Security

Intro

Umano’s software is based on and relies on analysing data extracted from 3rd-party software products as well as user-supplied configuration and delegated credentials. Customer data is the foundation of Umano and is treated as the most critical part of Umano’s business. This policy governs the treatment of that data through its lifecycle, from acquisition to use, archival and disposal.

What Data Umano collects

Umano Customer Information. This is data pertaining to the relationship between Umano and its customers. It includes customer names, contracted services, payment details and associated personally identifiable information(PII) for points of contact.

Third-party Customer Credentials & Configuration. This is data provided by a customer to enable connectivity between Umano and customer third-party tools. Credentials include API tokens and Username:Password credentials. Third-party Customer Configuration includes data such as the location and subsections of interest of third-party tools e.g. a nominated project in JIRA.

Customer Data. This is data collected from third-party customer tools, along with any derived or computed versions. It covers the content and meta-data required for the computation of Umano products’ models and associated contextual data.

Anonymised Customer Data. This is processed from Customer Data. Anonymised Customer Data is used broadly in Umano products as a foundation dataset for training Machine Learning models, for providing global/industry/sector performance benchmarks, as well as being used for marketing purposes.

Definitions

Live Data This is a term used to denote Umano Customer Information, Third-party Customer Credentials & Configuration all Customer Data collectively.

All Data. This is a term used to denote Live Data and Customer Anonymised Data collectively.

Personally Identifiable Information (PII). This means information that can be used solely or in conjunction with other information to identify, locate or contact an individual or individuals; or information that can in context do similarly. It includes things like names, e-mails, addresses, survey responses, digital fingerprints(e.g. browser, location, user device), IP Addresses, geo-location or other device identifiers.

Umano Data Officer.This is a position held by an Umano employee that has the responsibility for reviewing and approving data access processes. This position is also accountable for delegated access and grants individual access requests.

How does Umano collect data

Umano needs to be able to access the customer third-party tools servers to collect the Customer Data used in the models to produce insights. Umano does this by accessing third-party tools APIs with delegated credentials. The communication with these APIs is done over a secure protocol that ensures all data is encrypted during transfer. Transport encryption uses the best industry standards.

How does Umano store data

Umano uses Amazon AWS platform and adheres to its security standards. To find out about AWS Security standards, please visit aws.amazon.com/security

All Data is stored by Umano in a combination of Postgres databases and S3 storage. This ensures all data collected is encrypted at rest. Communications between logical and/or physical hosts/containers within Umano infrastructure is also encrypted in transit. In addition, Third-party Customer Credentials & Configuration is stored encrypted in memory and is only unencrypted for the purpose of establishing secure channels of communication to third-party tools.

Anonymised Customer Data including company, sector/industry and other meta-data associated with an anonymised dataset is stored separately for increased security.

How does Umano access data

Umano defines two different forms of data access: On-Demand data access and Delegated data access.

On-Demand data access Access to All Data is granted in the least privilege manner. Defaults are no access. Access is requested on a one-by-one basis, where a Umano Data Officer receives the request and explicitly grant or deny access for the specific request.

Delegated data access. Umano Data Officer can nominate a Umano employee or contracted service provider with Delegated Data access for the purposes of providing the contracted SaaS services. This covers debugging, maintenance and requests to provide support.

Both forms of data access are logged and auditable. Data can only be accessed using secure work environments. No data is exported out of the controlled environment other than aggregated data, i.e. no individual datums leave the controlled environment.

On-Demand data access to Live Data is considered a break-glass situation and follows a specific process according to industry best practices.

How does Umano anonymise data

Anonymised Customer Data does not contain free-form text present in the Customer Data. Text is scored or used for training on import, but no text data is stored. Scoring includes but is not limited to grammatical analysis, common word frequency counts, or other types of natural language processing.

The Anonymised Customer Data cannot be located in time. Temporal relationships are maintained, but absolute dates are normalised to a common baseline.

The Anonymised Customer Data cannot be geographically located. Any geographically identifiable information be it location coordinates or equivalent, or spatially correlated data such as IP Addresses is not present in the final dataset.

How does Umano respond to incidents

Over and above legal and regulatory requirements, Umano adheres to the following obligations.

Data Breach Incident - Umano will contact all potentially affected customers within 24hrs of the discovery of the breach, which will be followed by a detailed post-mortem response within 1 week.

Data Loss incident - Umano will contact all potentially affected customers within 24hrs of the discovery of the data loss incident, which will be followed by a detailed recovery response within 72hrs.

How does Umano maintain Security standards

Training - Umano ensures and requires employees and associated service providers are aware of this Policy. Other policies and practices related to Security are also ensured such as Secure Development Process, Data Access Process, Data Handling Process and Data Privacy Policy.

Regular Review - Umano conducts regular reviews of this and other associated policies to maintain compliance with regulatory requirements and industry best practices.

Customer Obligations

Considered Disclosure. Customers are expected to exercise judgement when defining what access-level to their data to delegate to Umano, as well as what subsections of interest are made available to Umano’s SaaS products. Responsibility for regulatory compliance for the disclosure of customer data lies with the customer. For more information or to answer questions about controls over what data is disclosed contactus at data@umano.tech

Credential Management. Customers are responsible for the active management of their delegated credentials. This includes revoking, rotating and enforcing other credential management policies that are important for their company.

Concerns or complaints

Umano maintains industry-standard information and data protection practices and goes beyond that where possible. Handling your data with the highest standards is part of our culture and central to everything we do. If you think we are falling short of that we want you to let us know using the contact details below We take your complaints and feedback seriously and will investigate and respond as quickly as we can. If you are not satisfied with our response then you can refer your concern with the Office of the Australian Information Commissioner (OAIC) – call 1300 363 992 or go to oaic.gov.au.

Contact Details

Umano Pty. Ltd.

data@umano.tech

Level 8, 11-31 York St Sydney 2000