Security and Data Privacy
- 1 Introduction
- 2 Technology with security at its core
- 3 Infrastructure
- 4 Architecture
- 4.1 Booking System
- 4.1.1 Resource's Agenda
- 4.1.2 Information lifetime
- 4.1.3 Communication protocol / data format
- 4.1.4 Certificates
- 4.2 ROOMZ Portal
- 4.2.1 Infrastructure Cloud
- 4.2.2 Infrastructure On-Premise
- 4.2.3 Human authentication
- 4.2.4 Communication
- 4.2.5 Customer Data
- 4.2.6 Process
- 4.3 ROOMZ Display
- 4.3.1 Network configuration
- 4.3.2 Wi-Fi Authentication
- 4.3.3 Cipher suite
- 4.3.4 Communication
- 4.3.5 Customer data
- 4.3.6 Meltdown and Spectre
- 4.4 ROOMZ Sensor
- 4.5 Network configuration
- 4.5.1 Android application
- 4.5.2 ROOMZ Tools
- 4.5.3 Network Profiles
- 4.6 myROOMZ
- 5 Customer exiting
- 5.1 Data lifetime
- 6 External auditing
Introduction
From the day the company ROOMZ was created, several core values have been defined: easy to use, easy to install, scalable and secure.
This document describes how ROOMZ handles security and data privacy.
Technology with security at its core
The solutions and products provided by ROOMZ are installed by local and multinational companies working in all kinds of sectors, from education to health, finance, watchmaking or NGOs. Because of this, the architecture, hardware and software have to be designed to follow the highest security standards. This starts with a well-decoupled architecture.
Infrastructure
ROOMZ Ecosystem is hosted on Microsoft Azure.
The main system is running on Microsoft Azure West Europe (Netherlands) and there is a geo-replication on Microsoft Azure North Europe (Ireland).
Architecture
The architecture is composed of 3 parts:
Booking System
ROOMZ Portal
ROOMZ Device
Booking System
The booking system is owned by the client and is where the information about the reservation of the resources is stored. Depending on the booking system manufacturer, resources such as meeting rooms, desks or equipment in general are managed differently from users. They have their own lifecycle and data. As ROOMZ is only interested in the agenda of the resources, access to any other type of information can be blocked by the customer's IT. In the Booking System Configuration you will find the minimal configuration ROOMZ requires in order to have access to those agendas.
Resource's Agenda
When accessible and configured, ROOMZ will read the following information from the agenda of a resource:
From (date and time)
To (date and time)
Organizer
Subject
Creation Date
Private flag
Attachment (optional; only used for showing images for Exchange / Exchange Online and ROOMZ Connector)
From and To are the minimal information required in order to know the reservation status of a resource. It is then possible to specify whether the Organizer and/or the Subject must be read in order to be shown on the ROOMZ Display. The Creation Date is used for analytics purposes. When available, the Private flag is used to hide the Subject of a meeting that has been marked as confidential. Also optional, the Attachment can be read when a custom image has to be sent to the ROOMZ Display.
Information lifetime
This information is read by the ROOMZ Portal in order to render a picture. When a new picture is generated, it overwrites the previous one. Depending on the template chosen (daily vs. weekly template) and the use of myROOMZ, the information about one meeting, such as the Organizer or the Subject, has a maximum lifetime of one month on the ROOMZ Portal.
For long-term analytics, only the From, To and Creation Date are kept on the ROOMZ Portal.
Communication protocol / data format
The communication protocol (e.g. REST, SOAP, ...), encryption (HTTPS, TLS, ...) and data format (e.g. JSON, XML, ...) are defined by the booking system.
Certificates
ROOMZ only supports the Certificate Authorities (CAs) used by Microsoft Azure.
ROOMZ Portal
The Portal (https://portal.roomz.io) is where all the intelligence is located. This is where organization administrators configure, maintain and analyze workspaces.
Infrastructure Cloud
The data and the computing are all on Microsoft Azure in a multi-tenant environment. All communications, data and backups are encrypted. Using the cloud infrastructure provides the following advantages:
Infrastructure maintenance and security updates are managed by Microsoft
Application maintenance, scalability and updates are managed by ROOMZ
Device updates are managed by ROOMZ
All Microsoft-related certifications (ISO, SOC, GDPR) can be found at the following address: Service Trust Portal Home Page (microsoft.com)
Infrastructure On-Premise
It is possible to install ROOMZ in an internal network infrastructure. Only the device registration must be executed on the cloud platform so that ROOMZ knows which organization owns which devices. The ROOMZ Portal must be installed on Windows Server 2019 or higher and the data must be stored in a MS SQL Server. ROOMZ On-Premise does not use any Internet access in production. The maintenance of the operating system, including updates and security, is the responsibility of the customer or its partner.
Human authentication
Human access to the ROOMZ Portal uses OAuth 2.0 authentication. The external authentication systems Microsoft and Google are supported.
Communication
HTTPS:443 TLS1.2 (except for WPA2-Enterprise where the chipset is limited to TLS 1.0)
Customer Data
The customer's data stored on the ROOMZ Portal is:
user information
  first name
  last name
  email
  token (external OAuth provider) or password hash
  user preferences
organization information
  name of the organization
  name of the buildings including address
  name of the floors
  name of the workspaces
  booking system credentials
  booking system resource identifier
  live booking system resource information (for generating the picture for the ROOMZ Display). This includes, for all displayed meetings, the following information:
    start date
    end date
    subject (optional)
    organizer (optional)
    creation date
    private flag
    attachment
  live presence coming from the ROOMZ Sensors
  for analytics purposes, the following information is saved long-term for a workspace:
    meeting information (start date, end date, creation date)
    presence/non-presence
    desk reservation (in case of myROOMZ hosted)
  subscriptions
Process
Once an account has been created on the ROOMZ Portal, the user creates Workspaces (e.g. room or desk) located on a Floor located in a Building. For each Workspace it is possible to activate/deactivate Features. Some features require associating the workspace with the agenda of a booking system resource and/or with ROOMZ Devices. Once the workspace is configured, the following scenarios apply:
The ROOMZ Portal regularly reads the agenda of the associated booking system resource in order to know when there is something new
The ROOMZ Portal generates a picture based on the configuration of the workspace
ROOMZ Devices wake up, start the communication with the ROOMZ Portal and ask which actions to execute. After executing the actions, the ROOMZ Devices go back into deep sleep mode.
When a human interacts with a ROOMZ Device (e.g. booking 15 minutes from a ROOMZ Display), the ROOMZ Device starts the communication with the ROOMZ Portal, giving an identification of the action, and then asks which actions to execute.
ROOMZ Display
Network configuration
The ROOMZ Devices use Wi-Fi to communicate with the ROOMZ Portal. The network configuration is stored in the NFC chip of the ROOMZ Device. Reading or writing the information stored on the NFC chip requires NFC authentication, which gives access to device-specific AES-256 encrypted data.
The ROOMZ Mobile application allows an organization administrator to read or write the network configuration of the ROOMZ Devices. The mobile application checks that the user is an administrator and that the user owns the device. When writing or reading the network configuration of a device, the data is sent to the ROOMZ Portal in order to encrypt/decrypt the content. The mobile application does not hold any security information; it is just a bridge between the ROOMZ Portal and the ROOMZ Device. The ROOMZ Portal does not store the network configuration of the ROOMZ Devices during this process.
On the ROOMZ Portal, it is possible to create a network profile. A network profile allows the network configuration of an organization's ROOMZ Devices (e.g. SSID, Wi-Fi authentication type, password, ...) to be updated remotely. ROOMZ does not keep a copy when the user deletes the network profile (except in the auto-backup).
Wi-Fi Authentication
Open
WPA2-PSK
WPA2-Enterprise
  EAP/TLS (certificate)
  PEAP/MSCHAP-V2 (username/password)
Cipher suite
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
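As an added example (not code from ROOMZ or from this document), the following Python splits each suite name in the list above into its key exchange, cipher and MAC, and flags the primitives a reviewer would want to look at when deciding which suites to prefer. The suite list is copied from this section; the regular expression, the SuiteInfo class and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed input: the suites listed in the "Cipher suite" section above.
ROOMZ_DISPLAY_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

# IANA-style names: <SSL|TLS>_<key exchange>_WITH_<cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$")


@dataclass
class SuiteInfo:
    name: str
    key_exchange: str
    cipher: str
    mac: str
    forward_secrecy: bool
    aead: bool
    findings: list


def analyse_suite(name: str) -> SuiteInfo:
    """Split one suite name into its primitives and list the weak ones."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    pfs = kx.startswith(("ECDHE", "DHE"))  # ephemeral DH gives forward secrecy
    aead = any(mode in cipher for mode in ("GCM", "CCM", "CHACHA20"))
    findings = []
    if "RC4" in cipher:
        findings.append("RC4 stream cipher, prohibited in TLS by RFC 7465")
    if mac == "MD5":
        findings.append("MD5-based HMAC")
    if "CBC" in cipher:
        findings.append("CBC mode, not an AEAD construction")
    if not pfs:
        findings.append("static RSA key exchange, no forward secrecy")
    return SuiteInfo(name, kx, cipher, mac, pfs, aead, findings)


def rank_suites(names):
    # Fewest findings first; on ties, AEAD suites before non-AEAD ones.
    infos = [analyse_suite(n) for n in names]
    return [i.name for i in sorted(infos, key=lambda i: (len(i.findings), not i.aead))]
```

Run on the list above, the AES-128-GCM suite ranks first and the RC4/MD5 suite last; every suite in the list uses static RSA key exchange, so none provides forward secrecy.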
Communication
The communication between the ROOMZ Device and the ROOMZ Portal is always started by the ROOMZ Device. Most of the time, the device is in 'sleep' mode. The device wakes up, asks the portal which actions to execute and sleeps for a given duration. The time between two communications is managed by the portal and depends on several factors, such as when the next meeting starts. All communications use HTTPS (port 443) over TLS 1.2 (except for WPA2-Enterprise, where the chipset is limited to TLS 1.0). The ROOMZ Device only establishes a communication with a ROOMZ Portal when the server certificate used is trusted. Each ROOMZ Device is uniquely identified.
Customer data
ROOMZ Devices only hold the network configuration of a customer. The ROOMZ Displays display a picture generated by the ROOMZ Portal and are not aware of the content of the image. This means that, by design, the devices never hold booking system credentials. Should a display be stolen, the thief would only have access to the picture.
Meltdown and Spectre
The ROOMZ Display and Sensor use an ARM Cortex-M processor. ARM's answer about Meltdown and Spectre: "Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted"
ROOMZ Sensor
The ROOMZ Sensor has the same properties as the ROOMZ Display, but it is not possible to interact with it. In addition, the following measurements are read:
Temperature
Humidity
Noise (this is just a number representing the noise level; the hardware is not able to record any voice)
Network configuration
The network configuration of the ROOMZ Devices must be set in order to communicate with the ROOMZ Server. We provide 3 ways of editing the network configuration:
Android application
The easiest way to edit the network configuration of a ROOMZ Device is to use the ROOMZ Android application. After being authenticated, only the ROOMZ Admin of an organization can read or write the network configuration of a ROOMZ Device owned by that organization. Each device has its own encryption key. During the process of reading or writing the network configuration of the device, the Android application sends data over a secured channel to the ROOMZ Portal in order to encrypt/decrypt the information. The ROOMZ Portal does not store the content of this information during this process.
ROOMZ Tools
ROOMZ Tools uses the same API as the Android application. Instead of using NFC, an encrypted file is sent to the ROOMZ Devices. It is not possible to read the network configuration using this tool.
Network Profiles
On the ROOMZ Portal it is possible to update the network configuration of a device remotely by specifying its profile. A profile can be downloaded and tested by a device the next time the device starts the communication with the Portal. Once deleted by the customer, the profile is no longer present in the database.
myROOMZ
The web and mobile application myROOMZ are designed for employees to help them search for and book a workspace.
Data Hosting / ROOMZ Hosted
In this context, ROOMZ provides, for bookable desks, an option to store the booking information internally (ROOMZ Hosted). This allows the customer to avoid creating a booking system resource for each desk in the booking system.
Information lifetime
myROOMZ saves upcoming reservations in the cache. Depending on the (privacy) settings, the data is anonymised at midnight or after 3 months. After that, the anonymised data is stored in the system for up to two years.
Basic and Advanced ROOMZ Analytics only work with anonymised data that is not older than 2 years.
By default, the data is anonymised at midnight. If the customer wishes to keep the non-anonymised data for 3 months (reasons for this can be billing, COVID and others), this can be adjusted in the settings.
Customer exiting
Data lifetime
Once an organization decides to leave ROOMZ, its data is kept for 6 months in case the organization wants to come back.
After 6 months, all the organization's information is removed except the financial transactions.
External auditing
Even with a good architecture and best practices applied, security cannot be taken for granted. This is why penetration tests are regularly executed by external companies specialized in security.