Data Hosting, Security, and Privacy of Customers’ Capture Data

At OpenSpace, we take pride in our proactive approach to security and privacy, particularly given the volume of customer data entrusted to us. Indeed, we have captured more than 11 billion square feet of site imagery across 91 countries and six continents, and that number is growing exponentially. We are pleased to share greater detail about our information security and privacy policies and the steps we’re taking to protect our customers’ capture data.

Security by Design

The core tenets of OpenSpace’s security program are to safeguard customer data and to maintain customer trust. OpenSpace uses a defense-in-depth approach to implement layers of security throughout our organization. We’re passionate about defining new security controls and continuously refining our existing ones. Our security program is driven not only by compliance and regulatory requirements but also by industry best practices like the OWASP Top 10, CIS Benchmarks, ISO 27001, and threat intelligence.

Vulnerability Mitigation

The OpenSpace Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack. We perform regular vulnerability scanning against our platforms. Network-based and application-level vulnerability scans ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws early in the development lifecycle. Regular scanning helps OpenSpace stay ahead of many security threats.

We bring in industry-recognized third parties to perform annual penetration tests. Penetration tests are performed against the application layers and network layers of the OpenSpace technology stack, and penetration testers are given internal access to the OpenSpace product networks in order to maximize the kinds of potential vectors that should be evaluated.

Privacy Protection

OpenSpace works hard to maintain the privacy of the data you entrust with us. Data you store in OpenSpace’s platform is yours—we put our security program in place to protect it and use it only as permitted in our Terms of Service, Privacy Policy, and Master Service Agreements. We never share your data across customers and never sell it.

OpenSpace provides solutions for the global market, so we have implemented controls to ensure we comply with privacy programs from several different countries. That means that OpenSpace takes steps to protect personally identifiable information (PII) through controls such as de-identification, encryption, and strict access control. OpenSpace is your data processor, and data processing agreements (DPAs) are available to customers who need to maintain compliance with GDPR, CCPA, PIPEDA, and other global frameworks that may require separate DPA agreements.

Data remains geo-located in the country that is specified in your agreement with us. We never transfer your data outside of its geographic privacy region without your written consent.

OpenSpace’s Commitment to Security: SOC 2

OpenSpace went through a rigorous third-party audit to receive its SOC 2 report, a prestigious status among SaaS organizations. The report on compliance is available to customers and prospective customers who have a signed non-disclosure agreement.

What is a SOC 2 Report?

SOC stands for System and Organization Controls, and the standards are set forth by the AICPA. The AICPA developed SOC 2 as a comprehensive evaluation of a company’s controls, processes, and policies when it comes to information security, privacy, confidentiality, risk management, change management, and more.

There are varying levels of SOC 2 audits based on the Trust Service Principles you are audited against. The three Trust Service Principles selected by OpenSpace as relevant to the services we deliver to customers are:

  • Security
  • Availability
  • Confidentiality

InfoSec and privacy laws such as GDPR, PIPEDA, and CCPA mean that audits like this are more and more important to demonstrate that OpenSpace is ready to handle your data safely. Evidence that controls have been operating effectively is reviewed and tested by auditors. The controls and testing results are available in the report.

We Aren’t Stopping Here…

An important part of SOC 2 compliance is ongoing adherence and continued improvement of security systems and processes. The SOC standards shift as the tech ecosystem changes, and ongoing improvements to controls are needed in order to stay up to date. OpenSpace plans to undergo annual SOC 2 Type II audits so that customers can have confidence that their data is safe with us.

In addition, OpenSpace has chosen ISO 27001 as the basis for its security program, and we are pursuing an ISO certification. If you ever have questions for OpenSpace’s Security Team, you can reach out to us directly at compliance@openspace.ai.


Security and Privacy FAQs

Data Security

Q: Does OpenSpace have a SOC 2 report?
A: OpenSpace has a SOC 2 report available to pre- and post-sales customers with a non-disclosure agreement (NDA). Purchasing an OpenSpace license is not required – you can obtain an NDA through your sales rep or by contacting us at support@openspace.ai.

Q: Does OpenSpace have an ISO 27001 certification?
A: OpenSpace is working on completing its ISO 27001 certification and will make an announcement on its website when this has been completed.

Q: What security framework has OpenSpace implemented?
A: OpenSpace has implemented a combination of the ISO 27001 Annex A controls and those required for FedRAMP Moderate (NIST 800-53).

Q: Can customers conduct a penetration test of the OpenSpace platform?
A: No, as this would be perceived as an attack by OpenSpace’s security team, which would trigger an incident response. OpenSpace conducts regular penetration tests using qualified third parties. Information about these tests can be found in the SOC 2 report and is also available under NDA.

Q: Does OpenSpace support Multi-Factor Authentication (MFA), SAML 2.0, or OpenID Connect?
A: OpenSpace allows customers to federate access to their own identity provider (IdP) that supports OpenID Connect (OIDC) or SAML 2.0, such as Azure Active Directory or Okta. Customers may implement their own access control requirements according to their internal security plan.

Q: How does OpenSpace classify customer data?
A: All customer data is considered to be proprietary and confidential. Any personally identifiable information is handled accordingly.

Q: How will users be authenticated?
A: Customers may sign in using a unique username and password or federate their identity access management to their own identity provider (IdP).

Q: Will OpenSpace require any integration with customer systems?
A: OpenSpace does not require any third-party integration.

Q: Does OpenSpace integrate directly with customer systems?
A: No – OpenSpace does not integrate directly with customer systems except for authentication.

Q: Where is your data stored? How do I know that my data is safe?
A: At OpenSpace, we take data security very seriously. We are Privacy Shield certified and even comply with the planet’s strictest security policies, the EU’s GDPR. We treat all the information stored on our systems, regardless of customer, user, or use case, as equally important and extremely sensitive. All customer data is encrypted in transit with TLS encryption, as well as encrypted at rest using industry-standard 256-bit AES encryption. Our data is stored with AWS. Read more about their security policies at Amazon Security.

Privacy Protection

Q: Does OpenSpace have a privacy policy?
A: OpenSpace’s current privacy policy is available on its website at this URL: https://www.OpenSpace.ai/privacy-policy/.

Q: What data is collected by OpenSpace, and for what purpose?
A: Please review the current privacy policy.

Q: What privacy regulations does OpenSpace comply with?
A: As many countries do, OpenSpace uses the European Union’s General Data Protection Regulation (GDPR) as the basis and minimum for its approach to privacy. OpenSpace will work with individual customers to determine how best to meet their specific regulatory requirements.

Q: Who is the data controller?
A: Customers are responsible for collecting and providing all information on individuals. Therefore, the customer is the data controller for its data subjects.

Q: What role is OpenSpace operating within as it relates to privacy protection?
A: OpenSpace is the data processor.

Q: Will OpenSpace sign a data processing agreement with a customer?
A: Yes, your account executive can provide a DPA. Please fill out the DPA completely before sending it to OpenSpace. If you’re unsure of the data sent to OpenSpace for processing, please consult your Account Executive for more information.

Q: Where is the data stored and processed?
A: Data is stored and processed in a single region selected by the customer. Contact your account executive to see which regions are available. OpenSpace is always expanding and adding new geo-fenced regions to store and process customer data.

Q: Who are some of OpenSpace’s partners, vendors, and customers?
A: As a matter of policy, OpenSpace does not disclose the names of partners, customers, or vendors.