Customer Data Security Policy

What are the aims of this policy? To provide customers with assurance that the software services provided by Glean will be managed effectively, securely and responsibly.

1. Objective

What are the aims of this policy?

a. To provide customers with assurance that the information systems and software services provided by Sonocent Ltd trading as Glean of D1 Joseph's Well, Hanover Walk, Leeds, West Yorkshire, LS3 1AB, United Kingdom company number 06127874, will be managed effectively, securely and responsibly.

b. To provide assurance that the customer’s informational assets will be protected against all internal, external, deliberate and accidental threats.

2. Audience

Who is this policy for?

This policy is intended for use by prospective and existing customers of Sonocent services. A "customer" is:

a. An individual who pays for or trials access to Sonocent services and is the end user of the services.

b. An organisation that pays for or trials access to Sonocent services for use by individuals within that organisation.

3. Scope

What does this policy cover?

This policy applies to all customer data that Sonocent receives in the course of business. It applies to all information systems, networks, applications, infrastructure, services and locations of Sonocent technology or that which is supplied under contract to it.

Where there are links to enable a non-Sonocent organisation to have access to customer data, the organisation must confirm that the security policy it operates meets Sonocent’s security requirements, which includes the successful completion of Sonocent’s due diligence process. A copy of any relevant third party security policy will be obtained and retained with the contract or agreement.

4. Policy Compliance

Sonocent will ensure that its customers are aware of and understand the content of this policy.

Some aspects of data security are governed by legislation, the most notable UK Acts and European legislation are:

  • General Data Protection Regulation 2016/679

  • The Data Protection Act (2018)

  • Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC)

  • Privacy and Electronic Communications Regulations 2003 (SI 2003/2426)

  • Copyright, Designs and Patents Act (1988)

  • Computer Misuse Act (1990)

The most notable US Acts and legislation are:

  • California Consumer Privacy Act (2018)

  • California Online Protection Privacy Act (2004)

5. Key Persons

Key persons responsible for data security at Sonocent are:

a. Chief Operating Officer (COO)

b. Chief Technology Officer (CTO)

c. IT Infrastructure Manager

d. Legal and Compliance Officer (LCO)

The Board of Directors is ultimately accountable for data security at Sonocent.

All queries relating to information security should be directed to legal@glean.co, or, in writing to:

Sonocent Ltd trading as Glean
Hanover Walk, D1 Joseph's Well, Leeds, West Yorkshire, LS3 1AB UK

italic text

6. Responsibilities of Sonocent Staff

All Sonocent staff will comply with Sonocent’s data security procedures, including the maintenance of data confidentiality and data integrity. Failure to comply may result in disciplinary action. Each member of staff is responsible for the operational security of the information systems they use. The Board of Directors is ultimately accountable for information security at Sonocent.

7. Registration with the Information Commissioner's Office (ICO)

Sonocent Ltd is registered with the Information Commissioner’s Office, and renews annually. The ICO is the UK’s independent body set up to uphold information rights. It provides guidance and advice on data protection and outlines best practices for handling personal data in accordance with UK and EU privacy legislation.

8. Data security

Customer data collected, stored or processed by Sonocent will be classified according to the following classifications:

a. Unrestricted - data will be classified as unrestricted when the unauthorised disclosure, alteration or destruction of that information would result in little or no risk to Sonocent and its affiliates.

b. Confidential - by default, all customer data that is not explicitly classified as Restricted or Unrestricted will be treated as Confidential. Personal data such as an email address is classified Confidential.

c. Restricted - data protected by legislation and/or confidentiality agreements. The highest level of security controls will be applied.

A classification of an item of information may change over time.

9. Data Collections

A single data classification may be assigned to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements will be used. For example, if a data collection consists of a customer’s name, email address and telephone number, the data collection will be classified as Restricted even though the user’s name may be considered Unrestricted information.

11. Authority and Access Control

(i) General

Access to customer data is restricted to authorised Sonocent staff who have a legitimate business need to access it. Where possible, access will be further limited to the specific data set required to fulfil the task assigned to them.

The Sonocent COO and CTO are accountable for the authorisation of access to customer data. Access can be modified or revoked at any time by the COO, CTO, or, by a delegated member of the Operations team.

The IT Team maintains a list of applications and databases that hold customer data and their corresponding business owners.

(ii) Resource Access Logs

Sonocent maintains logs of all interactions between systems (Human and other software) within its infrastructure and architecture. This includes, but is not limited to:

a. Successful and unsuccessful login attempts to external public facing systems

b. Internal authorisation attempts between internal and third party systems

c. Activities performed by users (Administrators and Users)

Logs are typically retained for 90 days and then expire. User audit logs may be retained for a longer period of time in line with Sonocent’s Data Retention Policy and legal requirements.

(iii) Reporting Access Violations

The Engineering team maintains a process for providing reports and alerts for unexpected or malicious behaviour, such as multiple failed login attempts for a single account, which may be evidence of a systemic attack on services within Sonocent’s infrastructure. Where Sonocent identifies such behaviour, and believes a security incident that may impact customer data has occurred, Sonocent will contact the customer using the email address provided or confirmed by the customer.

(iv) Password Management

Sonocent adheres to password management industry best practices. All Sonocent staff use a password manager to ensure credentials are secure. All devices and systems used to access customer data are secured with strong passwords, and where applicable, use two-factor authentication. In the event that a member of staff leaves Sonocent, their passwords are deleted, access revoked and accounts disabled.

12. Physical and Environmental Security

Sonocent implements the following physical safeguards across all of its sites:

a. No Access to Unauthorised Personnel Policy

b. Visitor Sign-in

c. Lockable filing cabinets

d. Lockable personal storage

e. Fire suppression system

The following additional physical safeguards are in place at Sonocent’s UK Head Office site:

a. Building Security (operating 07:00 - 19:00, Monday to Friday)

b. CCTV

13. Data Support and Operations

(i) General

Sonocent externally hosted systems (cloud based) that are used to store customer data are protected in accordance with Sonocent’s professional standards and industry best practices.

Best practices include but not are limited to:

  • All data encrypted at rest and only transmitted over encrypted channels

  • All systems secured with role-based secure APIs

  • All software and operating systems are patched regularly; frequency will increase if security advisories indicate there is a vulnerability

(ii) Data Backup

Backups of customer data to cloud storage are performed daily according to an automated schedule. This includes personal customer data collected directly or indirectly from the customer, as detailed in the relevant privacy policy linked in section 18 of this document, and, user-generated content. Sonocent uses cloud storage provided by Amazon Web Services (AWS) and Google Cloud (GCP). Backups are automated and encrypted and are stored for up to one year. The data centres that store Sonocent customer data are located in the UK.

(iii) Data Transfer

Sonocent will never transfer customer data in an insecure format. However, Sonocent reminds customers that while every effort is made to protect customer data, no method of transmission over the internet, or, method of electronic storage, is guaranteed to be 100% secure or error-free.

14. Retention and Secure Deletion of Customer Data

(i) Retention

Sonocent will only retain customer data for as long as necessary to fulfil the purposes it was collected for; including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for customer data, Sonocent considers:

  • The amount, nature, and sensitivity of the data;

  • The potential risk of harm from unauthorised use or disclosure;

  • The purposes for which it processes the data and;

  • Whether Sonocent can achieve those purposes through other means, and the applicable legal requirements.

Personal Data

Full details of the types of personal data Sonocent collects, how it collects and uses it, and the purposes for collecting it, can be found in the relevant privacy policy linked in section 17 of this document.

In some circumstances, Sonocent may pseudo-anonymise personal data to safeguard customer privacy. Sonocent may also completely anonymise personal data for research or statistical purposes; in which case Sonocent may use the data indefinitely without further notice to the individual.

(ii) Deletion

In line with Sonocent’s Data Retention Policy and legislative requirements, Sonocent will initiate the process for deleting a customer's data when;

a. The relevant customer contract has expired or has been validly terminated;

b. Sonocent has satisfied any requirements detailed in point (i) of this section and has determined that the data does not need to be retained.

For information regarding the deletion of customer personal data, please refer to the relevant privacy policy linked in section 17 of this document.

Further information regarding Sonocent's Data Retention Policy is available on request from legal@glean.co.

15. Security Incident Response Plan

Sonocent’s Security Incident Response Plan details the procedural steps Sonocent follows in the event of a suspected or confirmed security breach of Sonocent’s systems or infrastructure, as well as third party services used by Sonocent. Upon identifying a security incident, Sonocent will initiate the following:

  1. Respond: assemble an internal incident response team;

  2. Validate: qualify the existence of the incident;

  3. Scope: assess the impact;

  4. Contain: limit the impact and potential damage and preserve evidence;

  5. Report:

  • Determine if regulatory or contractual reporting is required based on the nature of the incident. If reporting is required, Sonocent will ensure all appropriate parties are notified within 72 hours of identifying the incident. Sonocent will always notify affected customers in the event of a security incident that may compromise their data
  • If reporting is not required, Sonocent will ensure the reasoning is documented and stored appropriately
  1. Recover: restore normal service while continuing to analyse the incident, understanding any and all legal implications;

  2. Improve: perform root cause analysis, determine lessons learned and implement strategic remediation.

16. Testing and Risk Monitoring

Sonocent regularly tests key aspects of its information security management system to ensure they are implemented properly and are functioning effectively. Potential and existing information security threats, risks and vulnerabilities are identified, mitigated and managed as part of Sonocent’s wider risk management programme.

Independent third parties perform penetration testing periodically and more frequently as needed, based on the results of risk assessments and continuous monitoring of the threat landscape. Examples of the ways Sonocent monitors its systems, logs and events include:

a. Continuous monitoring of changes affecting systems handling authorisation and authentication;

b. Engaging independent third parties to perform vulnerability assessments and/or penetration testing;

c. Reviewing privileged access to Sonocent production systems

17. Links to Sonocent Privacy Policies

18. Contact

Queries, comments and feedback relating to this policy should be emailed to legal@glean.co

Last updated: 6 July 2020