Data Security Policy
(last updated Aug 9, 2023)
1. Purpose
This Data Security Policy outlines the security measures and procedures in place to protect user data stored in AWS and third party systems by Lace’s Services (“Services”). The objective of this policy is to ensure the confidentiality, integrity, and availability of our user data, as outlined in Lace Terms of Service, the Lace Privacy Policy and other agreement documents (collectively “Agreement”) and to comply with all applicable laws and regulations.
2. Scope
This policy applies to all data that we collect, store and manage on behalf of our customers, which is stored in AWS or using third party systems, and to all employees, contractors, consultants, and other workers at our organization who have access to these systems.
3. Roles and Responsibilities
Everyone in the organization has a responsibility for data security. Specific roles include:
- The Data Protection Officer (DPO) oversees the implementation of this policy and ensures compliance.
- All employees and contractors must comply with this policy and report any suspected data breaches to the DPO.
4. Data Classification
Our user data is classified into two categories:
- Confidential: This includes any sensitive user information, such as personal details, notes, summaries, action items, etc.
- Public: This includes any data that is freely available to the public.
5. Data Storage, Transmission, and Disposal
- All confidential data in AWS RDS and AWS S3 will be encrypted at rest using AWS KMS and SSE-S3 respectively. All confidential data stored in Firebase Authentication will be encrypted at rest.
- All data transmitted over the network will be encrypted in transit.
- Access to third party vendor data will be controlled and monitored.
- Data disposal will be in accordance with AWS's secure data disposal procedures.
6. Sub-processors
- Lace may engage with third party service providers (“Sub-processor”) to process customer data on behalf of the customer under the supervision or instruction of Lace and under the provisions defined in Agreement. The sub-processors which Lace uses are as follows:
Sub-processor | Purpose | Location
---|---|---
Amazon Web Services (AWS) | Cloud data storage and compute | USA
Google Firebase | User account management | USA
Recall.ai | Automated meeting recording | USA
Open AI | Language transcription and generative AI | USA
Liveblocks.io | Real-time collaboration, including on rich text documents | USA
Jitsi as a Service (JaaS) | Live meetings | USA
Sentry | Error monitoring | USA
Mixpanel | Product usage analytics | USA
7. Access Controls
- Access to AWS and third party system accounts and data will be controlled based on the principle of least privilege.
- All access to systems will be logged and regularly audited.
8. Incident Response
- Any suspected data breaches must be immediately reported to the DPO.
- We have an Incident Response Team (IRT) (security@lace.ai) that will handle data breaches in accordance with our Incident Response Plan.
9. Policy Enforcement and Penalties
- Compliance with this policy is mandatory.
- Any violation of this policy will be subject to disciplinary action, up to and including termination of employment or contract.
10. Regular Review and Updates
- This policy will be reviewed and updated annually or as needed to adapt to changes in our systems or the regulatory environment.
11. Training and Awareness
- All employees and contractors will receive regular training on this policy and data security best practices.
By following this policy, we aim to maintain the trust of our users and protect their data from any threats. It's the responsibility of all individuals who have access to our AWS and third party systems to read, understand, and follow this policy.
This policy will be enforced by management and violations will result in disciplinary action.