Plume Trust Center

At Plume, we are committed to providing trusted consumer experiences to our customers by protecting the security, privacy, and availability of their data.

App Store Google Play Download Button Works on mobile devices with OS version 15.0 or newer
Google Play Apple store Download Button Android mobile devices with Android 7.0 or newer
App Store Google Play Download Button Works on mobile devices with iOS 15.0 or higher
Google Play Apple store Download Button Works on Android mobile devices with Android 7.0 or higher
Security
Plume is dedicated to the security of our products and services. We focus on security so our customers can focus on growing and innovating their services while empowering consumers to elevate their smart home experience. Plume has earned two certifications from the International Standards Organization (ISO): ISO27001 and ISO27701. ISO certifications are widely considered the gold standard certifications for protecting information and the systems through which that information is handled. If you have questions about Plume’s information protection programs or have experienced an information security event related to Plume’s services, please contact us at security@plume.com.
Device & Application Security
  • Plume integrates security into the product development lifecycle, following industry recognized frameworks such as OWASP SAMM. Security assessments are conducted as part of the release process. Plume’s goal is to ensure our software and firmware are designed and built securely from the ground up.
  • Security training is designed to help our employees identify, address and mitigate security threats.
  • Plume’s service providers undergo a security risk assessment as part of Plume’s Third Party Risk Management program. This program includes review of each such third party’s compliance with law.
Data Security
  • Plume uses NIST best practice frameworks to protect services and NIST standards to encrypt customer data in storage and communication between the consumer premise equipment and mobile/web applications to the cloud.
  • Network segregation and role-based access control is used to restrict unauthorized data access.
  • Data permissions are configured using the principle-of-least-privilege to limit access to only those who need it for a specific business purpose.
  • Access to production data is monitored, logged, and audited.
Vulnerability Disclosure
  • If you have questions about Plume’s information protection programs, have experienced an information security event related to Plume’s services or want to submit a vulnerability disclosure, please contact us at security@plume.com. To submit a vulnerability disclosure, you may also use this form.
  • You can expect to receive an acknowledgement within 5 business days. Periodic updates on reported issues will be sent.
  • To the best of our ability, we will confirm the existence of the vulnerability and be as transparent as possible throughout the process.
Privacy
Plume is committed to protecting individuals’ privacy. Plume’s commitment is realized by a privacy governance program guided by these core privacy principles:
  • Lawfulness, Fairness and Transparency: Processing of personal information is transparent and fair.
  • Purpose Limitation: Personal information is processed for specific, explicit, and legitimate purposes that are disclosed to the individuals and not further processed in a manner inconsistent with those disclosed purposes.
  • Data Minimization: Personal information is processed as reasonably necessary for the purposes for which the personal information was collected.
  • Accuracy: Plume strives to maintain personal information as accurate, up-to-date and complete.
  • Storage Limitation: Personal information is stored only as long as necessary for the purpose for which it was collected.
  • Integrity and Confidentiality: Plume protects the security and confidentiality of personal information through appropriate technical and organizational measures.
Privacy Governance Program

Plume’s privacy governance program includes these key practices:

  • Plume describes in its privacy policies the rights and choices that individuals may have with respect to personal information and how to exercise those rights.
  • Plume’s employees participate in privacy awareness training designed around organizational, contractual and regulatory requirements.
  • Plume incorporates privacy-by-design and privacy-by-default controls in the product development Lifecycle.
  • Plume has procedures for preventing, detecting and remediating any unauthorized access, use, unavailability or disclosure of personal information.
  • Plume’s suppliers and vendors that handle personal information are subject to binding commitments that establish their roles and limitations in processing that personal information.
  • Plume conducts periodic self-assessments to identify gaps in its privacy governance program and establish measures for eliminating the identified gaps and establishing best practices.
  • Plume takes measures to retain personal information for the duration necessary to fulfill the disclosed purposes unless a different retention period is required by customer agreements or law.
  • Plume services are hosted and operated in multiple geographic regions. In some cases, Plume may transfer personal information across jurisdictional borders. For international transfers of personal information from the EEA, UK and Switzerland, Plume’s customer and supplier contracts include the Standard Contractual Clauses issued by the European Commission under decision 2010/87/EU (including the UK and Swiss addenda). Plume complies with applicable laws with respect to other personal information transfers when the destination jurisdiction does not ensure the same level of data protection as the jurisdiction from which the personal information originates.
Cloud
Using the power of the cloud, Plume services are designed to be secure, resilient and dynamically scalable. The operational status of our US cloud and EU cloud is publicly available.
Cloud Practices
  • The Plume cloud is architected to provide high availability and data redundancy.
  • The cloud infrastructure is built and operated using a shared responsibility model leveraging certified cloud provider services supplemented by organizational and technical controls.
  • Access to corporate resources are managed using controls such as Single-Sign-On (SSO), Multi-Factor Authentication (MFA) and Virtual Private Network (VPN) based remote access.
  • Systems are configured with minimum necessary services and changes are logged and monitored.
  • Anti-malware and intrusion detection systems are used to detect and respond to anomalous behavior and malicious activity.
  • Periodic assessments are performed to detect vulnerabilities in the environment which are then mitigated based on their risk using change management and incident response processes.
Compliance
Plume is continuously working to meet and exceed its regulatory compliance obligations. Plume maintains a set of compliance certifications.
ISO27001: Security Information Management
  • The ISO 27001 information security management system (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested internal and external parties that risks are adequately managed.
  • ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  • The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers—is ISO 27001 certified

    bsi ISO 27001

ISO27701: Privacy Information Management
  • The ISO 27701 privacy information management system (PIMS) is built on top of ISO/IEC 27001 and helps organizations reconcile privacy regulatory requirements. The standard outlines a comprehensive set of operational controls that can be mapped to various regulations, including GDPR, CCPA. Once mapped, the PIMS operational controls are implemented by privacy professionals and audited by internal or third-party auditors resulting in a certification and comprehensive evidence of conformity.
  • This standard specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
  • The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers—is ISO 27701 certified.
    ISO 27701 PIM
Data Privacy Framework
  • The Data Privacy Framework is a comprehensive set of guidelines and standards developed to facilitate and regulate the transfer of personal data between organizations operating in different countries. The U.S. Department of Commerce, International Trade Administration oversees the DPF.
  • The DPF consists of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Plume’s DPF certification to all three was officially awarded.
  • You can find evidence of Plume’s verification by typing “Plume Design Inc” into the search bar on the DPF website