Technical and Organizational Measures Statement


Inbenta Technologies, Inc. (Inbenta) provides a SaaS natural language solution, as well as Professional Services on top of the platform, which is integrated in our customers’ systems using APIs and SDKs. All company internal processes operate under the ISMS umbrella.

This Technical and Organizational MeasuresStatement (TOMS) document aims to summarize our Information Security Management System (ISMS) that manages our privacy and security measures and regulations, with the main objective of preventing non-normative acts and their consequences by all of our human and technical resources.

In order to achieve this, we adhere to International Standards ISO 9001, ISO 27001 and ISO 27017, implementing the Plan-Do-Check-Act method. To assess risk we follow ISO 27005 on information security risk management and EU European Network and Information Security Agency Guide on Cloud Computing.

Our ISMS is internally and externally audited through a three-year cycle. As of January 2019, Inbenta Technologies, Inc. has been successfully certified under ISO 9001, ISO 27001 and ISO 27017 by AENOR.

In addition, Inbenta’s products (Chatbot, Knowledge Management, Search and Case Management), and their APIs and SDKs  were audited in 2018 by Ackcent, an audit company specializing in cybersecurity that employed international penetration testing methodologies aligned with OWASP, OSSTM and ISSAF.

Also, we implement an annual internal audit following ISO/IEC 27007 Guidelines on managing an information security management system (ISMS) auditing. In 2018, the internal audit was executed by an outsource auditing company, INGECAL.

Official laws and regulations compliance

Inbenta Technologies, Inc. processes all data in Spain, therefore it complies with the current Spanish Act on Data Protection and must report to the Spanish Agency of Data Protection any breach data incident within 72 hours. Also, we comply with EU General Data Protection Regulation 2016/679  (GDPR), and our US office branch is certified under Privacy Shield US-UE Agreement.

Information security policies

We employ our entire Information Security Management System as our security policy by implementing all mandatory processes, records and controls of the International Standard 27001 applicable to our company.

In this regard, all employees manage information according to their educational and training certifications, roles and responsibilities, and have received training in classification of information and EU Regulation 2016/679 (EU GDPR), as well as have signed an intellectual property agreement, and a statement of good practices to prevent non-normative behavior and its consequences when processing and transferring information.

This document of best practices contains understandable examples of the most common possible situations when managing and processing both corporate and personal information of any party, regarding the: i) use of internet; ii) use of email; iii) use of passwords; iv) use of mobile devices; v) connection to VPNs and external wireless networks; vi) security of operating systems and installing not allowed software ; vii) physical security at the workspace, and viii) privacy and level of confidentiality.

Additionally, we also include the following privacy policies as elements controlled through our ISMS:

  • Privacy policy on personal information of clients and/or clients of our clients. Inbenta complies with EU GDPR 2016/679 by subscribing to EU-US Privacy Shield Agreement and Principles, the designation of specific Data Protection Officers and training to our employees on EU GDPR 2016/679. Our privacy policy is published in our website and periodically modified according to laws and regulations.
  • Privacy policy on employee’s personal data and recruitment of candidates. Following EU GDPR 2016/679, regarding our employees’ data, we only ask, process and retain personal data for work purposes. Examples are certifications of their educational and training backgrounds, information to provide to social security and tax agencies, or a bank account to transfer their salary. Regarding candidates, we only collect their educational, training and employment background as well as an email address and phone number, and retain this for a maximum period of one year in our office branches with outsourcing recruitment services, and six months for the rest of our branches.

Organization of information and security operations

At the organizational level, our Chief Information Security Officer holds the maximum level of access to information and execution of security measures, followed by our System Administrators, the Chief Operation Officer and the Chief Technology Officer.

We document and record all mandatory ISMS controls and have a Security Board formed by our CEO, COO, CTO, CISO, Office Manager and Compliance Manager to monitor and assess the security of operations and incidents.

Regarding our services and infrastructure suppliers, we hold a policy of dynamic risk assessment by classifying our risk of non-compliant behavior according to our verification of our vendor’s compliance with international standards of security and privacy by verifying their standards’ certifications. In case of not providing a valid certification, we asked them for a detail description of mandatory ISMS records and controls, assessing the risk as higher than those suppliers that are certified. Our policy is to keep non-certified suppliers as few as possible.

Operations security

All of our data is stored by Amazon Web Services (AWS), which complies with international information security and privacy standards. Our availability zones are in United States, Europe, Asia Pacific and South America. AWS certifications are available here. For information at rest, encryption keys are managed by AWS-KMS and uses at least an AES256. For data in transit, all connections are encrypted under TLS > 1.0 protocol in order to provide communications security and privacy. Protocols, certificates and ciphers can be found here.

We don’t use local servers. Workstations are only used as access terminal stations to enterprise and development environments under a VPN, and encryption of personal computers implements disk encryption: FireVault (OS), LVM Disk encrypt (UNIX/Linux) or BitLocker (Windows). We periodically review our devices to prevent installation of non-authorized software according to their compliance risk assessment and licenses of use. This task is carried out by our system administration team and our compliance manager on a per-month basis.

Access control

Our service infrastructure access is secured by dividing it into different instances where employees can access according to their assigned profiles – based on their roles and responsibilities — and always with usernames and reliable passwords protocols.

Moreover, information is always logged and backed-up.

Regarding access to our servers, product development also implements Amazon Web Services but in a separate instance, and the developers do not have access to the system infrastructure and security.

In terms of internal work organization, we implement Jira and Confluence cloud platforms from Atlassian that provide restriction of access and edition on documents. Atlassian complies with several security standards such as Membership of the Cloud Security Alliance, ISO 27001, ISO 27018 and SOC 2. You can check their certifications here.

Process of personal information according to EU GDPR 2016/679

Inbenta Holdings, Inc. provides services of online communication and information search based on natural language. This means that the user can access information from the client’s knowledge base by writing and submitting  text, which is processed by Inbenta to return the best answer.

Inbenta is delivered as a cloud-based Software As A Service (SaaS), integrated to customer platforms through APIs and SDKs. Inbenta stores the questions that end-users ask to the system. End-users’ data is owned by Inbenta’s customers and Inbenta acts as a Data Processor. Every Inbenta customer has control to pseudonymize personal data coming from end-users by using the inbenta feature “logs obfuscator,” which  pseudonymizes data before storing it.

Each customer must first specify what kind of data they want to pseudonymize and activate the option to do so.

If the client activates this option, personal data of users enters our server already pseudorandomized. If the client does not activate this option, users’ personal data is stored in our server without any privacy anonymization since Inbenta cannot manipulate this data.

Nevertheless, our hosting provider, Amazon Web Services complies with international standards on security and privacy, therefore both information at rest and in transit is secured respecting Inbenta’s limitation of responsibility and liability.

The process and use of personal information by Inbenta is limited to serve our customers’ needs, therefore Inbenta does not transfer data to third, non-involved parties. Unless a different agreement is specified in the contract between Inbenta and the customer, the logs in our server are kept for a maximum of 100 days and can be removed when the services finalizes, if the client specifies it.

Physical and environmental security

Physical access to our offices is secured with 24-hour alarm services and access through passwords and/or fingerprints.

We comply with Spanish Law 31/1995 (amended by Law 54/2003) on the Prevention of Occupational Risks and its implementing legislation, and are audited three times a year by Prevint. Inbenta holds a prevention program in occupational risks. This program includes human physical and psychological safety, as well as physical security of our offices.

Information security incident management

We manage security incidents following the procedure from the Spanish Data Protection Agency that also follow EU GDPR, which dictate that within a maximum period of 72 hours, we must report the Agency and all person and parties affected on the nature, scope and consequences of the incident.

Our internal procedure can be summarized as the following:

1st We receive the notification through any available channels (privacy(at), employees’ corporate electronic mail address, phone, etc.) and we open an inquiry.

2nd In this initial internal report, we describe the following information:

  1. Number of the incident (the number of the open ticket).
  2. Date of notification.
  3. Date and time when the incident took place or was identified.
  4. Identification of the reporter (name, phone, email).
  5. Identification of the persons by whom the incident is reported.
  6. Profile of the users affected by the incident (if any).
  7. Number and typology of the systems affected.
  8. Type of threat: malware, intrusion, fraud, etc.
  9. Description of the incidence.
  10. Impact of the incident over the organization and over the rights of those affected.
  11. Measures and solutions adopted.
  12. If the incident affects data, description of the procedures applied, the data restored, manually recorded data, identification of the responsible and persons involved in the restoration process and communication of it.

3rd We analyze and classify the incident according to the type of data affected in terms of privacy and security.

4th We implement the corrective measures and solutions necessary.

5th We notified the affected parties and individuals of the primary assessment, process of correction and consequences.

6th We determine a period and methodology to assess our intervention to learn from the incident and improve our security strategies and methods.

Last update: 2019/01/16