Information Security Policy
Reliability & availability
AI Rudder strives for high uptime and performance. Systems, people, processes and policies are designed to meet and exceed this goal. Engineering, Customer Success, Security, the Maintenance & Operations Center (MOC) and Solution Architects operate in unison to make sure our customers have the best online experience.
Backups run daily, encrypted in transit and at rest. Backups are kept "off-site" in AliCloud OSS, which stores files on multiple highly available Data Centers and physical devices.
Backup recovery tests are performed periodically to ensure the availability of backup files.
AI Rudder reviews its Business Impact Analysis (BIA) and Business Continuity Plan (BCP) on an annual basis. Recovery strategies are designed to provide well-defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Incident management & responses
AI Rudder maintains ongoing documentation and verification of its incident response policy and procedures. We apply a 6-step approach that drives consistency and ongoing improvement of our response process: Preparation, Identification, Containment, Eradication, Recovery and Tracking.
We practice multidisciplinary, blameless post-mortem analysis, and seek to grow our people, processes, and systems in the aftermath of failure.
At the same time, we organize regular troubleshooting meetings among the relevant experts to reduce the risk of recurrence and speed up response times.
Data centres are located in multiple availability zones in multiple locations around the globe. For more information about AliCloud capabilities and compliance, please refer to the AliCloud Information page.
Infrastructure & network security
AI Rudder continuously monitors its infrastructure and network security via a 24/7/365 Maintenance & Operations Center (MOC). Our infrastructure is scanned continuously for security vulnerabilities, and findings of medium or higher severity are prioritized and addressed.
AI Rudder maintains all production systems in a dedicated Virtual Private Cloud (VPC) within AliCloud. Production data never leaves the dedicated VPC, and communication and access to it are restricted by firewalls and access control mechanisms. AliCloud Cloud Security Center (CSC) monitors and alerts our 24/7/365 Maintenance & Operations Center (MOC) whenever unusual behaviour or traffic is detected.
Vulnerability and patch management
Systems are scanned regularly for common vulnerabilities. Servers are patched automatically on a regular schedule, with critical and high severity patches applied with the highest priority.
Distributed Denial of Service mitigation is provided via AliCloud Shield.
We believe security must be “baked” into the product, processes and people. Software developers and engineers are required to go through annual security training and pass a rigorous exam. Static and dynamic security scans are built into the development and QA processes via automated tools that perform on-demand and ongoing code scans. Findings that match known security vulnerabilities or deviate from best practices generate automated alerts, and the code is promptly corrected.
AI Rudder's penetration testing team conducts annual tests. Findings of medium or higher severity are remediated, and reports are available upon request and under NDA.
All stored data, session cookies, backups and other sensitive data are encrypted for additional security. Account passwords are salted and hashed using reliable algorithms and approaches, which are routinely audited. No humans, our staff included, can ever view your passwords.
Encryption in transit
All communication between customer systems and AI Rudder is encrypted in transit using HTTPS, with SHA256 with RSA as the signature algorithm.
Role-based access control
AI Rudder administrators can set user roles according to the principle of least privilege. Users only see what they need in order to perform their job.
Compliance & certifications
Our customers span a wide range of industries. AI Rudder is committed to meeting and exceeding the levels of compliance those industries' standards require.
AI Rudder undergoes annual audits with external vendors to ensure its products and processes follow the strictest norms.
AI Rudder has passed the SOC 2 audit; the report may be shared upon request.
All employees participate in annual general security training.
Information security policies & procedures
AI Rudder uses the ISO 27001 framework as the foundation for its policies and procedures.
All employees acknowledge their responsibilities in protecting customer data as a condition of employment.
AI Rudder offices are secured by fingerprint access and are monitored 24/7/365 by video cameras. Although our products have no dependencies on our company’s offices or other facilities other than AliCloud data centres, our office has redundant UPS, network devices and firewalls.
Employee laptops are secured with DLP, antivirus and advanced malware detection, with central management and control.
All devices are managed via a central, cloud-based Mobile Data Management (MDM) system.
All middle and top-level hires undergo background checks prior to joining AI Rudder.
AI Rudder was built within the cloud, and our employees regularly operate from different locations globally with little to no dependency on office resources.
AI Rudder has a Business Continuity Plan (BCP) to ensure business continuity.
AI Rudder's data protection policy follows national data security laws and references the EU GDPR requirements. General Data Protection Regulation (GDPR) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It is the most comprehensive EU data privacy law in decades and has been in effect since May 25, 2018.
Besides strengthening and standardizing user data privacy across the EU nations, it imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
GDPR is intended to offer protections for you or any identifiable natural person (the “Data Subject”) regarding your information (your “Personal Data”). You, as a Data Subject, have broad rights, whether you are identified directly or indirectly through the context of the interaction in which your information was captured.
AI Rudder’s Commitment to Protecting Your Personal Data
AI Rudder is committed to partnering with its customers and users to ensure that AI Rudder is fully compliant with the requirements of the Data Protection Regulations. AI Rudder recognizes your rights under GDPR and will ensure that these rights are honoured and your Personal Data is protected. AI Rudder’s product and security teams are working diligently to bring AI Rudder’s product offerings and contractual commitments in line with these requirements, so that our customers, prospects, users and others who interact with AI Rudder remain compliant.
Measures to achieve this include:
- Additional investments in our security infrastructure
- New clarity on procedures for consent, data portability and privacy preference enquiries
We’ll also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and will adjust our plans accordingly if it changes. We’ll provide you with regular updates along the way so that you’re always current.
Our Security Infrastructure and Certifications
Protecting our customers' information and their users' privacy is extremely important to us. As a cloud-based and AI-based company entrusted with some of our customers' most valuable data, we’ve set high standards for security. AI Rudder has passed the SOC 2 audit; the report may be shared upon request.
International Data Transfers: Contractual Terms
To comply with individual Data Protection Laws around international data transfer mechanisms, AI Rudder establishes data storage standards based on the relevant requirements of each country to meet the adequacy and security requirements of our customers who operate locally.
AI Rudder as Data Processor
Your personal data may enter AI Rudder’s processing scope in multiple ways, in each of which AI Rudder acts as the Data Processor. This section describes AI Rudder’s role as a Data Processor and explains how you can interact with AI Rudder.
Role of AI Rudder as a Data Processor
We process the end user's Personal Data on behalf of the end user's vendor/organization. The end user may submit a request, and AI Rudder will forward the request to the end user's vendor/organization. The vendor/organization (the Data Controller) will need to approve any final action on the request. AI Rudder will assist the Data Controller in expeditiously completing the request.
When AI Rudder processes and displays an end user's personal data, that data was acquired from our customer with which the end user interacts. If it is personal data that the end user submitted to our customer, the end user provided consent to our customer to use that data for their business purposes. If it is personal data that AI Rudder obtained in the process of conducting business with the end user or the end user's vendor/our customer, that use relies on the end user's consent to use the data for business purposes.
To withdraw an earlier consent that the end user provided, contact the end user's vendor/our customer or the organization to which the end user provided the original Personal Data. AI Rudder will not be able to alter the end user's consent, as we are the Data Processor, not the Data Controller.
For data processed by AI Rudder, we will forward the end user's request to the end user's vendor/organization (the Data Controller), who will then initiate a request to provide that information. Since AI Rudder’s role is only that of a Data Processor, AI Rudder will not be able to provide the end user's Personal Data directly.
Data Breach Notification
In the event of a data breach, AI Rudder, as a Data Processor, is required to notify the end user's vendor/organization that there was a data breach. The end user's organization will then notify the end user regarding the breach, its impact and potential remedies. AI Rudder will not notify the end user directly.
Data Erasure, Accuracy and Portability
When an end user requests an export, erasure or update of Personal Data held by AI Rudder, we will forward the request to the end user's vendor/organization, who will then instruct AI Rudder to complete it. Since AI Rudder’s role is only that of a Data Processor, AI Rudder will not be able to perform these actions directly.
Filing a complaint
To file a complaint related to personal data processed by AI Rudder, use the complaint portal/form of the end user's vendor or organization (the Data Controller). AI Rudder will assist the Data Controller in resolving the complaint, but will not take any action until and unless such action is authorized by the Data Controller.
List of Sub-Processors
AI Rudder, as a Data Processor, has engaged the services of the following sub-processors. Some or all of your personal data may be transferred to them. All such transfers are governed by Master Service Agreements and GDPR agreements (via a Data Processing Addendum) that establish the scope of processing as well as the legal basis for such processing. AI Rudder requires its sub-processors to perform the specified processing only for the purposes of delivering the services that are part of the agreement. To learn more about the GDPR initiatives of our sub-processors, please visit the web pages listed here.
| Sub-processor | Location | Role | Purpose of processing |
|---|---|---|---|
| AliCloud | SG | Service Provider | Provides cloud-based hosting, storage and processing services |
| AWS | Global | Service Provider | Provides cloud-based hosting |
| GCP | Global | Service Provider | Provides cloud-based hosting |
| Azure | Global | Service Provider | Provides cloud-based hosting |
| Twilio | USA | Service Provider | Enables SMS to customers in order to send a link to download the mobile app |
AI Rudder will update this document if we add any new sub-processors to the list above.