Security

Do you follow the EU privacy laws?

PlaceOS is able to demonstrate compliance with the seven protection and accountability principles outlined in Article 5.1-2 upon request. (What is GDPR?)

Data

How does PlaceOS manage data, protect customer data and govern customer data?

Most data is not stored internally within the system. Sources of truth such as Office365 hold the data. Manipulated data is stored ephemerally in memory and access to any data requires authentication, authorisation to access is determined by the defined processes.

Can you please outline each type of datastore / database / data repository included in your system?

The PlaceOS Solution uses Couchbase as the primary database and datastore. The PlaceOS Engine Application does not store any data, all data is stored in Couchbase. Access to the Couchbase database can be arranged depending on client security for data modelling and/or extraction.

What type of data might you store?

All devices, device states, configuration and integrations are stored in the database. Secure items such as passwords are all hashed on entry and are not human readable (AES-256-GCM/Salted Scrypt).

What happens to data stored when customers terminate their usage of PlaceOS?

The server is most typically hosted and managed by the customer, when the service is terminated the customer can decide to destroy the machine and all data, extract backups and destroy the data or retain the data as is.

What cryptographic protocols are used to secure client data at rest?

256 bit AES using GCM ciphers are used to prevent tampering & environment variables on client servers data at rest.

Web Security & Authentication

Can you please describe how PlaceOS adheres to common security principles?

The system is secure by design. All requests are authenticated and authorised, applications and domains also need to be registered within PlaceOS to function with the API.Cookies are secure, HTTPS and only transmitted on the relevant paths upon request. A valid authentication token will be checked against the domain, application and user upon any request. All input is whitelisted and models validated before being saved to the database.

Do you undertake ongoing periodic information security testing activities such as; vulnerability testing, penetration testing, and source code reviews against industry best practice guides?

Yes, the platform is regularly tested for vulnerabilities both in and out of production. Customers are free to conduct necessary penetration testing on the software once in production as a part of their internal security standards and auditing processes. These reports are often provided to PlaceOS for review, to date no vulnerabilities or risks have been reported.

How does PlaceOS provide least privileged role based access control?

The platform, by default has three user levels, these are System Administrators, Tech Support and Staff Member (can authenticate against SSO). System administrators have full access and control over the system configuration (via Web UI only) while Tech Support can see the status of systems and devices. Once connected with an IAM Provider, users can be assigned the necessary level of access. If no access level is assigned users are unable to log into the back office, with exception to the Staff App where business rules dictate staff can access the app without authentication.

Infrastructure access is dictated by the customer.

Can you please outline how PlaceOS encrypts data at rest / in-motion, the key / certificate management technologies used?

Standard SSL/TLS is used for data in-motion. Data at rest is encrypted with 256 bit AES using GCM ciphers to prevent tampering If local accounts are created, passwords are salted then hashed using salted scrypt (SSO is preferred).

Can you please outline how PlaceOS encrypts data at rest / in-motion, the key / certificate management technologies used?

We use a range of standard tools for development including, but not limited too; GitHub, BitBucket, Jira and Confluence. All internal services are secured by SSO with 2-Factor Authentication enforced. No client or customer information, credentials or otherwise are stored locally on staff hardware. All internal access to code and client information is least privileged role/group based.

Infrastructure

Can you please outline how PlaceOS encrypts data at rest / in-motion, the key / certificate maIs media (i.e. HDD, SSD, USB, Tape, etc.) destroyed securely when it is no longer needed for business or legal reasons?nagement technologies used?

This is managed by the client under standard IT Practices, we do not store any client data outside the Production/UAT/DEV Environments.

Third Parties

What information, if any, does PlaceOS share with third parties?

This is managedPlaceOS the platform and business do not share any customer information with third parties. Any third party integration is made securely by the end user or customer. by the client under standard IT Practices, we do not store any client data outside the Production/UAT/DEV Environments.

What are the available interfaces in which PlaceOS can interact and/or connect with third party services?

PlaceOS can interact with other systems using API, SOAP, REST, Web Sockets, HTTPS and SSH. The platform favours secure protocol over others as such protocols like FTP are not used.

How does PlaceOS allow third party data visualization tools to interact with your datastore?

PlaceOS can pass data logs to data visualization tools such as Splunk or a web standard data visualization tool such as Power Bi or Google Analytics via API. Sample integrations are available for all the above third party services.