Overview
At Tombot, we take Security and Data Protection very seriously.
Our business is automating intelligence and data, and doing that in the most safe and secure way is our motto.
As you continue to learn more about Tombot we recommend you also review our Terms of Use and Privacy Policy.
Best Practices
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our staff on our policies.
- When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.
- After a security event is fixed we write up a post-mortem analysis.
- The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
- We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
- We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.
Infrastructure
- All of our services run in the cloud. Tombot does not run our own routers, load balancers, DNS servers, or physical servers.
- All of our services and data are hosted in Amazon Web Services (AWS) facilities in the USA and EU, with data deployed across several regions depending on client requirements. Tombot services have been built with disaster recovery and automatic failover procedures carefully implemented.
- All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
- Tombot uses MongoDB’s MMS backup solution for datastores that contain customer data.
- All of Tombot's application and database storage is safely contained within Amazon Web Services’ (AWS) infrastructure, which is accredited by ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), and PCI Level 1. More information about AWS security can be found here.
- At TomBot, we carry out regular due-dilligence checks on all subcontractors and third-party providers.
Service Levels
We have uptime of 99.9% or higher for our Service Levels. For more information you can refer to our Service Level Agreement
Data
- All customer data is stored in the US or EU, depending on our client requirements.
- Customer data is stored in a federated and encrypted multi-tenant database and can only be accessed using encryption keys, login credentials, authorization, and access controls.
- Customer data is backed up every hour on our cloud-based storage system in case of a data loss event.
- All employees are trained with data loss prevention procedures and guidlines to prevent data loss events, and keep customer data safe at all times.
- All employees and subcontractors are bound to a non-disclosure agreement and will be suspended from the company if there is a breach in protocol.
Authentication & Authorization
- TomBot is served 100% over https.
- To access TomBot you must have login credentials (username and password) which are both encrypted and hashed.
- TomBot implements strict access controls with different sets of priviledges such as Admin, Read-Only, ect to ensure a higher-level of data protection and security.
Encryption
- All TomBot traffic is safely encrypted using NGINX reverse-proxy server.
- All TomBot user text message data is safely encrypted using AES-256 encryption standard.
Compliance
- TomBot complies with the GDPR Regulatory Authority.
- All employees are obligtated to run a reference and background checks as part of our Employee Screening Policy.
PCI Obligations
TomBot complies with all PCI obligations, including redaction of Credit Card and Social Security card information.
GDPR
- All PII (Personal Indentifiable Information) is safely encrypted or removed from our systems to ensure the highest standard of security and GDRP compliance.
- At TomBot we have an appointed Data Protection Officer, which you can e-mail him directly with inquieries related to Data Security at dpo@tombot.ai
- To make a Data Subject Rights Request, submit an e-mail to gdpr@tombot.ai
- To make a request for us to deliver any data of your personal data to you or a third party you may e-mail gdpr@tombot.ai
- In case of a data breach or compromise of any personal data we will report the breach to all relevant supervisroy authorities within 24 hours of the breach. We will also notify all effected customers, and act immediately to repair the breach.
- You may use any data sub-processors at your own discretion with the use of TomBot. If we make any platform changes which engage with a new sub-processor we will notify with a update to our Terms.