isLucid and Your data security – highest priority
At isLucid, we understand that our services’ confidentiality, integrity, and availability are the highest order of priority for our customers, partners, and for us as a company.
isLucid, as most companies, started from the idea. The next thing founder Vytenis Pakėnas did was writing a manifesto – a list of principles, how the company shall be formed, run, and how it will filter out do’s and don’ts based on the company values. Among the listed core values, Data Privacy was one of the most important.
It is a shared understanding among all isLucid employees that our clients trust us their private sensitive information. Furthermore, employees of our clients are trusting us with their personal data. And this trust brings a huge responsibility.
Last edit: March 18th, 2021
Human factor and related errors
We understand that computers are not making mistakes humans do. To mitigate potential risks in design, implementation, review, and maintenance processes, we take into account the risks arising from human error.
As part of our employees’ onboarding process, we bring training on how to handle private information. Training is prepared internally after lengthy consultations with high qualified cyber security specialists to ensure that when we create software and maintain, all personnel involved would be aware of:
– generally accepted security standards;
– internal procedures for information reviews, decision making;
– internal policies on data access and management;
– social engineering attack vectors.
As we are NOT STORING any clients’ sensitive data, these policies and procedures ensure our code (automated algorithms, bots, streams being processed) and data on the go is not altered by harmful third parties or internal employees with potentially bad intentions.
Your data is transferred only using a secure layer and is always encrypted. We use secure TLS encryption for all the data traveling between different services locally and in/out of our cloud environment.
Encryption at rest provides data protection for stored data (at rest). Usually, attacks against data at-rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. In such an attack, a server’s hard drive may have been mishandled during maintenance allowing an attacker to remove the hard drive. Later the attacker would put the hard drive into a computer under their control to access the data.
Encryption of all isLucid data at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is enabled at our organization.
When data is not moving – we apply Encryption at Rest. Encryption at Rest is the encoding (encryption) of data when it is persisted. The Encryption at Rest designs in cloud services we use, use symmetric encryption to encrypt and decrypt large amounts of data quickly according to a simple conceptual model:
A symmetric encryption key is used to encrypt data as it is written to storage. The same encryption key is used to decrypt that data as it is readied for use in memory.
Data may be partitioned, and different keys may be used for each partition.
Carefully selected and secure infrastructure
We use Microsoft infrastructure for all core services. Usage of Microsoft Azure cloud brings you and us the advantage of multi-layered security provided by Microsoft across physical data centers, infrastructure, and operations in Azure. State-of-art security delivered in Azure data centers globally.
We rely on a cloud that is built with customized hardware, has security controls integrated into the hardware and firmware components, and added protections against threats such as DDoS. Foundation based on security best practices for Azure solutions helps us focus on the application security and ensure that your data is safe with the top infrastructure provider.
Containerization and data separation
Azure services, including Microsoft Teams, by default, run in separate containers for each tenant. It means that everything that happens in your MS Teams call is either sent to our bot (for transcription, data processing purposes) or, for most of the activities, is left for your company (tenant) account.
For our Software as a Service (SaaS) customers, within isLucid software, we separate all confidential data for each client, including different streams/channels, tasks, and summaries identified. This information is stored in dedicated containers for each user. It is made by design that there wouldn’t be any space left for accidental unauthorized access of other customer information.
After isLucid bot registration, the audio stream is sent to transcription service. Transcription service is enabled only when user enables the service within the call (clicks Start transcription). After data processing, we are not storing any information associated with our clients and/or identified as private. Data processing consists only of doing the transcription, assigning transcription to a specific user, sending it back to isLucid Teams application for demonstration and storing (transcript) within the dedicated for client container.
There is no mechanism behind the scenes to store audio, data is transferred encrypted and in small chunks. A possible Man in the Middle attack vector is prevented by Azure service and within Azure configured services access policy, allowing to interact only with trusted sources.
Customers owning a deployed solution have all the services on their tenant account. Only information requests for external resources – licensing management information requests to isLucid subscription service.
isLucid service is made by JSC Lucid Agreements, private company registered in Lithuania, European Union. Company meets GDPR regulations together with consumer data privacy laws coming from United States federal laws and general standards set by Microsoft corporation for Independent Software Program (ISV) vendors.
isLucid is strictly and without any compromises follow user notification protocols on their data being processed. All meeting participants from the moment they join are informed about the audio stream being used for transcription. As isLucid bot joins conversation immediately when the call is started, nevertheless if the transcription is started or not, we inform all users about the gained access to the audio stream.
For the date of this statement, there is no other method company knows which would enable Teams Applications to get access to audio stream and to provide needed quality as off chosen. As a data processor (isLucid acts as one for your company) we are not creating risks for you as a data controller (factual owner) to get complaints from users of not being informed of transcription happening within the call.
Factual risks exists that user might not notice the privacy notice shown only when you start transcription. This might happen due to participants locking phones, sharing users’ screen, internet glitches or some other malfunction of the software (Microsoft Teams and/or isLucid). This unnoticed recording – transcription – would be a serious user rights breach under the general data privacy regulations. To avoid that we inform users from the moment they join the call nevertheless if the transcription is running or not.
For deployed isLucid we can customize the flow according to the customer’s internal policies and regulations.
How we treat your data?
You own your data. Audio data, once transcribed, is destroyed. We do not store any recordings. This limitation is not negotiable, even if you would insist us making this. It is due to the facts of privacy and Microsoft regulations. In case those policies change, you will be informed in advance to decide whether to agree with the new policies or not.
Transcription result – text information is again transmitted over the secure (TLS) bridge and is stored in your tenant environment. We do not store transcription results at our side, leaving you having only a copy of a full transcript. MS Teams by default stores attachments for apps (as isLucid is treated) based under the storage and access policy of your organization. These policies generally should be created by your organizational admins. Policies define if call/chat information stored is accessible only to the participants or to other people within your organization. The same as data, these options/configuration is owned you.
Tasks that participants create are stored in your selected tasks management environment. Those tasks are transferred using TLS and Rest API requests to Atlassian Jira (currently) using the same method a native Jira integration for MS Teams does. If Atlassian (the organization behind Jira) considers the process secure, why should we doubt it?
If you don’t doubt our partners – all good. But we tend to doubt and question every status quo. That’s why we asked 3rd party white hat hackers (good guys) to analyze our service’s security. They tried to break through different layers of our software in creative and crazy ways. isLucid got a confirmation that in the software we created, there were found 0 exploits. And if anything is found, we will inform you on day 1.
Ethical hacking rewards
Our software is continuously being developed, updated. New features, integrations, and so on, obviously, create changes in our codebase. With opensource solutions, we use there are also constant development changes. In addition to internal procedures to keep up with the change, we maintain a fund of $100,000.00.
This fund is allocated to reward Ethical hackers for finding and reporting vulnerabilities in our systems. With the growth of company, we will increase the reward pull, but even for now, this is a significant amount to motivate people to find and report bugs instead of finding and exploiting. If you found a security challenge, please drop an email to [email protected], and our representatives will contact you.
Still have questions? Contact our sales rep. and get a dedicated session with our system engineers to answer all questions you might have.