Robot Arnold Technical & Security Assurance

Robot Arnold (hereafter referred to as “Arnold”) is an employee survey tool delivering employee surveys via a conversation chatbot. Arnold is being developed by LMC s.r.o., headquartered in Prague, Czech Republic, Business ID number 26441381 (hereafter referred to as “LMC”). Arnold operates in a private cloud and offers Software as a Service to customers. LMC as an Application Service Provider (ASP) ensures continuous operation.

Data Protection

Basic Information

  • Customers must be a business/legal entity. From the GDPR perspective, LMC is the Data Processor, and the customers are Data Controllers.
  • Information about the extent and type of data processing and further information regarding personal data processing is presented in Arnold Product Terms. Arnold services cannot be provided without prior agreement to the Product Terms.

Communication

  • Arnold uses business email addresses or phone numbers to communicate with the users.
  • If it is not possible to use business emails and/or phone numbers, customers can use private emails and/or phone numbers. For this purpose, customers must obtain voluntary and well-informed consent from the respondents, and must be able to demonstrate that consent if required.

Data collection

  • For each survey respondent we store the following data: first name, last name, e-mail and/or phone number, preferred type of contact, preferred language, team membership and role in the organizational structure.
  • Each collected survey for every respondent is saved. Respondents can answer anonymously.
  • Data of finished surveys are stored for a maximum of 25 months from the survey end date. After this time, or on a customer’s request, the data are anonymized. In the Arnold Free plan, data are anonymized 30 days after the survey’s end.
  • Arnold generates reports. Reports are generated from existing data and the purpose of the report is to create a summary for the management.
  • In technical logs we also collect IP addresses of the incoming requests.

Role Segregation

  • A username and a password are required to access the administration interface of Arnold (admin.arnold-robot.com).
    • In the administration interface users act as Administrators.
    • The administrator interface is separated from the surveys interface.
  • Survey interface (talk.arnold-robot.com) uses individually generated access links based on tokens. Links are distributed via emails, SMS messages or printed QR codes.
    • In the survey interface, users are the Respondents.

LMC Internal Access Restrictions

  • Customer Care [40+] – receive customer requests and process them (first line). Upon the customers’ request they can enter the customers’ Arnold account and perform support requests.
    • There is one exception – customer care personnel are never allowed to bulk import the lists of employees (= survey respondents).
  • Support [20+] – technical support staff (second line of the processing pipeline)
  • Business [20+] – solving functional requirements for products, campaigns, etc. (3rd line)
  • System administration [10+] – maintaining tech resources (servers, backups…)
The roles described above must (or potentially may) have access to part or all of the user data. The indicative staff numbers illustrate the size of the support organization that inevitably has access to personal data. User data can be accessed only by a restricted group of authorized staff. For sensitive data, security measures always include a full audit trail of operations and activities tied to the operator’s identity.

Consents & Legitimate Interest

  • Each user of the administration interface must agree to the Terms of Service when they log in for the first time.
  • Respondents are survey participants based on legitimate interest of customers. Customers can use Arnold to get useful feedback to help them manage the organization better. That being said, individual employees can be removed from receiving surveys at any time.

Technical and Security Measures

  • The minimum user password length is 8 characters. A password must contain at least one letter and one digit. User passwords are checked against a blacklist of unwanted phrases such as “password”.
  • Depending on the plan, second-factor authentication (2FA) can be enabled for selected customers.
  • After 3 consecutive wrong passwords, the intruder lockout mechanism is activated and user access is forbidden for the next 120 minutes. The lock can be cleared by the password restore function or by LMC.
  • User access is provided by encrypted connection only.
  • The non-production (development/testing) environment is separated from production data; test data are mocked or anonymized.
  • Security-relevant activities on production systems are monitored, logged, and evaluated in a timely manner. For selected pages, e.g. admin.arnold-robot.com, every page view is also logged.
  • Arnold is continuously developed and tested (functionally as well as security-wise).
  • Updates and patches are released several times a week (or faster in case of serious issues).
  • The processing and protection of user data is ensured in accordance with the EU legislation (GDPR).
  • All detected breaches of personal data protection are reported to both the supervisory authority and the data subject within the reporting obligation (in line with GDPR).
  • Operation monitoring runs continuously (24/7). Status is reviewed by staff, who are notified of any issues, daily between 07:00 and 22:00 CET.
  • External monitoring services together with internal systems are employed to check the status.
  • All LMC services use Flowguard DDoS protection.
  • Arnold is subject to penetration tests.
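The password policy and intruder lockout rules listed above (8-character minimum, a letter and a digit, a blacklist of unwanted phrases, a 120-minute lock after 3 consecutive wrong passwords that the password restore function or an operator can clear) are simple enough to state as code. The following is an added illustration written for this page, not Arnold’s or LMC’s own implementation; the blacklist entries, the PBKDF2 parameters, the `LoginGuard` class and the sample account are all constructed assumptions.

```python
"""Added illustration (not LMC's code) of the password policy and
intruder-lockout rules described on this page."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

MIN_LENGTH = 8                    # minimum password length from the page
MAX_FAILED_ATTEMPTS = 3           # consecutive wrong passwords before lockout
LOCKOUT = timedelta(minutes=120)  # lock duration from the page
# Constructed sample blacklist; the real list is not published on the page.
BLACKLIST = ("password", "heslo", "arnold", "12345678", "qwerty")


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    lowered = password.lower()
    for phrase in BLACKLIST:
        if phrase in lowered:
            problems.append(f"contains blacklisted phrase {phrase!r}")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginGuard:
    """In-memory account store with the lockout rules; the clock is injectable for testing."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.now = now
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def is_locked(self, acct: Account) -> bool:
        return acct.locked_until is not None and self.now() < acct.locked_until

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password: no username enumeration
        if self.is_locked(acct):
            return "locked"  # even the correct password is refused while locked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            acct.locked_until = None
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT
            acct.failed_attempts = 0  # counter restarts once the lock expires
            return "locked"
        return "denied"

    def restore_password(self, username: str, new_password: str) -> None:
        """Password restore: sets a new policy-compliant password and clears any lock."""
        problems = check_password_policy(new_password)
        if problems:
            raise ValueError("; ".join(problems))
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(new_password)
        acct.failed_attempts = 0
        acct.locked_until = None

    def operator_unlock(self, username: str) -> None:
        """Manual unlock by the service provider, without changing the password."""
        acct = self.accounts[username]
        acct.failed_attempts = 0
        acct.locked_until = None


def demo() -> List[str]:
    """Walk through the lockout rules with a fake clock; returns the login outcomes."""
    clock = [datetime(2022, 7, 18, 9, 0, tzinfo=timezone.utc)]  # constructed start time
    guard = LoginGuard(now=lambda: clock[0])
    guard.register("alice", "Blue-Sky-2022")  # constructed sample account
    out = [guard.login("alice", "wrong1"), guard.login("alice", "wrong2"),
           guard.login("alice", "wrong3")]           # denied, denied, locked
    out.append(guard.login("alice", "Blue-Sky-2022"))  # locked: correct password refused
    clock[0] += timedelta(minutes=119)
    out.append(guard.login("alice", "Blue-Sky-2022"))  # still locked
    clock[0] += timedelta(minutes=2)                   # 121 minutes after the lock
    out.append(guard.login("alice", "Blue-Sky-2022"))  # ok
    for pw in ("bad1", "bad2", "bad3"):
        out.append(guard.login("alice", pw))           # denied, denied, locked
    guard.restore_password("alice", "Green-Tea-77")    # restore clears the lock
    out.append(guard.login("alice", "Green-Tea-77"))   # ok
    return out


if __name__ == "__main__":
    print(demo())
```

The lock is checked before the password is hashed, so a locked account costs the server no key-derivation work per attempt, and a successful login or a password restore resets the counter so legitimate users are not locked by an old miss count.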

Data in Transit

  • Web access allows HTTPS (encrypted) connections only.
  • Supported protocols: TLS 1.2 and 1.3.
  • The X.509v3 TLS certificate is signed by trusted CAs (accepted by all major web browsers).
    • A client certificate is not required or supported.
  • Separation of individual client sessions is ensured by the cookie mechanism.
  • All production system traffic in both directions is filtered; only HTTPS for user interaction and encrypted access (SSH with key authentication) for maintenance and updating of the application are enabled.

Data at Rest

Arnold runs as a React application in Docker containers on top of hardened Linux operating systems. All components run virtualized (OpenStack) on a private cloud solution, for high availability and fast disaster recovery. Data are kept in PostgreSQL databases. Data are continuously synchronized and mirrored to multiple locations, and backups are also made on a regular basis according to a defined plan (retention defaults to 14 days):
  • Transaction log backup is ongoing (to ensure data recovery within 8 hours of a crash)
  • Snapshots of the cloud platform take place daily
  • Full data backups run weekly
A multi-level backup system is used:
  • Online replication of data to multiple locations
  • Backup of private cloud itself
  • Internal backup systems.

Development Cycle

  • The development, integration, and testing environments are fully virtualized and run on a private cloud platform. The environments are logically split (by firewalling). Access rights to different environments are different. In other words, the production environment is fully separated (physically) from non-production environments.
  • Planning, development, and testing of any updates/new releases of Arnold take place within an agile development framework (weekly or bi-weekly Scrum sprints).
  • Before functionality changes are accepted, multiple control mechanisms are applied, including but not limited to code review, unit tests, integration tests, end-to-end tests, and static code analysis.

Security Assurance

All the main principles, measures, and technical solutions used to safely develop and operate Arnold and to protect personal user data are listed on this page. Upon request, we provide our business partners with a detailed description of LMC security measures in the format defined by ISO/IEC 27001. This is the full extent of security information provided to third parties (no further material, such as test reports or internal security guidelines, is provided outside LMC).

Compatibility and Minimum Requirements

  • To use Arnold service, you are required to:
    • Administrator
      • Internet access via a personal computer
      • Business email address
      • Web browser of the modern generation: Firefox, Chrome, Edge, Safari (last 2 major versions are supported)
    • Respondents
      • Internet Access (personal computer, tablet, or mobile phone with Web browser)
      • Email address or phone number to get the invitation link.

Customer Care and User Support

  • Support requests are collected and registered using Helpdesk and processed by Customer Care in the shortest possible time, during common business days and hours (Mon-Fri, 08-17 CET).

Before Your First Survey

In most cases, Arnold works very smoothly on the first attempt. Still, we recommend that you take several steps before your first survey:
  • Arnold will send employees/respondents emails (conversation invitations) from the arnold@arnold-robot.eu or arnold@arnold-robot.com email address or SMS number.
    • For Czech Republic, the SMS number sender is +420736352420. For non-Czech Republic recipients ask our support for the number.
  • We follow best practices to achieve the highest email deliverability, but to make sure the emails are not classified as SPAM, ask your IT department to whitelist the arnold@arnold-robot.eu and arnold@arnold-robot.com email addresses, or the entire @arnold-robot.eu domain, as trusted sources.
  • Arnold uses the WebSocket technology. In rare cases, this technology is blocked by IT. To check, open the Arnold test page and chat with Arnold for at least 1 minute. If the conversation “freezes”, ask your IT department to unblock WebSocket traffic.
  • Select some employees and check the quality of conversations after the first email/SMS distribution.
As a matter of principle, we do not provide other materials or greater detail of our security measures.
This document was updated on July 18, 2022. In case of any questions, contact the LMC Data Protection Officer at dpo@lmc.eu.