Security Statement SmartSYNC

This security statement applies to SmartSYNC hosted customers. If a customer has chosen to host SmartSYNC locally they are responsible for the security of their servers although some of the security provisions we have built into the software will still apply.

General

As a software security provider, SmartTHING is committed to providing highly secure and reliable software. Our SaaS platform is built on Microsoft Azure VPS server hosting, which is compliant with a wide variety of industry-accepted security standards. Additionally, our engineers utilise proven and state-of-the-art security technologies and techniques in order to protect all systems, data, and information from unauthorised access in the best possible way.

If you have any questions or need additional information, please write to support@smartthing.org.

Further information is available on our privacy policy and web and product hosting agreement pages.

What data is stored?

SmartTHING stores data about you required to invoice, support and provide the SmartTHING product. This includes the following general data:

• Account name and address
• First and last name
• Email address
• Your organisation phone number
• Your product license details
• Records of any invoices and invoice payments (excluding credit card details)

For the SmartSYNC product, the following customer specific data is also stored including:

• Username and passwords to access the website (passwords are stored using one way hashes)
• Application details including access tokens (these are encrypted using user specific keys when stored in the database)
• Data logs of 7 days of transactions made via SmartSYNC
  • These can include sensitive data – it depends on the set up of the data flows which is under the users control.
  • NOTE: An exception to this is logs that result in an error. There may be further reviewed or re-run once the data has been updated. In these cases logs are retained for 30 days.

Where is my data stored?

For data storage, website provision and backups, we utilise Microsoft’s infrastructures and therefore shares several of their security standards. Our virtualized servers run in the US, AU, EU and UK azure regions.

You can find out more about Microsoft’s security arrangements on their website – they are one of the largest web providers in the world having over 715 million customers, 4 million servers and running millions of websites.

Who has access to my data?

Our privacy policy covers access to your data in general. Beyond this administrative access to customer data within SmartSYNC is restricted to a small number of closely managed SmartTHING administrators. Access to production systems and data follows the security standard of Least Privilege.

How is my data protected?

Network Security

• All traffic from and to our service is encrypted using the SSL/TLS protocol.
• We enforce the usage of strong TLS cipher suites.
• Data within our infrastructure is transmitted via encrypted VPNs.
• All systems are firewalled to a minimal number of access points.

Account Security

• Only the account owner can access his separated account data using his private password.
• We enforce a strong password policy.
• Passwords are stored using a one way hash.
• Two factor authentication is enforced (through email handshake).

System Security

• All operating systems are maintained according to best practices in the industry.
• All recommended patch levels are applied.
• All systems are constantly monitored.
• Our SmartSYNC servers use firewalls, exploit detection, code scanning, SPAM detection and intrusion prevention software.

Secure Data Storage

• Data is stored on a virtualized server on Microsoft VPS hosting.
• Database backups are stored on network and transmitted encrypted at all times.

Can I delete my data and what happens exactly?

When your SaaS account expires, all associated flow logs are deleted within 7 days automatically. Anonymised data, such as number of flows, general flow run information and other non-specific user data is kept for statistics.

If you wish us to delete your account please contact support@smartthing.org and we will aim to do this as quickly as possible for you.

When you delete your account, all associated data is permanently deleted. This includes all applications, flows, steps, users and any other associated data.