Privacy, Security, Backup and Recovery
- arkadi kaplon
Galooli is committed to protecting the security, availability, and confidentiality of its customers’ data.
Galooli implements a comprehensive information security program that is based on the ISO 27001 standard. This program includes various security measures of the cloud environment, including access control, data encryption, network security, and data backup and recovery.
Galooli holds ISO 9001 and ISO 27001 certifications. You can access the certificates in our knowledge base at: Quality Standards, Certifications, and Patents.
Galooli undergoes regular security audits by independent firms and our Chief Information Security Officer (CISO).
Galooli assures full compliance with GDPR requirements.
For detailed information on Galooli’s security and privacy policy, please refer to the links bellow
Should you have any questions or concerns, please contact us.
Galooli's Servers Security Level
All Galooli's data is safe and stored on Amazon servers, with the highest security level.
You can find more information about the server's security at the following links:
Galooli Data Protection
Galooli is committed to customary acceptable standards of information security, and operates in compliance with all material respects to applicable information security laws and regulations, including GDPR.
Our cloud is hosted on AWS US.
Data transfer is aligned with Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework.
According to the Data Privacy Framework (PDF) Program Overview, “On the basis of the EU-U.S. DPF Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including the commitments by the U.S. Department of Commerce’s International Trade Administration (ITA) regarding the administration and supervision of the Data Privacy Framework (DPF) program, the European Commission was able to adopt a new adequacy decision recognizing the adequacy of protection provided by the EU-U.S. DPF. The European Commission’s new adequacy decision affirms that the strengthened safeguards in U.S. law on signals intelligence activities, new redress mechanism, and the amended privacy principles under the EU-U.S. DPF meet EU legal requirements thereby enabling participating organizations to use the EU-U.S. DPF Principles to transfer EU personal data to the United States in compliance with EU law.” For further details visit:
Data Backups and Recovery
Galooli's Information Security Policy, Disaster Recovery Plan (DRP), and Business Continuity Plan delineate backup procedures and data recovery protocols for various scenarios, encompassing instances such as server unavailability, employee incapacitation, office space disruption, and database corruption or catastrophe.
Galooli’s source code is managed and will be securely backed up to a separate cloud.
Database backups are conducted on a daily basis for active databases.
Security Training procedures establish precise timelines for both full and partial retrieval of essential data components.
Galooli conducts regular security audits to identify and fix any security vulnerabilities in its services.
Galooli discontinues the processing of information that is no longer deemed necessary. In such cases, every reasonable measure is taken to ensure that the information remains inaccessible through conventional means, even including the restoration process utilizing backup facilities.
Galooli Security Layers
Unit Protection | Login | Protocol Between | System Architecture | Development | General |
|---|---|---|---|---|---|
Propriety protocol between on-site units to servers
| Password Managing
| Token based connectivity | Server systems are departmentalized, with different secured VPCs without the possibility of accessing DB | Separated environment for test and production | ISO 27001 |
Optional adding Private APN/ Restricted APN
| SSO Login
| Fully secured client-server communication - HTTPS | AWS environment
|
|
GDPR |
ID to every unit
| Re Captcha V3
| End Clients installed applications are fully signed | Replicating the systems in case of an emergency |
|
|
Audit trail
| IDP Engine
| All emails from the Galooli system sent only from |
|
|
|
RBAC
| Allowed IPs
| Secure File Transfer Protocol (SFTP)
|
|
|
|
| Session Timeout
|
|
|
|
|
| Disable Inactive Users
|
|
|
|
|
| Two-Factor Authentication
|
|
|
|
|
| Auto Logout
|
|
|
|
|
Access & Security Configuration
Galooli allows its users to easily set Access and Security Settings. For further details see the following links:
Security & Privacy FAQ
Question | Answer |
|---|---|
“What security and privacy measures has AWS implemented to protect customer data, and how does their Data Processing Agreement (DPA) relate to GDPR compliance?” | AWS has implemented a comprehensive set of security and privacy measures to protect customer data, including data encryption, access control, and audit logging. AWS also offers a Data Processing Agreement (DPA) that incorporates AWS's commitments as a data processor under the GDPR. |
"What are the storage requirements for personal data under the GDPR, and how does it relate to the protection of EU residents' personal data?" | The GDPR does not specify where data must be stored (although it does require that data controllers take appropriate measures to protect the personal data of EU residents). |
“What is the level of GDPR compliance in AWS data centers located in the US, especially in North Virginia, and where can I find up-to-date documentation on this matter?” | All AWS data centers are compliant with DGPR, including the ones in the US in general, and North Virginia in particular. See for example this up-to-date White Paper by AWS: |
“What kind of information Galooli processes? “ | The kind of information Galooli processes is detailed in Galooli's Privacy Policy, especially in the sections “Data,” and “Data Collecting.” The latter reads: "Data is collected under the legitimate business interests of the Asset Owner to enable it to monitor aspects such as, but not limited to: Asset Location, Fleet Optimization, Road and Driver Safety, Environmental Impact, Fuel Usage, Power usage." Note: Galooli does not directly process sensitive personal data. We do process non-identifiable information, such as anonymized meter identifiers and beyond-the-meter readings related to energy consumption, as well as technical factors associated with connected assets and energy sources. This data cannot be linked to any specific individual. All data transfers by Galooli are fully encrypted, utilizing HTTPS and TLS (no less than 1.2) encryption protocols. In addition, Galooli collects data on how users interact with the platform (e.g., login times, session durations, interactions with various features), including anonymized data This data is used to compile aggregate statistics and improve user experience (e.g., making popular features more visible and user-friendly). This helps us enhance the functionality and performance of our platform. The Galooli online platform also gives customer-administrators the option to manage user access and upload employees’ names, email addresses, and phone numbers, if they see fit. |
“What categories of personal data Galooli transfers?” | Galooli does not directly process sensitive personal data. However, it does collect data on how users interact with the platform to improve user experience (UX), and allows customer-administrators to manage user authorization and upload employees’ names, email addresses, and phone numbers, if they see fit. |
Information Security Incident Response and Breach
At Galooli, we prioritize data security with robust measures like encryption and intrusion detection systems. Our comprehensive Information Security Incident Response and Breach Policy outlines the steps we take to detect, prevent, manage, and effectively respond to security incidents, including both human-based and external breaches. This policy details reporting procedures, investigation protocols, preventive and corrective actions, and ongoing training for employees.
Technical and Organizational Security Measures
Galooli undertakes the following technical and organizational measures, among others, to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in compliance with applicable data protection laws:
24/7 Monitoring: Includes pre-configured and customized alarms and notifications for abnormalities.
Access Control: Access to customer data is strictly limited to authorized Galooli personnel and users, enforced through identity and access management protocols within our ISO 27001 certified IT and cloud environments.
Admin Login Notification: Admin login from more than one device triggers a Double-Login Attempt notification.
All Data Transfers: Fully encrypted, utilizing HTTPS and TLS (no less than 1.2) encryption protocols.
Audit Trail and Login Records: Including records of attempted, failed, and successful logins."
AWS IAM: Utilizes Amazon Web Services Identity and Access Management for secure and granular control over user permissions.
AWS Notifications: Includes access to AWS real-time platform status dashboards and AWS Inspector for enhanced monitoring.
AWS Multi-Zone
Block Events Records: Record of blocked events maintained for security auditing.
Crisis Simulation Drill: Conducted periodically by management and the Chief Information Security Officer (CISO).
Data Availability Dashboard and KPIs: Provides real-time insights and key performance indicators to monitor data accessibility.
Data Isolation: Data is separated in distributed databases, with stringent authentication checks at both application and data layers to prevent unauthorized access and ensure data isolation by customer.
Data Deletion: Policies align with Galooli’s Service Level Policy, which permits data storage for a default period of three years. For longer retention, clients should contact Galooli support. Decommissioning processes prevent unauthorized access and ensure secure deletion in line with industry standards.
DDoS Mitigation and Firewall Protection: We employ IP- and port-based firewalls. Our infrastructure is designed to mitigate Distributed Denial of Service (DDoS) attacks through elastic load balancing and resilient DNS services.
Disaster Recovery (DR) Exercises: Conducted at least four times a year to ensure system resilience.
High Availability Setup: Includes a decentralized solution architecture using various database types (e.g., RDS, Redis, NoSQL) and AWS microservices.
MFA for Development Admins: Multi-Factor Authentication is required for development admins to enhance security.
Network Security: Protected by firewalls and boundary devices with carefully configured rule sets and access control lists to monitor and control data flow. Administrative access is restricted and continually verified.
Ongoing Data Replication.
Ongoing Risk Management: Integral to our R&D activities, ensuring continuous identification and mitigation of potential threats.
Open-Source Monitoring: For vulnerabilities: Utilizing NPM (client-side), NuGet (server-side), and AWS Inspector.
Periodic Development Training: For R&D and Product personnel to maintain and enhance product security.
Physical and Environmental Security: Measures in place include secured facility access and environmental controls to protect information systems.
Policy Procedures: Establish clear definitions of roles and authorities.
Pseudonymization and Encryption: Where applicable, data is pseudonymized or encrypted to enhance confidentiality.
Redundancy: Systems and data are duplicated across multiple sites to ensure availability and data integrity.
Segmentation and Compartmentalization: In permission management enhance security.
Split Between Staging and Product Environments: Environments are split between staging and production to safely manage and test changes before deployment.
Wrong Password: Five incorrect password attempts result in user block for 30 minutes.
Password Strength and Policy: Requires a combination of at least 8 letters, numbers, and symbols, changed at least every 180 days, with no reuse of previous passwords.
Predefined default settings for all factors in the system.
Irregularities Reports.
Bulk Configuration of System Assets.
Cloud-Based Managed Anti-Virus.
AZURE Active Directory + InTune.
Normalization of All Stored Data: To ensure consistency and reliability, with no unnecessary data retained.
Online Multi-Zone Replication.
Periodic Backups.
Management of Database Access Logs.
Change Alerts at the Code Level.
Continuous Improvement: Galooli’s security measures are reviewed annually, including independent third-party penetration testing to identify and remediate any potential vulnerabilities. Being ISO 9001 certified, Galooli always seeks to enhance its Quality Management System at all levels of operation.