Security



Thank you for trusting Roof AI with your customers’ personal data. We take this responsibility very seriously and make every effort to be transparent and careful when handling this data on your behalf.

Roof AI uses industry standard technologies and services to secure your data from unauthorized access, disclosure, inappropriate use, and loss of access. We ensure that the security policies of all our sub-processors are documented and up-to-date with industry compliance standards where required (PCI, GDPR, etc).

Security at Roof AI is overseen by our Chief Executive Officer and carried out by our entire team.


Vulnerability Disclosure

If you would like to report a vulnerability, please contact security@roof.ai with a proof of concept, list of tools used, and the output of the tools.

If a security disclosure is received, we will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy.


Compliance and Certification

PCI DSS

Roof AI’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider.


GDPR

Roof AI is compliant with the GDPR. If you have customers who reside in the European Union and use Roof AI then we recommend that you sign a Data Processing Agreement (DPA) with Roof AI. This document is a contractual agreement that recognizes Roof AI as being GDPR compliant and makes your organization GDPR-compliant when it comes to using Roof AI as a sub-processor.

In an effort to provide the best security for all our customers when it comes to personal information, Roof AI treats all data as if it is bound by GDPR regulation.

Any person (including EU residents) wishing to submit a personal data request to Roof AI may do so by sending an email to privacy@roof.ai explaining their data request.


Infrastructure and Network Security

Servers

Roof AI infrastructure is hosted on Google Cloud Platform (GCP). The GCP data centers are equipped with multiple levels of physical access barriers, that include:

  • Alarms
  • Perimeter Fencing
  • Vehicle Crash Barries
  • Custom-designed Electronic Access Cards
  • Metal Detectors
  • Internal Trip-Lights
  • Biometrics

For more information on GCP Security features, you can refer to this website. Roof AI employees do not have physical access to GCP data centers, servers, network equipment, or storage.

We are not able to provide the exact physical address of the data centre as Google has historically been quite reticent in publishing location information of their facilities for security reasons.

We currently run Ubuntu 18.04 on all our servers and use a combination of automated and manual inspection to determine if new vulnerabilities are introduced in the software packages on our systems. Our Infrastructure team ingests security bulletins and prioritizes remediation according to our internal Security Vulnerability Identification documentation.


Logical Access Control

Roof AI has full control over all its infrastructure on GCP, and only authorized team members at Roof AI have access to configure infrastructure when needed in order to add new functionality, or respond to incidents. All access required for control of infrastructure has mandated two-factor (2FA) authentication. The levels of authorization for infrastructure components is mandated by the principle of least privilege.


Penetration Testing

Roof AI undergoes grey box penetration testing conducted by an independent third-party agency on an annual basis. For grey box penetration testing, Roof AI will provide the agency with an overview of application architecture and information about system endpoints.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.


Third-Party Audit

Google Cloud Platform undergoes third-party independent audits and can provide verification of compliance controls for its infrastructure. This includes, but is not limited to, ISO 270001, SOC 2, and PCI.


Intrusion Detection

It’s important to know when suspicious activity is occurring on Roof AI's infrastructure. We employ Intrusion Detection and Prevention systems (IDS/IPS) on each host under our control. This notifies us on common alert channels whenever suspicious activity may occur. Our team will check each alert, investigate the activity, and then respond accordingly.


Business Continuity and Disaster Recovery

High Availability

Every part of the Roof AI service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. We do implement gradual rollout and rollback of services in the case of deployment errors.


Business Continuity

Roof AI keeps continuous backups of our production databases in a separate data center. These backups are typically just a few seconds behind the operational system, allowing us to restore easily to any time in the last 24 hours in the case of data corruption or loss.


Disaster Recovery

Roof AI stores all infrastructure as code and as such is able to bring up complete copies of production and staging environments quickly. In the event of a complete region-wide outage, the Roof AI team will bring up a duplicate environment in a different GCP region.


Data Flow

Data Into System

Roof AI provides an embeddable web window for use on our clients’ websites for users to interact with a client's personal chatbot. This chat window will send data back to Roof AI's APIs over TLS 1.2 or greater. The chat window assets use a subresource integrity (SRI) check to ensure that the files fetched from our CDN are cryptographically verified to prevent Man-In-The-Middle attacks.


Data Through System

Data is sent from end-user chat platforms to the Roof AI backend via TLS 1.2. All data is AES-256 encrypted at rest.


Data Out of System

Roof AI maintains intelligent network firewall rules at the infrastructure level that limit the surface for data extraction. We scrutinize our preferred partners and integrations to ensure that they comply with necessary security regulations (GDPR, PCI, etc), before transferring data for processing.


Data Security and Privacy

Data Encryption

All data in Roof AI servers is automatically encrypted at rest. All volumes are encrypted in GCP using the industry-standard AES-256 algorithm.

Roof AI only ever sends data over TLS 1.2 or greater, and never downgrades connections to insecure early TLS methods like SSLv3 or TLS 1.0.


Data Removal

Data may be retained after termination of service according to specification within our main customer contract. If data is kept after termination of service for machine learning training purposes Roof AI will scrub all personally identifiable information (PII) from customer data. This includes, but is not limited to, usernames, emails, phone numbers, credit cards, IPs.


Application Security

Two-Factor Authentication

In addition to password login, two-factor authentication (2FA) provides an added layer of security to Roof AI via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data access from intruders.

Roof AI supports 2FA for all user accounts.


Corporate Security

Risk Management

Roof AI uses the NIST CyberSecurity Framework (CSF) to guide and manage our cybersecurity-related risks.


Security Policies

Roof AI maintains internal copies of security documentation, which are updated on an ongoing basis and reviewed annually for gaps:

  • Business Continuity Plan
  • Access Control Policy
  • Data Handling & Encryption Policy
  • Security Incidence Management Policy

Background Checks

Roof AI conducts a mandatory background check and reference check for all employees prior to joining our team.


Disclosure Policy

In the event of a data breach, Roof AI defers to GDPR regulations, which maintains that customers shall be notified within 72 hours of a data breach, where feasible.

Roof AI maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.