This guide contains answers to the most common questions you may be asked by your IT or security teams when seeking approval for Sunsama.
Please start by reviewing our "Security Status Page" at https://security.sunsama.com to get an overview of our security programs, policies, and posture.
Sunsama is a daily planner for busy professionals. It helps you plan a calm and focused work day by walking you through a guided daily planning routine that combines your tasks, calendars, and emails.
Do you have a designated security/privacy lead who manages your security program? Provide contact information.
Yes. Ashutosh Priyadarshy, CEO, [email protected]
Do you have publicly published privacy and security policies? Provide public links to your Privacy and Security policies.
Do you have a data access control policy with monitoring? List the roles in the organization who have access to sensitive data.
We are a team of six people and everyone on the team does customer support and product. All teammates can get access to "sensitive data" when resolving customer issues.
Do you have a 3rd party vendor assessment and data access policy? List the roles of any 3rd party to the organization who may have access to sensitive data and under what circumstances.
See Integrations and Privacy for how we use data from third-party services (e.g. integrations).
Yes. All data is encrypted in transit and at rest.
We use MongoDB's standard encryption; MongoDB is where all our data is stored. From the MongoDB documentation:
If encryption is enabled, the default encryption mode that MongoDB Enterprise uses is the AES256-CBC (or 256-bit Advanced Encryption Standard in Cipher Block Chaining mode) via OpenSSL. AES-256 uses a symmetric key; i.e. the same key to encrypt and decrypt text. MongoDB Enterprise for Linux also supports authenticated encryption AES256-GCM (or 256-bit Advanced Encryption Standard in Galois/Counter Mode). FIPS mode encryption is also available.
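As an added illustration (not Sunsama's configuration and not taken from the MongoDB documentation quoted above), this is what enabling the encrypted storage engine described in that paragraph looks like in a MongoDB Enterprise mongod.conf; the CBC default is noted beside the authenticated GCM mode, and the KMIP hostname and file paths are placeholders.

```yaml
# Added example, not Sunsama's configuration: a mongod.conf fragment that
# turns on the MongoDB Enterprise encrypted storage engine the quoted
# paragraph describes. Hostname and file paths are placeholders.
storage:
  engine: wiredTiger            # encryption at rest requires WiredTiger

security:
  # Encryption at rest is OFF unless this is set. "Data is stored in
  # MongoDB" on its own does not mean the data files are encrypted.
  enableEncryption: true

  # When omitted the mode defaults to AES256-CBC. AES256-GCM is
  # authenticated encryption (tampering with data files is detected)
  # and, per the quoted docs, is available on Linux only.
  encryptionCipherMode: AES256-GCM

  # Production: keep the master key in an external KMIP key manager so
  # the key never sits on the same host as the encrypted data files.
  kmip:
    serverName: kmip.example.internal                      # placeholder
    port: 5696
    clientCertificateFile: /etc/mongodb/kmip-client.pem    # placeholder
    serverCAFile: /etc/mongodb/kmip-ca.pem                 # placeholder

  # Test/dev alternative (mutually exclusive with kmip): a local key file.
  # MongoDB documents this as not suitable for production because the key
  # is stored beside the data it protects.
  # encryptionKeyFile: /etc/mongodb/local-master.key       # placeholder
```

When reviewing a vendor answer like the one above, the useful follow-up is whether `enableEncryption` is actually set and which cipher mode and key manager are in use, since the MongoDB default is encryption disabled.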
Do you have a customer information possession policy? Describe your policy and the conditions for returning sensitive data and destroying the data once the service is terminated.
Can you commit to keeping customer information at a strict minimum amount of time after customer stops use?
We delete all information when a customer requests to delete their information. We do maintain that data inside backup for up to 30 days, at which point it's entirely deleted.
We can export customer data to a CSV upon termination of service if requested by a customer.
Do you retain customer information in backups after a customer has deleted (or requested deletion of) the data?
Yes. However, all backups expire after thirty days, so there is a thirty-day window during which we continue to hold customer data in encrypted backups.
Describe how your organization enables data subjects’ rights of access, rectification, erasure, blocking and objection.
Describe the server logs that your organization keeps, and the monitoring and auditing performed on an ongoing basis.
We store logs temporarily (for no more than 7 days) in SolarWinds Papertrail and GCP. The logs do not contain any sensitive information, only technical details that let us identify errors or problems when performing actions in the app, tied to a user or workspace. With user consent, we may temporarily enable logs that store some integration information, which can include sensitive information, when debugging a problem during customer support.
Do you have a vulnerability scanning policy? Describe vulnerability assessments implemented and their frequency.
Yes, we have a broad yearly security assessment performed by NCC Group as part of getting our application approved for sensitive Google OAuth scopes.
Do you have a server software update policy? Describe the update and patching mechanisms for operating systems and software to ensure that these are kept up to date.
Yes, we do regular updates of the operating systems and packages that we use.
The product is a web app; it updates when we push new versions.
Can you provide evidence for your security and privacy program to demonstrate that policies and controls are appropriate?
We can provide a Letter of Assessment that demonstrates that we've passed a security audit by a third-party firm approved by Google (as part of their requirements for us to provide a Gmail integration). Please reach out to [email protected] to ask for it.
Do you have an incident response policy? How does your organization define a security incident and a personal information data breach?
We handle this on a case-by-case basis. We're a small team, so we don't have a formal policy.
Describe how customers will be informed of personal data and data security breaches affecting a customer's data processed by you and your subcontractors, and within what timeframe.
They will be informed via email by someone on our team.
Do you have a process to restore your service in the event of catastrophic failure? Describe the process and expected recovery times.
Do you manage your own datacenter and servers? Identify the physical precautions used to protect the data center.
Do you use an independent certification authority to monitor and/or audit logs in order to ensure that measures are implemented on an ongoing basis?
Yes. Google and Microsoft OAuth.