This page describes the technical and organizational security measures implemented by SpatialChat. These security measures may be updated from time to provide the best user experience. Any such updates and modifications do not result in the degradation of the overall SpatialChat services.

Security

Data centers

SpatialChat stores its data at the physically secure data centers in the Republic of Ireland. We use Amazon Web Services servers located in Dublin.

Amazon Web Services data centers have all relevant best practice compliance certificates.

Learn more about compliance at AWS

Physical security of data centers is ensured through several measures, including strict control of personnel access to the data center premises, as well as access control of third parties. Access to data centers is regularly reviewed, activities and incidents are monitored on a 24/7 basis, CCTV recordings of physical access points to server rooms are provided, and electronic intrusion detection systems are in place.

Office security

SpatialChat is a Cyprus-based company with HQ in Limassol. 

Access to all office spaces is regulated by an access control system and only employees and visitors who have registered or have temporary access cards are allowed to enter. Company policy requires that all visitors must be accompanied by responsible employees.

HR Security

Our employees and contractors are required to sign a non-disclosure agreement before starting work.

We provide security awareness training for all new employees, as well as annually for all employees. Training is carried out through an electronic platform and materials and posters displayed throughout our offices.

We provide training for our product developers following OWASP best practices for secure programming.

Operational Security

All our data is encrypted in transit and at rest. Our services are hosted with AWS to ensure the highest standards of security and reliability. TLS 1.2 is used for data in transit, data at rest is encrypted with AES-256.

We give access to our systems on a ‘need to know’ basis, access review is performed twice a year.

Application Security

We comply with modern industry standards regarding application security. Our production and development environments and networks are isolated. We perform code reviews, penetration testing, and automated code analysis.

Privacy

SpatialChat conducts due diligence before onboarding its contractors/vendors/employees. We maintain contractual relationships with all of our vendors. If the personal data is processed and/or transferred via a vendor located on US soil, we use DPA with SCCs.

In our daily activities with personal data, we use all reasonable and appropriate technical and organizational measures to adhere to applicable privacy laws. To protect personal data, we have enacted the following internal and external policies: General Data Protection Policy, Privacy Policy, Subject Access Request policy, employee procedures for handling subject access requests, data breach procedures, and other documents including as may be required by applicable legislation. Personal data is treated as confidential throughout processing.

We do not store personal data for longer than is required for the initial purpose of its collection. However, we may retain anonymized data for statistical and analytical purposes. Certain personal data is retained to the extent required and/or permitted by law to protect our legal interests.

Incident management

SpatialChat has designed its infrastructure to log information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. SpatialChat personnel, including security, are responsive to known incidents.

SpatialChat maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, SpatialChat takes appropriate steps to minimize user damage and unauthorized disclosure and to prevent future incidents.

If SpatialChat becomes aware of unlawful access to data stored within its services, we notify the affected users of the incident, provide a description of the steps that are being taken to resolve the incident and provide status updates to the user, as necessary.

Data Processing Agreement

If you wish to sign a DPA with us, below you can find the pre-signed from our side document:

SpatialChat_DPA (approved 220721) (1).pdf

Compliance certifications and attestations

SOC 2 Type II 
#gdpr #security #soc2typeII