Effective: May 18, 2018
Your customer-facing communications can be sensitive and proprietary — for all participants. Frame takes its commitment to safeguard these communications seriously, making it a top priority in product design, system architecture, and internal processes. We want our customers to feel confidence that their information is safe, their interactions are secure, and both their businesses and their clients are protected.
All Frame services are hosted at AWS data centers, which meet (and set) the highest standards for cloud security. A sensitive alerting scheme is built into each of our component services, and our engineering team is on call 24/7 to respond to security alerts and events.
Frame's web application and system integrations are engineered to minimize attack surface and to make maximum use of established standards for authentication and cryptographically secure exchange. We periodically audit our system designs with external security professionals, and are scheduled to conduct our first annual penetration test later in 2018.
Frame's authentication systems are designed to mesh with those of your existing customer communication tools using OAuth 2.0, making it easy to centrally manage authentication and permissions. All interchange with third-party systems is conducted over HTTPS, and Frame fully implements all additional security measures those systems support, including verification of shared secrets and IP whitelisting.
As a data processor, we aim to help our customers easily meet all requirements posed by their own regulatory and customer environments. For customers facing GDPR requests, we will promptly produce records of stored information and respond to requests for data deletion with minimum disruption to ongoing services. For further protection, custom data retention policies are available as part of enterprise engagements.
| Area | Policy |
|---|---|
| Facilities | Frame's services are hosted at AWS' ISO 27001 compliant facilities. Our system architecture logically isolates each customer dataset, and strict single-tenancy is available for enterprise customers. Data center facilities maintain strict physical security and redundant power supplies. |
| Physical Security | AWS maintains a strict physical security policy, permitting access only by authorized employees, under surveillance, with incident-specific approval for each physical access. |
| Monitoring | All production network systems, networked devices, and circuits are constantly monitored by both Frame staff and automated incident detection systems. Infrastructure errors are monitored by AWS and alert our engineering team. |
| Location | Frame's application is served from the US-East region, but deployment into other regions or VPCs is available as part of enterprise contracts. |

Data Security and Privacy

| Area | Policy |
|---|---|
| Encryption in Transit | Communications between Frame and all remote clients and services are encrypted according to industry best practices using HTTPS and Transport Layer Security (TLS). Where possible, we implement shared secrets and IP whitelists to further reduce the available attack surface. |
| Encryption at Rest | Frame segments its data storage into short-term operational stores and long-term persistent storage. Data in short-term storage is accessible only within our own cloud, and is regularly purged. All data in long-term storage, including all Personally Identifiable Information, is encrypted at rest. |
| Developer and Support Access | Data logs are divided into three tiers, separating aggregate system information, communication metadata, and communication contents. This allows our internal permissions and tools to expose only the data relevant to a specific task. |
| Data Retention and Usage | Frame considers itself to be a custodian, and not owner, of all conversations and annotations we process on behalf of customers. We do not use conversational data for any purposes other than providing services to our customers. Data deletion is available upon any termination of paid service, and custom retention policies are available with enterprise plans. |
| GDPR Compliance | Frame has been built from the ground up to support end user data rights, including our responsibilities as a data processor under GDPR. Upon receipt of a GDPR request directly from an end user, we will endeavor to identify any clients for whom we have processed data on behalf of that user, and forward said request to them. In conjunction with any GDPR request received by a customer, we will coordinate to export or delete end user data as needed. |
| Third-Party Review | Frame engages external security professionals to periodically review our architecture, and we are scheduled to conduct our first annual penetration test later in 2018. |
| DDoS Mitigation | Exposed Frame IPs are protected by AWS Web Gateway's DDoS protection framework, designed to scale with significant attacks. |
| Employee Access and Training | Employees are granted granular permissions according to the least-access principle, so that they may only read and write system data and configuration relevant to their active projects. All employees are trained on, and sign acceptance of, security policies during onboarding. |
| Security Incident Response | In case of a system alert, events are escalated 24/7 to our operations team. Employees are trained on security incident response processes, including communication channels and escalation paths. |
| Third-Party Services | Frame vets all third-party services and configures them to meet or exceed our own security standards. |
If you have any questions about this Security Statement, please contact us at firstname.lastname@example.org.