Framery smart pods & workplace technology

Employees and contractors are made aware of our security culture and their responsibilities during the praised onboarding process. All developers complete a cyber security course once a year and newly hired developers must complete the course within 3 months from employment start date. Also all our employees complete Security training during their onboarding.

Security awareness training is an ongoing process throughout employment. As the threat landscape evolves constantly, we want to keep our employees on top of the threats and help them to understand their responsibilities over data protection. This includes for example awareness campaigns against phishing and cybersecurity news feeds.

Our access management is based on role-based access control (RBAC) and The Principle of Least Privilege. When assigning access rights to a person, the person managing access rights should consider security and risks of the object as well as other possible restrictions, such as required VPN use or access only from Framery’s network. Individuals should be given only those privileges needed for it to complete its task. This applies to applications, information, data, networks and other applicable objects.

All employment contracts include a confidentiality agreement. Also all our subcontractors are required to sign Non-Disclosure Agreement (NDA).

Why reinvent the wheel? That’s what we thought as well. Wherever feasible, we employ the AWS Well-Architected Framework to design and operate cloud-based systems that are reliable, secure, efficient, cost-effective, and sustainable.

We run our workloads on Amazon Web Services (AWS) data centers in Europe. Most of the services and data are hosted in AWS facilities in Germany, Frankfurt (eu-central-1). In addition, AWS SES (Simple Email Service) is hosted in Ireland, Dublin (eu-west-1) data center.

Framery does not have physical access to data centers. We leverage AWS’ robust physical security controls, meaning access to data centers is highly restricted. In addition, we have implemented physical security controls in our own office. With this strategy we aim to preserve the confidentiality, integrity and availability of our services from physical threats.

Framery Connect and its related infrastructure & data are spread across 3 AWS availability zones, in other words 3 individual data centers. Should one of those data centers fail, our infrastructure and service will continue to work. The AWS Data Center controls page describes controls implemented for AWS’ Availability Zones.

Access to the production environment and customer data is limited to authorized employees according to our Identity and Access Management (IAM) policy and The Principle of Least Privilege, i.e. only to employees whose job responsibilities require it. We are using Single Sign-on (SSO) wherever possible and multi-factor authentication (MFA) is enforced for all users.

Our infrastructure is protected against all known infrastructure (Layer 3 and Layer 4) attacks with AWS Shield Standard.

Access to the Framery Connect production network is strictly restricted. Access is granted according to our Identity and Access Management (IAM) policy and The Principle of Least Privilege.

All Framery servers are within our own virtual private cloud (VPC). We use network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

Production data is backuped daily. All backups are encrypted at the same level as the live data and access to backups is restricted only for a very limited audience.

We monitor each server and service in the Framery Connect environment for health metrics to track availability and spot issues. These metrics include standard items such as network connectivity, CPU utilization, memory utilization, storage utilization and service status. Failures generate alerts that are pushed to our operations staff through prioritized channels.

Encryption at rest

Encryption at rest is encryption that is used to help protect data that is stored on a disk or backup media. All your data and metadata stored at rest is encrypted using the Advanced Encryption Standard (AES) algorithm, AES-256.

Encryption in transit

Data transmitted to or from Framery Connect undergoes encryption in transit, employing 256-bit encryption for enhanced security.

By employing OpenVPN tunnels, we guarantee the utmost security and privacy in the communication between pods and Framery Connect. Rest assured, your data travels through these tunnels shielded from prying eyes, ensuring confidentiality and integrity every step of the way. Trust in our commitment to fortifying your connections and safeguarding your information with the robust protection offered by OpenVPN technology.

Penetration testing, also known as ethical hacking, is the proactive approach we take to identify vulnerabilities in our systems before malicious actors can exploit them. We collaborate with selected, esteemed cybersecurity companies, which perform penetration tests annually or more often if there are major changes in our environment.

Another proactive approach we use is vulnerability scanning, which is a crucial process that involves systematically identifying and assessing potential security vulnerabilities in software applications during various stages of development.

While we want to be proactive, we also want to ensure we are effectively reactive when it is needed. In the unfortunate case of an incident, our well-structured incident management process enters the game. Our response methodology is focused on minimizing downtime and business disruption. Through proactive planning and efficient execution, we aim to restore our critical systems and services to full functionality, ensuring seamless operations. We keep you informed throughout the incident management process, providing transparent updates on the situation, progress, and recommended actions. After containing the incident, we conduct thorough post-incident analysis and documentation, called postmortem. This analysis helps identify areas for improvement in your security measures and prepares your organization to better defend against future threats. We will provide root cause information within 14 days after the incident has been formally closed.

Framery’s Secure Development Life Cycle (SDLC) is meticulously crafted to minimize security risks during the software development process while ensuring the delivery of robust software functionality. Framery’s software development adheres to stringent and well-defined processes to ensure security at every stage.

Requests for new features, bug reports, and code enhancements undergo triage and are subject to threat modeling and risk analysis. Before final commitment and validation through quality assurance (“QA”), the developed code undergoes both peer and security reviews. Additionally, all developed code is required to have accompanying unit test code for testing purposes. Framery’s QA team carries out automated testing to verify the integrity of unit, regression, performance, and stress tests, as well as conduct web and mobile application penetration testing.

We train our developers continuously on secure development practices. In our development process, we incorporate several essential practices, including architecture reviews, pull request (PR) reviews, version control procedures, change management, and a well-defined release process.

We make use of contemporary and secure open-source frameworks, integrating effective security controls to mitigate risks associated with OWASP Top 10 security vulnerabilities. By implementing these inherent controls, we significantly minimize our susceptibility to threats like SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among other potential risks.

Our applications undergo comprehensive reviews and testing by our Quality Assurance (QA) team. Each release candidate is tested by using automated testing and manual testing. We have developed internal tools to generate test data – your and other customers’ data is not used in testing.

All the development and testing activities happen in separated environments. Our QA-team performs only smoke testing in the production environment after the release to verify successful deployment.

Framery smart pods & Framery Connect sensor gathers anonymous occupancy data, measuring how much & when the pod is used. Framery One has a heat-based sensor, whereas Framery One Compact, Four and Six have a mmWave radar. The Framery Connect sensor detects occupancy based on movement sensor. The data is transferred via built-in 4G connectivity, or additionally via WiFi on Framery One Compact, Four and Six.

Framery workplace technology products gather only the minimum amount of personal data, such as username, timestamp of the login and behavioral data of how the Framery Connect web portal and Framery App are being used.

Regarding the calendar connection the smart pod’s touchscreens showcase the upcoming reservations. Access to the user’s Microsoft/Google calendars is required for creating a reservation to the smart pods’ calendars. After the reservation has ended Framery stores metadata related to reservation for analytics purposes. Data related to calendar events is stored for 14 days and will be automatically removed after that.

Framery workplace technology products are GDPR compliant. Framery does not sell your personal data. We have employed various technical and organizational security measures to safeguard your personal data from unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures align with our internal security protocols, encompassing the storage, destruction, and access control of personal data. Access to systems containing personal data is limited to employees with a legitimate need to process it for the specified purposes. You can always find the up-to-date information regarding privacy related matters from Framery Connect terms & conditions.

Our privacy policy contains a comprehensive outline for your reference.

Data Processing Agreement (DPA) is part of Framery Connect Terms of Service. You can find it here