Capsule Information Security

It is the policy of CAPSULE.VIDEO INC. (“CAPSULE”) that its information and data will be at all times protected from unauthorized or accidental modification, destruction or disclosure. This policy describes how information security is managed by CAPSULE as of January 1, 2021.

Personally Identifiable Information (PII). Employees understand and acknowledge that certain confidential information disclosed to CAPSULE may include “Personally Identifiable Information”, which shall mean and include, collectively, any data or information accessible by CAPSULE as a result of its business that can be used to identify a natural person, including but not limited to: name, email address, image, video or telephone number.

Employee access to PII. Employee access to PII is restricted to employees that have a business need to access such information in connection with performing their job. No one else will be granted access to PII without advance written approval from an officer of the company or the consent of the information owner. PII is never stored on employee devices such as laptops, mobile phones or USB drives.

Audit trail. CAPSULE documents how, when and by whom PII has been received, modified, transferred or removed from its database.

Limitations on use. CAPSULE only processes PII on behalf of customers to deliver services in accordance with documented instructions and legal terms, in accordance with the instructions of an officer of CAPSULE, or at the request of the information owner.

Confidentiality. Employees expressly acknowledge and agree to abide by the confidentiality provisions of their proprietary information and inventions agreement (PIIA) with respect to Personally Identifiable Information wherever it may be stored or reside. Transmission of PII, if necessary, will be done using a secure method and must be encrypted during transmission. CAPSULE does not share PIIA or other confidential information with anyone who does not have approval, as defined above.

PII Security. CAPSULE maintains and enforces, and utilizes vendors who maintain and enforce, appropriate security measures in accordance with high industry standards designed to protect the security and confidentiality of PII, protect against any anticipated threats to the security of such PII, and protect against unauthorized access to or use, disclosure, alteration and/or destruction of such PII.

Additionally:

  • CAPSULE does not store PII locally on employee devices.
  • CAPSULE does not use consumer PII in test environments.
  • End user email address data is encrypted at the column level using AES-256/GCM (on top of AES-256 block-level storage encryption).
  • This data is always transmitted over connections secured via TLS.
  • Background checks are performed on employees with access to the database containing end user PII.

Vendor Services. CAPSULE utilizes the following third-party service providers to store or handle user data:


Account Owners. Employees who are account owners are responsible for enforcing a software update process for each account. This process includes monitoring the account, automatically receiving vendor notices about the availability of security patches and upgrades, and testing and installing critical security patches. All such critical security patches not implemented by the vendor must be installed within 30 days. Account owners must also manage account passwords and other security measures and immediately notify the CTO, Joseph Jorgensen, of any breach in security.

Account Manager and Data Protection Officer. CAPSULE CTO Joseph Jorgensen is the Account Manager and Data Protection Officer (DPO) and is responsible for overseeing employee use of accounts and information as well as protection of data. Account Manager will:

  • Review and approve all requests for employee access authorizations.
  • Keep employees' information access current with their positions and job functions.
  • Promptly inform appropriate parties of employee terminations.
  • Revoke physical access for terminated employees (e.g., changing door passcodes).
  • Promptly report the loss or misuse of CAPSULE information.
  • Initiate corrective actions when problems are identified.

Account Users. In addition to the Account Owners, some CAPSULE officers and employees may have a business need for access to a vendor account. Access must be approved in advance in writing by the Account Owner. Approved account users will sign out of an account or device when they have finished accessing it to limit the possibility of unauthorized access.

Account Users will at all times comply with this policy and promptly report a loss or misuse of CAPSULE information to the DPO.

Vulnerability Remediation and Incident Response. If any employee becomes aware of a vulnerability, they must immediately inform the account owner and the DPO. The account owner and DPO will prioritize any tasks required for remediation. In the event of a data breach, CAPSULE will analyze the extent of any data breach, and inform the affected parties and applicable government authorities, in writing, of the timing, nature and extent of the breach without undue delay after becoming aware of the breach, as required by applicable laws and regulations. Incidents can also be reported to infosec@capsule.video.

Password Security. Employees will use strong passwords to safeguard the security of their laptops, mobile phones, vendor accounts, email and files. Passwords will never be shared with others. Employees agree to the following minimum password guidelines:

  • Difficult to guess
  • Does not include personal information, account name, or words like “password”
  • At least 10 characters including letters, numbers and special characters
  • Different for different accounts, systems and applications
  • Changed every 90 days
  • Stored securely

Physical Security. All employees are remote and are expected to physically protect any devices that handle company data and ensure that they are encrypted. All company application infrastructure is hosted in data centers managed by third parties that are compliant with the top industry standards.

Employee Workstations. All employees who handle code or user data must run our endpoint monitoring software and anti-malware software, and apply operating system and software updates in a timely manner.

Consequences of Non-Compliance. Any deliberate non-compliance with these policies must be documented and is grounds for immediate termination. Unintended non-compliance must be documented and remedied immediately upon discovery of such non-compliance.

Review Schedule. CAPSULE will conduct periodic risk assessments and review and revise its information security practices at least annually or whenever there is a material change in its business practices that may reasonably affect the security, confidentiality or integrity of PII.

Message to Employees. Training related to this policy is conducted at the time of hire and annually for all employees. If you have any questions about this policy, please ask. If you have suggestions for ways to improve this policy or the security of CAPSULE information, please communicate with CAPSULE’s DPO. If you store confidential information using a vendor service not shown in the above chart, please notify CAPSULE’s DPO. If you have any reason to believe that CAPSULE information has been leaked, notify CAPSULE’s DPO immediately.

Management will strive to inform you when other business information, such as Client-related information, is confidential. Always ask if client information can be shared publicly. Exercise common sense and think carefully before sharing any CAPSULE information with friends or family. Never speak to journalists about CAPSULE without written permission from management.