Security Questionnaire

Ideanote relies on your trust. Without you, there is no us. Innovation and idea sharing can contain highly confidential information and should always be kept safe from harm. For that reason we have put in place extensive security and control processes that help ensure information safety. Ideanote takes pride in providing Enterprise security for everyone.

Your data is safe with us because we care about knowing that you can rest easy as you build your innovation community with Ideanote. Below we answer some of the most common questions we have received from Customers, to give you a fast overview and specific answers.

Data center features

Where is customer data stored?

Ideanote persistently stores Customer data on the Google Cloud Platform with servers located in the EU, Frankfurt and Dublin. Customer Content (Ideas, Comments etc.) is not stored by any other third-party provider. In addition to this, we have signed Data Processing Addendums (DPAs) with any Sub-Processors of customer data. You can view a full list of Our Sub-Processors at ideanote.io/terms#sub-processors.

What security features do Ideanote’s data centers provide?

The Google Cloud Platform data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Access to Google's data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. 

Only approved employees with specific roles may enter. Additionally, Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Google meticulously tracks the location and status of all equipment within their data centers from acquisition to installation to retirement to destruction, via barcodes and asset tags. Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data center floor without authorization. 

If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.

Is Ideanote SOC2 compliant?

Our datacenter provider is of course SOC2 compliant, and you’re always welcome to contact us if you’d like us to provide you with their compliance report. To expedite the process we kindly ask that you include sufficient contact information along with a reason for requesting it.

How is Customer data backed up?

All client data is fully backed up on a daily basis to multiple data centers within the EU, Frankfurt, and Dublin.

Can Ideanote delete Customer data on request?

Currently, customer data can be deleted with a written request to Ideanote by the customer. In connection with our GDPR compliance efforts, we will be updating our data deletion abilities to make them part of the user interface. 

Does Ideanote have the ability to sanitize computing resources of client data if a customer leaves Ideanote?

Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.

Does Ideanote keep customer information after termination?

Ideanote allows customers to export their raw data at any time in the industry-standard JSON format with a written request from the customer. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with Ideanote's internal data retention policies.

Data security and management

Does Ideanote keep one Customer's data separated?

All sensitive Customer data is accessible only after the successful exchange of a session token from our API. The token carries varying degrees of access rights to a specific Customer’s data, depending on multiple factors such as the settings of the Space, the specific user trying to access the resource, and the operation being attempted on that resource. This provides logical separation between data belonging to multiple customers. Customer Data resides on database systems which house data belonging to multiple Customers, but our logical authentication and authorization controls separate one Customer’s data from another Customer’s data.

Does Ideanote support single sign-on and multifactor authentication? 

Our product supports Single Sign-On (SSO). We support the SAML standard, including integration with the Active Directory (AD) protocol. You can set up SSO yourself under /space-settings/sso.

Encryption and password management

Does Ideanote encrypt customer data?

When a user visits a website or application with Ideanote instrumented, the details of their interactions are captured and sent to Ideanote over HTTPS. All data transferred over HTTPS is encrypted. Ideanote allows connections over HTTPS exclusively, to ensure data is encrypted in transit. Ideanote uses NIST Suite B compliant cipher suites to secure data in transit and at rest.

The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption

What are Ideanote’s procedures for password management?

Keys for encryption of customer data at rest are managed by our cloud provider, Google. You can find additional information about Google's key management procedures here: https://cloud.google.com/kms/. We use public/private keys to secure access to code repositories. Keys used by staff are generated by Ideanote employees on an individual basis and stored on local machines. Access to the repositories can be provisioned or revoked by senior engineering staff.

Are customer passwords encrypted?

Yes. Passwords are hashed using the industry-standard Blowfish block cipher cryptographic algorithm which is an adaptive hash function that is based on a technique called Key Stretching, that is recommended by NIST.

What are Ideanote’s corporate password requirements?

We use Google G-Suite as our corporate single sign-on platform. This application controls our access to the various applications that Ideanote uses. Ideanote uses multi-factor authentication to gain access to the system. With regard to the password policy specifically, the requirements are set as follows: (a) passwords must be a minimum of 8 characters; (b) they must contain some lower case letters, and they cannot contain part of the username; and (c) users are locked out after 10 failed login attempts. To learn more about the security of G-Suite as identity provider, please see static.googleusercontent.com/media/gsuite.google.com/en/security/g-suite-security-ebook.pdf

HR and corporate policies

Does Ideanote run background checks on its employees?

We run background checks on all incoming employees, or contractors who will be working in any Ideanote office, before starting at the company. Additionally, all employees sign confidentiality agreements to protect customer information.

Does Ideanote subcontract any of its services?

Ideanote uses third-party vendors to provide our services, namely the Google Cloud Platform to persistently store customer data. Ideanote additionally uses vendors to monitor the performance of Our Services and for communication purposes after they have been vetted and signed the appropriate contractual protections to handle customer data. In connection with our GDPR compliance, we are disclosing Our full list of Sub-Processors at ideanote.io/term#sub-processors.

GDPR

Does Ideanote process personal information?

Ideanote’s customers can customize and decide what information to send into our database, with certain restrictions as governed in our agreement with a Customer. This may include personal information, but whether there is personal information sent is ultimately determined by the Customer and their decisions on what data to send to Ideanote to process. 

Is Ideanote data controller or processor?

When customers send data to the Ideanote platform, Ideanote is the data processor, as defined in the GDPR, for purposes of the services provided; the Customer is the data controller.

Does Ideanote comply with the GDPR?

Yes. You can find more information in the Ideanote DPA at ideanote.io/legal/dpa

Do Ideanote Sub-Processors comply with GDPR?

Yes, we have in place written Data Processing Agreements (“DPA”) with all of Our Sub-Processors. Ideanote imposes data protection terms on each Sub-Processor regarding their security controls and applicable regulations for the protection of personal data. Before engaging a Sub-Processor, we perform extensive due diligence, including detailed security and legal analysis. We do not engage a Sub-Processor unless our quality standards are met.

Audit

Does Ideanote conduct regular security audits?

We perform regular, automated, vulnerability scans on our external and internal networks. Further, security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.

Does Ideanote log events with an audit trail?

Access to the audit trail is restricted to our development team, and the records remain immutable. Audit trail records are kept for at least 1 year. Ideanote extensively and automatically logs activity by its development team and all Users of the Service as it happens, using Google’s built-in Stackdriver audit logging and monitoring. All logs remain immutable, time synced, filterable and exportable. We work with Customers on the Enterprise plan to fulfill any audit trail inquiries and reasonable requests for audit trail exports in a timely manner.

Threat and vulnerability management

Does Ideanote have anti-malware programs installed?

Our production servers run Linux, where we achieve security by making all of our services sandboxed in containers that are entirely recycled for each deployment. This prevents malware from gaining a persistent foothold, and ensures that there is a minimal window in which malware could stay memory-resident. In our view, this approach is more robust than relying on a detective approach to preventing malware compromise.

How does account management work at Ideanote?

The Ideanote Service features 4 security levels of accounts: Owner, Admin, Member and Guest. The Owner Account (one per Space) has full access to all Space settings and billing. Admins have full access to create and delete content, missions and teams, as well as to invite people and manage member roles. Members and Guests have the ability to create content based on access levels given by Admins.

Is my Data kept private?

When you claim an Ideanote Space, it’s yours and yours alone. All access to the datastore is restricted to only a select few to keep security high and risk low.

Whenever a customer runs into a bug or an error, we either request direct access to the Space in question, make use of screen-sharing software or simply run tests using a development environment. You’ll never have to grant access to anything if you don’t want to. It’s that easy. Data is kept in a highly secure environment that can only be accessed with 2FA. Ideanote will never, for any reason or under any circumstances, sell your data to third parties.

Does Ideanote staff access or use Customer data or Content?

Ideanote does not own, control or direct the use of any data stored or processed by our customers as they use our service. This extends to access, retrieval and direct use of such data. We are generally unaware of what is being stored or otherwise internally made available within a Space.

Ownership of Content remains with Customer and its Users. As described in Our Terms of Service, Ideanote and its employees are at no point permitted to view Customer Content unless We are given explicit consent by the Customer for valid support purposes or if We are compelled by a law or a valid legal or government request. At no point are we allowed to Use Customer Content for Our own purposes.

Ideanote employees, such as our support staff, do not, as a standard, have access to customer Spaces. Access to Spaces is only given to employees on the basis of valid urgent support requests. Employees are trained on appropriate access, and access is monitored for inappropriate use.

While Customer Content is not accessed, generalized Customer data in the form of events and usage statistics is collected and used for the purposes of general user experience improvements and product feedback. Any direct product feedback given to Customer Support staff is not considered Customer Content and can also be used to improve our Services.

Incident management at Ideanote

In the event of a security breach, Ideanote will notify you of any unauthorized access to your customer data within 72 hours after first having become aware of the breach. However unlikely such an occurrence is, we have thorough incident management policies and procedures in place to handle such an event with utmost care and efficiency. As part of GDPR compliance we will also have to report such an incident to the responsible local government authorities, the Danish Data Protection Agency.

How long is data kept?

We store all data for up to 10 years unless your account is deleted, in which case we dispose of all data in accordance with our Terms of Service and Privacy Policy within 60 days. Information regarding legal transactions between customers and Ideanote will be stored for up to 10 years.