This document is an overview of Purple’s Wayfinding security and data protection policies, intended to answer customers’ commonly asked questions in a transparent and user-friendly way.
Data in transit
All public facing portals and websites are encrypted with TLS (Transport Layer Security). TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. Purple support TLS 1.2 as a minimum.
Purple regularly review TLS ciphers offered in line with NIST guidance, and remove ciphers that are no longer considered to meet minimum security requirements.
Data at rest
All Purple-hosted data is hosted within Microsoft Azure, our SOC compliant Cloud Service Provider, and all disks hosting data are encrypted (AES-256) using the security controls available with those cloud providers.
All passwords are encrypted with the bcrypt hashing function.
Data protection
Purple host and handle data in a way consistent with the standards of the EU’s GDPR regulations.
All data purposes and rights are explained clearly and transparently to the end user in Purple’s EULA and privacy policy, which are presented in concise and user-friendly terms.
Users can email the Purple Data Protection Officer (via dpo@purple.ai) with any queries, for any changes to their data or to exercise their right to be forgotten.
Data is only used for the stated purposes, and Purple do not collect more data than is strictly needed (although the individual customers decide their own data uses and configure the portal to collect the information required by themselves, as well as uploading their own additional EULAs and privacy policies where required, consent of which is tracked individually).
Purple have a declared data retention period of 13 months of inactivity, after which any PII data about a customer are destroyed.
Data Capture
The Wayfinding solution is purposefully architected so as to capture as minimal data as possible. With the exception of the optional kiosk solution where we give the end-user the ability to email themselves their directions if they choose to do so, we do not handle, store, transmit, or share any Personal Data.
The data we do collect and use is the minimal amount needed for the solution to function. This is laid out in the table below:
Data type | Example | Categorisation | Collected from | Used for |
---|---|---|---|---|
Email Address | dan.smith@gmail.com | Personal | Company’s authenticated email account | Sending emails containing the personalised link from the kiosk (optional) |
Access point MAC address | 00-00-00-00-00-00 | Internal | Network controller or vendor location engine | Positioning |
Client WiFi MAC address (may be randomised, i.e. not the client’s real WiFi MAC address) | 00-00-00-00-00-00 | Personal | Network controller or vendor location engine | Positioning |
Venue/Company | Store 52, Acme Shops | Internal | Customer database | Positioning |
Time of request | Internal | Network controller or vendor location engine | Monitoring | |
RSSI (received signal strength indicator) | 50 | Internal | Network controller or vendor location engine | Positioning |
X,Y coordinate | 200,34 | Client Confidential | Network controller or vendor location engine | Positioning |
Visit start | 2020-01-01 09:00:00 | Internal | Aggregation | Monitoring |
Visit end | 2020-01-01 17:00:00 | Internal | Aggregation | Monitoring |
Location-based services
Location data is data collected passively about devices (both authenticated and non-authenticated) by compatible network access points. Typically, an AP records a received signal strength indication (RSSI) value, a MAC address (which may be randomised, depending on the client software) and a date/time for each client WiFi probe. With the right hardware and 4 or more APs, this data may be enhanced to an estimated geometric coordinate of the device relative to the uploaded floor-plan.
API
A RESTful API exists for extracting most end user data in raw format. Access to this service is via signed public/private keys, provided on request by the Purple support team once a customer’s rights to the data have been verified. Access to Purple APIs is encrypted in transit using HTTPS, and requested are signed with a nonce to prevent replay attacks, and a full audit log exists of all requests, including the source IP of the requests.
Personally identifiable information and Personal Health Information (PII & PHI)
Our Wayfinding solution is purposefully architected so as to not capture Personally Identifiable (PII) or Personal Health Information (PHI) as defined by GDPR and HIPAA respectively.
The exception to this is our kiosk solution which is an optional extra solution. If you chose to deploy our kiosk solution, physical kiosks will be deployed at your location on which end-users can enter their email address to send themselves their directions. Note that this feature is optional for customers and end-users, and data is not stored in our solution and can be deleted from our email service provider upon request via our DPO or automatically after 13 months.
Additionally, Purple Wayfinding can collect other data that is categorised as being potentially personally identifiable when combined with other data: client/device MAC, journey start and end.
Payments
Purple’s Wayfinding solution does not handle or store any user financial data.
ISO compliance
Purple as a business is ISO 9001 compliant for business practice. The business is audited annually by an accredited third party company to check that we remain compliant. This is in addition to our own in house interim audits and management reviews. Certification can be supplied upon request.
Data sovereignty
All data gathered by the Purple Wayfinding platform resides in one of the North America Azure data centres. In general these are split out as follows:
- Illinois – Wayfinding Reports and production environments
- California – Dev environments
- Virginia – Staging environments and backups
- Texas – Geo replication data
Purple is compliant with regional data storage/privacy requirements where implemented, to retain data within the geographical boundaries determined by local legislation.
Data Retention
All user data is not tied to any personally identifiable information as is solely used in an aggregated form in order to monitor the service and deliver improvements and support. Any that is captured via one of the optional solutions is deleted after a period of 13 months of inactivity. This means Purple will store a user’s personal data, in its full form, for at least 13 months, and after 13 months of inactivity (not using the service) we delete anything deemed personally identifiable.
Data storage and backup
All of our databases are replicated to a secondary instance in a different Zone. The replication is real time. In the event of planned database maintenance, DB instance failure, or a Zone failure, the affected cloud service will automatically failover to the standby. This means that we do not have a single point of failure.
Purple runs daily snapshots on all databases, which means we have the ability to restore our database quickly should the need arise.
Data ownership/controller
The customer will have access to the end-user data and share ownership of this data with Purple as a third party, in order to provide the solution. In this scenario you are also considered the Controller of this data and Purple is the Processor. We are required to treat this data in accordance with the same regulations as Purple and any local legislation concerning the safe storage of data. At present the solution is centrally hosted.
Application components
Admin portal
We provide a secure administration portal for the administration of your solution. The portal is protected by a web application firewall to prevent distributed denial of service. Users are authenticated with username and password with passwords hashed and lasted.
Location / presence data collection
Purple’s Wayfinding solution is powered by the combination of different sources in order to facilitate our location based services. In order to facilitate the service we provide, we collect the end-users MAC address and a RSSI strength indicator based on proximity to an access point (AP), Bluetooth strength, (BLE), and the magnemoter in iphones. This information collected is not tied to any Personal Information that could be tied to an individual users and is stored only for aggregated reports such unique visitors for the day, most navigated destinations, types of devices used etc. The geolocation data used to position users within a building is anonymised and shared with our partner InDoor Atlas for the main purpose of troubleshooting and analytics and is deleted after 12 months.
Mobile and Web
Our mobile and web user interface for end-users is facilitated by API endpoints built using Azure’s App Services to transfer the risk of hardware patching requirements to the SOC compliant hosting provider. Our API endpoints are delivered via Azure’s Front Door Functionality to mitigate the threat of DDoS.
Our Android and iOS code is scanned for vulnerabilities monthly and pen tested annually. Code changes are subject to testing prior to release to production.
Kiosk
The kiosk solution is an optional hardware screen located within a Purple venue that allows end-users to navigate to a given endpoint. The security of this hardware is managed by Purple and patched inline with our security SLAs. The software itself is regularly reviewed for application security vulnerabilities and will be patched remotely by a remote administration tool of your choice. In order to facilitate these we require network connectivity into the host.
The kiosk solution offers functionality to allow end-users to email themselves their journey link to their phone. This is the only area in which we potentially handle Personal Data and it is important to note that this feature can be disabled upon request.
Personnel Management, Procedures and Policies
Staff access
Access to the Purple Wayfinding system within Azure is strictly limited to key members of staff, which is reviewed on a regular basis to ensure only appropriate staff have accounts.
Contractors and outsource companies are occasionally retained to do development work. All code produced is subject to the same peer review as any code created by our internal team. Our outsourced development team based in India are contractually held to the same personnel and data security requirements we hold for our business. Development teams undergo secure development training around the OWASP Top Ten at least annually.
Staff access roles are clearly defined and reviewed quarterly and on contract change. Access to data and applications is established on a least privilege basis, with users only being granted access to what they need to fulfil their role for as long as they need it. Staff have minimal access rights while on their three month probation period, and non-employees (e.g. contractors) have no access to any customer data, live services or code repositories.
All staff are subject to background reference checks and staff with administrative access as part of their role are subject to basic DBS checks.
Development and testing procedures are clearly defined in our secure development policy. All code is submitted via pull request and peer-reviewed by the team and at least two senior developers prior to merge. It then goes through regression testing processing with our QA team who create and maintain standardised test sheets. Unit testing is used throughout the code base, and test-driven development encouraged. UAT may be carried out with selected partners prior to the release of large new features in the form of betas/trials.
Releases
Deployments occur at least weekly for general maintenance and bug fixes are deployed as required. Large releases follow a quarterly deployment schedule. All deployments go via Purple’s test platform for final sign-off by our QA team.
Vulnerability/threat management
Purple carries out monthly automated vulnerability/threat analysis tests of all of our applications and infrastructure, and on every significant change (large code releases, infrastructure/architecture changes or after software upgrades). Software patches are applied at least monthly. Should a vulnerability be found during these tests, the threat will be assessed for level of impact and patched immediately should it be deemed necessary or have the fix rolled into the next release.
A full third party penetration test/audit is performed by our security partner as required and at least once per year.
Incident response
We implement a Security Incident Reporting Policy that gives staff clear guidelines to protect the integrity of data collected by Purple. This ensures that security incidents, or potential incidents, are identified, brought to the attention of the Information Security Manager and dealt with in a manner appropriate to the urgency and impact of the breach.
Staff termination
Purple has a clear procedure for staff termination. Requests to remove access to systems and recall hardware are logged as change requests on the in-house service desk. Our development partners are subject to the same personnel policies as our team.
Access is granted in line with our role based access control matrix. Access is regularly audited throughout the year.
- Wayfinding Data and Security
- Created on 29 March 2021
- Last updated on 29 March 2021