This document is an overview of Purple’s Wayfinding security and data protection policies, intended to answer customers’ commonly asked questions in a transparent and user-friendly way.
Data in transit
All public-facing portals and websites are encrypted with TLS (Transport Layer Security). TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and retains its integrity. Purple supports TLS 1.2 as a minimum.
Purple regularly reviews TLS ciphers offered in line with NIST guidance, and removes ciphers that are no longer considered to meet minimum security requirements.
Data at rest
All Purple-hosted data is hosted within Microsoft Azure, our SOC compliant Cloud Service Provider, and all disks hosting data are encrypted (AES-256) using the security controls available from that cloud provider.
All passwords are hashed with the bcrypt hashing function, with a minimum complexity exceeding current recommended guidelines.
Purple hosts and handles data in a way consistent with the standards of the EU’s GDPR regulations.
Users can email the Purple Data Protection Officer (via email@example.com) with any queries, for any changes to their data or to exercise their right to be forgotten.
Data is only used for the stated purposes, and Purple does not collect more data than is strictly needed. Individual customers decide their own data uses and configure the portal to collect the information they require, and may upload their own additional EULAs and privacy policies where required; consent to these is tracked individually.
Purple has a declared data retention period of 13 months of inactivity, after which any PII data about a customer is destroyed.
The Wayfinding solution is purposefully architected to capture as little data as possible. With the exception of the optional kiosk solution, where we give the end-user the ability to email themselves their directions if they choose to do so, we do not handle, store, transmit, or share any end-user Personal Data.
The data we do collect and use is the minimal amount needed for the solution to function. This is laid out in the table below.
By default, all data collection and processing occurs on the client device, and any data collected from the client mobile device is only collected when a user submits a review (for debug purposes). This data is automatically removed after 12 months.
| Data type | Example | Categorisation | Collected from | Used for |
|---|---|---|---|---|
| Email Address | firstname.lastname@example.org | Personal | User request | Sending emails containing the personalised link from the kiosk (optional) |
| Client Bluetooth MAC address (may be randomised, i.e. not the client’s real WiFi MAC address) | 00-00-00-00-00-00 | Personal | Client Mobile Device | Positioning |
| Venue / Company / Campus / Floor | Ground Floor, Main Building | Internal | Client Mobile Device | Positioning |
| RSSI (received signal strength indicator) | -50 | Internal | Client Mobile Device | Positioning |
| X,Y coordinate (with timestamp) | 200,34 | Client Confidential | Client Mobile Device | Positioning |
Wayfinding Positioning Engine Data Collection
| Data type | Example | Categorisation | Collected from | Used for |
|---|---|---|---|---|
| Device Manufacturer | Apple | Internal | Client Mobile Device | Debug |
| Device Model | iPhone | Internal | Client Mobile Device | Debug |
| Device OS & Version | iOS v.15.6.1 | Internal | Client Mobile Device | Debug |
| Wayfinding App Version | v1.0 | Internal | Client Mobile Device | Debug |
| Wayfinding Map Version | 2348 | Internal | Client Mobile Device | Debug |
| WiFi signal observed and RSSI | -50 | Internal | Client Mobile Device | Debug |
| BLE beacon signal strength | -50 | Internal | Client Mobile Device | Debug |
| Phone Sensor Data | Barometer, Magnetometer, Accelerometer | Internal | Client Mobile Device | Debug |
Email addresses are not stored within our solution, and are only used for processing. Other data may be stored for debug purposes for a period of up to 12 months.
The data inbound to the phone from the cloud consists of map data and web request responses, and is transmitted over HTTPS (TCP 443).
Outbound data is also transmitted over HTTPS (TCP 443). When the user completes their journey and submits a review, the phone transmits the journey metadata back to the cloud for debug purposes; this data includes the x/y coordinate and timestamp data and the client WiFi MAC address as a unique identifier (which the phone itself anonymises). The phones also read the status of local services and post that to the cloud anonymously (HTTPS/TCP 443).
All other data comes from the phone’s passive scanning of its surroundings (BLE beacon signal strength, WiFi networks seen (Android only), and accelerometer, barometer and magnetometer data). All of that data is processed on the phone and does not leave the phone.
Personally identifiable information and Personal Health Information (PII & PHI)
Our Wayfinding solution is purposefully architected so as not to capture Personally Identifiable Information (PII) or Personal Health Information (PHI), as defined by GDPR and HIPAA respectively.
The exception to this is our kiosk solution, which is an optional extra. If you choose to deploy our kiosk solution, physical kiosks will be deployed at your location on which end-users can enter their email address to send themselves their directions.
Note that this feature is optional for customers and end-users, and data is not stored in our solution. Our email service provider stores the email address and email metadata for a period of one month for debug purposes, after which it is automatically removed.
Additionally, Purple Wayfinding can collect other data that is categorised as being potentially personally identifiable when combined with other data: client/device MAC, journey start and end.
Purple’s Wayfinding solution does not handle or store any user financial data.
Purple as a business is ISO 9001 compliant for business practice, is ISO 27001 compliant and certified for information security practices, and is also CyberEssentials+ certified. The business is audited annually by accredited third-party companies to check that we remain compliant. This is in addition to our own in-house interim audits and management reviews. Certification can be supplied upon request.
All data gathered by the Purple Wayfinding platform resides in one of the North America Azure data centres. In general these are split out as follows:
- Illinois – Wayfinding Reports and production environments
- California – Dev environments
- Virginia – Staging environments and backups
- Texas – Geo replication data
Purple is compliant with regional data storage/privacy requirements where implemented, to retain data within the geographical boundaries determined by local legislation.
No user data is tied to any personally identifiable information; it is used solely in an aggregated form in order to monitor the service and deliver improvements and support. In general, Purple has a 13 month data retention period for all PII data, but no data processed or stored in Wayfinding services reaches this threshold.
Data storage and backup
All of our databases are replicated in real time to a secondary instance in a different zone. In the event of planned database maintenance, DB instance failure, or a zone failure, the affected cloud service will automatically fail over to the standby. This means that we do not have a single point of failure.
Purple runs daily snapshots on all databases, which means we have the ability to restore our database quickly should the need arise. These snapshots are cloud-based and encrypted, and automatically replicated to other zones to avoid data loss.
The customer will have access to the end-user data and share ownership of this data with Purple as a third party, in order to provide the solution. In this scenario you are also considered the Controller of this data and Purple is the Processor. We are required to treat this data in accordance with the same regulations as Purple and any local legislation concerning the safe storage of data. At present the solution is centrally hosted.
We provide a secure administration portal for the administration of your solution. The portal is protected by a web application firewall to mitigate distributed denial of service (DDoS) attacks. Users are authenticated with username and password, with passwords hashed and salted.
Location / presence data collection
Purple’s Wayfinding solution is powered by a combination of different sources in order to facilitate our location-based services. In order to facilitate the service we provide, the user’s device collects information on surrounding BLE beacon strength, WiFi networks seen, and data collected from device sensors such as the magnetometer, accelerometer and barometer. The information collected is not tied to any personal information that could identify an individual user, and is stored only for aggregated reports such as unique visitors for the day, most navigated destinations, types of devices used, etc. If a review is submitted, the geolocation data used to position users within a building is anonymised and shared with our partner Indoor Atlas for the main purpose of troubleshooting and analytics, and is deleted after 12 months.
Mobile and Web
Our mobile and web user interface for end-users is facilitated by API endpoints built using Azure’s App Services to transfer the risk of hardware patching requirements to the SOC compliant hosting provider. Our API endpoints are delivered via Azure’s Front Door Functionality to mitigate the threat of DDoS.
Our Android and iOS code is scanned for vulnerabilities monthly and pen tested annually. Code changes are subject to testing prior to release to production.
The kiosk solution is an optional hardware screen located within a Purple venue that allows end-users to navigate to a given endpoint. The security of this hardware is managed by Purple and patched in line with our security SLAs. The software itself is regularly reviewed for application security vulnerabilities and will be patched remotely using a remote administration tool of your choice. In order to facilitate this, we require network connectivity into the host.
The kiosk solution offers functionality to allow end-users to email themselves their journey link to their phone. This is the only area in which we potentially handle Personal Data and it is important to note that this feature can be disabled upon request.
Personnel Management, Procedures and Policies
Access to the Purple Wayfinding system within Azure is strictly limited to key members of staff, and is reviewed on a regular basis to ensure only appropriate staff have accounts.
Contractors and outsource companies are occasionally retained to do development work. All code produced is subject to the same peer review as any code created by our internal team. Our outsourced development team based in India are contractually held to the same personnel and data security requirements we hold for our business. Development teams undergo secure development training around the OWASP Top Ten at least annually.
Staff access roles are clearly defined and reviewed quarterly and on contract change. Access to data and applications is established on a least privilege basis, with users only being granted access to what they need to fulfil their role for as long as they need it. Staff have minimal access rights while on their three month probation period, and non-employees (e.g. contractors) have no access to any customer data, live services or code repositories.
All staff are subject to background reference checks and staff with administrative access as part of their role are subject to basic DBS checks.
Development and testing procedures are clearly defined in our secure development policy. All code is submitted via pull request and peer-reviewed by the team and at least two senior developers prior to merge. It then goes through regression testing with our QA team, who create and maintain standardised test sheets. Unit testing is used throughout the code base, and test-driven development is encouraged. UAT may be carried out with selected partners prior to the release of large new features in the form of betas/trials.
Deployments occur at least weekly for general maintenance, and bug fixes are deployed as required. Large releases follow a quarterly deployment schedule. All deployments go via Purple’s test platform for final sign-off by our QA team.
Purple carries out monthly automated vulnerability/threat analysis tests of all of our applications and infrastructure, and on every significant change (large code releases, infrastructure/architecture changes, or after software upgrades). Software patches are applied at least monthly. Should a vulnerability be found during these tests, the threat is assessed for level of impact and either patched immediately, should that be deemed necessary, or has its fix rolled into the next release. A full third-party penetration test/audit is performed by our security partner as required and at least once per year.
We implement a Security Incident Reporting Policy that gives staff clear guidelines to protect the integrity of data collected by Purple. This ensures that security incidents, or potential incidents, are identified, brought to the attention of the Information Security Manager and dealt with in a manner appropriate to the urgency and impact of the breach.
Purple has a clear procedure for staff termination. Requests to remove access to systems and recall hardware are logged as change requests on the in-house service desk. Our development partners are subject to the same personnel policies as our team.
Access is granted in line with our role-based access control matrix and is regularly audited throughout the year. We have a joiners, movers and leavers process, which includes a review of access permissions in the event of any member of staff changing roles.
- Wayfinding Data and Security
- Created on 09 June 2023
- Last updated on 06 July 2023