Trust and Security Information

How to request access to our security documentation and answers to common security questions

Introduction

This guide contains answers to the most common questions you may be asked by your IT or Security teams in order to get approval for Sunsama.

This document was last updated September 16, 2025.

Accessing Security Documents

To request the full collection of documents referenced below, please send an email to [email protected] with the subject line Security Document Request.

Please send the email with your work email and brief description of why you need access.

Available Documents

Once your request is confirmed, you will receive an email response with:

  • Various Operational Policy Documents
  • Proof of Certifications (SOC2)
  • Pentest Reports
  • Application Details

Company Information

Company: Summay, Inc.
Registered: Delaware, December 2013
Business Address: 5957 Earlston Ct, Alexandria, Virginia 22315, United States
Office: Fully remote team
Security Contact: Ashutosh Priyadarshy, CEO, [email protected]

Corporate Structure: Summay, Inc. is an independent corporation with no parent companies or subsidiary relationships. The company operates as a single legal entity.

Product Description

What is Sunsama? Sunsama is a Daily Planner for Busy Professionals. Sunsama helps you plan your work day by pulling together your tasks, calendars, and project management and task management tools in one place.

Authentication and Access

How will our employees authenticate to the service?

Standard Accounts:

  • Email and password
  • Sign in with Google
  • Sign in with Microsoft

Enterprise Tier:

  • All standard authentication methods
  • SSO/SAML login through every major identity provider (powered by WorkOS)
  • Comprehensive enterprise identity management

Can you enforce a single authentication method (e.g., only Google Sign-In) for our organization? Yes, this is possible through our Enterprise tier. We can configure domain-based authentication enforcement to require all users from your organization to authenticate exclusively through your chosen identity provider (Google Workspace, Microsoft, or any major SSO/SAML provider supported by WorkOS).

Do you support Multi-Factor Authentication (MFA)? Sunsama does not currently provide native MFA, so email-and-password accounts have no second factor. Organizations using SSO through our Enterprise tier inherit their identity provider's MFA policies: the identity provider enforces MFA on every SSO login before the user reaches Sunsama. Pairing this with domain-based authentication enforcement (above) ensures users cannot bypass the identity provider's MFA by signing in with a password.
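The two answers above describe a per-organization login policy (SSO only for a domain, MFA enforced at the identity provider). The following is an added example, not Sunsama's or WorkOS's code, of how such a policy is enforced server-side so that no credential path (password, social login, SSO callback) can sidestep it. The policy table, the domain names and the `mfa` flag on the identity provider's assertion are assumptions for illustration.

```javascript
// Added example (not Sunsama's code): server-side enforcement of a per-domain
// login policy. Assumed shape: each email domain maps to the login methods it
// permits and whether the identity provider must have asserted MFA.
const DOMAIN_POLICIES = {
  "corp.example": { methods: ["saml"], requireMfa: true },       // SSO only, MFA at the IdP
  "partner.example": { methods: ["google"], requireMfa: false }, // Google sign-in only
};
// Domains with no enterprise policy keep the standard methods from the page.
const DEFAULT_POLICY = { methods: ["password", "google", "microsoft"], requireMfa: false };

// Methods where a third party vouches for the user, and therefore can vouch for MFA.
const IDP_METHODS = new Set(["saml", "google", "microsoft"]);

function emailDomain(email) {
  const normalized = String(email).trim().toLowerCase();
  const at = normalized.lastIndexOf("@");
  if (at < 1 || at === normalized.length - 1) throw new Error("malformed email");
  return normalized.slice(at + 1);
}

function policyFor(email) {
  return DOMAIN_POLICIES[emailDomain(email)] || DEFAULT_POLICY;
}

// `attempt` is what the login handler knows after the credential itself checked out:
//   { method: "password", email }                          local password verified
//   { method: "saml" | "google" | "microsoft", email, mfa } email and MFA flag as asserted by the IdP
// Returns { ok: true, email } or { ok: false, reason }. Every login path, including
// the password-reset flow, must pass through this before a session is minted.
function authorizeLogin(attempt) {
  let policy;
  try {
    policy = policyFor(attempt.email);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (!policy.methods.includes(attempt.method)) {
    return { ok: false, reason: `method ${attempt.method} not permitted for this domain` };
  }
  if (policy.requireMfa && (!IDP_METHODS.has(attempt.method) || attempt.mfa !== true)) {
    // Only an identity provider can vouch for MFA here; a local password cannot.
    return { ok: false, reason: "MFA required by organization policy" };
  }
  return { ok: true, email: String(attempt.email).trim().toLowerCase() };
}

module.exports = { authorizeLogin, policyFor, emailDomain };
```

The lookup normalizes case and whitespace before matching the domain, so an identity provider asserting `Alice@Corp.Example` still lands on the `corp.example` policy rather than the permissive default.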

Do you support differentiation between email address and user identifier? Yes. Users have unique _id identifiers separate from email addresses.

Encryption

Is sensitive data encrypted in transit? Yes. All data in transit is encrypted using industry-standard TLS 1.2+ protocols with strong cipher suites. This includes all client-server communication and internal service-to-service communication. Our TLS configuration follows security best practices and is regularly updated to maintain compliance with modern encryption standards.

Is sensitive data encrypted at rest? Yes. All data is encrypted at rest using MongoDB Atlas's encryption at rest. This covers the database files on disk (WiredTiger storage engine, AES-256 in CBC mode), cloud provider backups, and database credentials and connection strings. Encryption keys are managed by MongoDB's Key Management Interoperability Protocol (KMIP) compliant key management service.

Application Security

Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC)? Yes. Sunsama implements role-based access control (RBAC) for institutional accounts, in particular through our Enterprise tier, which provides identity management via WorkOS integration.

Available Roles:

  • Workspace Members - Standard users with access to workspace tasks, calendars, and collaboration features
  • Workspace Administrators - Administrative control over workspace settings, user management, and integration configurations
  • Enterprise SSO Users - Users authenticated through institutional identity providers with access governed by the organization's SSO policies

Does the system provide data input validation and error messages? Yes. Sunsama implements comprehensive data input validation and error messaging across all system components. Our application uses modern web development frameworks and practices that include built-in input validation, sanitization, and structured error handling to prevent injection attacks and ensure data integrity.

Are you using a web application firewall (WAF)? Yes. Sunsama uses Google Cloud Armor Standard as its web application firewall, providing protection against web application attacks and malicious traffic.

WAF Configuration:

  • Platform: Google Cloud Armor Standard with "production-armor" security policy
  • Protection Coverage: Backend services protected across all microservices
  • Active Rules: 20 configured security rules including rate limiting, IP blocking, and behavioral analysis
  • Adaptive Protection: Layer 7 DDoS defense enabled with verbose logging

Does your application automatically lock the session or log-out an account after a period of inactivity? Yes, after 30 days of inactivity, with session extension on activity. Sunsama expires a session 30 days after the user's last activity; each request from an active user extends the session to 30 days from that request, so users are not logged out during regular use. There is no shorter idle lock than this. Sessions are carried as JWTs in secure, HTTP-only cookies with nonce validation (the nonce check allows a session to be invalidated server-side before its expiry).

Are audit logs available that include login, logout, actions performed, and source IP address? Yes, internal access only. Comprehensive audit logs are available through our monitoring infrastructure and include login/logout events, user actions, and source IP addresses. These logs are currently accessible only to our internal team for security monitoring and compliance purposes, not directly available to end users. For Enterprise customers requiring self-service audit log access, we can implement user-accessible audit logging through WorkOS integration upon request.

Infrastructure and Data

Are any cloud providers used? Yes. Our application servers run on Google Cloud Platform (GCP) and our database is hosted on MongoDB Atlas; AWS (S3) is also used for storage. A full list of cloud providers is available in our subprocessors documentation, available upon request.

Where is our data stored? All data is stored in the United States.

How do you segregate data across different customers? We use a logical data segregation model where each customer's workspace data is keyed by unique workspace IDs in our MongoDB database. While data is stored in shared collections, access controls and application logic ensure that customers can only access data associated with their specific workspace IDs.
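Logical segregation of the kind described above rests entirely on the application never issuing a query that is not scoped to the caller's workspace. The example below is added here and is not Sunsama's code: a small in-memory stand-in for a MongoDB collection (equality filters only), a deliberately unscoped lookup beside a repository that merges the session's workspace ID into every filter, refuses filters that name another workspace, and rejects operator objects that a JSON request body could smuggle into a filter. The sample documents and field names are constructed.

```javascript
// Added example (not Sunsama's code): workspace-scoped access to a shared collection.

// Constructed sample data: two workspaces sharing one "tasks" collection.
const tasks = [
  { _id: "t1", workspaceId: "ws_a", title: "Plan sprint", assignee: "u1" },
  { _id: "t2", workspaceId: "ws_b", title: "Board deck", assignee: "u9" },
];

// Minimal stand-in for a MongoDB collection: equality filters only.
function find(collection, filter) {
  return collection.filter((doc) => Object.entries(filter).every(([k, v]) => doc[k] === v));
}

// Unsafe: keys only by _id, so any signed-in user who obtains another workspace's
// task id (a leaked link, an enumerated id) can read it.
function findTaskUnsafe(taskId) {
  return find(tasks, { _id: taskId })[0] || null;
}

// Reject operator objects such as { $ne: null } or { $gt: "" } that a JSON body can
// place in a filter; workspace scoping does not help if the _id clause matches everything.
function assertScalar(key, value) {
  if (value !== null && typeof value === "object") {
    throw new Error(`operator injection rejected on ${key}`);
  }
}

class WorkspaceRepo {
  // workspaceId comes from the authenticated session, never from the request.
  constructor(collection, workspaceId) {
    if (typeof workspaceId !== "string" || workspaceId === "") throw new Error("workspaceId required");
    this.collection = collection;
    this.workspaceId = workspaceId;
  }

  // Every filter is forced onto this workspace; callers cannot widen the scope.
  scope(filter) {
    for (const [k, v] of Object.entries(filter)) assertScalar(k, v);
    if ("workspaceId" in filter && filter.workspaceId !== this.workspaceId) {
      throw new Error("cross-workspace filter rejected");
    }
    return { ...filter, workspaceId: this.workspaceId };
  }

  findOne(filter) {
    return find(this.collection, this.scope(filter))[0] || null;
  }

  findMany(filter = {}) {
    return find(this.collection, this.scope(filter));
  }

  // Writes are scoped the same way: an update aimed at another workspace's id is a
  // no-op (returns 0), and a patch cannot move a document between workspaces.
  updateOne(filter, patch) {
    const doc = this.findOne(filter);
    if (!doc) return 0;
    Object.assign(doc, patch, { workspaceId: this.workspaceId, _id: doc._id });
    return 1;
  }
}

module.exports = { tasks, find, findTaskUnsafe, WorkspaceRepo };
```

The check worth carrying into a real code base is the one in `scope`: with shared collections, the workspace filter has to be added by a layer the request handler cannot skip, and code review should treat any raw collection call outside that layer as a finding.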

How do you restrict and log accesses to customer data by employees within your organisation? We implement role-based access controls with the principle of least privilege, requiring manager and security team approval for critical production system access. All access changes are logged and monitored, with access logs retained for 90 days and regular access reviews conducted to ensure compliance.

Can the Institution extract a full or partial backup of data? Yes, with formal process. Institutions can request data extraction through Sunsama's documented data recovery process by submitting change requests to [email protected], or users can export all their data in JSON format through the application dashboard for self-service data extraction.

Do you monitor for anomalies that may represent a Security incident? Yes.

In the event of a security incident, how and under what conditions will you contact us? We will notify customers directly via email within 2-4 hours for any security incident that affects your data, account access, or service availability. For service-wide outages, we provide real-time updates through our StatusPage within 30 minutes of confirmation. Critical incidents requiring immediate customer action will be communicated via phone, and we maintain compliance with regulatory notification requirements including GDPR's 72-hour breach notification timeline.

Do you perform regular disaster recovery tests, including restorations from backups? Yes. See our Disaster Recovery Policy for details available upon request.

Have you had an unplanned disruption to this product/service in the past 12 months? Recent incidents and outages are viewable at https://sunsamastatus.com

Have you completed a penetration test? Yes.

Please provide details of how we can request destruction of our data held within the service. Deleting an account or workspace automatically deletes associated data. Backups persist only for 30 days after which time they too are deleted.

Compliance and Certifications

What compliance and regulations does your company meet?

  • SOC 2 Type I - In progress
  • SOC 2 Type II - In progress

Current Certifications: None at this time.

Certifications In Progress: SOC 2 Type II: Summay, Inc. is actively pursuing SOC 2 Type II certification and is currently engaged with an auditing firm. We have an active SOC 2 engagement letter and are in the process of completing our compliance assessment, which includes third-party penetration testing as part of the security evaluation. We expect to complete certification within the current audit cycle.

Standards and Frameworks We Follow:

  • GDPR: We maintain GDPR compliance through appropriate data processing agreements and privacy safeguards, despite US-based hosting.
  • ISO 27001 Principles: Our security framework aligns with ISO 27001 principles, and we leverage cloud providers (AWS, GCP, MongoDB Atlas) that maintain ISO 27001 certifications for their infrastructure.

Not Supported/Completed:

  • Cloud Security Alliance (CSA) Self-Assessment/CAIQ
  • ISO 27001 Certification
  • NIST SP 800-171 or CMMC 2.0 Level 2 (CUI) standards - not applicable for SaaS productivity applications
  • HIPAA compliance - Sunsama is not designed for processing protected health information (PHI)
  • PCI DSS compliance - Sunsama does not directly process or store credit card information (handled by Stripe)

Data Residency and Hosting

Do you offer European data hosting/residency options? Currently, Sunsama does not offer European data residency options. All customer data is processed and stored exclusively in US-based data centers (US West regions) operated by our cloud infrastructure providers (Google Cloud Platform, MongoDB Atlas, AWS).

Can you provide European hosting for enterprise clients? While European hosting is not currently available, this could be considered for enterprise clients with specific data residency requirements. Please contact us to discuss potential options.

How do you handle GDPR compliance without EU hosting? Despite US-based hosting, we maintain GDPR compliance through appropriate data processing agreements and privacy safeguards. International data transfers are handled in accordance with applicable privacy regulations.

Security Policies and Procedures

Does your organization have a data privacy policy? Yes. Available on request.

Do you have a documented information security policy? Yes. Available on request.

Do you have a documented, and currently implemented, employee onboarding and offboarding policy? Yes. Available on request.

Do you have a documented change management process? Yes. Available on request.

Do you have a well-documented Business Continuity Plan (BCP) that is tested annually? Yes. Available on request.

Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied? Yes. Available on request.

Do you have the capability to respond to incidents on a 24 x 7 x 365 basis? Limited 24x7 coverage. As an 8-person remote team, Summay, Inc. does not maintain dedicated 24x7 staffing for incident response. However, we have automated monitoring systems that provide real-time alerting, and key personnel are available for critical incidents outside business hours. Our incident response procedures include escalation paths and external support resources for after-hours emergencies.

Do you carry cyber-risk insurance to protect against unforeseen service outages, data that is lost or stolen, and security incidents? Yes. Summay, Inc. maintains cyber liability insurance coverage to protect against unforeseen service outages, data breaches, security incidents, and related cyber risks. This insurance provides financial protection and coverage for incident response costs, business interruption, and potential liabilities related to cybersecurity events.

Are your systems and applications scanned with an authenticated user account for vulnerabilities prior to new releases? Yes. Sunsama performs vulnerability assessment with authenticated user accounts as part of its release process: automated dependency vulnerability scanning via Dependabot, automated tests run in CI/CD, and manual testing with logged-in users before deployment. Vulnerabilities identified through dependency scanning are remediated through our standard pull request and review process.

Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices? Yes. Summay, Inc. maintains a comprehensive systems management and configuration strategy covering all infrastructure components. Our strategy includes Infrastructure as Code practices through GitHub Actions, automated deployment pipelines, cloud service configuration management, and device compliance monitoring for both company and employee-owned devices.

Employee Security

Do you perform background checks on employees? Yes.

Do you perform employee security training? Yes. All employees are required to perform annual security training with a focus on best practices relevant to our business: password management, phishing, and physical security of devices.

Do you have a dedicated Information Security staff or office? Information security responsibilities are managed by the CEO (Ashutosh Priyadarshy) who serves as the designated security officer for our 8-person team. While we don't have a separate dedicated security department, security management is a formal executive responsibility with defined policies and procedures in place.

Do you have a dedicated Software and System Development team(s)? Yes, with specialized roles across our 8-person team. While we're a lean organization, we have dedicated specialists for key development functions: Principal Engineers handle complete web application development and system architecture, a Mobile Lead manages iOS/Android development, a Growth Lead handles product marketing and customer acquisition, and a Product Expert manages customer support and quality assurance. Each role has clearly defined responsibilities and accountability areas.

Are access controls for staff within your organization based on structured rules, such as RBAC? Yes, role-based access control (RBAC). Summay, Inc. implements role-based access controls for internal staff access to production systems and customer data. Access is structured around defined roles with the principle of least privilege, requiring manager and security team approval for critical production system access. All access changes are logged and monitored, with regular access reviews conducted for compliance.

Internal Staff Roles: Founders (full administrative access), Principal Engineers (production system access), Other Staff (limited access based on job function), Support Staff (customer data access via Retool with full audit logging).

Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system? Yes. We maintain detailed system architecture diagrams and comprehensive data flow documentation that covers all components of our infrastructure. This includes high-level system architecture, detailed data processing flows for each service component, security controls, data classification levels, processing locations, retention policies, and compliance considerations. These are available on request.

Accessibility

What is your accessibility compliance status? Limited formal accessibility program with practical implementation. While Sunsama follows modern web development standards and frameworks that provide foundational accessibility support, we do not currently have formal accessibility compliance documentation (VPAT/ACR), dedicated accessibility feature documentation, documented verification processes, or a formal accessibility roadmap.

However, our practical approach includes: All major functions can be performed using only the keyboard, with comprehensive keyboard shortcuts documented at https://help.sunsama.com/docs/keyboard-shortcuts. Accessibility issues are found, triaged, and fixed as part of our standard bug tracking process. We expect staff to maintain current knowledge of modern web standards (which include accessibility considerations). We do not require special accessibility modes or alternate interfaces - accessibility features are integrated into the main application experience.

Supply Chain Management

Do you have a process and implemented procedures for managing your hardware supply chain? Limited formal process. As a fully remote 8-person SaaS company, Summay, Inc. has a limited hardware supply chain consisting primarily of employee devices (laptops, mobile devices). We maintain device compliance monitoring through our Mobile Device Management policy but do not have formal supply chain management procedures for hardware procurement that address national/regional regulations or export licensing requirements. We recognize the need to develop more formal hardware supply chain management procedures as the company grows.

Do you have a process and implemented procedures for managing your software supply chain? Yes. Sunsama implements comprehensive software supply chain management through industry-standard practices and tools. Our process includes dependency management, version control, automated deployment pipelines, and framework governance to ensure secure and reliable software supply chain operations. More details available upon request.

Physical Security and Media Handling

Do you have a media handling process that is documented and currently implemented that meets established business needs and regulatory requirements? Not applicable - no physical media handling required. As a fully remote cloud-native SaaS company, Summay, Inc. does not handle physical media that would require dedicated sanitization procedures. Our data storage is entirely cloud-based through certified providers (MongoDB Atlas, AWS S3) that handle media lifecycle and data sanitization according to industry standards. This architecture eliminates the need for traditional media handling processes.

Does your organization have physical security controls and policies in place? Not applicable - no physical facilities. Summay, Inc. is a fully remote company with no physical offices or data centers. All infrastructure is cloud-based through certified providers (GCP, MongoDB Atlas, AWS) who maintain their own SOC 2 certified physical security controls at their data centers. We do not operate physical facilities that would require dedicated physical security policies.


For additional information or specific documentation requests, please contact Ashutosh Priyadarshy at [email protected]