Table of Contents

Sumday is ISO27001 & SOC2 Type II certified.

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS).

Conformity with ISO/IEC 27001 means that Sumday has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

Sumday has received a SOC 2 Type II report demonstrating that over a period of time, it has maintained the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.

A SOC 2 Type II report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Sumday. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA).

Our Pen testing follows a consistent and structured approach, and represents a point in time assessment of the nature and extent of potential or existing exposures that could potentially lead to a compromise.

Testing is based on best practice methodologies in combination with our other in-house developed processes and methodologies.

All payments made to Sumday are securely processed via Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

Sumday is hosted on Microsoft Azure, with ISO 27001 / SSAE 18 compliant data centers located in several major Azure regions globally. Our servers are hosted in data centres located in Australia.

Physical Security: Sumday defers all data centre physical security controls to Microsoft Azure.

Specific Requirements: For businesses with specific data sovereignty requirements, Sumday is able to be hosted within most regions globally, ensuring that your data remains within your specified geographical boundaries. You can contact us to discuss these options.

We recognise the importance of maintaining the highest standards of security in order to protect our team, our assets, and our customers. Here's an overview of our security practices:

We utilise both technical and organisational measures to ensure the security of the personal data we manage.

SSO: Enterprise users can configure an SSO integration with Azure Active Directory, Okta or any other identity provider that supports OpenID Connect. Enterprise customers also have the ability to enforce SSO for all users in the workspace and disable other log in methods.

Password management: Sumday employs industry-standard techniques for password management, encryption, storage, complexity, and reset.

Password managers: Sumday encourages customers to leverage a password manager to support strong passwords when using Sumday.

Sumday classifies data based on it’s sensitivity, value, and criticality to the organisation, and the appropriate level of access and protection is applied accordingly.

We install endpoint security software on all staff computers. This software is proactive and performs routine checks to ensure all devices are encrypted, firewalls enabled, active screen locks, and free from threats, viruses, or malicious software.

Every potential Sumday employee undergoes comprehensive police, identification, qualification and work history checks.

Every new member joining Sumday is introduced to our security culture during onboarding. We also keep our existing staff up to date with regular security training sessions and annual policy acknowledgments.

Data erasure: Sumday customers have the ability to request data deletion or self-serve their own deletion, when data is not subject to regulatory or legal retention periodicity requirements. Subscription cancellation: Following the cancellation of a Sumday subscription, you will have at least 30 days to download your customer data. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Sumday is dedicated to implementing all commercially viable precautions to protect your customer data. We champion transparency in our security procedures, bolstering your trust in our robust infrastructure, meticulous processes, sophisticated tools, and stringent policies that are all geared towards the safeguarding of your data.

Sumday has not had a data breach since starting. If a data breach does happen, Sumday is ready to act with a response plan that ensures we limit any damage and help any customers who might be affected, ensuring they meet their legal obligations.

If sensitive data is acquired, accessed, used, or disclosed in a manner not permitted under the privacy law or in a manner that compromises the security or privacy of the sensitive data (personal data or PHI), it may be considered a Breach

Sumday will notify customers promptly without any undue delay upon becoming aware of a data breach. Customers will be contacted via email and phone (if provided), followed by regular updates throughout the day to address progress and impact.

As an Australian-based business, Sumday is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Sumday must notify individuals about an eligible data breach when:

Sumday maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.

All code is deployed and tested in a staging (development) environment that is functionality equivalent to production environments. Sumday performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.

Sumday employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.

All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Sumday code base and insulates Sumday from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.

Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved before it can be merged. Linting and vulnerability checks are automatically run with each pull request, and all tests must pass before a code change can be merged.

Sumday maintains a robust privacy compliance program and is dedicated to collaborating with its customers and vendors on privacy compliance initiatives.

At Sumday, our team is committed to creating and implementing data privacy processes and safeguards that align with industry standards and best practices. We provide ongoing training to our team to keep them updated with legislative changes and crucial privacy and security practices.

Every Sumday employee and contractor agrees to non-disclosure terms to ensure the confidentiality and security of your data. Similarly, Sumday requires any vendors handling personal data to uphold the same data management, security, and privacy practices and standards as we do.

The terms of our Privacy Policy outlines how we collect and uses your account information.

If you have any questions about our privacy practices, please contact us at: support@sumday.io