Information Security Summary

Last updated November 8, 2022

This document is a summary of the data security policies of Chaind Limited (doing business as Nanumo) ('Nanumo', 'we', 'us' or 'our') and is a non-exhaustive summary of the key steps we take to secure customer ('you', 'your', 'yours') data when you use our services ('Services') as provided via the Nanumo platform.

Table of contents

  1. Overview and general principles
  2. Third party suppliers
  3. Personal data
  4. Employee access to data

1. Overview and general principles

Nanumo stores and processes customer data in accordance with applicable data protection regulations and to a level that meets industry best practice. In summary, our principles include:

  1. Least privilege - All employees and processing systems operate (and, in the case of processing systems, are designed) with the minimum level of access required to complete their tasks. Access to data is granted and revoked as task requirements change.
  2. Secure by default - Access to data and processing systems is granted explicitly; by default no access is granted. To access data, an entity must prove its identity (authentication) and that it holds sufficient authority over that data (authorisation).
  3. Zero trust - All systems are designed to operate in an environment where no trust can be assumed from network location, and every access must be authenticated and authorised.
  4. Encrypted everywhere - All data, whether at rest or in transit, is encrypted. We use AWS Key Management Service (KMS) to manage the keys that encrypt data stored in databases, message queues and flat-file storage, and we use current TLS versions for all internal and external communication between processing systems, customers and employees.
  5. Production isolation - Production data of all kinds is segregated from other environments and is accessible only to authorised employees, and only in exceptional circumstances. Technical and procedural safeguards ensure that production data remains within the production environment.

2. Third party suppliers

We work only with reputable and secure suppliers and require high standards of security wherever customer data is stored and processed.

Amazon Web Services EMEA SARL (AWS Europe) are our primary supplier of compute and storage infrastructure. Our compute and storage infrastructure is located in the UK and all data processing takes place in the UK. Some non-customer data (e.g. websites, content and documents) is stored in other regions for redundancy and availability purposes.

Google provide us with authentication, administration and non-customer data storage and processing services. This data may be processed in Europe or the US.

Datadog Europe provide logging, application metric and monitoring services to us through their German subsidiary. No customer data is processed by Datadog and all of the data processed by Datadog remains within the EU.

3. Personal data

Personally Identifiable Information (PII) is segregated and controlled independently from other business data. A strict boundary is maintained around personal data storage locations, and only tokenised PII (i.e. non-identifiable representations that can be mapped back to the original values only from inside the boundary) is permitted to be stored outside of it.
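The boundary described above, as an added example in Python. This is not Nanumo's code; the vault class, the record fields and the sample values are constructed for illustration. It shows the two properties a "non-identifiable representation" needs: the token must carry no information about the value it stands for, and the mapping back to PII must exist only inside the boundary, where every use of it is audited. It also shows why a bare hash of an email address does not meet that bar.

```python
# Illustrative PII tokenisation boundary. Not Nanumo's code: TokenVault,
# tokenise_record and the sample customer record are constructed for the example.
import hashlib
import secrets
from typing import Iterable, Optional


class TokenVault:
    """Lives inside the PII boundary and holds the only token -> PII mapping."""

    def __init__(self) -> None:
        self._pii_by_token: dict = {}
        self._token_by_pii: dict = {}
        # Every detokenisation (the exceptional path) is recorded here.
        self.audit_log: list = []

    def tokenise(self, pii: str) -> str:
        """Return a token for `pii`, reusing the existing token for a repeated
        value so systems outside the boundary can still join records on it."""
        token = self._token_by_pii.get(pii)
        if token is None:
            # Random token: carries no information about the value it stands
            # for, so it cannot be guessed or reversed without this vault.
            token = "tok_" + secrets.token_urlsafe(16)
            self._pii_by_token[token] = pii
            self._token_by_pii[pii] = token
        return token

    def detokenise(self, token: str, actor: str, reason: str) -> str:
        """Map a token back to PII. Only reachable inside the boundary; audited."""
        if token not in self._pii_by_token:
            raise KeyError("unknown token")
        self.audit_log.append((actor, reason, token))
        return self._pii_by_token[token]


def tokenise_record(vault: TokenVault, record: dict, pii_fields: Iterable[str]) -> dict:
    """Return a copy of `record` with each PII field replaced by its token.
    The copy is what may be stored or processed outside the boundary; the
    original record is left untouched."""
    outside = dict(record)
    for name in pii_fields:
        if outside.get(name) is not None:
            outside[name] = vault.tokenise(str(outside[name]))
    return outside


def naive_hash(pii: str) -> str:
    """A bare SHA-256 of the value: what tokenisation is often mistaken for."""
    return hashlib.sha256(pii.encode()).hexdigest()


def guess_from_hash(value: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the candidate whose bare hash equals `value`.
    Succeeds against naive_hash output (emails and names are low-entropy),
    fails against a random vault token, which is what non-identifiable means."""
    for candidate in candidates:
        if naive_hash(candidate) == value:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 'email' is the PII field.
    customer = {"id": 42, "email": "alice@example.com", "plan": "pro"}
    outside = tokenise_record(vault, customer, pii_fields=("email",))
    print("stored outside boundary:", outside)
    print("detokenised inside boundary:",
          vault.detokenise(outside["email"], actor="ops", reason="support ticket"))
    print("audit trail:", vault.audit_log)
    guesses = ["bob@example.com", "alice@example.com"]
    print("bare hash recovered by dictionary attack:",
          guess_from_hash(naive_hash(customer["email"]), guesses))
    print("vault token recovered by dictionary attack:",
          guess_from_hash(outside["email"], guesses))
```

The deterministic reuse of a token for a repeated value is a deliberate trade-off: it lets systems outside the boundary deduplicate and join on the token, at the cost of revealing that two records share a value. Where even that linkage is unacceptable, issue a fresh token per record instead.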

4. Employee access to data

Employee access to company data is controlled, monitored and audited in accordance with industry best practice. The least privilege principle underpins our employee access strategy and ensures that employees have access only to the data they need to complete their tasks.

Employee access is monitored, logged and centrally controlled.

Access to segregated personal data is further restricted, and strict audit policies apply whenever personal data is accessed in exceptional circumstances.