We take the security of your data seriously at GumGum. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security. We understand that you rely on GumGum’s services to deliver optimal performance, and we are committed to making GumGum a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant against failures of individual servers and even of entire data centers.
GumGum, Inc., including each of its subsidiaries, has implemented, and/or will be responsible for ensuring that each of its sub-processors implements, measures designed to:
GumGum follows these guiding principles when developing and implementing security controls:
We place strict controls over our employees’ access to the data you and your users make available via the GumGum services, as more specifically defined in your agreement with GumGum covering the use of the GumGum services (“Customer Data”). The operation of the GumGum services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the GumGum services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
GumGum conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing (annual) basis. In addition, at the time of hire, all employees are required to sign and adhere to our confidentiality agreements. We also include confidentiality obligations within all of our vendor and consultant agreements.
System access rights will be limited to only those rights needed to perform the tasks at hand (least-privilege principle). Once the tasks have been completed, the right of access will be deleted or blocked. Requests for access rights are subject to separation of duties. The allocation and management of rights will be documented. If access to personal data is not explicitly necessary, then access will not be allowed. User rights will be assigned so as to allow access only as required for a task or role (e.g., read, write, modify). Access via external networks will be adequately protected (encryption, authentication, etc.). Secure password protocols based on the current state of technology will be implemented.
Pursuant to GumGum’s Standard Model Clause Agreement, GumGum does not process or store consumer data on-site and we have established clauses for the transfer and storing of data on various cloud-based servers:
With respect to GumGum’s corporate offices, physical access to the facilities will be controlled at both the perimeter and building entry points by professional security staff and video surveillance; key card and alarm access are required to enter the office floor during non-business hours. During business hours, authorized staff must use key card access to reach certain floors, and all visitors and contractors are required to check in with authorized staff.
Services are provided using industry standard and accepted encryption methods and products to protect Service Provider data and communications, including encryption of data in transit and encryption of data at rest. Additionally, Service Provider data is encrypted during transmission between data centers for replication purposes. Virtually all data is maintained on cloud servers, and our Information Security Policy includes procedures for ensuring that proper network security controls are in place, including network segregation and other measures to minimize the risk of security incidents such as data breaches caused by malware, viruses, spyware, etc. Perimeter controls secure our network against external attacks. Firewalls, configured according to current technical standards and procedures, separate our trusted network from the internet and from internet-facing environments.
Input, changes, and erasures of personal data are logged and regularly reviewed for illegitimate data processing. Access logs will contain a record of every successful and unsuccessful logon attempt initiated by a user or by the system. All security-relevant activities performed using administrator rights will be logged. Log data will be stored in a manner that prevents tampering, keeps it quickly available, and complies with legal requirements. Only authorized users are permitted to access log data.
To reduce the risk of data loss, regular backups will be made. Moreover, data processing systems will be appropriately maintained and updated. The following security measures are implemented as part of the availability controls (non-exhaustively): (a) backup procedures; (b) multi-site architecture; and (c) redundancy of critical systems.
GumGum maintains formal security incident management policies and procedures and shall notify vested parties (including individuals, clients, vendors, partners, and, if applicable, regulatory agencies) without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Service Provider Data, including Personal Data, transmitted, stored or otherwise Processed by GumGum or its Sub-processors, of which GumGum becomes aware (a “Service Provider Data Breach Incident”). GumGum shall make reasonable efforts to identify the cause of such Service Provider Data Incident and take those steps GumGum deems necessary and reasonable in order to remediate the cause of such Service Provider Data Incident, to the extent the remediation is within GumGum’s reasonable control. The obligations herein shall not apply to incidents that are caused by Service Provider or Service Provider’s Users.
The environment will be protected from common threats using industry standard approaches including: (a) web application firewalls; (b) intrusion detection and prevention systems; (c) infrastructure vulnerability scanning; and (d) web application vulnerability scanning.
If you have additional questions regarding security, we are happy to answer them. Please write to our Global Compliance Officer at: firstname.lastname@example.org, and we will respond as quickly as we can.