Introduction
Sanifu is committed to providing state-of-the-art unstructured data processing services by leveraging advanced and emergent AI technologies as well as integrating with internal systems like emails and ERPs/CRMs for end-to-end automation. While these integrations offer unparalleled functionality, they also mean that we are constantly in touch with client internal data, most of which might be considered private. This document outlines a comprehensive technical security plan, designed by Sanifu’s security team, to align with industry standards with regard to data protection and privacy, including SOC 2, ISO 27001, GDPR as well as Kenya’s Data Protection Act 2019.
1. Compliance and Data Sovereignty
- Global Data Protection: We adhere to global data protection regulations such as SOC 2, ISO27001 and GDPR as well as local policies such as The Data Protection Act, 2019 of Kenya, ensuring our clients' data is handled in compliance with the laws of the countries in which we operate.
- Data Sovereignty: Measures are in place to ensure data is processed and stored in accordance with the data sovereignty laws of the originating country.
2. Data Encryption Strategies
2.1 Encryption at Rest
- Implementation: We utilize Advanced Encryption Standard (AES) with a 256-bit key, the gold standard, for encrypting any data temporarily stored on our servers. This includes all forms of persistent data storage, such as databases, file systems, and backups.
- Key Management: Encryption key management practices are aligned with ISO 27001, ensuring secure generation, storage, and rotation of encryption keys.
- Compliance: This approach adheres to the ISO 27001 standard for data confidentiality and integrity, as well as SOC 2's focus on security, availability, and confidentiality.
2.2 Encryption in Transit
- Implementation: All data transmitted between our servers and client systems is protected using Transport Layer Security (TLS) 1.3, the most secure protocol for safeguarding data in transit.
- Mutual TLS (mTLS): For heightened security, we employ mTLS, requiring both the client and the server to authenticate each other, ensuring a two-way verification process.
- Compliance: These practices meet the SOC 2 and GDPR requirements for secure data transmission, ensuring data privacy and integrity during transit.
3. Access Control and Authentication
3.1 Role-Based Access Control (RBAC)
- Implementation: Access to sensitive data and critical systems is governed by RBAC, ensuring users have access only to the data and resources necessary for their roles.
- Periodic Review: Access privileges are reviewed and updated regularly, in accordance with ISO 27001's continual improvement framework.
3.2 Multi-Factor Authentication (MFA)
- Implementation: MFA is enforced for all system access, adding an additional layer of security beyond just passwords.
- Compliance: This aligns with SOC 2's focus on security and ISO 27001's access control requirements.
3.3 Regular Audits
- Implementation: Regular audits of access controls are conducted to identify potential vulnerabilities and ensure compliance with our access control policies.
- Compliance: These audits are crucial for maintaining SOC 2 and ISO 27001 compliance, ensuring continuous improvement in access management.
4. Secure Email Processing
- Secure Authorization with OAuth 2.0: For accessing the Microsoft Graph API, we use OAuth 2.0, a robust protocol for secure authorization.
5. Data Retention and Disposal
5.1 Real-time Processing
- Emails and attachments are processed in real-time without being stored on our servers, aligning with GDPR's data minimization principle.
- When necessary, secure and encrypted temporary storage is utilized, with automatic purging post-processing.
5.2 Temporary Data Storage
- Implementation: Sanifu adopts a strict policy of storing data only for the duration necessary for processing. This approach aligns with the principle of data minimization and ensures that data exposure risks are significantly reduced.
- Data Lifecycle: The lifecycle of each data element is closely monitored. Data is stored temporarily during its processing by our AI systems, and its status is continually assessed to determine its necessity.
5.3 Permanent Data Deletion
- Policy on Deletion: Post-processing, any data that is not essential for ongoing operations or compliance purposes is identified and permanently deleted from our systems. This deletion process is irreversible, and the data is not archived.
- Compliance with Regulations: This practice is in line with GDPR's right to erasure ('right to be forgotten') and ensures that we do not retain personal data longer than necessary. It also aligns with ISO 27001's requirements for data lifecycle management and SOC 2's focus on data privacy.
5.4 Automated Data Management
- Automated Systems: To manage this process efficiently and reduce the risk of human error, we employ automated systems that are programmed to delete data upon the completion of its processing. These systems are regularly audited to ensure their effectiveness and compliance with our data retention policies.
- Regular Review and Updates: The data retention and disposal policies are reviewed regularly to align with the latest legal requirements and best practices in data management and security.
6. Data Minimization and Anonymization
- Data Processing Limits: In accordance with GDPR's data minimization principle, we process only the data necessary for each specific task.
- Anonymization: Where possible, data is anonymized to remove personal identifiers, reducing the risk of privacy breaches.
- Compliance: These practices align with GDPR requirements, enhancing user privacy and data protection.
7. Data Transfer and Storage
- Direct Client System Integration: We explore direct integration options with clients' systems, such as SharePoint, to securely process data without moving it off-premises.
- Encrypted Channels: All data transfers to and from client systems are conducted over secure, encrypted channels, selected according to what the client systems support.
8. Security Audits and Compliance Checks
- Regular Security Audits: Conducting regular security audits helps us identify and address potential vulnerabilities in our systems.
- Compliance Checks: Regular reviews are performed to ensure ongoing compliance with evolving data protection laws and standards, such as SOC 2 and ISO 27001.
9. Incident Response and Management
- Incident Response Plan: A comprehensive incident response plan is in place, detailing procedures for managing security incidents effectively.
- Staff Training: Regular training sessions are conducted to educate our staff on security best practices and incident response protocols.
10. Client Education and Transparency
- Documentation: Clients are provided with detailed documentation outlining our security measures, enhancing trust and transparency.
- Data Processing Practices: We maintain transparency about our data processing practices and third-party integrations, in line with GDPR's transparency requirements.
11. Continuous Monitoring and Improvement
- System Monitoring: Continuous monitoring of all systems is implemented for timely detection and response to security threats.
- Security Updates: We regularly update and improve our security measures based on new threats and advancements in technology.
Conclusion
Our comprehensive technical security plan, including the critical addition of temporary data storage and permanent data deletion, showcases Sanifu's commitment to the highest standards of data security and privacy. By adhering to best practices and regulations set forth by SOC 2, ISO 27001, GDPR and Kenya’s Data Protection Act 2019, we provide our enterprise clients with the assurance that their data is not only secure but also handled responsibly and ethically. Regular updates, continuous monitoring, and a proactive approach to data lifecycle management further reinforce the trust and reliability that are the cornerstones of our services.