Data Security and Privacy at Sumday
Table of Contents
Compliance
Sumday is ISO27001, SOC2 Type II and GDRP certified.
ISO27001
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS).
Conformity with ISO/IEC 27001 means that Sumday has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
SOC 2 Type II
Sumday has received a SOC 2 Type II report demonstrating that over a period of time, it has maintained the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.
A SOC 2 Type II report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Sumday. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA).
Penetration testing
Our Pen testing follows a consistent and structured approach, and represents a point in time assessment of the nature and extent of potential or existing exposures that could potentially lead to a compromise.
Testing is based on best practice methodologies in combination with our other in-house developed processes and methodologies.
PCI DSS
All payments made to Sumday are securely processed via Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Data Storage
Sumday is hosted on Microsoft Azure, with ISO 27001 / SSAE 18 compliant data centers located in several major Azure regions globally. Our servers are hosted in data centres located in Australia.
Physical Security: Sumday defers all data centre physical security controls to Microsoft Azure.
Specific Requirements: For businesses with specific data sovereignty requirements, Sumday is able to be hosted within most regions globally, ensuring that your data remains within your specified geographical boundaries. You can contact us to discuss these options.
Data protection
We recognise the importance of maintaining the highest standards of security in order to protect our team, our assets, and our customers. Here's an overview of our security practices:
Data Security
We utilise both technical and organisational measures to ensure the security of the personal data we manage.
- Data Leak Prevention (DLP) tools: Monitors and restricts potential data leaks.
- Data Masking: Limits the visibility of sensitive data internally and externally.
Passwords
SSO: Enterprise users can configure an SSO integration with Azure Active Directory, Okta or any other identity provider that supports OpenID Connect. Enterprise customers also have the ability to enforce SSO for all users in the workspace and disable other log in methods.
Password management: Sumday employs industry-standard techniques for password management, encryption, storage, complexity, and reset.
Password managers: Sumday encourages customers to leverage a password manager to support strong passwords when using Sumday.
Data Classification
Sumday classifies data based on it’s sensitivity, value, and criticality to the organisation, and the appropriate level of access and protection is applied accordingly.
Endpoint Security
We install endpoint security software on all staff computers. This software is proactive and performs routine checks to ensure all devices are encrypted, firewalls enabled, active screen locks, and free from threats, viruses, or malicious software.
Staff Screening
Every potential Sumday employee undergoes comprehensive police, identification, qualification and work history checks.
Security Training
Every new member joining Sumday is introduced to our security culture during onboarding. We also keep our existing staff up to date with regular security training sessions and annual policy acknowledgments.
Data Retention
Data erasure: Sumday customers have the ability to request data deletion or self-serve their own deletion, when data is not subject to regulatory or legal retention periodicity requirements. Subscription cancellation: Following the cancellation of a Sumday subscription, you will have at least 30 days to download your customer data. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.
Data Breach Notification
Sumday is dedicated to implementing all commercially viable precautions to protect your customer data. We champion transparency in our security procedures, bolstering your trust in our robust infrastructure, meticulous processes, sophisticated tools, and stringent policies that are all geared towards the safeguarding of your data.
Sumday has not had a data breach since starting. If a data breach does happen, Sumday is ready to act with a response plan that ensures we limit any damage and help any customers who might be affected, ensuring they meet their legal obligations.
Data breach definition
If sensitive data is acquired, accessed, used, or disclosed in a manner not permitted under the privacy law or in a manner that compromises the security or privacy of the sensitive data (personal data or PHI), it may be considered a Breach
Notification
Sumday will notify customers promptly without any undue delay upon becoming aware of a data breach. Customers will be contacted via email and phone (if provided), followed by regular updates throughout the day to address progress and impact.
Australian Privacy Act
As an Australian-based business, Sumday is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Sumday must notify individuals about an eligible data breach when:
- there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that Sumday holds
- this is likely to result in serious harm to one or more individuals, and
- Sumday hasn't been able to prevent the likely risk of serious harm with remedial action
Software development life cycle
Sumday maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.
Development environments
All code is deployed and tested in a staging (development) environment that is functionality equivalent to production environments. Sumday performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.
Version control
Sumday employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.
All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Sumday code base and insulates Sumday from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.
Code review
Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved before it can be merged. Linting and vulnerability checks are automatically run with each pull request, and all tests must pass before a code change can be merged.
Privacy
Sumday maintains a robust privacy compliance program and is dedicated to collaborating with its customers and vendors on privacy compliance initiatives.
How we handle your data
At Sumday, our team is committed to creating and implementing data privacy processes and safeguards that align with industry standards and best practices. We provide ongoing training to our team to keep them updated with legislative changes and crucial privacy and security practices.
Every Sumday employee and contractor agrees to non-disclosure terms to ensure the confidentiality and security of your data. Similarly, Sumday requires any vendors handling personal data to uphold the same data management, security, and privacy practices and standards as we do.
What is Customer Data?
- Sumday defines Customer Data as any data that a customer stores in the Sumday platform, like your transactions and activity data you import to do the accounting.
- Customer data does not include analytics data or Account Information.
What is Account Information?
- Account information is the information that our customers provide to us so that we can create and administer their customer accounts.
- For example, account information includes names, usernames, passwords, email addresses, support communications, billing information, and usage information associated with your Sumday account.
- The terms of our Privacy Policy apply to any personal information included in Account Information.
Who owns and controls Customer Data?
- You own your Customer Data, including any data you submit or upload to Sumday.
- You determine what content and data to upload to Sumday. Once uploaded, you manage access to your account by assigning user logins.
- You also oversee the administration of the Customer Data by managing permissions and user credentials under your control.
How does Sumday use my Account Information?
The terms of our Privacy Policy outlines how we collect and uses your account information.
Who should I contact if I have any questions about Sumday’s data protection practices?
If you have any questions about our privacy practices, please contact us at: support@sumday.io
Last updated on Invalid Date