See the steps we take to ensure your privacy and protection with Ideanote
Ideanote relies on your trust. Without you, there is no us. Innovation and idea sharing can contain highly confidential information and should always be kept safe from harm. For that reason we have put in place extensive security and control processes that help ensure information safety. Ideanote takes pride in providing Enterprise security for everyone.
Your data is safe with us because we care about knowing that you can rest easy as you build your innovation community with Ideanote. Below we answer some of the most common questions we have received from Customers, to give you a fast overview and specific answers.
Ideanote persistently stores Customer data on the Google Cloud Platform with servers located in the EU, Frankfurt and Dublin. Customer Content (Ideas, Comments etc.) is not stored by any other third-party provider. In addition to this, we have signed Data Processing Addendums (DPAs) with any Sub-Processors of customer data. You can view a full list of Our Sub-Processors at ideanote.io/terms#sub-processors.
The Google Cloud Platform data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Access to Google's data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics.
Only approved employees with specific roles may enter. Additionally, Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Google meticulously tracks the location and status of all equipment within their data centers from acquisition to installation to retirement to destruction, via barcodes and asset tags. Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data center floor without authorization.
If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Our datacenter provider is of course SOC2 compliant, and you’re always welcome to contact us if you’d like us to provide you with their compliance report. To expedite the process we kindly ask that you include sufficient contact information along with a reason for requesting it.
All client data is fully backed up on a daily basis to multiple data centers within the EU, Frankfurt, and Dublin.
Currently, customer data can be deleted with a written request to Ideanote by the customer. In connection with our GDPR compliance efforts, we will be updating our data deletion abilities to make them part of the user interface.
Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Ideanote allows customers to export their raw data at any time in the industry-standard JSON format with a written request from the customer. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with Ideanote's internal data retention policies.
All sensitive Customer data is accessible only after the successful exchange of a session token from our API. The token carries varying degrees of access rights to a specific Customer’s data, depending on multiple factors such as the settings of the Space, the specific user trying to access the resource, and the operation being attempted on that resource. This provides logical separation between data belonging to multiple customers. Customer Data resides on database systems which house data belonging to multiple Customers, but our logical authentication and authorization controls separate one Customer’s data from another Customer’s data.
Our product supports Single Sign-On (SSO). We support the SAML standard, including integration with the Active Directory (AD) protocol. You can set up the SSO yourself under /space-settings/sso.
When a user visits a website or application with Ideanote instrumented, the details of their interactions are captured and sent to Ideanote over HTTPS. All data transferred over HTTPS is encrypted. Ideanote allows connections over HTTPS exclusively to ensure data is encrypted in transit. Ideanote uses NIST Suite B compliant cipher suites to secure data in transit and at rest.
The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption
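The DEK/KEK layering described above, as an added illustration (not Ideanote's or Google's code). The function names, the 16-byte chunk size and the use of AES-256-GCM for both layers are assumptions, and `rotateKek` goes one step beyond the text to show why the wrapping layer is useful.

```javascript
const crypto = require('crypto');

// AES-256-GCM is an assumption for both layers; output is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverse of seal; throws if the key is wrong or any byte was altered.
function open(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Each chunk gets its own DEK, stored next to the chunk but only in wrapped form.
function encryptChunks(kek, data, chunkSize) {
  const out = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    const dek = crypto.randomBytes(32);
    out.push({
      wrappedDek: seal(kek, dek),
      ciphertext: seal(dek, data.subarray(off, off + chunkSize)),
    });
  }
  return out;
}

// Reading a chunk needs the KEK first: unwrap the DEK, then decrypt the data.
function decryptChunks(kek, chunks) {
  return Buffer.concat(chunks.map((c) => open(open(kek, c.wrappedDek), c.ciphertext)));
}

// Goes beyond the text: rotating the KEK re-wraps the DEKs, data stays untouched.
function rotateKek(oldKek, newKek, chunks) {
  return chunks.map((c) => ({ ...c, wrappedDek: seal(newKek, open(oldKek, c.wrappedDek)) }));
}

// Constructed sample input, not real customer content.
const kek = crypto.randomBytes(32);
const stored = encryptChunks(kek, Buffer.from('constructed sample idea text'), 16);
console.log(stored.length, decryptChunks(kek, stored).toString());
```

Because the stored DEKs are useless without the KEK, access to the KEK is the control point for every chunk it protects.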
Keys for encryption of customer data at rest are managed by our cloud provider, Google. You can find additional information about Google's key management procedures here: https://cloud.google.com/kms/. We use public/private keys to secure access to code repositories. Keys used by staff are generated by Ideanote employees on an individual basis and stored on local machines. Access to the repositories can be provisioned or revoked by senior engineering staff.
Yes. Passwords are hashed using an industry-standard adaptive hash function built on the Blowfish block cipher. It is based on a technique called key stretching, which is recommended by NIST.
We use Google G-Suite as our corporate single sign-on platform. This application controls our access to the various applications that Ideanote uses. Ideanote uses multi-factor authentication to gain access to the system. The password policy is set as follows: (a) passwords must be a minimum of 8 characters; (b) they must contain some lower case letters, and they cannot contain part of the username; and (c) users are locked out after 10 failed login attempts. To learn more about the security of G-Suite as identity provider, please see static.googleusercontent.com/media/gsuite.google.com/en/security/g-suite-security-ebook.pdf
We run background checks on all incoming employees, or contractors who will be working in any Ideanote office, before they start at the company. Additionally, all employees sign confidentiality agreements to protect customer information.
Ideanote uses third-party vendors to provide our services, namely the Google Cloud Platform to persistently store customer data. Ideanote additionally uses vendors to monitor the performance of Our Services and for communication purposes after they have been vetted and signed the appropriate contractual protections to handle customer data. In connection with our GDPR compliance, we are disclosing Our full list of Sub-Processors at ideanote.io/term#sub-processors.
Ideanote’s customers can customize and decide what information to send into our database, with certain restrictions as governed in our agreement with a Customer. This may include personal information, but whether there is personal information sent is ultimately determined by the Customer and their decisions on what data to send to Ideanote to process.
When customers send data to the Ideanote platform, Ideanote is the data processor, as defined in the GDPR, for purposes of the services provided; the Customer is the data controller.
Yes. You can find more information in the Ideanote DPA at ideanote.io/legal/dpa
Yes, we have in place written Data Processing Agreements (“DPA”) with all of Our Sub-Processors. Ideanote imposes data protection terms on each Sub-Processor regarding their security controls and applicable regulations for the protection of personal data. Before engaging a Sub-Processor, we perform extensive due diligence, including detailed security and legal analysis. We do not engage a Sub-Processor unless our quality standards are met.
We perform regular, automated, vulnerability scans on our external and internal networks. Further, security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.
Access to the audit trail is restricted to our development team, and the audit trail itself is immutable. Audit trail records are kept for at least 1 year. Ideanote automatically logs activity by its development team and all Users of the Service as it happens, using Google’s built-in StackDriver audit logging and monitoring. All logs remain immutable, time synced, filterable and exportable. We work with Customers on the Enterprise plan to fulfill any audit trail inquiries and reasonable requests for audit trail exports in a timely manner.
Our production servers run Linux, where we achieve security by making all of our services sandboxed in containers that are entirely recycled for each deployment. This prevents malware from gaining a persistent foothold, and ensures that there is a minimal window in which malware could stay memory-resident. In our view, this approach is more robust than relying on a detective approach to preventing malware compromise.
The Ideanote Service features 4 security levels of accounts: Owner, Admin, Member and Guest. The Owner Account (one per Space) has full access to all Space settings and billing. Admins have full access to create and delete content, missions and teams, as well as to invite people and manage member roles. Members and Guests have the ability to create content based on access levels given by Admins.
When you claim an Ideanote Space, it’s yours and yours alone. All access to the datastore is restricted to only a select few to keep security high and risk low.
Well, whenever a customer runs into a bug or an error, we either request direct access to the Space in question, make use of screen-sharing software or simply run tests using a development environment. You’ll never have to grant access to anything if you don’t want to. It’s that easy. Data is kept in a highly secure environment that can only be accessed with 2FA. Ideanote will never, for any reason or under any circumstances, sell your data to third parties.
Ideanote does not own, control or direct the use of any data stored or processed by our customers as they use our service. This extends to access, retrieval and direct use of such data. We are generally unaware of what is being stored or otherwise internally made available within a Space.
Ownership of Content remains with Customer and its Users. As described in Our Terms of Service, Ideanote and its employees are at no point permitted to view Customer Content unless We are given explicit consent by the Customer for valid support purposes or if We are compelled by a law or a valid legal or government request. At no point are we allowed to Use Customer Content for Our own purposes.
Ideanote employees, such as our support staff, do not have access to customer Spaces by default. Access to Spaces is given to employees only on the basis of valid urgent support requests. Employees are trained on appropriate access, and access is monitored for inappropriate use.
While Customer Content is not accessed, generalized Customer data in the form of events and usage statistics is collected and used for the purposes of general user experience improvements and product feedback. Any direct product feedback given to Customer Support staff is not considered Customer Content and can also be used to improve our Services.
In the event of a security breach, Ideanote will notify you of any unauthorized access to your customer data within 72 hours after first having become aware of the breach. However unlikely such an occurrence is, we have thorough incident management policies and procedures in place to handle such an event with utmost care and efficiency. As part of GDPR compliance we will also have to report such an incident to the responsible local government authorities, the Danish Data Protection Agency.
We store all data for up to 10 years unless your account is deleted, in which case we dispose of all data within 60 days, in accordance with our Terms of Service and Privacy Policy. Information regarding legal transactions between customers and Ideanote will be stored for up to 10 years.