information presented here applies to services accessed via the and websites. Note that if you are accessing Decision Critical through a local provider (this would be access via any web address other than the above web address), please refer to that provider's policies.


If you have any questions, please contact us at [email protected]

Types of data

1. Scenario data: Decision Critical is an analytical system fed by assumptions and data input by users. Scenario data includes all assumptions entered into the system and outputs from the system. Scenario data are handled exclusively by Decision Critical and can only be disclosed to third parties if required by law. Scenario data may be accessed and reviewed by Decision Critical for customer service, quality assurance and improvement of functionality. Decision Critical scenario data is managed only on our servers, with no access given to third parties (see below for security information).

We do not access or use customer content for any purpose other than providing, maintaining and improving the Decision Critical services and as otherwise required by law.

2. User profile data: We collect information on our users to provide, improve, support and promote our service. Required user profile data includes name, email and country. Optional user profile data includes city, industry, company, phone number. Additionally, log data may be automatically collected (IP address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages and other statistics).

Decision Critical focuses its efforts maximally on supporting insights built through realistic enterprise modeling. As such, much of the supplementary code that goes into running a cloud-based system (automated emails, payments, customer relationship management, logging of usage, etc.) is done in modules created and maintained by third party service providers. These providers have their own privacy policies. The main service providers we use are: for automated emails sent by the system, for use tips and for marketing and for payment collection (see below) for management of our support desk Google Analytics

User profile data may also be stored in our accounting / CRM systems, in our email system (if we have corresponded with you by email) and in files offline.

3. Payment data: We process credit card payments via Stripe (and soon via Chargify) and do not collect or store complete credit card information (we receive only partial information for identification and payment reconciliation purposes only). If you choose to pay by wire transfer, any information that we receive as a result of our communication regarding the wire will be kept on our email account and in our accounting system and may also be kept offline.

Data security

The following applies to all types of information that are managed on our servers. For third parties' practices (Sendgrid, Stripe, Chargify, ZenDesk, Google Analytics), please see policies on their respective websites.

Data hosting locality: Data maintained by Decision Critical are hosted in Singapore and Japan. All data are transferred to Singapore and Japan for processing.

Data security: Decision Critical users benefit from high security standards. Data maintained by Decision Critical directly are hosted in third party data centers which maintain one or more of the following ISO 27001, SSAE SOC 2, SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2013.

All databases maintained by Decision Critical are kept on fully encrypted drives.

All data-transmitting connections with our servers are encrypted using Transport Layer Security (TLS) protocol 1.2 or higher.

Data are replicated in a backup data center in real time.

We supplement this with extensive automated monitoring systems.