Secure and Private Data Policies
We don’t collect any data unless we’re authorized to do so by you. We don’t store any personally identifiable customer information without masking unless explicitly instructed by you to fulfill a particular use case. All data, whether at rest or in transit, is encrypted with state-of-the-art encryption policies.
Ongoing Security Testing & Certification
As part of our continual security review, we continuously monitor our applications and infrastructure and conduct periodic penetration testing and vulnerability scanning to ensure that we’re keeping your data safe and secure.
We do not host our own infrastructure; we’re instead deployed on major cloud platforms such as AWS, Google and Microsoft Azure. We are currently undergoing annual SOC 2 reviews, and will be certified under ISO 27001, the gold standard for security governance.
GDPR and PDPA Compliant – and Beyond
All our European customer data is hosted and run on servers in the EU, and it won’t leave EU borders. We’re fully GDPR compliant, which means we protect the personal data and privacy of EU citizens for transactions that occur within EU member states. We are also fully compliant with PDPA, the Singapore personal data protection act, as well as the UK Cyber Essentials requirements.
Netomi is hosted on Amazon Web Services (AWS). The AWS data centers have strict controls and undergo third-party audits to confirm security and compliance. Safeguards include:
- Physical security measures including security guards, fencing, security feeds, intrusion detection technology, among other measures
- AWS has back-up power equipment, HVAC systems and fire suppression equipment to help protect servers
- AWS deploys threat detection devices, video surveillance and system protocols
The location of the AWS servers where we run our infrastructure depends on where your AI is deployed.
Our platform runs on a tech stack that comprises of a combination of containers and serverless architecture running on industry-leading ISO 27001 certified cloud service providers across different regions. We use a combination of automated and manual penetration and vulnerability scanning to determine if new vulnerabilities are introduced in the software packages on our systems. Our Infrastructure team ingests security bulletins and prioritizes remediation according to our internal Security Vulnerability Identification documentation.
Logical Access Control
Netomi has full control over all its infrastructure on AWS, and only authorized Infrastructure Team members at Netomi have access to configure infrastructure when needed in order to add new functionality, or respond to incidents. All access required for control of infrastructure has mandated two-factor (2FA) authentication. The levels of authorization for infrastructure components is mandated by the principle of least privilege.
Data into System
Netomi provides an embeddable web window for use on our clients’ websites for users to interact with a client’s personal chatbot. This chat window will send data back to Netomi’s APIs over TLS 1.2 or greater. The chat window assets use a subresource integrity (SRI) check to ensure that the files fetched from our CDN are cryptographically verified to prevent Man-In-The-Middle attacks.
Data through System
Data is sent from end-user chat platforms to the Netomi backend via TLS 1.2. All data is AES-256 encrypted at rest.
Netomi’s latest SSL Labs Report can be found here.
Data out of System
Netomi maintains intelligent network firewall rules at the infrastructure level that limit the surface for data extraction. We scrutinize our preferred partners and integrations to ensure that they comply with necessary security regulations (GDPR, PCI, etc), before transferring data for processing.
Data Security and Privacy
All data in Netomi servers is automatically encrypted at rest using AWS EBS Encryption using Netomi’s master encryption key stored in AWS Key Management Service. All volumes are encrypted in AWS using the industry-standard AES-256 algorithm. Netomi only ever sends data over TLS 1.2 or greater, and never downgrades connections to insecure early TLS methods like SSLv3 or TLS 1.0.
Data may be retained after termination of service according to specification within our main customer contract. If data is kept after termination of service for machine learning training purposes Netomi will scrub all personally identifiable information (PII) from customer data. This includes, but is not limited to, usernames, emails, phone numbers, credit cards, IPs, etc.
PII and sensitive data masking
Netomi currently supports redaction of personal information and other sensitive information. If you would like to know more about this and how it is used in our bots, please contact your customer success team.
Netomi conducts a mandatory background check and reference check for all employees prior to joining our team.
Netomi enforces a mandatory security training program for all new and existing Netomi developers and other employees that must be completed annually. This security training covers topics that are relevant to our system architecture, current industry guidelines and industry standards such as the OWASP Top 10 in specific programming languages that the developer uses.
Business Continuity and Disaster Recovery
Every part of the Netomi service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. All our deploys are zero-downtime deploys using Kubernetes, and we implement gradual rollout and rollback of services in the case of deployment errors.
Netomi keeps continuous backups of our production databases using the MongoDB Atlas Fully Managed Backup Service. These backups are typically just a few seconds behind the operational system¹, allowing us to restore easily to any time in the last 24 hours in the case of data corruption or loss.
Netomi stores all infrastructure as code and as such is able to bring up complete copies of production and staging environments quickly (currently < 12 hours and always improving!). In the event of a complete region-wide outage, the Netomi Infrastructure Team will bring up a duplicate environment in a different AWS region.
Infrastructure and Network Security
Third-Party Audit of cloud service providers
Our cloud service providers undergoes third-party independent audits and certified for compliance controls in its infrastructure. This includes, but is not limited to, ISO 270001, SOC 2, and PCI.
Rigorous Penetration and Vulnerability Testing
Netomi is certified by reputed third party agency for successfully undergone with penetration and vulnerability tests. These penetration testings are conducted by an independent third-party agency on a regular basis. For grey box penetration testing, Netomi will provide the agency with an overview of application architecture and information about system endpoints. Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.
We utilize industry leading Intrusion Detection and Prevention systems (IDS/IPS) on each part of infrastructure that we our control. This notifies us on common alert channels whenever suspicious activity may occur. Our infrastructure team will check each alert, investigate the activity, and then respond accordingly.
In addition to password login, two-factor authentication (2FA) provides an added layer of security to Netomi via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data access from intruders. Netomi supports 2FA for all user accounts, which can be enabled for a user in the Profile section of the Netomi dashboard.
In the Settings page, we include an Activity section where dashboard Owners and Administrators can view the editing history of Agents. This is listed chronologically so you’ll have insight into the organization’s most recent activity within the Netomi dashboard.
Secure Application Development
Netomi practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, significantly decreases the likelihood of a security issue and improves the mean response time to security vulnerabilities. Internally, Netomi enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated under condition that all code is reviewed.
Netomi uses the NIST CyberSecurity Framework (CSF) to guide and manage our cybersecurity-related risks. The NIST CSF is a policy framework that was developed by the U.S National Institute of Standards and Technology to help private sector organizations assess and improve their ability to prevent, detect and respond to cyber attacks.
Netomi enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated under condition that all code is reviewed. All code changes must go through a series of automated security scans before being deployed to production.
Netomi maintains internal security documentation which are updated on an ongoing basis and reviewed quarterly for gaps:
- Information Security Policy
- Data Policy
- Risk Management Framework
- Incident Response Plan
- Security Vulnerability Identification
In the event of a data breach, Netomi defers to GDPR regulations, and complies with its strict guidelines and all the measures shall be taken to identify, fix and notify the affected customers, where feasible. Netomi maintains a live report of operational uptime and issues on our status page.
Complaints or Questions
For any questions, please contact us at firstname.lastname@example.org and our data security team will follow up.
Data Protection Officer
To contact our data protection officer, please email email@example.com