At Plume, we are committed to providing trusted consumer experiences to our customers by protecting the security, privacy, and availability of their data.
Plume is dedicated to the security of our products and services. We focus on security so our customers can focus on growing and innovating their services while empowering consumers to elevate their smart home experience. Plume has earned two certifications from the International Standards Organization (ISO): ISO27001 and ISO27701. ISO certifications are widely considered the gold standard certifications for protecting information and the systems through which that information is handled. If you have questions about Plume’s information protection programs or have experienced an information security event related to Plume’s services, please contact us at security@plume.com.
Device & Application Security
Plume integrates security into the product development lifecycle, following industry-recognized frameworks such as OWASP SAMM. Security assessments are conducted as part of the release process. Plume’s goal is to ensure our software and firmware are designed and built securely from the ground up.
Security training is designed to help our employees identify, address and mitigate security threats.
Plume’s service providers undergo a security risk assessment as part of Plume’s Third Party Risk Management program. This program includes review of each such third party’s compliance with law.
Data Security
Plume uses NIST best practice frameworks to protect services and NIST standards to encrypt customer data at rest and in transit between the consumer premises equipment, the mobile/web applications and the cloud.
Network segregation and role-based access control are used to restrict unauthorized data access.
Data permissions are configured using the principle of least privilege to limit access to only those who need it for a specific business purpose.
Access to production data is monitored, logged, and audited.
Vulnerability Disclosure
If you have questions about Plume’s information protection programs, have experienced an information security event related to Plume’s services or want to submit a vulnerability disclosure, please contact us at security@plume.com. To submit a vulnerability disclosure, you may also use this form.
You can expect to receive an acknowledgement within 5 business days. Periodic updates on reported issues will be sent.
To the best of our ability, we will confirm the existence of the vulnerability and be as transparent as possible throughout the process.
Privacy
Plume is committed to protecting individuals’ privacy. Plume’s commitment is realized by a privacy governance program guided by these core privacy principles:
Lawfulness, Fairness and Transparency: Processing of personal information is transparent and fair.
Purpose Limitation: Personal information is processed for specific, explicit, and legitimate purposes that are disclosed to the individuals and not further processed in a manner inconsistent with those disclosed purposes.
Data Minimization: Personal information is processed as reasonably necessary for the purposes for which the personal information was collected.
Accuracy: Plume strives to maintain personal information as accurate, up-to-date and complete.
Storage Limitation: Personal information is stored only as long as necessary for the purpose for which it was collected.
Integrity and Confidentiality: Plume protects the security and confidentiality of personal information through appropriate technical and organizational measures.
Privacy Governance Program
Plume’s privacy governance program includes these key practices:
Plume describes in its privacy policies the rights and choices that individuals may have with respect to personal information and how to exercise those rights.
Plume’s employees participate in privacy awareness training designed around organizational, contractual and regulatory requirements.
Plume incorporates privacy-by-design and privacy-by-default controls in the product development lifecycle.
Plume has procedures for preventing, detecting and remediating any unauthorized access, use, unavailability or disclosure of personal information.
Plume’s suppliers and vendors that handle personal information are subject to binding commitments that establish their roles and limitations in processing that personal information.
Plume conducts periodic self-assessments to identify gaps in its privacy governance program and establish measures for eliminating the identified gaps and establishing best practices.
Plume takes measures to retain personal information for the duration necessary to fulfill the disclosed purposes unless a different retention period is required by customer agreements or law.
Plume services are hosted and operated in multiple geographic regions. In some cases, Plume may transfer personal information across jurisdictional borders. For international transfers of personal information from the EEA, UK and Switzerland, Plume’s customer and supplier contracts include the Standard Contractual Clauses issued by the European Commission under decision 2010/87/EU (including the UK and Swiss addenda). Plume complies with applicable laws with respect to other personal information transfers when the destination jurisdiction does not ensure the same level of data protection as the jurisdiction from which the personal information originates.
Cloud
Using the power of the cloud, Plume services are designed to be secure, resilient and dynamically scalable. The operational status of our US cloud and EU cloud is publicly available.
Cloud Practices
The Plume cloud is architected to provide high availability and data redundancy.
The cloud infrastructure is built and operated using a shared responsibility model leveraging certified cloud provider services supplemented by organizational and technical controls.
Access to corporate resources is managed using controls such as Single Sign-On (SSO), Multi-Factor Authentication (MFA) and Virtual Private Network (VPN) based remote access.
Systems are configured with minimum necessary services and changes are logged and monitored.
Anti-malware and intrusion detection systems are used to detect and respond to anomalous behavior and malicious activity.
Periodic assessments are performed to detect vulnerabilities in the environment, which are then mitigated based on their risk using change management and incident response processes.
Compliance
Plume is continuously working to meet and exceed its regulatory compliance obligations. Plume maintains a set of compliance certifications.
ISO27001: Information Security Management
The ISO 27001 information security management system (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested internal and external parties that risks are adequately managed.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers—is ISO 27001 certified.
ISO27701: Privacy Information Management
The ISO 27701 privacy information management system (PIMS) is built on top of ISO/IEC 27001 and helps organizations reconcile privacy regulatory requirements. The standard outlines a comprehensive set of operational controls that can be mapped to various regulations, including GDPR and CCPA. Once mapped, the PIMS operational controls are implemented by privacy professionals and audited by internal or third-party auditors, resulting in a certification and comprehensive evidence of conformity.
This standard specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers—is ISO 27701 certified.
Data Privacy Framework
The Data Privacy Framework is a comprehensive set of guidelines and standards developed to facilitate and regulate the transfer of personal data between organizations operating in different countries. The U.S. Department of Commerce, International Trade Administration oversees the DPF.
The DPF consists of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Plume’s DPF certification under all three has been officially awarded.
You can find evidence of Plume’s verification by typing “Plume Design Inc” into the search bar on the DPF website.