Proper

Information Security Practices

1. Purpose

We’re committed to safeguarding our product and protecting the personal data and confidential information we keep.

The purpose of this document is to provide insight to our privacy and security practices. In line with that, we refer to companies who use Proper ApS (“Proper” or “we”, “us”, “our”) in this document as "you" and "your".

We make this document publicly available by publishing it on our website and we share it with all of our staff members (including any temporary workers and contractors).

Review of this document and of our information security framework is completed at least annually and needs approval by our CPO.

2. Our privacy and security organisation

2.1 Our engineering team

We have a highly skilled engineering team who govern our data protection and information security, and who are responsible for securing our product and services. When appropriate, we also engage external resources and experts.

Our CPO takes on the role of Chief Information Security Officer and leads our security initiatives.

If you have questions about the data processing activities that we carry out on your company’s behalf, you’re most welcome to contact us at privacy@helloproper.com.

3. Information security framework

We have security policies and other documents that form the basis of our information security framework. These policies and documents are reviewed on an annual basis.

The policies apply to everyone who works for us, including our staff members and freelancers, and everyone who works for us is educated and trained in our information security practices.

3.1 Information Security Policy

The goal of our Information Security Policy is to protect all the data we retain and process.

We align with current international regulatory and industry best-practice guidance, and we’ve designed our security program around best-of-breed guidelines for cloud security.

Further details of our Information Security Policy are confidential.

3.2 Data Incident Policy

In the event of a data incident, we have a documented policy and firm processes to guide our actions. Our Data Incident Policy outlines how we should document, investigate and report potential data incidents.

We comply with the GDPR and will notify you by email should we become aware of a data breach that affects you and requires notification. An email will be sent to the email addresses registered in our product or as contact persons for your subscription with us.

3.3 Business Continuity Policy

We ensure the continuity and timely recovery of our critical business processes and services in the event of a disaster, and to ensure that our critical business processes operate at an appropriate level.

We design our product to be highly available, fault-tolerant and fault-resilient. To achieve this, we follow industry best practices which we continuously improve on and review. Our product is hosted in a proven serverless infrastructure, which helps us minimise incidents, hacking, downtime and recovery time of our services.

As a principle, all our processors and sub-processors are Software as a Service. This gives us multiple advantages in the event of an incident or disaster, such as having our teams work from anywhere and much faster being able to replace a (sub-)processor that is causing issues.

Further details of our policies and processes are confidential.

3.4 Contractual obligations

As our customer, your use of our services is governed by a Data Processing Agreement.

Our Customer Agreement sets out the rights and obligations for you and for us, including our obligation to keep your information and data confidential and thoroughly protected.

Our Data Processing Agreement is described in section 4.1.

3.5 Code of Conduct and anti-bribery

We expect those who use our product or do business with us to make decisions that reflect strong ethics and are consistent with our values. We therefore require our staff members, sub-processors and processors, and business partners to adhere to the principles set out in our Code of Conduct.

As set out in our Code of Conduct, we’re committed to maintaining a high ethical standard, and we require that our staff members and business partners comply with all the relevant anti-corruption laws of the countries that we do business in.

3.6 Human resources

All of our staff members need to know what they can and cannot do when handling confidential information and personal data. In addition to their obligation to follow our Code of Conduct, our staff members must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts and in our Employee Handbook.

The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract.

If a staff member breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.

3.6.1 Hiring

As part of our recruitment process for hiring new staff members, we carry out reference checks where relevant. We perform criminal checks on all roles.

3.6.2 Training

Our new staff members go through a new hire program that includes education and training about how to protect and handle information. New hires learn about our commitment to information security and data privacy, our Code of Conduct, and our requirements for protecting and safeguarding information.

3.6.3 Confidentiality

In addition to upholding their employment contract, our staff members must read and comply with our Code of Conduct.

3.6.4 Leaving

When staff members leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 6.2.

4. Privacy

4.1 Data Processing Agreement

We use the terms “data controller”, “processor” and “sub-processor” below. The terms are defined in Article 28 of the EU’s General Data Protection Regulation (“GDPR”), where the data controller and the processor, and the processor and the sub-processor, are required to have a “data processing agreement” (“DPA”) in place that documents the data processing activities being carried out.

Our DPA meets the requirements outlined in the GDPR and is part of our Services Subscription Agreement. You can find a copy of our DPA on our website here. We recommend that you keep a copy of our DPA on file in case you need to show that you comply with Article 28 of the GDPR.

4.2 Personal data

We consider any data relating to an identified or identifiable person as “personal data”; examples:

  • Basic identity information such as name, address, email address, and Id numbers, other HR related data that identifies the individual
  • Financial information that identifies the individual
  • Voice, transcript text and video data that identifies the individual
  • Web data such as location, IP address, cookie data and other technologies serving similar purposes, and device identifiers

We process sensitive data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product.

When we build products, Privacy by Design is part of our product development process so we ensure that we have legitimate purpose when we process specific personal data, limit our processing of data, and retain data securely and only for as long as the purpose legitimates.

For details on the personal data we keep, and why and how we and our processors and sub-processors retain and delete this data, please see Section 4.4 and 4.5.

4.3 Processors and Sub-processors

We use specialised companies to assist us with delivering our services to you, such as hosting our platform. Pursuant to the GDPR, these companies are, depending on our own role, called “processors” or “sub-processors”.

Before we engage a processor or a sub-processor, we perform a thorough security and privacy risk assessment of the company’s services. The risk assessment aligns with the Data Protection Impact Assessment (“DPIA”) process and is a requirement of the GDPR. As part of this process, we evaluate the company’s privacy and security practices, we carry out a risk assessment of the personal data that we would be sharing with the company, and we review the company’s DPA. We follow this process to determine whether the company is competent to process personal data in line with the legislation and meets our requirements and standards. We will only share personal data of your users with a company provided that these requirements are in place.

We monitor the performance and applicability of our processors and sub-processors on an ongoing basis, and we review the DPIA’s on an annual basis. We may find it necessary to add or replace a company as a processor or sub-processor, and if we do, we will notify you through the email we have registered as the owner of your account.

When we stop using a company as a processor or sub-processor, we will remove the company from our product and infrastructure, and we will request the deletion of all personal data about you and your users retained by the company.

Data to and from our processors and sub-processors is encrypted during transit, and to safeguard the traffic between our users and our product, all web communication is 128-bit encrypted as minimum. All of our websites use TLS 1.2, and we only support data sent via web submissions that use HTTPS.

Access to our processors and sub-processors is protected by secure multi-factor authentication to the extent possible. We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.

We secure the emails we send through our product with TLS 1.2, SPF and DKIM. If the receiving email server doesn’t support TLS, we automatically use the next most secure protocol supported by the receiving email server.

The emails we send to you and your users are sent from domains that we own and manage.

4.4 Protecting the personal data about your users

When you share personal data about your users with us, your company acts as data controller and we act as processor.

We process this data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product.

4.4.2 Our sub-processors

You can see the list of the sub-processors we use to process personal data about your users here.

4.5 Protecting your personal data

We process your personal data for the purpose of providing the various functionalities of our product to you.

Employees in your account are created, managed and deleted by you within our product or by writing to our support team. If you do not delete an employee, or have one of your colleagues do it, or ask us to delete it on your behalf, we will retain the employee for as long as you retain your account with us. We do not store not keep passwords which are handled by a secure third party provider as their speciality.

In our Privacy Policy, we set out what types of information we process as a data controller related to our website and product, including information about our cookies, and how we process personal data.

4.5.1 Data Subject Rights

We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislations.

5. Our Product

5.1 Infrastructure

Our infrastructure is hosted with Amazon Web Services (AWS). The IT infrastructure that AWS provides is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies (by November 2022):

  • SOC 1/ISAE 3402, SOC 2, SOC 3
  • FISMA, DIACAP, and FedRAMP
  • PCI DSS Level 1
  • ISO 9001, ISO 27001, ISO 27017, ISO 27018

Our proven serverless infrastructure provides us with best practice in many areas, such as availability, scalability, security, data input controls, protection against externally and internally generated attacks, and development process.

Temporary files are retained only for as long as they are needed, then deleted by means of automation.

We host our production environment, our staging environment and our test environment on AWS, where we keep our production environment, and the data therein, strictly separate from the staging and test environments.

Our product provides a sandbox environment to Software Engineers for testing.

5.2 Security

We consider security concepts, assessments and techniques fundamental to the development, reliability, and overall improvement of our product and services.

We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need. We monitor and align this continuously.

We pass all software changes through a formalised code review process prior to being released into isolated environments. We test all changes. Upon successful testing and quality assurance, and after removing any debugging and test code elements, the changes are promoted into production.

We do not rely on outsourced development - all of our development is in-house.

Encryption keys are securely stored. Regular reviews are conducted to maintain the integrity of key management.

You are welcome to conduct your own security scans and penetration tests of our services, as long as these are of a non-malicious nature and you ask us for pre-approval. We need the pre-approval solely because your scans and tests could trigger monitoring anomalies on our side that we would like to react appropriately to.

5.3 Malicious code management

Our backend infrastructure is automatically built by code using GitHub Actions and follows infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it’s always complete, lean and clean. Our serverless setup has the benefit that we don’t need to use antivirus or anti-malware software as that is handled by our platform provider.

We continuously monitor our infrastructure and product for errors so that we can detect and address these quickly.

5.4 Software patch management & malware

We have a formal process for management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to info@helloproper.com. When we have identified the vulnerability as legitimate and requiring remediation, we log it as an issue, prioritise it according to severity, assign an owner and address it according to priority. We track the vulnerabilities and we follow up frequently until we can verify that the vulnerability has been remediated.

Our commitment to software security is paramount. We ensure our software remains resilient through rigorous patch management:

  • Shared Responsibility Model: AWS takes care of Security of the Cloud, while we handle Security in the Cloud.
  • Reduced Downtime and Overhead: Serverless on AWS means there's no manual patching cycles or planned outages. All updates occur seamlessly in the background, ensuring our services remain continuously available.
  • In-house Vigilance: Beyond infrastructure, we actively monitor our software dependencies, ensuring that our code libraries and frameworks are always updated, especially concerning security patches.
  • Testing: We employ continuous integration to thoroughly test all patches before deployment.

In addition to patch management, our hosting environment on AWS, combined with our use of Mac computers, enhances security by design, as these systems are regularly updated and maintained.

5.5 Logging

Our logs are confidential and unavailable outside our company.

Our logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed.

We retain our logs until they are no longer needed, after which the logs are deleted.

Examples of activities we log are:

  • Application exceptions
  • Stack trace
  • Traffic statistics
  • Backend changes and deployments
  • Malicious activity and exceptions

5.6 Data backup

We use point-in-time recovery to manage our database backups. Point-in-time recovery provides continuous backups.

We perform backup recovery tests regularly.

Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed.

We retain our backups for a maximum of 35 days, after which a backup is deleted.

All user data is fully encrypted at rest, ensuring the highest level of data security. Our data backups also employ encryption to safeguard sensitive information.

6. Our IT

Our Engineering Team manages our internal accounts, password security, access to systems and data, and IT assets - covering both hardware and software.

6.1 Provisioning of access

All our staff members are granted an individual @helloproper.com personal user account. We don’t allow any two staff members to share or use the same personal user account.

Access permissions for individual services and user roles are granted from our role-based access control model using least privilege first principles and granted according to work-related needs. Before we grant access, the internal owner of the respective service must approve the assignment of access rights and roles. We require a segregation of duties between the person requesting access and the person approving.

We maintain a detailed access log which is continually monitored. In cases of inappropriate access or red flags, we have mechanisms in place to promptly block users from accessing our system.

6.2 Review and removal of access

Access rights to our services and data are reviewed at least annually, and staff member access is removed or downgraded when it is longer required to carry out duties and responsibilities.

When a staff member leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the staff member remains valid after they leave our employment.

6.3 Passwords

All internal user accounts are protected with a password and saved in a password manager which must meet the rules described in our password policy that aligns with the recommendations of the National Institute of Standards and Technology (NIST).

We only grant access for authorised staff members with work-related need access.

6.4 Office networks

We rely on the principle of “working from anywhere”, where our staff are free to work from wherever they are located.

Our office networks therefore do not provide any protection or security specific to our product, and our product considers our office networks as any Internet connected network.

To enable this, no application or file storage services are provided by our office networks, and we instead make use of our processors and sub-processors, which can all be accessed securely from anywhere.

6.5 Assets

We broadly define our network equipment, stationary devices, mobile devices, software, and removable media as IT assets.

We identify, register, and assign owners for all our IT assets.

6.5.1 Devices

We make sure to install all required software updates, security patches and firmware upgrades.

Our Operations Team ensures that disk encryption and screen lock timeout is enabled on all devices that we use to access our technical environment.

Our staff members are instructed not to carry out unauthorised downloads, store or share personal data, copyrighted or intellectual property material, or install or run unauthorised, untested, or unlicensed software without prior approval from our CPO.

After use, our devices and other hardware are recycled. Our Operations Team collects and dismantles everything, including wiping hard drives.

6.6 Physical security

Our office cannot be accessed directly from the street and entry into our office requires access to a keycard or similar.

6.7 Paper documents

We maintain a paper-free environment and documents are not printed unless necessary. We do not unnecessarily retain paper documents.

When disposed of, all paper documents containing personal data are shredded.

We have a clean desk policy and data is not stored on on-premise media.

7. Company information

Proper ApS was established in 2017 by our two founders, and is located in Copenhagen. Our company registration number is DK39016869.

8. Contact us

If you have any questions or concerns about our privacy or security practices, you’re welcome to send an email at privacy@helloproper.com.