GUMGUM SECURITY PRACTICES
LAST UPDATED: DECEMBER 23, 2019
We take the security of your data seriously at GumGum. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security. We understand that you rely on GumGum’s services to perform optimally. We are committed to making GumGum a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant against failures of individual servers or even entire data centers.
GumGum, Inc., including each of its subsidiaries, has implemented, and will be responsible for ensuring that each of its sub-processors implements, measures designed to:
- Deny unauthorized persons access to data-processing equipment used for processing Personal Data (equipment access control).
- Prevent the unauthorized reading, copying, modification or removal of data media containing Personal Data (media control).
- Prevent unauthorized inspection, modification or deletion of stored Personal Data (storage control).
- Prevent the use of automated data-processing systems by unauthorized persons using data communication equipment used to process Personal Data (user control).
- Limit access to Personal Data by persons authorized to use an automated data-processing system to the scope and duration of their access authorization (data access control).
- Enable verification of the individuals to whom Personal Data has been transmitted or made available using data communication equipment (communication control).
- Enable verification of which individuals input Personal Data into automated data-processing systems and when (input control).
- Prevent the unauthorized reading, copying, modification or deletion of Personal Data during transfers of that data or during transportation of data media (transport control).
- Enable restoration of installed systems used to process Personal Data in case of interruption (recovery).
- Ensure that the functions of the system used to process Personal Data perform correctly and that faults in those functions are reported (reliability), and prevent stored Personal Data from being corrupted by a malfunction of the system (integrity).
GumGum follows these guiding principles when developing and implementing security controls:
- GumGum strives to protect the confidentiality, integrity, and availability of its information assets and those of its clients.
- We will comply with applicable U.S. and international privacy and data protection laws.
- We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
- Using appropriate authentication measures over encrypted channels, we will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and with the lowest level of privileges necessary to perform their assigned functions.
- Recognizing that an astute workforce is the best line of defense, we will provide security training and resources to help individuals understand and meet their information security obligations.
We place strict controls over our employees’ access to the data you and your users make available via the GumGum services, as more specifically defined in your agreement with GumGum covering the use of the GumGum services (“Customer Data”). Operating the GumGum services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the GumGum services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that all access to Customer Data is logged.
GumGum conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing (annual) basis. In addition, at the time of hire, all employees are required to sign and adhere to our confidentiality agreements. We also include confidentiality obligations in all of our vendor and consultant agreements.
System access rights are limited to the rights needed to perform the assigned tasks (principle of least privilege). Once the tasks have been completed, the access right is deleted or blocked. Requests for access rights are subject to separation of duties, so the person who requests a right is not the person who approves it. The allocation and management of rights is documented. If access to personal data is not explicitly necessary, access is not allowed. User rights are assigned to permit only the access required for a task or role, e.g. read, write, or modify. Access via external networks is adequately protected (encryption, authentication, etc.). Secure password protocols based on the current state of technology are implemented.
Pursuant to GumGum’s Standard Model Clause Agreement, GumGum does not process or store consumer data on-site, and we have established clauses for the transfer and storage of data on cloud-based servers in the following locations:
- USA (Virginia and Oregon) for AWS
With respect to GumGum’s corporate offices, physical access to the facilities is controlled at both the perimeter and building entry points by professional security staff and video surveillance; key card and alarm access is required to enter the office floor during non-business hours. Authorized staff must have key card access to reach certain floors during business hours, and all visitors and contractors are required to check in with authorized staff.
Services are provided using industry-standard, accepted encryption methods and products to protect Service Provider data and communications, including encryption of data in transit and encryption of data at rest. Additionally, Service Provider data is encrypted during transmission between data centers for replication purposes. Virtually all data is maintained on cloud servers, and our Information Security Policy includes procedures for ensuring that proper network security controls are in place, including network segregation and other measures that minimize the risk of security incidents, such as data breaches caused by malware, viruses, spyware, etc. Perimeter controls secure our network against external attacks. Firewalls, configured according to current technical standards and procedures, separate our trusted network from the internet and from internet-facing environments.
Input, changes, and erasures of personal data are logged and regularly reviewed for signs of illegitimate data processing. Access logs contain a record of every successful and unsuccessful logon attempt initiated by a user or by the system. All security-relevant activities performed using administrator rights are logged. Log data is stored in a manner that prevents tampering, makes it quickly available, and complies with legal requirements. Only authorized users are permitted to access log data.
To reduce the risk of data loss, regular backups are made. Moreover, data-processing systems are appropriately maintained and updated. The following security measures are implemented as part of the availability controls (among others): (a) backup procedures; (b) multi-site architecture; and (c) redundancy of critical systems.
GumGum maintains formal security incident management policies and procedures and shall notify affected parties (including individuals, clients, vendors, partners, and, if applicable, regulatory agencies) without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Service Provider Data, including Personal Data, transmitted, stored or otherwise Processed by GumGum or its Sub-processors (a “Service Provider Data Breach Incident”). GumGum shall make reasonable efforts to identify the cause of such a Service Provider Data Breach Incident and take those steps GumGum deems necessary and reasonable to remediate the cause, to the extent the remediation is within GumGum’s reasonable control. The obligations herein shall not apply to incidents that are caused by Service Provider or Service Provider’s Users.
The environment is protected from common threats using industry-standard approaches, including: (a) web application firewalls; (b) intrusion detection and prevention systems; (c) infrastructure vulnerability scanning; and (d) web application vulnerability scanning.
If you have additional questions regarding security, we are happy to answer them. Please write to our Global Compliance Officer at: firstname.lastname@example.org, and we will respond as quickly as we can.