Security & Privacy

At Greater Moment, data security and privacy are our top priorities. We've built these principles into our product and company structure from the very beginning.
Privacy Measures
Greater Moment employs specific protocols to protect personal data, in line with GDPR guidelines.
Technical Measures
We utilise encryption, secure authentication, and network security to safeguard your data.
Organisational Measures
Our organisational strategy includes controlled access and regular security procedure reviews.
Privacy Measures

Privacy FAQs

Greater Moment adheres to GDPR guidelines and implements comprehensive privacy measures. Our approach includes Data Processing Agreements, minimal processing of Personally Identifiable Information (PII), and transparent sub-processor agreements.
Are you GDPR compliant?

Yes. We have taken a number of steps to be GDPR compliant including:

  • Data Processing Agreements and Standard Contractual Clauses for non-EEA (EU) countries
  • Privacy Policy
  • Process as little Personally Identifiable Information (PII) as possible
  • Sub-processor agreements with all sub-processors, all of which are located in the EEA (EU)
  • Rely on as few sub-processors as possible
  • Data Subject Rights process
  • Data breach notification processes
Do you offer Data Processing Agreements?
Yes. All customers can enter a Data Processing Agreement with us. This covers all of the main terms needed under the GDPR. It also describes our processes when it comes to telling you about changes or breaches (if they happen).

We understand that customers may have their own DPAs, but we do ask that our DPA be used, as it describes the processes we have in place for the benefit of all of our customers.
Do you have protections in place for international data transfers?
Yes. We use Standard Contractual Clauses (SCC) when personal data is being transferred from or to customers that are outside the EEA (EU). This ensures the transferred data receives a level of protection equivalent to that provided within the EEA (EU).
Who has access to data?
Various teams inside Greater Moment may have access to your data. The level of access granted is determined by the nature of their job functions and the specific tasks required to deliver services to you.

All current and future employees and contractors sign contractual agreements committing them to process data in a compliant manner. In our capacity as a processor, like many other Software as a Service (SaaS) providers, we work with external sub-processors to deliver our services. A comprehensive list of these sub-processors, along with additional details, can be accessed here.
Where is your data stored?
EU (Netherlands). Greater Moment runs its software infrastructure services on two major cloud platform providers: Microsoft Azure for the database layer and Heroku (Salesforce) for the application layer.
Which sub-processors do you use?
Greater Moment uses only 4 sub-processors to process Personally Identifiable Information (PII).

View all sub-processors here.
How long do you hold personal data?
As a processor, we hold personal data for the duration of your contract with us. Any personal data within your account is deleted at the end of the contract.
Technical Measures

Technical FAQs

We employ robust technical safeguards, including encryption at rest and in transit, secure authentication protocols, and rigorous network security. Our hosting and workstation configurations are aligned with international security standards.
Internal Authentication

Greater Moment enforces a robust internal password policy to safeguard access to essential systems and data. All internal employees and contractors must adhere to stringent password requirements, including a minimum length of 12 characters and the use of upper- and lower-case letters, numbers, and special symbols.

We require Multi-Factor Authentication (MFA) for all internal employees and contractors to access critical systems.

Do you encrypt data at rest?
Yes. Greater Moment encrypts Customer Data at rest using a different standard in each layer. In the database layer, managed by MongoDB Atlas on MS Azure, AES-256 is employed. In the application layer, hosted on Heroku, AES-128 encryption is used to secure all data. This provides a layered encryption strategy that aligns with the specific measures Heroku and Azure each apply to encrypt all volume (disk) data at rest.
Do you encrypt data in transit?
Yes. All of Greater Moment's traffic, including interactions between the application and the database, is protected by Transport Layer Security (TLS) v1.3. This protocol is enabled by default within both Heroku (application layer) and MongoDB Atlas on MS Azure (database layer), ensuring that Customer Data transmitted to Greater Moment is encrypted in transit using TLS.
Which infrastructure do you use?
Greater Moment runs its software infrastructure services on two major cloud platform providers: Heroku (Salesforce) for the application layer and Microsoft Azure for the database layer.

Heroku’s physical infrastructure is hosted and managed within secure data centers in the Europe region, which are compliant with a number of physical security and information security standards. These include ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). Additional details about Heroku’s security practices and compliance can be found here: Heroku Security Policy.

For the database layer, Microsoft Azure is responsible for the security of its data centers hosting MongoDB Atlas in the Netherlands. Azure's data centers are compliant with numerous physical security and information security standards, detailed here: Azure Security. At least twice per year, Azure is subject to due diligence performed by Greater Moment's Database-as-a-Service sub-processor (MongoDB Atlas) and other third-party auditors. This includes obtaining and reviewing security compliance certifications, ensuring alignment with the required security and compliance benchmarks. Together, Heroku and Microsoft Azure, through MongoDB Atlas, provide a robust, secure, and compliant infrastructure that aligns with international standards and regional regulations.
Is your network secure?
Yes. We divide our systems into separate networks to protect critical customer data. Testing and development activities are hosted in a separate network from systems that have production applications. Customer data is only permitted to exist in our production network - the most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Greater Moment's production environment from any open public networks like the internet is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of service to its users are open at our perimeter.
When do you dispose of data?
We remove your data after your service ends, and can remove any data subject's data upon request.
How secure is your hosting?
Greater Moment's hosting provider, Heroku, hosts and manages its physical infrastructure within secure data centers in the Europe region, which are compliant with a number of physical security and information security standards. These include ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). Additional details about Heroku's security practices and compliance can be found here: Heroku Security Policy.
Are your workstations secure?
Yes. All workstations are pre-configured for employees to meet our standards. The default configuration includes disk encryption, anti-virus, strong passwords, and locking when idle. Employees are not permitted to download customer data from production systems to their local workstations.
Organisational Measures

Organisational FAQs

Greater Moment implements strict access controls and follows clear security measures across all personnel. Monthly Information Security Council meetings ensure continual review and enhancement of our organisational security protocols.
Do you implement access controls?

Yes. We adhere to the principle of least privilege. Only authorised users can access Greater Moment, and access is governed by robust security protocols. These protocols grant access solely to those with valid credentials and permissions, in line with the platform's principles of Role-Based Access Control (RBAC), Least Privilege, and Separation of Duties.

Do personnel follow security measures?
Yes. Personnel practices apply to all members of Greater Moment's workforce: regular employees and independent contractors who have direct access to Greater Moment's internal information systems. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms and attend security onboarding training delivered by the managing director and head of engineering. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of work at Greater Moment, all access to systems is removed immediately.
Do you implement version control?
Yes. We use version control systems to keep an organised record of code changes. This enables us to review previous versions of the code, detect any issues, and maintain a consistent codebase.
Do you review security & privacy procedures?
Yes. Greater Moment has run a monthly Information Security Council meeting since Aug 2023, in which all procedures around our organisational and technical safeguards for Customer Data are reviewed. We review how we identify, detect, protect against, respond to, and recover from security incidents. All meeting minutes, and any changes or improvements made, are documented.

Greater Moment's monthly information security meeting is led by our Managing Director. The Information Security Council decides on any changes to our organisation, business practices, technology, services, and applicable laws and regulations, and these decisions are documented. We do not modify our compliance practices in a way that materially weakens or compromises the effectiveness of our security controls.