Introduction

Crowd Emotion Limited Group of Companies (CEL), including Element Human Limited and Element Human Research Limited, collects, stores and interprets personal sensory data, with the consent of the individuals concerned, to produce psychological and biometric data. That data is used to help businesses empathise with their audiences, improve customer experiences, and personalise human-machine interactions.

The information systems underpinning CEL provide the safeguards for the control, access, and usage of extremely sensitive and private data of the individuals and organisations we serve. The employees and stakeholders of CEL enable the use and distribution of our systems in a safe, secure and reliable way.

It is essential that we protect that data and the trust with which it was given.

The misappropriation of data from CEL has the potential to produce reputational damage, financial damage, and disruption both to us and our clients. Worse, it may expose the sensitive data that the public has entrusted to us.

This document constitutes the Crowd Emotion Information Security policy and includes guidance for staff.

All members of the company are responsible for working within the guidelines of this policy.

Scope

This Policy provides a framework for the management of information security throughout the company and applies to:

  • All those with access to the company's information systems, including staff and contractors.

  • All data held by the company including documents, spreadsheets, electronic data, images and video.

  • All systems managed by Crowd Emotion and connected to our network.

  • All company-owned devices, including laptops and phones.

  • All companies that provide third-party services to the company.

This policy will be:

  • Made public

  • Reviewed at minimum quarterly by the security committee

The Security Committee can be reached here: security@elementhuman.com

General Principles

The following information security principles provide overarching governance for the security and management of information at Crowd Emotion.

  1. Information should be classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.

  2. Staff are responsible for the information they handle. They must ensure that its classification is established, handle it in accordance with that classification level, and abide by any contractual requirements, policies, procedures or systems that exist for meeting those responsibilities.

  3. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

  4. Information will be protected against unauthorized access and processing in accordance with its classification level.

  5. Breaches of this policy must be reported.

  6. Information security provision and the policies that guide it will be regularly reviewed, including through the use of regular internal audits and third-party penetration testing.

Information security is the responsibility of all members of staff at Crowd Emotion. These principles exist to guide behaviour and to enable us to build and maintain secure products.

Data Classification

The following table summarises the information classification levels for all data that we collect.

The classification directly references GDPR categories.

Data Security

Personal data is at the core of the business; our company only works through the trust of our respondents to allow us to use their data. With that in mind we must do our utmost to ensure their data remains secure and stays private.

  • Follow industry-standard best practices in software development.

  • All systems must be owned and actively managed by an organisational unit, with operational responsibility taken for all software deployed.

  • Keep software packages and dependencies up to date and free of known critical vulnerabilities.

  • Collect the least amount of data needed to meet the objectives of the product. This frees us from having to maintain and secure more data than is required, allowing us to focus on product development rather than data management. We consider private data a liability rather than an asset.

  • Pseudonymisation (replacing an identifier with a token or hash) must not be relied on as a privacy control anywhere on the platform. Pseudonymised records remain personal data, and the mapping is easily recovered by joining them with other datasets; it provides a false sense of security. A single additional leaked dataset with overlapping attributes is enough to re-identify the records.

  • Products should be designed with security in mind from the ground up (secure by design), rather than having security added afterwards.

  • Services should have the least access they require to do their job.

  • Data should be encrypted at rest.

  • Service request rates should be limited and monitored so that bulk data exfiltration is detected rather than silently succeeding.

This is not an exhaustive list; some elements will apply to some projects and not to others. Use common sense and raise any issues that seem uncertain with a more senior member of the development team.
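To make the pseudonymisation point concrete, the following Python is an added illustration for this policy page, not code from CEL's platform. It builds two small constructed datasets (the emails, postcodes and measurements are invented) and shows the two ways a "pseudonymised" research export is re-identified: by hashing a guessable identifier space, and by joining on the quasi-identifiers the export kept. The function names and the unsalted SHA-256 scheme are assumptions chosen for the demonstration.

```python
import hashlib
from collections import defaultdict


def pseudonymise(email: str) -> str:
    """The weak scheme under discussion (assumed for this example): replace
    the identifier with an unsalted SHA-256 digest.  It is deterministic,
    so it is one lookup table away from the original value."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


# Constructed sample data, not real respondents.  The "pseudonymised"
# export keeps the quasi-identifiers analysts asked for (postcode, birth
# year) alongside the sensory measurement.
PSEUDONYMISED = [
    {"pid": pseudonymise("alice@example.com"), "postcode": "EC1A 1BB", "birth_year": 1984, "arousal": 0.81},
    {"pid": pseudonymise("bob@example.com"),   "postcode": "SW1A 1AA", "birth_year": 1990, "arousal": 0.12},
    {"pid": pseudonymise("dave@example.com"),  "postcode": "M1 1AE",   "birth_year": 1975, "arousal": 0.67},
    {"pid": pseudonymise("erin@example.com"),  "postcode": "LS1 1UR",  "birth_year": 1969, "arousal": 0.40},
]

# A second, unrelated dataset that later leaks (constructed; think of a
# marketing list).  It never contained any sensory data.
LEAKED = [
    {"email": "alice@example.com", "postcode": "EC1A 1BB", "birth_year": 1984},
    {"email": "bob@example.com",   "postcode": "SW1A 1AA", "birth_year": 1990},
    {"email": "carol@example.com", "postcode": "SW1A 1AA", "birth_year": 1990},
    {"email": "dave@example.com",  "postcode": "M1 1AE",   "birth_year": 1975},
]


def reverse_by_dictionary(records, candidate_emails):
    """Attack 1: the identifier space (email addresses) is small and
    guessable, so hashing every candidate and comparing digests recovers
    the originals without weakening the hash at all.
    Returns pid -> email for every record whose email was guessed."""
    table = {pseudonymise(e): e for e in candidate_emails}
    return {r["pid"]: table[r["pid"]] for r in records if r["pid"] in table}


def link_by_quasi_identifiers(records, leaked):
    """Attack 2: no identifier needed.  Join on the attributes both
    datasets share.  Returns pid -> sorted list of candidate emails; a
    record is fully re-identified when that list has exactly one entry."""
    by_qi = defaultdict(list)
    for row in leaked:
        by_qi[(row["postcode"], row["birth_year"])].append(row["email"])
    links = {}
    for r in records:
        candidates = by_qi.get((r["postcode"], r["birth_year"]), [])
        if candidates:
            links[r["pid"]] = sorted(candidates)
    return links


def unique_links(links):
    """Keep only the pids that map to a single person."""
    return {pid: c[0] for pid, c in links.items() if len(c) == 1}


if __name__ == "__main__":
    guessed = reverse_by_dictionary(
        PSEUDONYMISED, ["alice@example.com", "dave@example.com", "mallory@example.com"])
    print("recovered by dictionary:", sorted(guessed.values()))
    links = link_by_quasi_identifiers(PSEUDONYMISED, LEAKED)
    for r in PSEUDONYMISED:
        print(r["pid"][:8], r["arousal"], "->", links.get(r["pid"], "no match"))
```

Two things worth noticing in the output. Bob's record is not uniquely re-identified because two people in the leak share his postcode and birth year; that ambiguity is the only protection the export offers, and it disappears as soon as one more attribute (say, gender) is kept. Erin's record is safe only because she happens not to be in the leaked list. A keyed pseudonym (an HMAC under a secret held outside the dataset) defeats the dictionary attack but does nothing against the join, which is why the policy does not treat pseudonymisation as a privacy control.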

Remote Access

We don't use VPNs or privileged-access networks at Element Human; we subscribe to BeyondCorp principles. Every site and dataset employees need is reachable over the public internet through secure (TLS) connections, and access is granted on the strength of the user's identity and device rather than their network location.

Two-factor authentication is mandated across the business and is enforced in our applications.

Physical Security

We are a fully remote company with no formal offices. The physical security of our workplace is down to each individual employee; with this in mind we ask for the following:

  • All laptops and employee devices should be password protected.

  • Screens should lock after at most 15 minutes of inactivity and require a password to unlock.

  • Employee equipment should not be left unattended in open communal areas.

  • We are a paperless company; no documents should need to be printed or distributed on paper.

  • No personal data may be copied from our platform onto employee laptops.

  • Any loss should be reported immediately to the security team.

We do not run our own data centres. We are fully hosted on a mixture of Google Cloud Platform and Amazon Web Services; each provider's security documentation is available on its own site.

Responsibilities of Management

Senior Managers are responsible for the security of their physical environments where information is processed or stored. Furthermore, they are responsible for:

  • Ensuring that all staff, permanent, temporary and contractor, are aware of the information security policies, procedures and user obligations applicable to their area of work.

  • Ensuring that all staff, permanent, temporary and contractor, are aware of their personal responsibilities for information security.

  • Determining the level of access to be granted to specific individuals.

  • Ensuring staff have appropriate training for the systems they are using.

  • Ensuring staff know how to access advice on information security matters.

Responsibilities of the development team

The development team is ultimately responsible for the management and security of private data within the organisation. Its responsibilities include:

  • Detecting and pre-empting information security breaches, such as misuse of data or computer systems, and raising them with management.

  • Ensuring that data is stored appropriately, and that the risks to data are understood and either mitigated or explicitly accepted in a risk assessment.

  • Upholding the ethical and legal responsibilities for capturing and handling PII set out in this document.

Responsibilities of all staff

All staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. They should understand:

  • How to handle and store private data in a safe and secure manner.

  • The procedures, standards and protocols that are used for sharing of private data.

  • That no individual should be able to access information for which they have no legitimate need; any such access must be raised with a manager.

  • How to report a suspected breach of information security within the organisation.

Reporting breaches

All concerns, questions, suspected breaches, or known breaches shall be reported immediately to the Security Committee, which will inform the CEO. Should the CEO be absent or unreachable, the Security Committee shall inform the Directors of the Board.

All members of staff have an obligation to report actual or potential data protection compliance failures.

What to do in case of these breaches is listed in the IT breach documentation.

Contact:

Site Reliability and Security Team

security@elementhuman.com
