Review and approval by IT and Security

Answers to common questions about Sunsama's security and privacy policies.

Introduction

This guide contains answers to the most common questions you may be asked by your IT or Security teams in order to get approval for Sunsama.

Security Status page

Please start by reviewing our "Security Status Page" at https://security.sunsama.com to get an overview of our security programs, policies, and posture.

FAQ

Description of your product or service

Sunsama is a daily planner for busy professionals. It helps you plan a calm and focused work day by walking you through a guided daily planning routine that combines your tasks, calendars, and emails.

Do you have a designated security/privacy lead who manages your security program? Provide contact information.

Yes. Ashutosh Priyadarshy, CEO, [email protected]

Do you have publicly published privacy and security policies? Provide public links to your Privacy and Security policies.

Privacy Policy
Terms of Service

Do you have a customer information policy?

Privacy Policy

Data protection role (controller, joint-controller, processor or sub-processor of sensitive data?)

Controller

Do you have a data access control policy with monitoring? List the roles in the organization who have access to sensitive data.

We are a team of six people, and everyone on the team does customer support and product work. All teammates can get access to "sensitive data" when resolving customer issues.

Do you have a 3rd party vendor assessment and data access policy? List the roles of any 3rd party to the organization who may have access to sensitive data and under what circumstances.

See Integrations and Privacy to understand how we use data from third-party services, e.g. integrations.

Encryption

Is sensitive data encrypted in transit? Do you have an encryption protocol policy?

Yes. All data is encrypted in transit and at rest.

Is sensitive data encrypted at rest? What encryption protocols are utilized?

Yes.

We use MongoDB's standard encryption; MongoDB is where all our data is stored. From the MongoDB documentation:

If encryption is enabled, the default encryption mode that MongoDB Enterprise uses is the AES256-CBC (or 256-bit Advanced Encryption Standard in Cipher Block Chaining mode) via OpenSSL. AES-256 uses a symmetric key; i.e. the same key to encrypt and decrypt text. MongoDB Enterprise for Linux also supports authenticated encryption AES256-GCM (or 256-bit Advanced Encryption Standard in Galois/Counter Mode). FIPS mode encryption is also available.
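The MongoDB passage above distinguishes AES256-CBC from the authenticated AES256-GCM mode. The following Go program is an added example, not Sunsama's or MongoDB's code, that shows what "authenticated" buys a defender: a single flipped bit in a CBC ciphertext decrypts with no error into altered data, while the same change to a GCM ciphertext fails tag verification and yields nothing. The key (DemoKey), the sample record, the IV/nonce framing and the padding check are this example's own constructions and say nothing about how MongoDB lays out encrypted storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey is a constructed 256-bit key for this example only; real deployments take keys from a key manager.
var DemoKey = sha256.Sum256([]byte("constructed demo key, not a real secret"))

// mustBlock builds the AES-256 block cipher; aes.NewCipher cannot fail for a 32-byte key.
func mustBlock(key [32]byte) cipher.Block {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	return block
}
// mustGCM wraps the block in GCM mode; cipher.NewGCM cannot fail for an AES block.
func mustGCM(key [32]byte) cipher.AEAD {
	gcm, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		panic(err)
	}
	return gcm
}

// EncryptCBC: AES-256-CBC with PKCS#7 padding and a random IV prepended. CBC gives
// confidentiality only; nothing in its output lets the reader detect modification.
func EncryptCBC(key [32]byte, plaintext []byte) ([]byte, error) {
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(mustBlock(key), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBC catches only gross damage (bad length or padding); a flipped bit comes back as altered plaintext, no error.
func DecryptCBC(key [32]byte, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: invalid ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustBlock(key), data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize {
		return nil, errors.New("cbc: invalid padding")
	}
	return pt[:len(pt)-padLen], nil
}

// EncryptGCM: AES-256-GCM with a random 96-bit nonce prepended; Seal appends a 128-bit tag bound to nonce and ciphertext.
func EncryptGCM(key [32]byte, plaintext []byte) ([]byte, error) {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM verifies the tag before releasing any plaintext.
func DecryptGCM(key [32]byte, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("gcm: ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// TamperOutcome encrypts plaintext both ways, inverts one bit of each ciphertext (a corrupted or modified
// stored record) and reports whether CBC returned different plaintext silently and whether GCM refused.
func TamperOutcome(key [32]byte, plaintext []byte) (cbcUnnoticed, gcmRejected bool, err error) {
	cbcCT, err1 := EncryptCBC(key, plaintext)
	gcmCT, err2 := EncryptGCM(key, plaintext)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("encrypt failed: %v %v", err1, err2)
	}
	cbcCT[0] ^= 0x01 // low bit of the IV: plaintext byte 0 changes, padding stays valid
	gcmCT[0] ^= 0x01 // low bit of the nonce: the authentication tag no longer verifies
	pt, cbcErr := DecryptCBC(key, cbcCT)
	_, gcmErr := DecryptGCM(key, gcmCT)
	return cbcErr == nil && !bytes.Equal(pt, plaintext), gcmErr != nil, nil
}

func main() {
	u, r, err := TamperOutcome(DemoKey, []byte(`{"task":"plan the day","due":"2024-06-01"}`)) // constructed record
	fmt.Println("CBC altered silently:", u, "| GCM rejected:", r, "| error:", err)
}
```

Run it with `go run`. The point for a reviewer of an encryption-at-rest answer is that "encrypted" on its own says nothing about integrity: CBC will hand back modified data as if it were genuine, so it needs a separate integrity check, whereas the GCM tag makes undetected modification of the stored record fail closed.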

Data retention, backups, and policies

Do you have a customer information possession policy? Describe your policy and the conditions for returning sensitive data and destroying the data once the service is terminated.

See the Privacy Policy and Terms and Conditions.

Can you commit to keeping customer information at a strict minimum amount of time after customer stops use?

We delete all information when a customer requests deletion of their information. That data remains in backups for up to 30 days, at which point it is entirely deleted.

Do you have a procedure for returning personal data in a format allowing data portability?

We can export customer data to a CSV upon termination of service if requested by a customer.

Do you retain customer information in backups after a customer has deleted (or requested deletion of) the data?

Yes. However, all backups expire after thirty days, so there is a thirty-day window during which customer data remains stored in encrypted backups.

Describe how your organization enables data subjects’ rights of access, rectification, erasure, blocking and objection.

N/A

Describe the server logs that your organization keeps and monitoring and auditing on an ongoing basis.

We store logs temporarily (for no more than 7 days) in SolarWinds Papertrail and GCP. The logs do not contain sensitive information, only the technical details we need to identify errors or failed actions in the app, associated with a user or workspace. With the user's consent, we may temporarily enable logs that capture some integration data, which can include sensitive information, while debugging a customer support problem.

Internal security programs

Does your organization have a security and privacy program and policies?

Yes

Do you have a vulnerability scanning policy? Describe vulnerability assessments implemented and their frequency.

Yes, we do a broad yearly security assessment by NCC Group as part of having our application approved for use of sensitive Google OAuth scopes.

Do you have a passwords policy?

Yes.

Do you have a system access control policy with monitoring?

Yes.

Do you have a server security policy and how is data integrity maintained?

N/A

Do you have a server software update policy? Describe the update and patching mechanisms for operating systems and software to ensure that these are kept up to date.

Yes, we do regular updates of the operating systems and packages that we use.

Can you provide evidence for your security and privacy program to demonstrate that policies and controls are appropriate?

Yes

Can you provide evidence for implementation of your security and privacy controls?

Yes

Incident response and reporting

Do you have an incident response policy? How does your organization define a security incident and a personal information data breach?

We handle this on a case-by-case basis. We're a small team, so we don't have a formal policy.

Describe how customers will be informed of personal data and data security breaches affecting a customer’s data processed by you and your subcontractors and within what timeframe.

They will be informed via email by someone on our team.

Can customer data be retrieved in the event of a disaster or your organization closes?

Yes

Do you have a process to restore your service in the event of catastrophic failure? Describe the process and expected recovery times.

Yes

Compliance and Certification

List any security or privacy certifications or frameworks that you have or can attest to.

We can provide a Letter of Assessment that demonstrates that we've passed a security audit by a third party firm that is approved by Google (as part of their requirements for us to provide a Gmail integration). Please reach out to [email protected] to ask for it.

Is your product SOC-2 Certified?

No.

Is your product HIPAA Compliant?

No.

Miscellaneous

What are the update mechanisms for vendor software?

The product is a web app; it updates when we push new versions.

Do you manage your own datacenter and servers? Identify the physical precautions used to protect the data center.

No.

Do you use an independent certification authority to monitor and/or audit logs in order to ensure that measures are implemented on an ongoing basis?

No

Does your organization support Single Sign-On Services?

Yes. Google and Microsoft OAuth.