Data Privacy & Security

Your Trust. Our Priority.

At Digital Inventory Group LLC, we understand that your business depends on the security and privacy of your data. We've built our platform on enterprise-grade infrastructure and maintain rigorous security practices to protect your information and your customers' data.

Effective Date: January 27, 2026

Our Commitment

Digital Inventory Group (DiG) operates as a trusted reseller and implementation partner of GoHighLevel, serving thousands of businesses across home services, health & wellness, and professional services industries. We leverage the same enterprise-grade infrastructure that powers over 2 million businesses worldwide.

Security isn't just a feature—it's foundational to everything we do. From the moment you connect with us, your data is protected by multiple layers of security controls, encryption standards, and compliance frameworks. We continuously monitor, test, and improve our security posture to stay ahead of emerging threats.

This page provides transparency into how we protect your data, our compliance commitments, and the controls you have over your information.

Infrastructure Security

Enterprise Cloud Hosting

DiG operates on GoHighLevel's enterprise platform, which leverages best-in-class cloud infrastructure:

Google Cloud Platform (GCP): Delivers at least 99.5% monthly uptime SLA
Amazon Web Services (AWS): Provides 99.95-100% reliability, backed by SOC 2 Type 2 and ISO 27001 certifications

Network Protection

Multiple layers of network security protect your data:

Firewall Protection: Network-level firewalls, security groups, and access control lists (ACLs)
DDoS Mitigation: Automatic detection and mitigation of distributed denial-of-service attacks
Traffic Encryption: All data in transit protected by TLS 1.2/1.3 with 2,048-bit encryption keys
Network Segmentation: Logical separation of customer environments to prevent cross-tenant access

Configuration Management

Automated Monitoring: Configuration changes detected within 30 minutes
Centralized Logging: Comprehensive logging and monitoring across all systems
Automated Alerts: Real-time alerting for security events and anomalies
Regular Audits: Continuous compliance verification and security assessments

Data Protection

Encryption Standards

Your data is protected at every stage:

Protection Layer	Standard	Implementation
Data in Transit	TLS 1.2/1.3	2,048-bit encryption keys for all connections
Data at Rest	AES-256	Industry-standard encryption for stored data
Password Security	Hashing + Encryption	Passwords are hashed and encrypted, never stored in plain text
Key Management	Hardened KMS	Secure key management system with strict access controls

Tenant Separation

Logical Isolation: Multi-tenant architecture with unique identifiers
Access Controls: Strict data separation prevents cross-customer access
Database Security: Row-level security and encrypted connections

Secure Data Centers

Our infrastructure operates in certified data centers with:

24/7/365 physical security monitoring
Biometric access controls
Environmental controls (fire suppression, climate management)
Redundant power and network connectivity

Application Security

OWASP Top 10 Protections

We protect against the most critical web application security risks:

SQL Injection prevention
Cross-Site Scripting (XSS) protection
Cross-Site Request Forgery (CSRF) mitigation
Insecure deserialization safeguards
Security misconfiguration prevention

Security Development Lifecycle

Code Reviews: Peer review of all code changes before deployment
Static Analysis: Automated scanning for security vulnerabilities
Dynamic Testing: Runtime vulnerability detection and prevention
Penetration Testing: Annual third-party security assessments
Vulnerability Management: Rapid patching and remediation processes

DDoS Protection

Multi-layered defense against distributed denial-of-service attacks:

Traffic analysis and anomaly detection
Automatic mitigation and traffic scrubbing
Rate limiting and request throttling
Geographic and IP-based filtering

Business Continuity & Disaster Recovery

High Availability Architecture

Multiple Availability Zones: Infrastructure distributed across geographic zones
Automatic Failover: Seamless transition to backup systems in case of outages
Load Balancing: Traffic distributed across multiple servers for reliability
Uptime Monitoring: 24/7 system health monitoring and alerting

Backup & Recovery

Backup Type	Frequency	Retention	Protection
Database Backups	Daily	7 days	WORM-protected (Write Once, Read Many)
System Snapshots	Daily	7 days	Encrypted and replicated
Contact/Opportunity Recycle Bin	On deletion	30 days	Customer-recoverable

Recovery Time Objectives

Database Restoration: Available from any point within 7-day window
Recycle Bin Recovery: Instant restoration for contacts and opportunities
Disaster Recovery Plan: Documented procedures for major incidents

Identity & Access Control

Authentication Requirements

Password Policy: Minimum 8 characters with complexity requirements (uppercase, lowercase, numbers, special characters)
Two-Factor Authentication (2FA): Available for all user accounts
Session Management: Automatic timeout after inactivity
Password Reset: Secure verification process

Authorization Controls

Role-Based Access Control (RBAC): Granular permissions by user role
Principle of Least Privilege: Users granted minimum necessary access
Agency/Sub-Account Structure: Hierarchical access controls for agencies and their clients
API Key Management: Secure generation and rotation of API credentials

Employee & Support Access

Bastion Host Access: Secure SSH access via hardened jump servers
Just-in-Time Access: Temporary elevated permissions (24-hour maximum)
Access Logging: All privileged access logged and auditable
Customer Consent: Support access only with customer permission or in emergency situations

Compliance & Privacy Frameworks

International Privacy Frameworks

DiG operates on infrastructure that maintains the following certifications and compliance frameworks:

EU-U.S. Data Privacy Framework (DPF): Certified for transatlantic data transfers
UK Extension to EU-U.S. DPF: Compliant with UK data protection requirements
Swiss-U.S. Data Privacy Framework: Certified for Swiss data transfers

U.S. Privacy Laws

We comply with comprehensive U.S. privacy regulations:

California Consumer Privacy Act (CCPA/CPRA): Full compliance including consumer rights management
Virginia Consumer Data Protection Act (CDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Texas Data Privacy and Security Act
Oregon Consumer Privacy Act

GDPR Support

For customers with EU/UK data subjects, we provide:

Data Processing Agreements (DPA) available upon request
Tools for managing consent and data subject requests
Data export and portability features
Right to erasure (deletion) capabilities
Cookie consent management options

Payment Security

PCI-Compliant Processing: All payment processing through certified third-party processors (Stripe, NMI, Authorize.net)
No Card Data Storage: DiG does not store full credit card numbers or CVV codes
Tokenization: Sensitive payment data replaced with secure tokens
Secure Forms: Payment forms hosted on PCI-compliant domains

Data Breach Notification

We maintain incident response procedures that include:

Notification to affected customers as required by applicable law
Regulatory notification in accordance with jurisdiction requirements
Transparent communication about the nature and scope of any breach
Remediation steps and customer support

SMS & Communications Security

A2P 10DLC Compliance

DiG maintains active A2P (Application-to-Person) 10DLC registration for all business messaging:

Carrier Registration: Registered with The Campaign Registry (TCR)
Brand Verification: Verified business entity with active trust score
Campaign Registration: All use cases registered and approved by carriers
High-Volume Throughput: 60-4,500 messages per minute based on trust score

TCPA Compliance

We help you maintain compliance with the Telephone Consumer Protection Act:

Dual-Consent Checkboxes: Separate consent for SMS and phone calls
Consent Language Templates: Pre-built compliant consent disclosures
Timestamp Documentation: Automatic logging of consent events
Opt-Out Management: Automatic STOP/UNSUBSCRIBE handling
DNC List Integration: Tools for managing Do Not Call lists

Messaging Best Practices

Sender ID Verification: All phone numbers properly registered
Content Filtering: Automated scanning for prohibited content
Rate Limiting: Carrier-compliant sending limits
Delivery Monitoring: Real-time tracking and error reporting

Organizational Security

Employee Security

Background Checks: Screening for all employees with access to customer data
Security Awareness Training: Annual mandatory training on security best practices
Acceptable Use Policies: Clear guidelines for data handling and access
Offboarding Procedures: Immediate access revocation upon separation

Vendor Management

Vendor Risk Assessments: Security evaluation of all third-party providers
Contractual Requirements: Data protection and security obligations in all vendor agreements
Subprocessor List: Transparent disclosure of data subprocessors (available upon request)
Regular Reviews: Ongoing monitoring of vendor security posture

Endpoint Security

Full Disk Encryption: All employee devices encrypted
Endpoint Detection and Response (EDR): Advanced threat detection on all corporate devices
Patch Management: Regular security updates and vulnerability remediation
Remote Wipe Capability: Lost or stolen device protection

Incident Response & Security Operations

24/7 Security Monitoring

Security Operations Center (SOC): Continuous monitoring of security events
Automated Threat Detection: Machine learning-based anomaly detection
Incident Response Team: Dedicated team for security incident management
Escalation Procedures: Defined processes for incident severity levels

Vulnerability Management

Regular Scanning: Automated vulnerability scanning across infrastructure
Patch Management: Rapid deployment of security patches
Risk Prioritization: Critical vulnerabilities addressed immediately
Remediation Tracking: Documented resolution of security findings

Customer Notification

In the event of a security incident affecting your data:

Initial Notification: Within 72 hours of discovery (or as required by applicable law)
Incident Details: Nature of the incident, affected data, and timeline
Remediation Steps: Actions taken to address the incident
Customer Actions: Recommended steps to protect your account
Ongoing Updates: Regular communication until incident is fully resolved

Your Privacy Controls

Data Subject Rights

You have the right to:

Access: Request a copy of your personal data
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (subject to legal retention requirements)
Portability: Export your data in machine-readable format
Opt-Out: Opt out of certain data processing activities
Non-Discrimination: Exercise rights without penalty

How to Exercise Your Rights

Email: [email protected]
Subject Line: Privacy Rights Request - [Your Request Type]

Include:

Your full name and email address
Your account or agency name
Specific request (access, deletion, correction, etc.)
Any relevant details to help us locate your data

Response Time: We will respond within 30 days (45 days for complex requests)

Consent Management

Within your DiG account, you can:

Manage customer consent records
Update communication preferences
Configure cookie consent banners
View and export consent audit logs
Update privacy policy links and disclosures

Data Retention

Active Accounts: Data retained while account is active and for business purposes
Inactive Accounts: Data retained for legal and contractual obligations
Deletion Requests: Data deleted within 90 days of verified request (except where retention is required by law)
Backup Retention: Deleted data removed from backups within 7 days

Transparency & Reporting

Security Disclosures

We believe in responsible disclosure. If you discover a security vulnerability:

Email: [email protected]
Subject Line: Security Vulnerability Report

Please include:

Description of the vulnerability
Steps to reproduce
Potential impact assessment
Your contact information for follow-up

We will acknowledge your report within 48 hours and provide updates on remediation.

Annual Security Reports

Upon request, we can provide:

Summary of security controls and practices
Compliance certification status (through our platform provider)
Recent penetration test results (redacted as appropriate)
Subprocessor list

Contact Information

Mailing Address

Digital Inventory Group LLC
317 Ruth Vista Road
Lexington, SC 29073
United States

Governing Law

This Privacy & Security page and all related policies are governed by the laws of the State of South Carolina, without regard to its conflict of law provisions.

Last Updated: January 27, 2026

Commitment to Continuous Improvement

Security and privacy are not one-time achievements—they require ongoing vigilance and improvement. We continuously:

Monitor emerging threats and vulnerabilities
Update our security controls and practices
Train our team on the latest security standards
Listen to customer feedback and concerns
Invest in new security technologies and processes

Your trust is our most valuable asset. We don't take it lightly.

Questions about our security practices? Contact our privacy team at [email protected]

e. here

CONTACT US

SOCIALS

CRM + Automations + AI = Growth at Scale

317 Ruth Vista Road

Lexington, SC 29073

(877) 796-7787

[email protected]

Do Not Sell My Personal Information | Accessibility | Data Processing Agreement