SmartSpace.ai Data & Security FAQs
Q: What is the purpose for which third parties will be processing personal data?
A: The third-party entity, HubSpot, processes personal data for the purpose of providing customer relationship management (CRM) services. This includes managing customer interactions, tracking customer information, and facilitating customer service and support.
Q: In which locations will third parties be processing personal data?
A: The third-party entity, HubSpot Inc., processes personal data on its servers located in the United States. The server infrastructure is hosted on Amazon Web Services (AWS).
Q: What are the names of the legal entities who will be processing the personal data?
A: The legal entity that will be processing the personal data is:
• HubSpot Inc. - our Customer Relationship Management (CRM) provider
Q: Will any third party be used to process Personal Data under the contract?
A: Yes, we use third-party service providers to process personal data under the contract. These third parties are contractually obligated to maintain the confidentiality and security of personal data and are restricted from using such information in any way not expressly authorized by us. We have a policy that prohibits IT vendors from accessing our information security assets until a contract containing security controls is agreed to and signed by the appropriate parties. All IT vendors must comply with the security policies defined and derived from our Information Security Program.
Q: Do you comply with all applicable local data protection regulations to which you are subject?
A: Yes, we comply with all applicable local data protection regulations to which we are subject. We have a comprehensive data protection policy in place that outlines our commitment to protecting personal data and our compliance with data protection laws and regulations.
We also have a breach notification policy that establishes the requirements and procedures for reporting a breach of sensitive information, in compliance with various regulations including the NZ Privacy Act (2020), GDPR, HIPAA, and CCPA. Furthermore, we conduct an annual review of our privacy policy to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
Q: What lawful basis do you rely on for transferring personal data outside the EEA (e.g., EU Standard Contract Clauses or by being registered with Privacy Shield)?
A: The lawful basis for SmartSpace to transfer personal data outside the EEA includes legitimate interest, performance of a contract, and freely given consent. These principles guide our data transfer operations and ensure compliance with data protection regulations.
Q: Where will personal data be processed and what processing operations are being carried out from these locations?
A: Personal data is processed in New Zealand and may also be processed in the UK and Europe in compliance with GDPR regulations. We do not collect or hold any sensitive patient health information in or outside of the US.
The types of personal data processed include Identity Data, Contact Data, Financial Data, Transaction Data, Technical and Usage Data, Profile Data, Interaction Data, Marketing and Communications Data, Professional data, and Requested data.
The processing operations carried out include collecting, holding, using, and disclosing personal information for various purposes such as enabling access to our services, assessing new clients, providing services, contacting and communicating with users, internal record keeping, administrative purposes, analytics, market research, business development, advertising and marketing, compliance with legal obligations, and considering employment applications.
Q: Does SmartSpace.ai process any personal data outside the EEA?
A: Personal data is processed in New Zealand and may also be processed in the UK and Europe in compliance with GDPR regulations. We do not collect or hold any sensitive patient health information in or outside of the US.
Q: In which countries will personal data be processed?
A: Personal data is processed in New Zealand, as outlined in our Privacy Policy, as well as in the United States by our third-party CRM.
Q: Please describe the steps which you have taken to comply with the General Data Protection Regulation (GDPR)?
A: To comply with the General Data Protection Regulation (GDPR), we have taken several steps:
1. Breach Notification Procedures: We have defined procedures for notifying appropriate parties of a breach of sensitive information. For personal data breaches in the UK and Europe, where we are the controller, we notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The notification includes the categories and approximate numbers of individuals and records concerned, the name of the organisation's data protection officer or other contact, the likely consequences of the breach, and the measures taken to mitigate harm.
2. Risk Management: We regularly review internal and external risk factors, including employee behaviour, policy lapses, technological vulnerabilities, cyber-attacks, market changes, and regulatory developments. We have also activated the Drata compliance framework and rolled out PC monitoring from Drata.
3. Security Awareness Training: We have selected a security awareness training platform and have started the 2024 security compliance program.
4. Policy Review: We have a defined breach notification policy that establishes the requirements and procedures for reporting a breach of sensitive information. We also conduct an annual review of our privacy policy to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
Q: Do you have a Data Protection Officer / is there an individual within your organisation who is responsible for data protection?
A: Marco van Emmenes - CTO
Q: What systems and procedures do you have in place which allow you to notify us of any data breach?
A: We have a defined Incident Response Plan that establishes the requirements and procedures for reporting a breach of sensitive information. The policy outlines the process for breach notification based on applicable regulations and includes appropriate reporting timelines, content, and methods outlined by those regulations.
When a breach occurs, we notify affected individuals as soon as practicable. For breaches involving personal data in the UK and Europe, we notify the Information Commissioner's Office without undue delay and, where feasible, not later than 72 hours after becoming aware of it. We also have a Disaster Recovery Plan that includes a Notification/Activation phase to detect and assess damage and to activate the plan.
Q: What controls do you have in place to prevent, detect and mitigate the effect of data breaches?
A: To prevent unauthorized access or disclosure, we have put in place physical, electronic, and managerial procedures. These procedures are designed to safeguard and secure personal information and protect it from misuse, interference, loss, and unauthorized access, modification, and disclosure.
We also have a policy that prohibits IT vendors from accessing our information security assets until a contract containing security controls is agreed to and signed by the appropriate parties. All IT vendors must comply with the security policies defined and derived from our Information Security Program.
In terms of detection, we have controls in place to restrict the use of removable media to authorized personnel. Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices). These tools are configured to automatically receive updates, run scans, and alert appropriate personnel of viruses or malware.
To mitigate the effects of data breaches, we maintain cybersecurity insurance to mitigate the financial impact of business disruptions.
In the event of a breach, we have defined procedures for notifying appropriate parties, including affected individuals and various regulatory bodies. The notification timeframes and procedures are outlined in our Incident Response Plan.
Q: How do your systems/processes allow personal data relating to a specified individual to be identified, exported and deleted?
A: We have a Privacy Policy in place that details the procedure for handling requests related to personal data. When we receive a request to access, amend, or delete personal information, we utilize the built-in functionality of our third-party system to identify the relevant records. This system allows us to either export the data for review or delete it as per the request.
Q: What controls do you have in place to enable you to identify and delete data on receipt of a request to do so?
A: We have controls in place to identify and delete data upon request. Our Data Protection Policy outlines the procedures and technical controls in support of data protection. Stored sensitive data that is no longer required is properly deleted in accordance with our business objectives, applicable laws and regulations, and relevant third-party agreements. The deletion process is designed to render the data unrecoverable, and is classified as a permanent deletion. A record of such deletion is kept. We capture requests for deletion of personal information and information related to the requests is appropriately deleted.
Q: How is access to personal data limited to only those employees who require access for the performance of their function?
A: We have policies in place to limit access to personal data to only those employees who need it for their job functions. This includes defining roles and responsibilities, managing identities, and controlling access rights. We also have physical, electronic, and managerial procedures to safeguard and secure personal information from unauthorized access and misuse.
The principle of 'Least Privilege' is applied in our organization to authorize access to information resources, including data and the systems that store or process sensitive data.
Q: What training is provided to employees to ensure they are aware of your obligations as a Data Processor under data protection laws?
A: All our employees and contractors are required to undertake annual security awareness training. This comprehensive training program includes courses on Cyber Security, Phishing, and SOC2.
The Cyber Security course educates our team on the importance of data security, potential threats, and best practices to protect sensitive information. The Phishing course trains our team to identify and respond appropriately to phishing attempts, a common cyber threat.
The SOC2 course provides an understanding of the SOC2 standards for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
This training ensures that our team is well-equipped to uphold our obligations as a Data Processor under data protection laws, and reinforces our commitment to maintaining the highest standards of data security.
Q: What obligations are your employees and contractors (if applicable) under to maintain the confidentiality of all information provided to them?
A: Our employees and contractors are under strict obligations to maintain the confidentiality of all information provided to them. They are required to sign a confidentiality agreement that outlines their responsibilities and obligations to protect sensitive information. This includes personal data and any other confidential information they may have access to in the course of their work.
We also have a security awareness program that includes regular training and awareness sessions for all employees and contractors. This program ensures they understand their responsibilities in maintaining data security and confidentiality.
In addition, we have a policy that prohibits IT vendors from accessing our information security assets until a contract containing security controls is agreed to and signed by the appropriate parties. All IT vendors, including contractors, must comply with the security policies defined and derived from our Information Security Program.
Q: Is SmartSpace.ai certified to any recognised information security standards (such as ISO 27001) or an approved code of conduct?
A: We are not currently certified to any recognized information security standards such as ISO 27001 or an approved code of conduct. However, we have a comprehensive data protection policy in place that outlines our commitment to protecting personal data and our compliance with data protection laws and regulations. We also have a breach notification policy that establishes the requirements and procedures for reporting a breach of sensitive information, in compliance with various regulations including the NZ Privacy Act (2020), GDPR, HIPAA, and CCPA. Furthermore, we conduct an annual review of our privacy policy to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
We are actively working towards achieving ISO27001 and SOC2 accreditations using the SaaS compliance platform Drata. Our current progress stands at 25% for ISO27001 and 19% for SOC2. These certifications will further strengthen our commitment to data protection and compliance with international information security standards.
Q: What processes do you have in place for regularly testing and evaluating the effectiveness of your data security measures?
A: We have processes in place for regularly testing and evaluating the effectiveness of our data security measures. We conduct regular security reviews to identify vulnerabilities and assess the overall effectiveness of the security controls in place. We also have a security awareness program that includes regular training and awareness sessions for all employees to ensure they understand their responsibilities in maintaining data security. Furthermore, we conduct an annual review of our privacy policy to ensure that personal information is used in conformity with the purposes identified in the privacy notice. Our Disaster Recovery Plan is tested annually to ensure that it is effective and that data can be recovered in the event of a loss.
Testing and Evaluation Processes include:
• Annual penetration testing – Scheduled for Q3 2024.
• Annual access reviews – To ensure proper authorizations are in place commensurate with job functions. Scheduled for Q1 2025.
• Vulnerability scanning – Undertaken as part of our regular development cycle.
• Annual security policy review of the following – Backup Policy; Software Development Life Cycle Policy; Risk Assessment Policy; System Access Control Policy; Vulnerability Management Policy; Change Management Policy; Information Security Management System (ISMS) Plan 2022. Scheduled for Q1 2025.
Q: What ability do you have to restore the availability of and access to personal data in the event of an incident?
A: We have a disaster recovery plan in place for SmartSpace.ai.
Because SmartSpace.ai runs in the client's infrastructure, it is up to the client to configure data backup and recovery.
Q: What are the steps you take to ensure the ongoing confidentiality, integrity, availability and resilience of systems which you use to process personal data?
A: We have implemented measures to ensure the confidentiality, integrity, availability, and resilience of systems processing personal data. This includes physical, electronic, and managerial procedures to safeguard personal information, antivirus and anti-malware tools for data integrity, a Disaster Recovery Plan for system availability, and cybersecurity insurance for resilience. We also conduct regular security reviews and annual privacy policy reviews.
Q: What are the technical and organisational measures you take to ensure the security of any personal data?
A: SmartSpace operates differently from a typical SaaS solution. Instead of being hosted on our own infrastructure, our product is installed directly from the Azure Marketplace into a client's Azure environment. This means that our personnel do not have administrative or backdoor access to the installed product, or to any customer data (personal or business-related) that is connected to a SmartSpace dataspace.
SmartSpace requires minimal, read-only access to the client's Entra ID tenant for SSO purposes. This access can be easily granted and revoked through the Enterprise Application in your Entra ID settings. The authentication process involves a Microsoft App Registration within the SmartSpace tenant, which is then registered in your tenant as an Enterprise Application. This allows you to manage user access and control what SmartSpace can access in your tenant.
The limited personal data we do collect for use, such as names, email addresses, and phone numbers of our partner and client key contacts and prospects, is held in our third-party SaaS CRM platform, HubSpot. This data is held in accordance with our Data Retention Policy.
We selected HubSpot as our CRM platform because of its reputation and secure platform. It holds ISO 27001 and SOC 2 and SOC 3 certifications, supporting the security and trustworthiness of the personal data we collect.