Security Statement SmartSYNC

This security statement applies to SmartSYNC-hosted customers. If a customer has chosen to host SmartSYNC locally, they are responsible for the security of their servers, although some of the security provisions we have built into the software will still apply.

General

As a software security provider, SmartTHING is committed to providing highly secure and reliable software. Our SaaS platform is built on Microsoft Azure VPS server hosting, which is compliant with a wide variety of industry-accepted security standards.

Additionally, our engineers use proven, state-of-the-art security technologies and techniques to protect all systems, data, and information from unauthorised access as best they can.

If you have any questions or need additional information, please get in touch with support@smartthing.org.

Further information is available on our privacy policy and web and product hosting agreement pages.

What data is stored?

SmartTHING stores data about you that are required to invoice, support, and provide the SmartTHING product. This includes the following general data:

• Account name and address
• First and last name
• Email address
• Your organisation’s phone number
• Your product license details
• Records of any invoices and invoice payments (excluding credit card details)

For the SmartSYNC product, the following customer-specific data is also stored includes:

• Username and passwords to access the website (passwords are stored using one-way hashes)
• Application details, including access tokens (these are encrypted using user-specific keys when stored in the database)
• Data logs of 7 days of transactions made via SmartSYNC
  • These can include sensitive data – it depends on the set-up of the data flows under the user’s control.
  • NOTE: An exception to this is logs that result in an error. Once the data has been updated, it may be reviewed or re-run. In these cases, logs are retained for 30 days.

Where is my data stored?

We use Microsoft’s infrastructure for data storage, website provision, and backups and, therefore, share several of its security standards. Our virtualized servers run in the US, AU, and UK Azure regions.

You can find out more about Microsoft’s security arrangements on its website. Microsoft is one of the largest web providers in the world, with over 715 million customers and 4 million servers, and it runs millions of websites.

What happens to the data we, the client, choose to share?

As part of our provided services, you may decide that you wish to use external data providers and processors.

That is at your choice and by doing so you are choosing to use them as your data processor.

This makes sense in many use cases, such as linking systems together via a synchronisation tool: You cannot sync data without sharing it with the systems in question.

However, you should review the service providers’ data processing statements before utilising their service and ensure your data processing statements and terms cover such usage. 

Who has access to my data?

Our privacy policy covers general access to your data. Administrative access to customer data within SmartSYNC is restricted to a small number of closely managed SmartTHING administrators. Access to production systems and data follows the security standard of Least Privilege.

How is my data protected?

Network Security

• All traffic from and to our service is encrypted using the SSL/TLS protocol.
• We enforce the usage of strong TLS cypher suites.
• Data within our infrastructure is transmitted via encrypted VPNs.
• All systems are firewalled to a minimal number of access points.

Account Security

• Only the account owner can access his separate account data using his private password.
• We enforce a strong password policy.
• Passwords are stored using a one-way hash.
• Two-factor authentication is enforced (through email handshake).

System Security

• All operating systems are maintained according to best practices in the industry.
• All recommended patch levels are applied.
• All systems are constantly monitored.
• Our SmartSYNC servers use firewalls, exploit detection, code scanning, SPAM detection and intrusion prevention software.

Secure Data Storage

• Data is stored on a virtualized server using Microsoft VPS hosting.
• Database backups are stored on the network and transmitted encrypted at all times.

Do you have any accreditations for data security?

SmartTHING is proud to be ISO 27001 and ISO 9001 accredited. These are international standards for data security and quality management. 

Can I delete my data, and what happens exactly?

When your SaaS account expires, all associated flow logs are automatically deleted within seven to thirty days. Anonymised data, such as a number of flows, general flow run information, and other non-specific user data, is kept for statistics.

If you wish us to delete your account, please contact support@smartthing.org. We will aim to do this as quickly as possible.

When you delete your account, all associated data is permanently deleted. This includes all applications, flows, steps, users, and other associated data.