Security

ISO

Sonder policies, procedures, and standards are based on the International Organisation for Standardisation (ISO) / International Electrotechnical Commission (IEC) 27001. ISO 27001 is a globally-recognised Information Security Management System (ISMS) standard. It leverages best practices and comprehensive security controls which includes people, processes and IT systems. Sonder renews this certification annually and uses an independent third-party body to audit compliance.

NCSC Cyber Essentials

Sonder holds NCSC Cyber Essentials certification, a government backed scheme designed to guard against common cyber threats. The five key controls areas for certification include: Firewalls, secure configuration, user access control, malware protection and patch management.

ACHS

Sonder has built its programs using the standards of the Australian Council on Healthcare Standards (ACHS) evaluation and quality improvement program (EQuIP6). This program was designed for healthcare organisations to strive for excellence through principles which support best practice and are designed to facilitate a culture of continuous improvement.

Sonder combines a secure product development life cycle with a software assurance maturity model to continuously analyse and improve our software security posture. Sonder uses secure engineering principles, including secure coding standards, secure test standards, readiness and compliance checks from design to retirement, automated code testing and CI/CD processes, source code repo and version control driven operations, threat modelling, OWASP pen testing, secure developer training programs, segregated environments, role based access to code, build and deploy environments, scrum master/sprints and code maintenance tracking in JIRA.

Sonder leverages a world-class managed security service provider (MSSP) to ensure the operational and security management of both the AWS Cloud infrastructure environment and the applications that run on it. Sonder continuously strengthens this posture with independent external parties regularly conducting a rolling program of web, API, and mobile application penetration testing in an effort to evaluate the application layer security with regards to best practice security standards. This includes Penetration Testing Execution Standard (PTES), Open-Source Security Testing Methodology (OSSTM), and Open Web Application Security Protocol (OWASP) top 10 for both web and mobile applications.

Sonder maintains policies and procedures to ensure continuity of business functions, to identify the Sonder-critical business product and service functions, and to specify the response and recovery actions and strategies needed to mitigate any adverse business effects of disruptions, incidents or crises on the ability of Sonder to maintain business continuity and the uninterrupted provision of core products and services. Sonder’s Business Continuity Plan (BCP) is tested multiple times per year, covering a range of scenarios. All core product and service Recovery Time Objectives (RTO), Recovery Point Objective (RPO) and Maximum Allowable Outage (MAO) are specified within Sonder’s BCP. Speak with your Sonder representative to access a copy of Sonder’s BCP.

Sonder has an end-to-end Enterprise Risk Management System (ERMS). Risk assessments of products and infrastructure are conducted on a regular basis, including reviews of confidential data flows. Sonder maintains a live risk register that identifies, outlines and assesses relevant strategic and operational risks held by Sonder. The risk register is a ‘live document’ — reflective of the current risk mitigation and control framework and managed within an off-the-shelf SaaS program.

Sonder holds policies for general liability, professional indemnity, and cyber and privacy.

To ensure data privacy and compliance with regional requirements, Sonder stores cloud data with Amazon Web Services (AWS) data centres. This geographically distributed approach places your data in the AWS region you require, be it Australia or the United Kingdom.

Sonder hosts data in AWS data centres that have been certified as ISO 27001 and SOC 2 compliant. Learn about Compliance at AWS. AWS infrastructure services include backup power, HVAC systems and fire suppression equipment to help protect servers and ultimately your data. Learn about Data Centre Controls at AWS. AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology and other security measures. Learn about AWS physical security.

Backups for data are performed daily. All backups are encrypted and stored in Amazon Web Service region data centres. Recovery practices are conducted at least annually and are aligned to meet RPO/RTO/MAO objectives outlined within Sonder’s Business Continuity Plan (BCP).

To ensure timely access to the Sonder app for end-users, you may need to provide some user information. This information includes first name, last name, and email address. You can easily transfer this data to Sonder through our secure customer portal (HTTPS protocol) or SFTP (Secure File Transfer Protocol). All platforms are highly secure, and audited regularly.

Sonder offers authentication flexibility for its customers via either SSO (SAML 2.0) for corporate identity management or native (AWS Cognito) identity management.

Sonder encrypts all data both at rest using AWS AES 256 encryption methods and in transit using TLS 1.2

Sonder operates on a ‘least privileged’ control principle. Access to confidential data is restricted to authorised individuals and systems through role-based access control (RBAC), multi-factor authentication (MFA) and Context Aware access (ACA). Access permissions are regularly reviewed by Sonder’s IT team and upon onboarding of new employee, change in roles/requirements and offboarding. All events are formally logged, tracked and executed via business manager and IT approval.

Sonder has a comprehensive data breach notification policy and response plan (“Response Plan”), which outlines the steps we are required to take in the event of a data breach. This allows us to identify and deal with a data breach quickly to mitigate any harm that may result.

As part of the Response Plan, we will notify you as soon as practicable if we:

1. discover or suspect that your personal information has been lost, accessed by, or disclosed to, any unauthorised person or in any unauthorised manner;
2. believe that you are likely to suffer serious harm as a result; and
3. are unable to prevent the likely risk of harm.

Our applications undergo regular penetration testing, and our code is constantly scanned by automated security tools. We also monitor our environment 24/7 for vulnerabilities. This includes leveraging the full range of AWS security services including WAF, GuardDuty, Inspector, Security Hub, CloudTrail, and Flow Logs.

Additionally, we ingest our log data into Sumo (SIEM) and Datadog (APM) for further monitoring and analysis. Our 24/7 security monitoring is conducted by Redbear, an Level 1 AWS certified MSSP (Managed Security Service Provider) specialising in cloud security.

Employees and internal contractors receive training on the ISMS (includes the Acceptable Use & Information Security Policy) and Privacy as part of the Onboarding process and receive refresher training at least annually. Upon any changes to policies, all employees are required to read and acknowledge the policy within Sonder’s HRIS.

Depending on the nature of the role and business requirements, infosec training programs vary. As a minimum all employees receive security awareness training on the various risk domains such as acceptable use, data classification, labelling and handling, secure VPN use, phishing, smishing, vishing etc

All staff security training compliance is reviewed as part of the ISO 27001 Audit process.

Sonder’s Chief Operating Officer (COO) is the accountable for information security. The Head of IT & IS is responsible for the for the compliance of Sonder’s ISMS against key controls, supported by senior technical managers across DevOps, Engineering and Operations.