Roomie, Inc Data Security Policy
This policy explains how Roomie protects the data it collects and processes, including the security measures used to keep information safe.
1. Purpose
This Data Security Policy defines the administrative, technical, and physical safeguards Roomie, Inc. ("Roomie") uses to protect the confidentiality, integrity, and availability of data processed, stored, or transmitted through its systems. This policy is designed to align with Roomie’s Privacy Policy, institutional security expectations (e.g., HECVAT), and applicable data protection laws.
2. Scope
This policy applies to:
- All Roomie employees, contractors, and authorized third parties
- All Roomie systems, applications, infrastructure, and cloud services
- All data handled by Roomie, including Personal Information, institutional data, and operational data
3. Data Classification
Roomie classifies data into the following categories:
3.1 Restricted Data
Highly sensitive data requiring the highest level of protection, including:
- Personally Identifiable Information (PII): name, email address, room assignment
- Authentication credentials
3.2 Confidential Data
Business-sensitive data not intended for public disclosure, including:
- Internal system logs
- Security configurations
- Non-public product or operational data
3.3 Public Data
Information approved for public release, such as marketing content and publicly available documentation.
4. Governance and Responsibility
- Executive Responsibility: Information Security oversight resides with Roomie’s CTO, with executive accountability held by the CEO.
- Security Reviews: Security controls and risks are reviewed quarterly or as needed following incidents.
- Employee Responsibility: All employees and contractors are required to follow this policy and complete mandatory security awareness training.
5. Access Control
5.1 Principle of Least Privilege
- Access to production systems and customer data is limited to authorized personnel with a documented business need.
- Most staff access data via internal, web-based tools with restricted permissions.
5.2 Authentication
- Firebase Authentication is used for user identity management, supporting Google SSO and email/password sign-in methods.
- Administrative access to servers and databases requires SSH key-based authentication.
5.3 Privileged Access
- Direct database access is read-only except for approved application services.
- Privileged access is logged and monitored.
6. Infrastructure and Data Security Controls
6.1 Cloud Infrastructure
- Roomie operates in a 100% cloud-based environment using AWS infrastructure, primarily in the US-East (N. Virginia) region, with plans for regional redundancy.
- Core components include AWS EC2, RDS (PostgreSQL), S3, load balancers, and third-party services such as Google Firebase and Shopify.
6.2 Encryption
- Data in Transit: All data transmitted between clients and Roomie systems is encrypted using HTTPS/TLS.
- Data at Rest: All production data is stored in encrypted form at rest. Roomie uses AWS-managed encryption for databases, backups, and storage volumes, including Amazon RDS and Amazon S3. Encryption at rest uses industry-standard AES-256 encryption and is managed through AWS Key Management Service (KMS).
6.3 Monitoring and Logging
- Continuous monitoring is performed using AWS monitoring tools, application performance monitoring (APM), and centralized logging.
- Alerts are generated for anomalous activity or system degradation.
7. Application Security
- Input validation and error handling follow standard e-commerce security practices.
- Application logs capture detailed validation and system events and are monitored for suspicious behavior.
- New features and major changes undergo security review based on confidentiality, integrity, availability, and access control principles.
8. Incident Response and Breach Management
Roomie maintains a formal Incident Response and Data Breach Response Plan, integrated with its Crisis Management, Business Continuity, and Disaster Recovery framework.
Detection and escalation mechanisms include:
- Automated infrastructure alerts via AWS CloudWatch, routed through AWS SNS to internal Slack channels.
- Application-level monitoring and error detection through SigNoz and Sentry.
- Ongoing review by engineering leadership and the CTO.
Key elements include:
- Rapid identification and containment of incidents
- Activation of a cross-functional response team
- Client notification within 72 hours when required
- Root cause analysis and remediation
9. Business Continuity and Disaster Recovery
- Critical systems are backed up hourly using AWS RDS replication.
- Recovery Time Objectives (RTOs) for core functions are ≤ 4 hours.
- Disaster recovery and business continuity plans are reviewed and tested annually.
10. Third-Party Risk Management
- Roomie relies on vetted third-party providers for infrastructure, analytics, monitoring, and marketing services.
- Core infrastructure providers include AWS (hosting, databases, storage), Google/Firebase (SSO), Shopify (checkout), SendGrid (email verification), and GoDaddy (DNS).
Additional third-party services may receive limited Personal Information or user context data in the normal course of application operation, including:
- Mixpanel (product analytics): email address, first name, last name, user ID, organization ID, university ID, and signup method.
- Sentry (error monitoring): error reports and limited user context; session replay enabled at a limited sample rate in production.
- Google Analytics (GA4) and Vercel Analytics (usage analytics): page views and behavioral data; user ID may be included in event parameters.
- Facebook Pixel and TikTok Pixel (marketing analytics): behavioral event data; TikTok may receive SHA-256-hashed identifiers (e.g., email or phone) on commerce-related events.
- Google Gemini AI (image analysis): user-uploaded images submitted voluntarily by users when using optional style analysis features.
Additional statements:
- No institutional systems (e.g., SIS, housing systems, or campus IAM) are integrated with the Roomie platform.
- Student data is provided directly and voluntarily by users; campuses do not transmit student data to Roomie.
- Third-party security incidents are managed in coordination with vendors, with required disclosures and documentation.
- Vendors handling Personal Information are expected to maintain industry-standard security practices.
10.1 Cyber Insurance
- Roomie maintains a cyber-risk insurance policy to mitigate financial and operational risk related to security incidents.
- Coverage includes a $500,000 aggregate limit for cyber events.
- Insurance provider: Corix Insurance Services LLC.
11. Employee Security Practices
- Background checks are performed prior to employment.
- Security awareness training is mandatory for all employees.
- Remote work is permitted only using secure internet connections and approved authentication controls.
12. Data Retention and Disposal
- Personal Information is retained only as long as necessary for business or legal purposes, consistent with the Privacy Policy.
- Secure deletion procedures are followed when data is no longer required.
13. Compliance
This policy supports compliance with:
- GDPR (for EU residents)
- FERPA-aligned institutional expectations (where applicable)
- Applicable U.S. state and federal data protection laws
Roomie does not process regulated educational records (FERPA), financial aid data, grades, government-issued identification numbers, or other sensitive institutional records. Student data is provided voluntarily by users and is not transmitted by campus systems.
14. Policy Review and Updates
This Data Security Policy is reviewed annually and updated as necessary to reflect changes in technology, risk, or regulatory requirements.
15. Contact Information
Questions regarding this policy may be directed to:
27 Treasure Island Way
Kalispell MT 59901
Email: brett@roomie.com