How We Secure Your Data

We recognize that as a customer, you entrust us with your most valuable asset—your customers' data and, ultimately, their trust in you as a provider. That’s why we work systematically with our information security throughout the entire software development lifecycle, from the initial concept of a new feature to its deployment.

‍

Our processes

We work with a risk-focused approach in accordance with ISO-27001, with the goal of delivering a service with world-class security and continuously improving our security every day:

• Our management and CISO conduct a risk analysis every six months, which forms the basis for our security objectives and key results (OKRs).
• We follow up on our security work and controls at the management level in recurring Information Security Management Review meetings.
• All employees and consultants are trained in our IT security policy as part of their onboarding process.
• We have information security as a standing item in our team meetings every other week.
• We have clear processes for handling data securely when employees leave or customers terminate their subscriptions.

Our Security Team:

• Works based on our security OKRs to continuously improve our security.
• Ensures compliance with our security policies.
• Monitors our software supply chain to detect vulnerabilities.
• Prioritizes and recommends upgrades and patching based on CVSS (Common Vulnerability Scoring System).
• Monitors and evaluates privileged access to systems.
• Evaluates our suppliers.
• Regularly security tests our IT infrastructure and coordinates external penetration tests during major changes.

Our operations team:

• Works based on our operations OKRs and our Operations Runbook to ensure compliance with our SLAs.
• Monitors security incidents and reports and documents deviations.
• Monitors operational incidents and reports and documents deviations.
• Upgrades and patches third-party software.
• Tests our disaster recovery (DR) process annually and documents the results.

Our Development Team:

• Works holistically with security from a development perspective, e.g., based on OWASP Top 10.
• Upgrades and patches our own software.

‍

Our platform

Our platform is built from the ground up to ensure that your data is always secure.

• All your data in Senseworks applications is completely segregated from other customers, from authentication to storage and processing. Data is stored physically separately for each customer, both in databases and object storage.
• All our applications use unique usernames and passwords to minimize the blast radius, following the principle of least privilege.
• Our services have multiple layers of access control (RBAC), where the Customer can manage which employees have which rights in the Service. Our services also implement User-Managed Access (UMA), allowing the Customer to determine which users have access to specific data.
• All administrative accounts use two-factor authentication (2FA).
• All access to all systems is personally identifiable and logged.
• We continuously scan for vulnerabilities in the software we use, as well as deviations and anomalies in our environments (IDS).
• We use the smallest possible base images for all services to minimize attack surfaces.
• We continuously patch our software based on Static Application Security Testing (SAST) in our pipelines, as well as Software Composition Analysis (SCA) and image scanning for CVEs during runtime.
• All access to internal services is done via VPN (Q1 2024) and through strict whitelisting.
• All data is encrypted using TLS when transmitted between services or to end users (encryption-in-transit).
• Data is encrypted as often as possible at rest (encryption-at-rest) — for example, all passwords are stored encrypted in Azure Key Vault, and all data in databases and object storage is encrypted using AES 256.
• We use Azure's DDoS protection to prevent denial-of-service attacks.
• Backups are performed daily, encrypted, and stored for 7 days.
• Our Recovery Time Objective (RTO) is 4 hours for a complete restoration of applications and data.
• Our Recovery Point Objective (RPO) is to be able to restore data from at least 24 hours ago.

‍

You are welcome to contact our Chief Information Security Officer (CISO) to learn more: ciso@senseworks.io

‍

How we protect your personal data

We see our responsibility to protect your personal data and privacy in a good way as a potential competitive advantage. We are aware of the challenges of doing so in today's changing legal landscape.

‍

Our goals are to deliver our services in accordance with:

• EU:s GDPR
• EU:s ePrivacy Directive
• EU:s Digital Services Act

‍

We have invested to ensure that our platform is flexible and cloud-agnostic. Our software runs in Microsoft's Swedish data centers but can, with modifications, also be delivered from other IaaS platforms. All operations, except those managed by Microsoft, are handled by Senseworks' Swedish staff. All data is stored in Sweden, including both databases and object storage.

‍

Our guidelines are to:

• Always use Swedish or European suppliers when possible; secondly, use open-source solutions with the ability to host them on Swedish or European suppliers.
• Always minimize the amount of personal data we handle (Art. 5 - data minimization).
• Always encrypt personal data when it is transmitted (encryption-in-transit).
• Encrypt personal data when stored as often as possible (encryption-at-rest).
• Always educate our employees and consultants on the proper handling of personal data when they start.

The American subcontractors we use to deliver our services are:

• Atlassian, US (support - DPA, sub-processors)
• Google LLC, US (support, email - DPA, sub-processors) 
• Hotjar, US (usability - DPA, sub-processors)
• Microsoft Corporation, US (cloud, communication - DPA, sub-processors)
• Sentry, US (support - DPA, sub-processors)
• Slack, US (communication - DPA, sub-processors)

‍

We use the Standard Contractual Clauses (SCCs) mechanism with these suppliers to transfer personal data to third countries. The data being transferred does not fall under the category of sensitive personal data according to the EU's definition but may include:

• Authentication details (e.g., usernames, passwords, audit trails)
• Contact information (e.g., email, phone numbers, links to social media accounts)
• Commercial data (e.g., subscription history, payment history)
• Usage data
• User profile data (first name, last name, email)
• Any personal data in user comments in our applications

‍

You are welcome to contact our Data Protection Officer (DPO) to learn more:‍

dpo@senseworks.io