Home » Framery security and compliance

Framery smart pods & workplace technology

Data, intellectual property and other confidential information are the basis for our & our business partners’ success. That’s why we care about information security and take it seriously. We have established an information security management system (ISMS) to implement, operate, monitor, review, maintain and improve information security. Our ISO 27001 certified ISMS enables us to safeguard our assets, comply with regulatory requirements, maintain trust, and stay resilient in the face of evolving cyber threats.

Personnel Security

We have implemented security controls for employees and contractors before, during and after their term.

Onboarding & Training

Employees and contractors are made aware of our security culture and their responsibilities during the praised onboarding process. All developers complete a cyber security course once a year and newly hired developers must complete the course within 3 months from employment start date. Also all our employees complete Security training during their onboarding.

While working for Framery

Security awareness training is an ongoing process throughout employment. As the threat landscape evolves constantly, we want to keep our employees on top of the threats and help them to understand their responsibilities over data protection. This includes for example awareness campaigns against phishing and cybersecurity news feeds.

Access Management

Our access management is based on role-based access control (RBAC) and The Principle of Least Privilege. When assigning access rights to a person, the person managing access rights should consider security and risks of the object as well as other possible restrictions, such as required VPN use or access only from Framery’s network. Individuals should be given only those privileges needed for it to complete its task. This applies to applications, information, data, networks and other applicable objects.

Confidentiality

All employment contracts include a confidentiality agreement. Also all our subcontractors are required to sign Non-Disclosure Agreement (NDA).

Cloud architecture & security

AWS Well-Architected Framework

Why reinvent the wheel? That’s what we thought as well. Wherever feasible, we employ the AWS Well-Architected Framework to design and operate cloud-based systems that are reliable, secure, efficient, cost-effective, and sustainable.

Physical security & Data hosting

We run our workloads on Amazon Web Services (AWS) data centers in Europe. Most of the services and data are hosted in AWS facilities in Germany, Frankfurt (eu-central-1). In addition, AWS SES (Simple Email Service) is hosted in Ireland, Dublin (eu-west-1) data center.

Framery does not have physical access to data centers. We leverage AWS’ robust physical security controls, meaning access to data centers is highly restricted. In addition, we have implemented physical security controls in our own office. With this strategy we aim to preserve the confidentiality, integrity and availability of our services from physical threats.

Failover and Disaster Recovery

Framery Connect and its related infrastructure & data are spread across 3 AWS availability zones, in other words 3 individual data centers. Should one of those data centers fail, our infrastructure and service will continue to work. The AWS Data Center controls page describes controls implemented for AWS’ Availability Zones.

Permissions and authentication

Access to the production environment and customer data is limited to authorized employees according to our Identity and Access Management (IAM) policy and The Principle of Least Privilege, i.e. only to employees whose job responsibilities require it. We are using Single Sign-on (SSO) wherever possible and multi-factor authentication (MFA) is enforced for all users.

DDoS Mitigation

Our infrastructure is protected against all known infrastructure (Layer 3 and Layer 4) attacks with AWS Shield Standard.

Network access

Access to the Framery Connect production network is strictly restricted. Access is granted according to our Identity and Access Management (IAM) policy and The Principle of Least Privilege.

Virtual Private Cloud

All Framery servers are within our own virtual private cloud (VPC). We use network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

Backups

Production data is backuped daily. All backups are encrypted at the same level as the live data and access to backups is restricted only for a very limited audience.

Monitoring

We monitor each server and service in the Framery Connect environment for health metrics to track availability and spot issues. These metrics include standard items such as network connectivity, CPU utilization, memory utilization, storage utilization and service status. Failures generate alerts that are pushed to our operations staff through prioritized channels.

Data security

Encryption at rest

Encryption at rest is encryption that is used to help protect data that is stored on a disk or backup media. All your data and metadata stored at rest is encrypted using the Advanced Encryption Standard (AES) algorithm, AES-256.

Encryption in transit


Data transmitted to or from Framery Connect undergoes encryption in transit, employing 256-bit encryption for enhanced security.

By employing OpenVPN tunnels, we guarantee the utmost security and privacy in the communication between pods and Framery Connect. Rest assured, your data travels through these tunnels shielded from prying eyes, ensuring confidentiality and integrity every step of the way. Trust in our commitment to fortifying your connections and safeguarding your information with the robust protection offered by OpenVPN technology.

Pentests & Vulnerability Scanning

Penetration testing, also known as ethical hacking, is the proactive approach we take to identify vulnerabilities in our systems before malicious actors can exploit them. We collaborate with selected, esteemed cybersecurity companies, which perform penetration tests annually or more often if there are major changes in our environment.

Another proactive approach we use is vulnerability scanning, which is a crucial process that involves systematically identifying and assessing potential security vulnerabilities in software applications during various stages of development.

Incident management

While we want to be proactive, we also want to ensure we are effectively reactive when it is needed. In the unfortunate case of an incident, our well-structured incident management process enters the game. Our response methodology is focused on minimizing downtime and business disruption. Through proactive planning and efficient execution, we aim to restore our critical systems and services to full functionality, ensuring seamless operations. We keep you informed throughout the incident management process, providing transparent updates on the situation, progress, and recommended actions. After containing the incident, we conduct thorough post-incident analysis and documentation, called postmortem. This analysis helps identify areas for improvement in your security measures and prepares your organization to better defend against future threats. We will provide root cause information within 14 days after the incident has been formally closed.

Application security

Secure Development Life Cycle (SDLC)

Framery’s Secure Development Life Cycle (SDLC) is meticulously crafted to minimize security risks during the software development process while ensuring the delivery of robust software functionality. Framery’s software development adheres to stringent and well-defined processes to ensure security at every stage.

Requests for new features, bug reports, and code enhancements undergo triage and are subject to threat modeling and risk analysis. Before final commitment and validation through quality assurance (“QA”), the developed code undergoes both peer and security reviews. Additionally, all developed code is required to have accompanying unit test code for testing purposes. Framery’s QA team carries out automated testing to verify the integrity of unit, regression, performance, and stress tests, as well as conduct web and mobile application penetration testing.

Development practices

We train our developers continuously on secure development practices. In our development process, we incorporate several essential practices, including architecture reviews, pull request (PR) reviews, version control procedures, change management, and a well-defined release process.

We make use of contemporary and secure open-source frameworks, integrating effective security controls to mitigate risks associated with OWASP Top 10 security vulnerabilities. By implementing these inherent controls, we significantly minimize our susceptibility to threats like SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among other potential risks.

Quality Assurance

Our applications undergo comprehensive reviews and testing by our Quality Assurance (QA) team. Each release candidate is tested by using automated testing and manual testing. We have developed internal tools to generate test data – your and other customers’ data is not used in testing.

Separate environments

All the development and testing activities happen in separated environments. Our QA-team performs only smoke testing in the production environment after the release to verify successful deployment.

Framery Connect Security Controls

Password and credential storage

Our application uses AWS Cognito as a user database and Secure Remote Password (SRP) protocol for authentication. By design, user’s password is not stored to Cognito, only verifier and salt. Verifier is encrypted with AES 256 encryption.

Framery App

Sign in to Framery App happens by using your organization’s Microsoft or Google account. Instead of creating a new username and password for each service, users can simply use their existing Microsoft/Google account to access Framery App. Both, Microsoft Entra ID and Google Sign-In follow industry-standard security protocols, including OAuth 2.0 and OpenID Connect, to ensure the safety of user credentials and data.

Framery App employs simplified REST architecture, focusing on a limited set of well-structured features. The App does not utilize many self-made user-supplied parameters, and utilizes robust external Microsoft Graph and Google Calendar APIs, thereby minimizing potential attack vectors.

Privacy & Data Protection

Data gathered from the workplace environment

Framery smart pods & Framery Connect sensor gathers anonymous occupancy data, measuring how much & when the pod is used. Framery One has an ultrasonic sensor, whereas Framery One Compact, Four and Six have a mmWave radar. The Framery Connect sensor detects occupancy based on movement sensor. The data is transferred via built-in 4G connectivity, or additionally via WiFi on Framery One Compact, Four and Six.

Data gathered from the users

Framery workplace technology products gather only the minimum amount of personal data, such as username, timestamp of the login and behavioral data of how the Framery Connect web portal and Framery App are being used.

Regarding the calendar connection the smart pod’s touchscreens showcase the upcoming reservations. Access to the user’s Microsoft/Google calendars is required for creating a reservation to the smart pods’ calendars. After the reservation has ended Framery stores metadata related to reservation for analytics purposes. Data related to calendar events is stored for 14 days and will be automatically removed after that.

Framery workplace technology products are GDPR compliant. Framery does not sell your personal data. We have employed various technical and organizational security measures to safeguard your personal data from unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures align with our internal security protocols, encompassing the storage, destruction, and access control of personal data. Access to systems containing personal data is limited to employees with a legitimate need to process it for the specified purposes. You can always find the up-to-date information regarding privacy related matters from Framery Connect terms & conditions.

Privacy Policy

Our privacy policy contains a comprehensive outline for your reference.

Data Processing Agreement

Data Processing Agreement (DPA) is part of Framery Connect Terms of Service. You can find it here

Contact details regarding privacy issues

If you need to get in touch with us regarding privacy issues, contact our Data Protection Officer by email from below