Security and Data Privacy

Introduction

From the day the company ROOMZ was founded, several core values have been defined: easy to use, easy to install, scalable and secure.

This document describes how ROOMZ handles security and data privacy.

Technology with security at its core

The solutions and products provided by ROOMZ are installed by local or multinational companies in every kind of sector, from education to health, finance, watchmaking or NGOs. Consequently, the architecture, hardware and software must be designed to follow the highest security standards. This starts with a well-decoupled architecture.

Architecture

todo: schema

The architecture is composed of 3 parts:

  • Booking System

  • ROOMZ Portal

  • ROOMZ Devices

Booking System

The booking system is owned by the client and is where the information about the reservation of the resources is stored. Depending on the booking system manufacturer, resources such as meeting rooms, desks or equipment in general are managed differently from users. They have their own lifecycle and data. As ROOMZ is only interested in the agenda of the resources, access to any other type of information can be blocked by the customer's IT. The Booking System Configuration section describes the minimal configuration ROOMZ requires in order to access those agendas.

Resource's Agenda

When accessible and configured, ROOMZ will read the following information from the agenda of a resource:

  • From (date and time)

  • To (date and time)

  • Organizer

  • Subject

  • Creation Date

  • Private flag

  • Attachment

From and To are the minimal information required to know the reservation status of a resource. It is then possible to specify whether the Organizer and/or the Subject must be read in order to be shown on the ROOMZ Display. The Creation Date is used for analytics purposes. When available, the Private flag is used to hide the Subject of a meeting that has been marked confidential. Also optional, the Attachment can be read when custom images have to be sent to the ROOMZ Display.

Information lifetime

This information is read by the ROOMZ Portal in order to render a picture. When a new picture is generated, it overwrites the previous one. Depending on the template chosen (daily vs. weekly template), the information about one meeting such as the Organizer or the Subject has a maximum lifetime of one week on the ROOMZ Portal.

For long-term analytics, only From, To and Creation Date are kept on the ROOMZ Portal.

If the organization is using myROOMZ, the lifetime of the information is handled differently (see the myROOMZ section).
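The two rules above (Subject and Organizer are optional and hidden for private meetings; only From, To and Creation Date survive beyond the display lifetime) are easy to get wrong in code, so here is an added illustration in Go of how such a data-minimization and expiry step can be written. This is example code written for this document, not ROOMZ's own implementation; the field names, the one-week cutoff measured from the meeting end and the sample meetings are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Meeting holds the fields listed as readable from a resource's agenda.
type Meeting struct {
	From, To     time.Time
	Organizer    string
	Subject      string
	CreationDate time.Time
	Private      bool
	Attachment   []byte
}

// DisplayView is what a rendered picture may carry.
type DisplayView struct {
	From, To  time.Time
	Organizer string
	Subject   string
}

// ForDisplay applies the minimization rules: From/To are always present,
// Organizer and Subject only if the workspace is configured to show them,
// and Subject is suppressed when the Private flag is set.
func ForDisplay(m Meeting, showOrganizer, showSubject bool) DisplayView {
	v := DisplayView{From: m.From, To: m.To}
	if showOrganizer {
		v.Organizer = m.Organizer
	}
	if showSubject && !m.Private {
		v.Subject = m.Subject
	}
	return v
}

// AnalyticsRecord is the long-term subset: From, To and Creation Date only.
type AnalyticsRecord struct {
	From, To, CreationDate time.Time
}

// ForAnalytics projects a meeting onto the fields kept long-term.
func ForAnalytics(m Meeting) AnalyticsRecord {
	return AnalyticsRecord{From: m.From, To: m.To, CreationDate: m.CreationDate}
}

// displayLifetime is the assumed one-week lifetime of display-only fields.
const displayLifetime = 7 * 24 * time.Hour

// ExpireDisplayData clears Organizer, Subject and Attachment from meetings
// that ended more than displayLifetime before now, leaving only the
// analytics fields in place. It returns the number of meetings scrubbed.
func ExpireDisplayData(meetings []Meeting, now time.Time) int {
	scrubbed := 0
	for i := range meetings {
		if now.Sub(meetings[i].To) > displayLifetime {
			meetings[i].Organizer = ""
			meetings[i].Subject = ""
			meetings[i].Attachment = nil
			scrubbed++
		}
	}
	return scrubbed
}

func main() {
	now := time.Date(2024, 3, 15, 9, 0, 0, 0, time.UTC)
	// Constructed sample meetings; not taken from any real booking system.
	meetings := []Meeting{
		{From: now.Add(-240 * time.Hour), To: now.Add(-239 * time.Hour),
			Organizer: "alice@example.invalid", Subject: "Budget", CreationDate: now.Add(-300 * time.Hour)},
		{From: now.Add(time.Hour), To: now.Add(2 * time.Hour),
			Organizer: "bob@example.invalid", Subject: "Offer review", Private: true, CreationDate: now.Add(-time.Hour)},
	}
	fmt.Printf("display view of private meeting: %+v\n", ForDisplay(meetings[1], true, true))
	fmt.Println("meetings scrubbed after one week:", ExpireDisplayData(meetings, now))
	fmt.Printf("analytics record: %+v\n", ForAnalytics(meetings[0]))
}
```

Running the program shows the private meeting rendered without its Subject, the ten-day-old meeting scrubbed down to its analytics fields, and the analytics projection carrying no free text at all.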

Communication protocol / data format

The communication protocol (e.g. REST, SOAP, ...), encryption (HTTPS, TLS, ...) and the data format (e.g. JSON, XML, ...) are defined by the booking system.

ROOMZ Portal

The Portal (https://portal.roomz.io) is where all the intelligence is located. This is where organization administrators configure, maintain and analyze workspaces.

Infrastructure Cloud

Data and computing are all hosted on Microsoft Azure in a multi-tenant environment. All communications, data and backups are encrypted. Using the cloud infrastructure provides the following advantages:

  • Infrastructure maintenance and security updates are managed by Microsoft

  • Application maintenance, scalability and updates are managed by ROOMZ

  • Device updates are managed by ROOMZ

Infrastructure On-Premise

It is possible to install ROOMZ in an internal network infrastructure. Only the device registration must be executed on the cloud platform, so that ROOMZ knows which organization owns which devices. The ROOMZ Portal must be installed on Windows Server 2019 or higher and the data must be stored in Microsoft SQL Server. ROOMZ On-Premise does not use any Internet access in production. The maintenance of the operating system, including updates and security, is the responsibility of the customer or its partner.

Human authentication

Human access to the ROOMZ Portal uses OAuth 2.0 authentication. The external identity providers Microsoft and Google are supported.

Communication

HTTPS on port 443 over TLS 1.2 (except for WPA2-Enterprise, where the chipset is limited to TLS 1.0)

Customer Data

The customer's data stored on the ROOMZ Portal is:

  • user information

    • first name

    • last name

    • email

    • token (external OAuth provider) or password hash

    • preferences

  • organization information

    • name of the organization

    • name of the buildings including address

    • name of the floors

    • name of the workspaces

    • booking system credentials

    • booking system resource identifier

    • live booking system resource information (used to generate the picture for the ROOMZ Display). For every displayed meeting this includes the following information:

      • start date

      • end date

      • subject (optional)

      • organizer (optional)

      • creation date

      • private flag

      • attachment

    • live presence coming from the ROOMZ Sensors

    • for analytics purposes, the following information is saved long-term per workspace:

      • meeting information (start date, end date, creation date)

      • presence/non-presence

    • subscriptions

Process

Once an account has been created on the ROOMZ Portal, the user creates Workspaces (e.g. room or desk) located on a Floor located in a Building. For each Workspace it is possible to activate/deactivate Features. Some features require associating the workspace with the agenda of a booking system resource and/or with ROOMZ Devices. Once the workspace is configured, the following scenarios apply:

  • The ROOMZ Portal regularly reads the agenda of the associated booking system resource in order to detect changes

  • The ROOMZ Portal generates pictures based on the configuration of the workspace

  • ROOMZ Devices wake up, start the communication with the ROOMZ Portal and ask which actions to execute. After executing the actions, the ROOMZ Devices go back into deep sleep mode.

  • When a person interacts with a ROOMZ Device (e.g. books 15 minutes from a ROOMZ Display), the ROOMZ Device starts the communication with the ROOMZ Portal, passes an identifier of the action, and then asks which actions to execute.

ROOMZ Display

Network configuration

The ROOMZ Devices use Wi-Fi to communicate with the ROOMZ Portal. The network configuration is stored in the NFC chip of the ROOMZ Device. Reading or writing the information stored on the NFC chip requires an NFC authentication, which gives access to device-specific AES-256 encrypted data.

The ROOMZ Mobile application allows organization administrators to read or write the network configuration of the ROOMZ Devices. The mobile application checks that the user is an administrator and that the user's organization owns the device. When writing or reading the network configuration of a device, the data is sent to the ROOMZ Portal, which encrypts/decrypts the content. The mobile application does not hold any security information; it is only a bridge between the ROOMZ Portal and the ROOMZ Device. The ROOMZ Portal does not store the network configuration of the ROOMZ Devices during this process.

On the ROOMZ Portal it is possible to create network profiles. A network profile allows the network configuration of an organization's ROOMZ Devices (e.g. SSID, Wi-Fi authentication type, password, ...) to be updated remotely. ROOMZ does not keep a copy when the user deletes the network profile (except in automatic backups).

Wi-Fi Authentication

  • Open

  • WPA2-PSK

  • WPA2-Enterprise

    • EAP/TLS (certificate)

    • PEAP/MSCHAP-V2 (username/password)

Cipher suite

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_RC4_128_MD5

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_GCM_SHA256
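
The list above mixes suites of very different strength, so a reviewer normally wants a mechanical check rather than eyeballing the names. The following Go program is an added example written for this document (not a ROOMZ tool): it parses IANA-style suite names into key exchange, bulk cipher and MAC, and raises the standard findings (RC4 and MD5 are broken, SSL_-prefixed names are SSLv3-era, CBC suites have a padding-oracle history, static RSA key exchange offers no forward secrecy). The policy rules and severity ordering are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one policy concern raised for a suite name.
type Finding string

// AuditSuite parses a name such as TLS_RSA_WITH_AES_128_GCM_SHA256 and
// returns the policy findings that apply to it.
func AuditSuite(name string) []Finding {
	var out []Finding
	head := strings.SplitN(name, "_", 2) // [protocol prefix, rest]
	if len(head) != 2 {
		return []Finding{"unparseable suite name"}
	}
	if head[0] == "SSL" {
		out = append(out, "SSLv3-era suite name")
	}
	parts := strings.SplitN(head[1], "_WITH_", 2) // [key exchange, bulk+MAC]
	if len(parts) != 2 {
		return append(out, "unparseable suite name")
	}
	kex, bulk := parts[0], parts[1]
	if kex == "RSA" {
		out = append(out, "static RSA key exchange: no forward secrecy")
	}
	if strings.Contains(bulk, "RC4") {
		out = append(out, "RC4 stream cipher is broken")
	}
	if strings.Contains(bulk, "CBC") {
		out = append(out, "CBC mode: padding-oracle history, prefer an AEAD suite")
	}
	switch {
	case strings.HasSuffix(bulk, "_MD5"):
		out = append(out, "MD5 MAC")
	case strings.HasSuffix(bulk, "_SHA"):
		out = append(out, "SHA-1 MAC")
	}
	return out
}

// Acceptable reports whether a suite raises nothing beyond the
// forward-secrecy note, the one finding an RSA-only chipset cannot avoid.
func Acceptable(name string) bool {
	for _, f := range AuditSuite(name) {
		if !strings.HasPrefix(string(f), "static RSA") {
			return false
		}
	}
	return true
}

func main() {
	// The six suite names from the list above.
	suites := []string{
		"SSL_RSA_WITH_RC4_128_SHA",
		"SSL_RSA_WITH_RC4_128_MD5",
		"TLS_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_256_CBC_SHA256",
		"TLS_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_RSA_WITH_AES_128_GCM_SHA256",
	}
	for _, s := range suites {
		fmt.Printf("%-36s acceptable=%-5v %v\n", s, Acceptable(s), AuditSuite(s))
	}
}
```

On this list only TLS_RSA_WITH_AES_128_GCM_SHA256 comes out as acceptable; the practical mitigation is to make sure the portal side negotiates that suite in preference to the others, since the device, not the server, is the constrained party.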

Communication

The communication between the ROOMZ Device and the ROOMZ Portal is always started by the ROOMZ Device. Most of the time, the device is in 'sleep' mode. The device wakes up, asks the portal which actions to execute and sleeps for a given duration. The time between two communications is managed by the portal and depends on several factors such as when the next meeting starts. All communications use HTTPS (port 443) over TLS 1.2 (except for WPA2-Enterprise, where the chipset is limited to TLS 1.0). The ROOMZ Device only establishes a communication with a ROOMZ Portal when the server certificate used is trusted. Each ROOMZ Device is uniquely identified.
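The client-side policy described here, a minimum of TLS 1.2 plus a refusal to talk to any server whose certificate is not trusted, can be checked end to end without touching a real portal. The Go program below is an added example written for this document, not ROOMZ firmware: it starts a stand-in "portal" on loopback with a self-signed certificate (net/http/httptest) and runs three connections against it, a trusted one that must succeed, one from a client that trusts no CA, and one from a client capped at TLS 1.0. The handler body and the name Demo are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch performs one GET with a client that refuses anything below
// minVersion and trusts only the CAs in roots (an empty pool trusts nothing).
// maxVersion 0 means "no upper bound".
func fetch(url string, roots *x509.CertPool, minVersion, maxVersion uint16) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    roots,
		MinVersion: minVersion,
		MaxVersion: maxVersion,
	}}
	client := &http.Client{Transport: tr}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// Result records the outcome of the three checks run by Demo.
type Result struct {
	TrustedOK          bool // pinned root + TLS 1.2: handshake succeeds
	UntrustedRejected  bool // no trusted root: rejected as unknown authority
	OldVersionRejected bool // client limited to TLS 1.0 against a 1.2-only server: refused
}

// Demo stands up the loopback server and exercises the client policy.
func Demo() Result {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "actions: none") // stand-in reply, not the real portal API
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()

	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())

	var r Result
	r.TrustedOK = fetch(srv.URL, trusted, tls.VersionTLS12, 0) == nil

	err := fetch(srv.URL, x509.NewCertPool(), tls.VersionTLS12, 0)
	var unknown x509.UnknownAuthorityError
	r.UntrustedRejected = err != nil && errors.As(err, &unknown)

	err = fetch(srv.URL, trusted, tls.VersionTLS10, tls.VersionTLS10)
	r.OldVersionRejected = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The same three checks are what a deployment review would run against the real portal endpoint from a device-like client: if the untrusted-CA or TLS 1.0 connection ever succeeds, the policy on that side is not being enforced.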

Customer data

ROOMZ Devices only hold the network configuration of a customer. ROOMZ Displays show a picture generated by the ROOMZ Portal and are not aware of the content of the image. This means that, by design, the devices never hold booking system credentials. Should a display be stolen, the thief would only have access to a picture.

Meltdown and Spectre

The ROOMZ Display and Sensor use an ARM Cortex-M processor. ARM's answer about Meltdown and Spectre: "Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted"

ROOMZ Sensor

The ROOMZ Sensor has the same properties as the ROOMZ Display, but it is not possible to interact with it. In addition, the following measurements are read:

  • Temperature

  • Humidity

  • Noise

  • VOC

Network configuration

The network configuration of the ROOMZ Devices must be set in order to communicate with the ROOMZ Server. We provide three ways of editing the network configuration:

Android application

The easiest way to edit the network configuration of a ROOMZ Device is to use the ROOMZ Android application. After authentication, only the ROOMZ Admin of an organization can read or write the network configuration of a ROOMZ Device that the organization owns. Each device has its own encryption key. During the process of reading or writing the network configuration of the device, the Android application sends the data over a secured channel to the ROOMZ Portal, which encrypts/decrypts the information. The ROOMZ Portal does not store the content of this information during this process.
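The design stated in this section and in the ROOMZ Display network configuration section above (one AES-256 key per device, encryption and decryption done on the portal, the mobile application acting as a bridge that holds no key) is illustrated by the following added Go example. It is written for this document and is not ROOMZ's protocol: the use of AES-256-GCM with the device identifier as associated data, the in-memory key table and the Bridge type are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Portal holds one AES-256 key per device; the application never sees them.
type Portal struct {
	keys map[string][]byte
}

func NewPortal() *Portal { return &Portal{keys: map[string][]byte{}} }

// RegisterDevice generates a fresh 256-bit key for deviceID.
func (p *Portal) RegisterDevice(deviceID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	p.keys[deviceID] = k
	return nil
}

func (p *Portal) aead(deviceID string) (cipher.AEAD, error) {
	k, ok := p.keys[deviceID]
	if !ok {
		return nil, errors.New("unknown device")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a network configuration for one device. The device ID is
// bound in as associated data, so a blob cannot be moved to another device.
func (p *Portal) Seal(deviceID string, config []byte) ([]byte, error) {
	g, err := p.aead(deviceID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, config, []byte(deviceID))...), nil
}

// Open reverses Seal; it fails for the wrong device or a tampered blob.
func (p *Portal) Open(deviceID string, blob []byte) ([]byte, error) {
	g, err := p.aead(deviceID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(deviceID))
}

// Bridge models the mobile application: it relays bytes between the portal
// and the device's NFC storage (tag) and holds no key of its own.
type Bridge struct{ tag []byte }

// WriteConfig asks the portal to encrypt, then stores the blob on the tag.
func (b *Bridge) WriteConfig(p *Portal, deviceID string, config []byte) error {
	blob, err := p.Seal(deviceID, config)
	if err != nil {
		return err
	}
	b.tag = blob
	return nil
}

// ReadConfig hands the tag content to the portal for decryption.
func (b *Bridge) ReadConfig(p *Portal, deviceID string) ([]byte, error) {
	return p.Open(deviceID, b.tag)
}

func main() {
	p := NewPortal()
	_ = p.RegisterDevice("display-0001") // constructed device identifier
	b := &Bridge{}
	// Constructed sample configuration; not a real network.
	cfg := []byte(`{"ssid":"corp-wifi","auth":"WPA2-PSK","psk":"example-only"}`)
	if err := b.WriteConfig(p, "display-0001", cfg); err != nil {
		panic(err)
	}
	fmt.Printf("tag holds %d bytes of ciphertext\n", len(b.tag))
	back, err := b.ReadConfig(p, "display-0001")
	fmt.Printf("read back: %s (err=%v)\n", back, err)
}
```

Two properties follow from this arrangement and are worth asserting in any implementation: a blob written for one device cannot be opened with another device's key, and a single flipped bit in the tag content makes decryption fail rather than yield a garbled configuration.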

ROOMZ Tools

ROOMZ Tools uses the same API as the Android application. Instead of NFC, an encrypted file is sent to the ROOMZ Devices. It is not possible to read the network configuration using this tool.

Network Profiles

On the ROOMZ Portal it is possible to update the network configuration of a device remotely by specifying its profile. A profile can be downloaded and tested by a device the next time the device starts the communication with the Portal. Once deleted by the customer, the profile is no longer present in the database.

myROOMZ

The web and mobile application myROOMZ are designed to help employees search for and book a workspace.

Data Hosting / ROOMZ Hosted

In this context, ROOMZ provides an option for bookable desks to store the booking information internally (ROOMZ Hosted). This spares the customer from creating a booking system resource for each desk in the booking system.

Information's lifetime

When using ROOMZ Hosted, the data is retained for up to 2 years in case analytics need to be recomputed. After this period, the data is completely removed. It is also possible with the application to book a workspace in the future. In order to be efficient and to offer a good user experience, ROOMZ keeps the upcoming bookings of each workspace. The upcoming booking timeframe depends on the customer's configuration on the ROOMZ Portal.

Customer exiting

Data lifetime

Once an organization decides to leave ROOMZ, its data is retained for a duration of 6 months in case the organization wants to come back.

After 6 months, all of the organization's information is removed, except the financial transactions.

External auditing

Even with a good architecture and best practices applied, . This is why penetration tests are regularly executed by external companies specialized into security.