Data and Security at Sumday
We know that keeping data secure is a top priority for your team, so we’ve made it our mission to make things as easy as possible for everyone involved. Sumday meets—or more likely, exceeds —your company's security requirements. Feel free to pass this page along to your security team for all the initial details.
(👋 Hey there, security team! If you’re reading this, don’t hesitate to reach out if you need anything else. We’re committed to making your job a little easier!)
The low down
What is Sumday?
Sumday is a cloud based accounting platform for accounting and reporting on carbon emissions. With Sumday, users import financial transaction data and other activity data before performing an accounting process to determine their carbon emissions.
What data does Sumday store?
- When setting up an account with Sumday, users provide personal information: email address and full name.
- While using Sumday, users can import financial transaction data via CSV or an API (this is generally the same General Ledger data in the accounting or ERP system). Users can also input activity data and upload documents to the library or attach them to notes.
- Users may use the supply chain engagement tools which requires supplier name and email.
Who owns the data uploaded to Sumday?
You own your customer data! You decide what gets uploaded and we only store this data for the purposes of performing the services you’ve signed up to Sumday for - the accounting. More detail on that below.
What happens to data if the subscription is cancelled?
You can export your customer data before you cancel your subscription.
You can also request all data is deleted, we will only retain data to meet legislative requirements.
Is Sumday compliant with ISO27001, SOC 2 Type II and GDPR?
Yes! Sumday is ISO27001, SOC 2 Type II, EU GDPR and UK GDPR compliant.
Where do you host customer data?
Sumday is hosted on Microsoft Azure, with ISO 27001 / SSAE 18 compliant data centres located in several major Azure regions globally. Our servers are hosted in data centres located in Australia. You can request that your data is hosted in another region that meets your requirements by contacting us (UK is on the way).
What password protections are in place?
Sumday enforces multi factor authentication for every user.
Enterprise users can also request to configure an SSO integration with Auth0, Azure Active Directory, Okta, Google Cloud Identity or any other identity provider that supports OpenID Connect.
Enterprise customers also have the ability to enforce SSO for all users in the workspace and disable other log in methods.
The details
Read more about Sumday's security below
ISO27001
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS).
Conformity with ISO/IEC 27001 means that Sumday has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
SOC 2 Type II
Sumday has received a SOC 2 Type II report demonstrating that over a period of time, it has maintained the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.
A SOC 2 Type II report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Sumday. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA).
GDPR
We take data privacy seriously and are fully committed to complying with the General Data Protection Regulation (GDPR) for our users in the European Union (EU) and the United Kingdom (UK). This means we adhere to stringent standards to ensure the protection and confidentiality of your personal data. Here's what GDPR compliance entails at Sumday:
- Enhanced Privacy Protection: We prioritise the safeguarding of your personal data, ensuring it is processed lawfully, transparently, and securely.
- Clear Consent Mechanisms: We obtain explicit consent from our users before processing any personal data, ensuring transparency and accountability in our data handling practices.
- Robust Data Security Measures: We implement rigorous security protocols to prevent unauthorized access, disclosure, alteration, or destruction of your personal data, minimizing the risk of data breaches.
- Right to Access and Rectify Data: You have the right to access and review the personal data we hold about you. If any information is inaccurate or incomplete, you can request corrections or updates to ensure the accuracy of your data.
- Right to Erasure (Right to be Forgotten): If you wish to have your personal data deleted from our systems, you have the right to request its erasure. We will promptly fulfill such requests, unless we have a legal obligation to retain the data.
At Sumday, your privacy is paramount, and we are dedicated to upholding the highest standards of data protection to ensure a safe and secure experience for all our users.
Penetration testing
Our Pen testing follows a consistent and structured approach, and represents a point in time assessment of the nature and extent of potential or existing exposures that could potentially lead to a compromise.
Testing is based on best practice methodologies in combination with our other in-house developed processes and methodologies.
PCI DSS
All payments made to Sumday are securely processed via Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Sumday is hosted on Microsoft Azure, with ISO 27001 / SSAE 18 compliant data centers located in several major Azure regions globally. Our servers are hosted in data centres located in Australia.
Physical Security: Sumday defers all data centre physical security controls to Microsoft Azure.
Specific Requirements: For businesses with specific data sovereignty requirements, Sumday is able to be hosted within most regions globally, ensuring that your data remains within your specified geographical boundaries. You can contact us to discuss these options.
We recognise the importance of maintaining the highest standards of security in order to protect our team, our assets, and our customers. Here's an overview of our security practices:
Data Security
We utilise both technical and organisational measures to ensure the security of the personal data we manage.
- Data Leak Prevention (DLP) tools: Monitors and restricts potential data leaks.
- Data Masking: Limits the visibility of sensitive data internally and externally.
Passwords
SSO: Enterprise users can configure an SSO integration with Azure Active Directory, Okta or any other identity provider that supports OpenID Connect. Enterprise customers also have the ability to enforce SSO for all users in the workspace and disable other log in methods.
Password management: Sumday employs industry-standard techniques for password management, encryption, storage, complexity, and reset.
Password managers: Sumday encourages customers to leverage a password manager to support strong passwords when using Sumday.
Data Classification
Sumday classifies data based on it’s sensitivity, value, and criticality to the organisation, and the appropriate level of access and protection is applied accordingly.
Endpoint Security
We install endpoint security software on all staff computers. This software is proactive and performs routine checks to ensure all devices are encrypted, firewalls enabled, active screen locks, and free from threats, viruses, or malicious software.
Staff Screening
Every potential Sumday employee undergoes comprehensive police, identification, qualification and work history checks.
Security Training
Every new member joining Sumday is introduced to our security culture during onboarding. We also keep our existing staff up to date with regular security training sessions and annual policy acknowledgments.
Data erasure: Sumday customers have the ability to request data deletion or self-serve their own deletion, when data is not subject to regulatory or legal retention periodicity requirements.
Subscription cancellation: Following the cancellation of a Sumday subscription, you will have at least 30 days to download your customer data. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.
Sumday is dedicated to implementing all commercially viable precautions to protect your customer data. We champion transparency in our security procedures, bolstering your trust in our robust infrastructure, meticulous processes, sophisticated tools, and stringent policies that are all geared towards the safeguarding of your data.
Sumday has not had a data breach since starting. If a data breach does happen, Sumday is ready to act with a response plan that ensures we limit any damage and help any customers who might be affected, ensuring they meet their legal obligations.
Data breach definition
If sensitive data is acquired, accessed, used, or disclosed in a manner not permitted under the privacy law or in a manner that compromises the security or privacy of the sensitive data (personal data or PHI), it may be considered a Breach
Notification
Sumday will notify customers promptly without any undue delay upon becoming aware of a data breach. Customers will be contacted via email and phone (if provided), followed by regular updates throughout the day to address progress and impact.
Sumday maintains a robust privacy compliance program and is dedicated to collaborating with its customers and vendors on privacy compliance initiatives.
How we handle your data
At Sumday, our team is committed to creating and implementing data privacy processes and safeguards that align with industry standards and best practices. We provide ongoing training to our team to keep them updated with legislative changes and crucial privacy and security practices.
Every Sumday employee and contractor agrees to non-disclosure terms to ensure the confidentiality and security of your data. Similarly, Sumday requires any vendors handling personal data to uphold the same data management, security, and privacy practices and standards as we do.
What is Customer Data?
- Sumday defines Customer Data as any data that a customer stores in the Sumday platform, like your transactions and activity data you import to do the accounting.
- Customer data does not include analytics data or Account Information.
What is Account Information?
- Account information is the information that our customers provide to us so that we can create and administer their customer accounts.
- For example, account information includes names, usernames, passwords, email addresses, support communications, billing information, and usage information associated with your Sumday account.
- The terms of our Privacy Policy apply to any personal information included in Account Information.
Who owns and controls Customer Data?
- You own your Customer Data, including any data you submit or upload to Sumday.
- You determine what content and data to upload to Sumday. Once uploaded, you manage access to your account by assigning user logins.
- You also oversee the administration of the Customer Data by managing permissions and user credentials under your control.
How does Sumday use my Account Information?
The terms of our Privacy Policy outlines how we collect and uses your account information.
Who should I contact if I have any questions about Sumday’s data protection practices?
If you have any questions about our privacy practices, please contact us at: support@sumday.io
- We understand that uninterrupted access to our services is crucial to your experience. We are committed to providing reliable and available applications to ensure you can access our platform whenever you need it.
- Our infrastructure is designed for high availability, leveraging leading cloud computing solutions that enable us to maintain consistent and stable service. We've implemented redundancy and failover mechanisms to minimize downtime and ensure continuity even in the face of unexpected challenges.
- We actively monitor our applications to identify and resolve any issues swiftly. Our dedicated team works around the clock to ensure that our services are always accessible.
- In the event that maintenance or updates are required we schedule these during off peak hours and provide ample notice so that there is minimal disruption to you.
Sumday access controls are guided by the principle of least privilege and need. These controls apply to critical data and data processing systems at the application and operating system layers, including networks and network services. Sumday employees are only granted the minimum necessary access to perform their job.
The information stored on the Sumday platform is carefully protected, with encryption measures applied both at rest and in transit. When the data is at rest, meaning it is stored within the platform's databases, it is encrypted. Similarly, during transit, when the data is being transferred between the client applications and our servers, it is also encrypted.
Encryption at rest
All data, including backups, is encrypted at-rest using AES-256 encryption.
Encryption in transit
Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.
Secure Sockets Layer
Secure Sockets Layer (SSL) certificates are issued and managed through Azure, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.
Capacity Management
- Critical parameters and their thresholds are monitored for all critical infrastructure elements and software at periodic intervals to ensure required performance levels and availability.
- Capacity planning takes into account current and projected trends in Sumday’s information-processing capabilities.
- System monitoring is enabled to ensure and, where necessary, improve the availability and efficiency of our systems. Detective controls like alerts or alarms are in place to indicate problems in due time.
Backups
Sumday follows a backup retention policy that helps balance the need for historical data availability with storage considerations. Weekly backups are retained for one month, monthly backups are retained for one year, and yearly backups are retained for 2 years. This retention strategy allows for efficient recovery options based on specific recovery timeframes. Additionally, point-in-time restore data is kept for up to 7 days, enabling the restoration of data to specific points in time if necessary.
Logging and Monitoring
Infrastructure elements and software used for Sumday’s operations are configured, where feasible, to capture security-relevant logs (e.g. use of privileged accounts like root and administrator accounts, system failures, policy violations, unauthorized access attempts, and logging of firewall traffic).
Control of Operational Software
Sumday does not allow the installation of any other software on our production infrastructure.
Technical Vulnerability Management
Sumday enforces code review processes and uses automated scanning for vulnerabilities in its devops chain to prevent source vulnerabilities, while application vulnerabilities are prevented by applying secure methods by default to all infrastructure, using whitelist/as-needs access policies, and conducting regular automated and full penetration testing. Additionally, vulnerability detection is achieved by enabling Application Insights logging on all public-facing endpoints.
Sumday utilizes various third-party vendors to ensure the smooth operation of its services, with some being crucial for maintaining security and continuous service delivery. A systematic approach is adopted when sharing critical data with these vendors, which includes regular reviews of their performance and safety measures. This process involves confirming the availability of a contact point should service interruptions occur, verifying the vendors' information security certifications such as SOC2 or ISO27001, and assessing the sufficiency of the vendors' security practices. If such information is lacking, vendors are sent an assessment questionnaire. Furthermore, contingency plans are in place to mitigate potential issues like vendor downtime or sudden cessation of operations, including the option of collaborating with alternative vendors.
- Sumday has a business continuity plan (BCP) in place that in the event of vendor and service outages that could affect its business operations.
- This this plan sets out they key resources we need to ensure that business may continue (in a limited capacity if unavoidable) and contingency plans in the event of a disaster.
- The foundation of Sumday's operations is primarily hosted on cloud services. This design ensures that most of our core functions remain operational even if our staff cannot access the office. With a secure internet connection and a laptop, our team can perform their essential job functions, ensuring our business remains operational.
- Sumday's management reviews the Business Continuity Plan annually to ensure its relevance and effectiveness. After any rehearsal of the BCP, a retrospective session is held to extract lessons learned and identify any playbooks that need creation or modification.
Sumday has a documented incident response plan (IRP) that sets out the procedures to be followed in response to information security incidents.
This IRP is rehearsed at least once a year and includes:
- Escalation procedures
- Incident severity identification and classification
- Roles, responsibilities, and communication strategies in the event of a compromise
- Containment and remediation strategies
- Communication protocols
- A retrospective to determine the root cause so we can make improvements to the IRP and any other system or process required
Sumday has a detailed disaster recovery plan (DRP) designed to manage and restore services in the event of significant disruptions. We perform periodic disaster recovery scenarios and run post-mortems after each simulation to see if any areas need updating or improving. Sumday has a Recovery Point Objective of 12 hours, and Recovery Time Objective of 24 hours.
- Critical Systems: Systems essential for our functioning, such as application servers, background workers, and database servers. These systems are prioritized for immediate restoration if compromised.
- Non-Critical Systems: Systems like analytics, monitoring, and logging that, while important, do not inhibit critical systems from functioning. These have a lower priority.
Using Multi Factor Authentication to Protect Your Account
- Sumday adds an extra layer of security to your account by enforcing multi-factor authentication (MFA).
- When you sign in to your account you will be prompted to set up an authenticator app if you don't have one.
- There will be links to the Google Play Store or Apple App Store to download an app.
- If you do have an app, you'll be prompted with a screen where you can use your authenticator app to scan the QR code to verify it's you.
- Once set up, we’ll ask for a 6-digit code generated by your authenticator app each time you log in to Sumday to verify it’s you.
We know this might be a little annoying, but we take security very seriously and this is part of best practice protection for your account.
Can you send me an SMS to verify my account?Sumday will no longer be sending an SMS to verify its you.SMS verification is less secure, therefore we enforce the use of an authenticator app for best practice protection.
How Sumday Safeguards Your Data When Using AI Powered Features
At Sumday, we are committed to maintaining the highest standards of data security and privacy. As we incorporate AI tools into our platform to help you analyze your carbon accounting data and offer advanced insights, we want to ensure you have a clear understanding of how your data is handled and protected throughout this process.Data Security and Processing: What You Need to Know
What LLM or AI provider does Sumday use?
Sumday uses Microsoft Azure's hosted LLMs from OpenAI's GPT series of models.
Does the LLM use your customer data to improve their services?
Azure OpenAI does not use your inputs and outputs to improve their services. Customer inputs and outputs are used only to serve and improve individual customer experiences. They are not used for model training across customers.
Does Sumday use your data to serve other customers?
The data you submit and the responses you receive through Sumday and our AI tools are used only to serve your experience. They are not used to train models across customers or shared between customers.
Can I turn off the Sumday AI tools off if my organization is not ready to use it?
Yes. Contact support@sumday.io to request this and these tool will be switched off for all of your users.
Where is my data stored and processed?
Your data remains securely hosted in data centers located in Australia, where it is encrypted both in transit and at rest. When you use our AI-powered tools to analyze or query your data, Azure Open AI will process that request using Azure infrastructure in a region that may be outside of Australia (primarily in the United States). This means you will get the highest initial throughput limits and best model availability. If you do have specific region requirements, we may be able to facilitate these for enterprise customers.
How does Sumday protect my data when using these tools?
Before any data is sent for processing, it is anonymized to remove any personal or sensitive information. This means that OpenAI does not have access to identifiable data about you or your company. In addition to anonymization, your data continues to be fully encrypted during transit, ensuring no unauthorized access or breaches occur while it’s being processed. This encryption applies at all stages—from your device to our servers and during AI query processing.
Are Sumday's AI tools SOC 2 and ISO compliant?
Sumday is SOC 2 and ISO compliant, as is Microsoft Azure and Open AI. Each year an audit is complete and we regularly perform pen tests throughout the year as features are released. The AI tools have not completed external assessment for SOC 2 or ISO certification. These features will be added to our standard audit certification reporting cycle.
Key Takeaway: Control Over Your Data and the Tools You Use
If you prefer not to have your data processed outside of Australia for the purposes of performing AI queries, you can choose not to use our AI tools or contact us for region specific model options. Your data will remain securely within Australian data centers and won’t be processed by external servers.
Ensuring Trust and Transparency
We understand that using AI may raise questions about data security, and we're here to provide you with clarity and confidence. If you have any concerns or questions about how we use AI to deliver value to your carbon accounting process, feel free to reach out to our support team.At Sumday, we prioritize your data security and privacy while helping you unlock the full potential of your data with cutting-edge technology.
Here to help
Whether it’s product or accounting support, we have a dedicated team to guide you through the process. We’re here when you need us.