Information Security Practices
We're committed to safeguarding our product and protecting the personal data and confidential information we keep.
1. Purpose
We're committed to safeguarding our product and protecting the personal data and confidential information we keep. The purpose of this document is to provide insight into our privacy and security practices. In this document, we refer to Rumli ApS as "Rumli", "we", "us" or "our", and to companies that use Rumli as "you" and "your". We make this document publicly available by publishing it on our website, and we share it with all of our staff members (including any temporary workers and contractors). This document and our information security framework are reviewed at least annually, and each review requires approval by our CPO.
2. Our Privacy and Security Organisation
We have a highly skilled engineering team who govern our data protection and information security, and who are responsible for securing our product and services. When appropriate, we also engage external resources and experts. Our CPO takes on the role of Chief Information Security Officer and leads our security initiatives. If you have questions about the data processing activities that we carry out on your company's behalf, you're most welcome to contact us at hej@rumli.com.
- 2.1 Our Engineering Team.
- Our engineering team governs our data protection and information security, and is responsible for securing our product and services. When appropriate, we also engage external resources and experts. Our CPO takes on the role of Chief Information Security Officer and leads our security initiatives.
3. Information Security Framework
We have security policies and other documents that form the basis of our information security framework. These policies and documents are reviewed on an annual basis. The policies apply to everyone who works for us, including our staff members and freelancers, and everyone who works for us is educated and trained in our information security practices.
- 3.1 Information Security Policy.
- The goal of our Information Security Policy is to protect all the data we retain and process. We align with current international regulatory and industry best-practice guidance, and we've designed our security program around best-of-breed guidelines for cloud security. Further details of our Information Security Policy are confidential.
- 3.2 Data Incident Policy.
- In the event of a data incident, we have a documented policy and firm processes to guide our actions. Our Data Incident Policy outlines how we should document, investigate and report potential data incidents. We comply with the GDPR and will notify you by email should we become aware of a data breach that affects you and requires notification. An email will be sent to the email addresses registered in our product or as contact persons for your subscription with us.
- 3.3 Business Continuity Policy.
- We ensure the continuity and timely recovery of our critical business processes and services in the event of a disaster, and that our critical business processes operate at an appropriate level. We design our product to be highly available, fault-tolerant and fault-resilient. To achieve this, we follow industry best practices, which we continuously review and improve on. Our product is hosted in a proven serverless infrastructure, which helps us minimise incidents, hacking, downtime and the recovery time of our services. As a principle, all our processors and sub-processors are Software as a Service. Further details of our policies and processes are confidential.
- 3.4 Contractual Obligations.
- As our customer, your use of our services is governed by a Data Processing Agreement. Our Customer Agreement sets out the rights and obligations for you and for us, including our obligation to keep your information and data confidential and thoroughly protected.
- 3.5 Code of Conduct and Anti-Bribery.
- We expect those who use our product or do business with us to make decisions that reflect strong ethics and are consistent with our values. We therefore require our staff members, sub-processors and processors, and business partners to adhere to the principles set out in our Code of Conduct. We're committed to maintaining a high ethical standard, and we require that our staff members and business partners comply with all the relevant anti-corruption laws of the countries that we do business in.
- 3.6 Human Resources.
- All of our staff members need to know what they can and cannot do when handling confidential information and personal data. In addition to their obligation to follow our Code of Conduct, our staff members must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts and in our Employee Handbook. The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract. If a staff member breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.
- 3.6.1 Hiring.
- As part of our recruitment process for hiring new staff members, we carry out reference checks where relevant. We perform criminal record checks for all roles.
- 3.6.2 Training.
- Our new staff members go through a new hire program that includes education and training about how to protect and handle information. New hires learn about our commitment to information security and data privacy, our Code of Conduct, and our requirements for protecting and safeguarding information.
- 3.6.3 Confidentiality.
- In addition to upholding their employment contract, our staff members must read and comply with our Code of Conduct.
- 3.6.4 Leaving.
- When staff members leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 6.2.
4. Privacy
- 4.1 Data Processing Agreement.
- We use the terms "data controller", "processor" and "sub-processor" as defined in Article 28 of the EU's General Data Protection Regulation ("GDPR"), where the data controller and the processor, and the processor and the sub-processor, are required to have a "data processing agreement" ("DPA") in place. Our DPA meets the requirements outlined in the GDPR and is part of our Services Subscription Agreement. You can find a copy of our DPA on our website. We recommend that you keep a copy of our DPA on file in case you need to show that you comply with Article 28 of the GDPR.
- 4.2 Personal Data.
- We consider any data relating to an identified or identifiable person as "personal data"; examples include: basic identity information such as name, address, email address, and ID numbers; financial information that identifies the individual; voice, transcript text and video data that identifies the individual; and web data such as location, IP address, cookie data and device identifiers. We process sensitive data solely on your behalf, and we use the data solely for the purpose of providing our services to you. When we build products, Privacy by Design is part of our product development process.
- 4.3 Processors and Sub-processors.
- We use specialised companies to assist us with delivering our services to you. Before we engage a processor or a sub-processor, we perform a thorough security and privacy risk assessment aligned with the Data Protection Impact Assessment ("DPIA") process. We monitor the performance and applicability of our processors and sub-processors on an ongoing basis, and we review the DPIAs annually. Data to and from our processors and sub-processors is encrypted in transit, and all web communication uses at least 128-bit encryption. All of our websites use TLS 1.2, and we only accept data sent via web submissions that use HTTPS.
- 4.4 Protecting the Personal Data About Your Users.
- When you share personal data about your users with us, your company acts as data controller and we act as processor. We process this data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product. You can see the list of the sub-processors we use to process personal data about your users on our website.
- 4.5 Protecting Your Personal Data.
- We process your personal data for the purpose of providing the various functionalities of our product to you. Employees in your account are created, managed and deleted by you within our product or by writing to our support team. We do not store or keep passwords, which are handled by a secure third-party provider. In our Privacy Policy, we set out what types of information we process as a data controller related to our website and product.
- 4.5.1 Data Subject Rights.
- We comply with Data Subject Rights (also known as "the rights of the individual") pursuant to the GDPR and similar legislation.
5. Our Product
- 5.1 Infrastructure.
- Our infrastructure is hosted with Amazon Web Services (AWS). The IT infrastructure that AWS provides is designed and managed in alignment with best security practices and a variety of IT security standards. As of November 2022, AWS complies with: SOC 1/ISAE 3402, SOC 2, SOC 3; FISMA, DIACAP, and FedRAMP; PCI DSS Level 1; ISO 9001, ISO 27001, ISO 27017, ISO 27018. Our proven serverless infrastructure provides best practice in availability, scalability, security, and protection against attacks. We host our production, staging, and test environments on AWS, keeping production data strictly separate.
- 5.2 Security.
- We consider security concepts, assessments and techniques fundamental to the development, reliability, and overall improvement of our product and services. We operate on the principle of least privilege first. All software changes pass through a formalised code review process before they are released into isolated environments. We do not rely on outsourced development; all of our development is in-house. Encryption keys are securely stored. You are welcome to conduct your own security scans and penetration tests of our services, as long as these are of a non-malicious nature and you ask us for pre-approval.
- 5.3 Malicious Code Management.
- Our backend infrastructure is built automatically from code using GitHub Actions and follows infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it's always complete, lean and clean. Our serverless setup means we don't need to use antivirus or anti-malware software, as that is handled by our platform provider. We continuously monitor our infrastructure and product for errors so that we can detect and address them quickly.
- 5.4 Software Patch Management & Malware.
- We have a formal process for management and correction of vulnerabilities. Vulnerabilities should be reported to hej@rumli.com. Our commitment to software security is paramount. AWS takes care of Security of the Cloud, while we handle Security in the Cloud. Serverless on AWS means there are no manual patching cycles or planned outages. We actively monitor our software dependencies, ensuring code libraries and frameworks are always updated, especially concerning security patches. We employ continuous integration to thoroughly test all patches before deployment.
- 5.5 Logging.
- Our logs are confidential and unavailable outside our company. Our logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed. We retain our logs until they are no longer needed, after which they are deleted. Examples of activities we log include: application exceptions and stack traces, traffic statistics, backend changes and deployments, and malicious activity.
- 5.6 Data Backup.
- We use point-in-time recovery to manage our database backups, providing continuous backups. We perform backup recovery tests regularly. Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed. We retain our backups for a maximum of 35 days, after which a backup is deleted. All user data is fully encrypted at rest, and our data backups also employ encryption to safeguard sensitive information.
6. Our IT
Our Engineering Team manages our internal accounts, password security, access to systems and data, and IT assets — covering both hardware and software.
- 6.1 Provisioning of Access.
- All our staff members are granted an individual hej@rumli.com personal user account. We don't allow any two staff members to share or use the same personal user account. Access permissions for individual services and user roles are granted from our role-based access control model using least privilege first principles. Before we grant access, the internal owner of the respective service must approve the assignment of access rights and roles. We maintain a detailed access log which is continually monitored.
- 6.2 Review and Removal of Access.
- Access rights to our services and data are reviewed at least annually, and staff member access is removed or downgraded when it is no longer required. When a staff member leaves, their user accounts are immediately disabled and, once no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the staff member remain valid after they leave our employment.
- 6.3 Passwords.
- All internal user accounts are protected with a password that must meet the rules described in our password policy, which aligns with the recommendations of the National Institute of Standards and Technology (NIST), and passwords are saved in a password manager. We only grant access to authorised staff members with a work-related need for access.
- 6.4 Office Networks.
- We rely on the principle of "working from anywhere", where our staff are free to work from wherever they are located. Our office networks therefore do not provide any protection or security specific to our product, and our product treats our office networks like any other Internet-connected network. No application or file storage services are provided by our office networks; we instead make use of our processors and sub-processors, which can all be accessed securely from anywhere.
- 6.5 Assets.
- We broadly define our network equipment, stationary devices, mobile devices, software, and removable media as IT assets. We identify, register, and assign owners for all our IT assets.
- 6.5.1 Devices.
- We make sure to install all required software updates, security patches and firmware upgrades. Our Operations Team ensures that disk encryption and a screen lock timeout are enabled on all devices that we use to access our technical environment. Our staff members are instructed not to carry out unauthorised downloads, store or share personal data, or install or run unauthorised, untested, or unlicensed software without prior approval from our CPO. At the end of their use, our devices and other hardware are recycled, and their hard drives are wiped.
- 6.6 Physical Security.
- Our office cannot be accessed directly from the street, and entry into our office requires a keycard or similar.
- 6.7 Paper Documents.
- We maintain a paper-free environment, and documents are not printed unless necessary. We do not unnecessarily retain paper documents. When disposed of, all paper documents containing personal data are shredded. We have a clean desk policy, and data is not stored on on-premises media.
7. Company Information
Rumli ApS was established in 2017 by our two founders, and is located in Copenhagen. Our company registration number is DK39016869.
Questions about our security practices?
If you have any questions or concerns about our privacy or security practices, you're welcome to get in touch.