Last Updated: 31 May 2023
This Security Statement applies to the products, services, websites, and apps offered by 3Laws Robotics. We refer to those products, services, websites, and apps collectively as the "Services" in this Statement. This Security Statement also forms part of the user agreements for 3Laws Robotics customers, which include the Privacy Statement and Terms of Service.
3Laws Robotics values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices detailed below. Our
Access to 3Laws Robotics technology resources is only permitted through secure connectivity (e.g., VPN, SSH) and requires multi-factor authentication. Our production password policy requires complexity, expiration, and lockout, and disallows reuse. 3Laws Robotics grants access on a need-to-know basis following least-privilege rules, reviews permissions quarterly, and revokes access immediately upon termination of a 3Laws Robotics employee or contractor.
3Laws Robotics maintains its information security policies and regularly reviews and updates them, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training, such as Secure Coding, PCI, and job-specific security and skills development and/or privacy law training for key job functions. The training schedule is designed to adhere to all specifications and regulations applicable to 3Laws Robotics.
3Laws Robotics conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, 3Laws Robotics communicates its information security policies to all personnel (who must acknowledge them), requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training for all personnel.
Dedicated Security Personnel
3Laws Robotics has a dedicated Trust & Security organization, which focuses on application, network, and system security. This team is also responsible for security compliance, education, and incident response. Only authorized personnel with specific and legitimate business needs are granted access to our data systems.
Vulnerability Mgmt and Pen Tests
3Laws Robotics maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis; all other patches are applied as appropriate.
We also conduct regular internal and external penetration tests and remediate according to severity for any results found.
Least Privilege Access
Access privileges to information systems and data are granted based on the principle of least privilege. Each user shall be granted the minimum level of access necessary to perform their job responsibilities effectively. Access privileges are reviewed periodically to ensure they remain appropriate and necessary. Access is modified or revoked promptly when job roles change or when access is no longer required.
Strong Password and Cryptographic Keys
Password Requirements: Users must create passwords that are strong, unique, and resistant to unauthorized guessing or brute-force attacks. Passwords must have a minimum length of 16 characters. Passwords must contain a combination of uppercase and lowercase letters, numbers, and special characters. Passwords must not be based on easily guessable information, such as names, birthdates, or dictionary words. Users cannot reuse passwords across different systems or accounts.
Password Management: Users are required to change their passwords at regular intervals, with a recommended frequency of 6 weeks. Passwords are to be kept confidential and not shared with others. In cases where passwords are forgotten or compromised, a secure password reset process is implemented to ensure the integrity of account recovery.
Cryptographic Key Management: Cryptographic keys used for encryption, digital signatures, or other security mechanisms are generated using strong algorithms and key lengths. Cryptographic keys are securely stored and protected from unauthorized access or disclosure. Key management practices, including key rotation, revocation, and distribution, shall be implemented in accordance with industry best practices and applicable regulations.
Multi-Factor Authentication (MFA): Multi-factor authentication is implemented to enhance the security of accounts and systems. Where feasible, users shall be required to use at least two factors of authentication, such as a password combined with a biometric factor or a one-time password (OTP).
We encrypt your data in transit using secure GPG and TLS cryptographic protocols. 3Laws Robotics data is also encrypted at rest using AES-256.
Customer Data Segregation
Customer data is segregated from other organizational data to prevent unauthorized access, unauthorized modification, or accidental disclosure.
Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually.
Development, testing, and production environments are separated. All changes are peer-reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
3Laws Robotics maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.
Information Security Incident Mgmt
3Laws Robotics maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly and tested bi-annually.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if 3Laws Robotics learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state, and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Information Security Aspects of Business Continuity Mgmt
3Laws Robotics’s databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability. Furthermore, 3Laws Robotics maintains a formal Business Continuity Plan (BCP). The BCP is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.
Logging and Monitoring
We use application and infrastructure systems to log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized 3Laws Robotics personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.