White paper
v2.0 - 15/11/2023
Introduction
This paper outlines UMA's approach to security and compliance for UMA Cloud, UMA Products and UMA Services. It focuses on security, including details of the organisational and technical controls UMA uses to protect your data.
UMA Security
ISO 27001 Certification and Compliance
UMA is ISO 27001 certified, demonstrating our commitment to recognised standards of information security management. This international standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organisation. Certification attests that the ISMS meets the standard within its defined scope and is maintained through regular surveillance audits by the certification body. Our adherence to ISO 27001 ensures that we manage the security of assets such as financial information, intellectual property, employee details, and information entrusted to us by third parties with due diligence.
Employee Background Checks
Before a new employee joins UMA, we verify the individual's education and previous employment, and perform internal and external reference checks. Where local labour laws or statutory regulations permit, UMA may also conduct criminal, credit, immigration, and security checks. The extent of these background checks depends on the position being filled.
Security Training for all Employees
All UMA employees undergo security training as part of the onboarding process and receive ongoing security training throughout their employment at UMA. During onboarding, new employees agree to our Code of Conduct, which sets out our commitment to keeping customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the Information Security and Development team instructs new engineers on topics such as secure coding practices, secure product design, and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a security newsletter covering new threats, attack patterns, mitigation techniques, and more.
Internal Security and Privacy Events
UMA regularly hosts internal conferences, open to all employees, to raise awareness and drive innovation in security and data privacy. Employees also receive regular simulated phishing emails to test that the training has been understood and to reinforce awareness.
Dedicated Security Team
UMA employs security and privacy professionals who are part of our Platforms Engineering and Operations team. This team is tasked with protecting the company's systems from vulnerabilities, developing security review processes, building security infrastructure, and implementing UMA's security policies. UMA's Security Team actively scans for security threats using commercial tools, penetration tests, quality assurance (QA) measures and software/platform security reviews.
Internal Audit & Compliance Specialists
UMA has a dedicated internal audit team that reviews compliance with security laws and regulations around the world.
Operational Security
Annual Penetration Testing and Testing Post-Major Updates
To further bolster our commitment to security, UMA conducts annual penetration tests on our environment. These tests are designed to identify and fix vulnerabilities, ensuring the integrity, confidentiality, and availability of our customers' data. In addition, following any major update or significant change to our systems, we conduct further penetration testing. This allows us to promptly address any security issues introduced by new functionality or changes, so that our security posture is maintained consistently.
Vulnerability Management
UMA operates a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. The vulnerability management team (the Security Team) is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritised according to severity, assigned an owner, and tracked until it is resolved.
Monitoring
UMA's security monitoring is focused on information gathered from internal network traffic on our Platform, employee actions on systems, and external knowledge of vulnerabilities. Within each of our Regions, traffic is inspected for suspicious behaviour, such as traffic patterns that might indicate botnet connections. This analysis is performed using a combination of tools and services available within Amazon Web Services (AWS). Inbound security reports are regularly monitored, and changes are audited.
Incident Management
We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the Security Team logs it and prioritises it according to its severity. Events that directly impact customers are assigned the highest priority. The process specifies courses of action and procedures for notification, escalation, mitigation, and documentation.
Data Usage
Our Deal
In accordance with our commitment to protect your privacy and manage your data responsibly, we retain the personal and operational data collected through our services only for as long as necessary to fulfil the purposes set out in our agreement with you, or as required by applicable law. All data is securely deleted from our systems every three years, unless a shorter retention period applies. Additionally, upon termination of your contract with us, we delete all of your data in full, ensuring that no residual copies remain in our backups or storage systems beyond the period necessary to complete the deletion process. This policy is designed to ensure compliance with data protection regulations and to safeguard your information against unauthorised access or use.
Data Access & Restrictions
Administrative Access
To keep data private and secure, UMA logically isolates each customer's data from that of other customers and users, even when it is stored on the same virtual host in AWS. Only a small group of UMA employees has access to customer data. For UMA employees, access rights and levels are based on their job function and role, applying the principles of least privilege and need-to-know so that access privileges match defined responsibilities. Requests for additional access follow a formal process involving a request and an approval from a data or system owner, a manager, or another executive, as dictated by UMA's security policies. Approvals are managed by workflow tools that maintain audit records for all changes.
Customer Administrators
Within customer organisations, administrative roles and privileges for UMA Cloud are configured and controlled by the Project/Facilities owner. This means that individual team members can be granted the ability to manage specific services or perform specific administrative functions for their own organisation, without being given access to all settings and data.
Law Enforcement Data Requests
The customer, as the data owner, is primarily responsible for responding to law enforcement data requests; however, like other technology companies, UMA may receive direct requests from governments and courts around the world about how a person has used the company's services. We take measures to protect customers' privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of the data you store with UMA remains our priority as we comply with these legal requests. When we receive such a request, our team reviews it to make sure it satisfies legal requirements and UMA policies. For us to comply, the request must be made in writing, signed by an authorised official of the requesting agency, and issued under an appropriate law.
Third-Party Suppliers
UMA directly conducts virtually all data processing activities needed to provide our services. However, UMA may engage some third-party suppliers to provide services relating to UMA, UMA Vision, UMA Book, UMA Sense, UMA C-19 and UMA Air. Prior to onboarding a third-party supplier, UMA assesses the supplier's security and privacy practices to ensure they provide a level of security and privacy appropriate to the data the supplier will access and the scope of the services it is engaged to provide.
Conclusion
The protection of your data is the primary design consideration for all of UMA's infrastructure, products, and personnel operations. Data protection is more than just security: UMA's contractual commitments ensure that you maintain control over your data and how it is processed, including the assurance that your data is not used for advertising or for any purpose other than delivering UMA Cloud Services to you.
Last updated