Security
Sonder values the trust of our members and clients above all else. Our core value of putting members first underpins our security philosophy, including how we manage and protect data. We set our own high standards and follow current industry standards to stay ahead of cyber threats.
Our security and privacy practices
- For organisations: find out more about Sonder's information security program
- For members: find out more about Sonder's privacy policy and Sonder's electronic health record (EHR)
- For Sonder: find out more about how Sonder cares for our staff
Information security program
Sonder maintains a robust security program, guided by formal policies and detailed requirements that meet best-practice standards for our industry. The objective of this program is to maintain the confidentiality and integrity of information across Sonder systems and in all communications with our members, clients, guests, employees and business partners.
ISO
Sonder's policies, procedures and standards are based on ISO/IEC 27001, the globally recognised standard for Information Security Management Systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It draws on best practice and a comprehensive set of security controls covering people, processes and IT systems. Sonder's certification is renewed annually, with compliance audited by an independent third-party certification body.
NCSC Cyber Essentials
Sonder holds NCSC Cyber Essentials certification, a UK government-backed scheme designed to guard against the most common cyber threats. Certification covers five control areas: firewalls, secure configuration, user access control, malware protection and patch management.
ACHS
Sonder has built its programs on the standards of the Australian Council on Healthcare Standards (ACHS) Evaluation and Quality Improvement Program (EQuIP6). EQuIP was designed for healthcare organisations striving for excellence, through principles that support best practice and foster a culture of continuous improvement.
Sonder combines a secure product development life cycle with a software assurance maturity model to continuously analyse and improve its software security posture. Secure engineering practices applied from design to retirement include secure coding and secure testing standards, readiness and compliance checks, automated code testing in CI/CD pipelines, operations driven from version-controlled source repositories, threat modelling, OWASP-aligned penetration testing, secure developer training, segregated environments, role-based access to code, build and deployment environments, sprint-based delivery under a scrum master, and tracking of code maintenance in JIRA.
Sonder engages a managed security service provider (MSSP) for the operational and security management of both its AWS cloud infrastructure and the applications that run on it. Sonder continuously strengthens this posture through a rolling program of web, API and mobile application penetration testing conducted by independent external parties, evaluating application-layer security against recognised methodologies: the Penetration Testing Execution Standard (PTES), the Open Source Security Testing Methodology Manual (OSSTMM) and the OWASP (Open Web Application Security Project) Top 10 for both web and mobile applications.
Sonder maintains business continuity policies and procedures that identify Sonder's critical products and service functions and specify the response and recovery actions needed to mitigate the effect of disruptions, incidents or crises on the uninterrupted provision of core products and services. Sonder's Business Continuity Plan (BCP) is tested multiple times per year across a range of scenarios. The Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Allowable Outage (MAO) for every core product and service are specified in the BCP. Speak with your Sonder representative to access a copy.
Sonder operates an end-to-end Enterprise Risk Management System (ERMS). Risk assessments of products and infrastructure, including reviews of confidential data flows, are conducted on a regular basis. Sonder maintains a live risk register that identifies, describes and assesses its relevant strategic and operational risks. The register is a living document, reflecting the current risk mitigation and control framework, and is managed in an off-the-shelf SaaS tool.
Sonder holds insurance policies covering general liability, professional indemnity, and cyber and privacy.
To support data privacy and regional compliance requirements, Sonder stores cloud data in Amazon Web Services (AWS) data centres, in the AWS region you require: Australia or the United Kingdom.
Sonder hosts data in AWS data centres that are ISO 27001 certified and covered by SOC 2 reports (see AWS compliance programs). AWS infrastructure includes backup power, HVAC systems and fire suppression to protect servers and, ultimately, your data (see AWS data centre controls). AWS on-site security includes security guards, fencing, video surveillance, intrusion detection technology and other measures (see AWS physical security).
Data backups are performed daily. All backups are encrypted and stored in AWS regional data centres. Restore tests are conducted at least annually and are aligned to the RPO, RTO and MAO objectives set out in Sonder's Business Continuity Plan (BCP).
To give end users timely access to the Sonder app, you may need to provide some user information: first name, last name and email address. You can transfer this data to Sonder through our customer portal (over HTTPS) or via SFTP (the SSH File Transfer Protocol). Both channels are encrypted in transit and audited regularly.
Sonder offers customers a choice of authentication: SSO via SAML 2.0 against your corporate identity provider, or native identity management backed by AWS Cognito.
Sonder encrypts all data at rest using AES-256 (AWS-managed encryption) and in transit using TLS 1.2.
Sonder operates on the principle of least privilege. Access to confidential data is restricted to authorised individuals and systems through role-based access control (RBAC), multi-factor authentication (MFA) and context-aware access controls. Access permissions are reviewed regularly by Sonder's IT team, and at onboarding, on any change in role or requirements, and at offboarding. Every access change is formally logged and tracked, and is carried out only with approval from the relevant business manager and IT.
Sonder has a comprehensive data breach notification policy and response plan (“Response Plan”), which outlines the steps we are required to take in the event of a data breach. This allows us to identify and deal with a data breach quickly to mitigate any harm that may result.
As part of the Response Plan, we will notify you as soon as practicable if we:
- discover or suspect that your personal information has been lost, accessed by, or disclosed to, any unauthorised person or in any unauthorised manner;
- believe that you are likely to suffer serious harm as a result; and
- are unable to prevent the likely risk of harm.
Our applications undergo regular penetration testing, and our code is continuously scanned by automated security tools. We also monitor our environment 24/7 for vulnerabilities and threats, using the AWS security services including AWS WAF, GuardDuty, Inspector, Security Hub, CloudTrail and VPC Flow Logs.
Additionally, we ingest our log data into Sumo Logic (SIEM) and Datadog (APM) for further monitoring and analysis. Our 24/7 security monitoring is conducted by Redbear, an AWS Level 1 MSSP (Managed Security Service Provider) specialising in cloud security.
Employees and internal contractors receive training on the ISMS (including the Acceptable Use and Information Security Policy) and on privacy as part of onboarding, with refresher training at least annually. Whenever a policy changes, all employees are required to read and acknowledge the updated policy in Sonder's HRIS.
Information security training varies with the nature of the role and business requirements. As a minimum, all employees receive security awareness training across risk domains such as acceptable use; data classification, labelling and handling; secure VPN use; and phishing, smishing and vishing.
Staff security training compliance is reviewed as part of the ISO 27001 audit process.
Sonder's Chief Operating Officer (COO) is accountable for information security. The Head of IT & IS is responsible for the compliance of Sonder's ISMS against its key controls, supported by senior technical managers across DevOps, Engineering and Operations.
We recognise and respect your need to assess and review our service. Should you require evidence or attestation of the above, please contact your Sonder representative to access our procurement documentation. Note that some documents may require an NDA before release.
Electronic health record (EHR)
Sonder's EHR improves care outcomes and is a foundational technology for our human-centric approach. It focuses on the total health of our members, going beyond standard clinical data to take a broader view of an individual's healthcare.
Sonder’s EHR is a real-time health record that makes information available instantly and securely to authorised users (namely, clinicians and allied health personnel). It is designed to not only securely store the medical information that our members share with us, but to enable our clinical teams to better understand an individual’s holistic health journey by collecting and aggregating (stated and revealed) preferences regarding health and wellbeing.
Facilitating a human-centric approach to healthcare
For Sonder, the EHR underpins the human-centric care we provide. A member's information moves securely to where it is needed. It allows the Sonder health team to work collaboratively with patients, sharing images, video and shared whiteboards to unpack problems. When care is needed beyond Sonder's clinicians, the EHR can instantly and securely e-refer to other clinicians through a secure medical messaging system that allows a two-way flow of information between clinicians.
This important tool helps to ensure every Sonder member gets the highest quality clinical experience every time they engage for help, care and support.
There's so much more to share
Sonder is reimagining health, safety and wellbeing support. Sonder proves that human-centric care leads to earlier intervention, and that supporting one person at a time drives meaningful change across an organisation. Sonder understands people and how to support them.