Security & Trust
Fuel50 is committed to ensuring it puts the security of its global clients first. From our robust and best-in-class security management and data handling, to our infrastructure and privacy policies, Fuel50 is a company and solution you can trust.
Fuel50 is an HR system provider and as such receives, stores and processes Personally Identifiable Information (PII) and other client data as part of its platform services.
Fuel50 Software as a Service (SaaS) operates in a secure data center. The following document describes the technical and security measures implemented by Fuel50 for secure handling of clients’ data.
The Fuel50 Security & Privacy team manages a robust Information Security & Privacy Management System (ISPMS), which is implemented based on the following industry standards:
|ISO 27001:2013|Information technology – Security techniques – Information security management systems – Requirements|
|ISO 27017:2015|Information technology – Security techniques – Code of practice for information security controls|
|ISO 27701:2019|Information technology – Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines|
|ISO 22301:2019|Information technology – Security and resilience – Business continuity management systems – Requirements|
Fuel50 has successfully completed a SOC 2 Type II examination for infrastructure and operations of our platform.
Our security framework includes:
- Policies, procedures and controls
- Asset management
- Risk management
- Access management
- Organizational security
- Physical security
- Operations security
- Supplier security
- Business continuity
Security and Privacy is the responsibility of all Fuel50 personnel. The entire team is regularly trained, and our systems and processes are audited at planned intervals. The Global Security & Privacy Manager defines the security portfolio and keeps it up to date. The ISPMS Steering Committee reviews the entire program and controls on a regular basis during the Management Review Meetings.
Each employee completes comprehensive security training, and awareness campaigns and meetings are held regularly.
Prior to employment, potential candidates undergo interviews for suitability for the vacant role and a full spectrum background check. Upon employment, the candidate must read, sign, and adhere to a series of documents outlining their responsibilities for information security.
Termination of Employment
Terminated employees are removed from all systems. All access to management systems, hardware, tools and SaaS platform is revoked immediately. All assets must be returned to the company.
Acceptable Use Policy (AUP)
Fuel50 AUP is a set of rules that must be followed by all Fuel50 employees. The document focuses on the handling procedures of any asset – including data, hardware, and information systems (software) – to produce security-conscious operations for minimizing risk to people, processes, technology, and environments.
An information security competence and awareness program is in place so employees can perform their functions in a secure manner.
All workstations at Fuel50 are configured to comply with our standards for security. These standards require all workstations to be properly configured and updated, and to be tracked and monitored by a secure endpoint management solution.
Users are only provided with access to the network, systems, applications, and network services that they have been specifically authorized to use. Access to the system is audited, logged, and verified.
To further reduce the risk of unauthorized access to data, the Fuel50 Access Control model is based on Role Based Access Control (RBAC) to create separation of state. There is continuous monitoring at the application and infrastructure level, with all monitoring data sent to a Security Information and Event Management (SIEM) system. Principles of least privilege are enforced.
Fuel50 employs multi-factor authentication for all access to systems with client data. Whenever possible, Fuel50 uses private keys for authentication, in addition to the multi-factor authentication on a separate device. Clients can also use Federated Access Control; Fuel50 uses Security Assertion Markup Language (SAML) version 2.0 protocol for Identity Provider (IDP) Single Sign-On (SSO).
All employees are required to use an approved password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks. To manage access to these accounts, Fuel50 uses 1Password for authentication.
Monitoring & Logging
Fuel50 access control and continuous monitoring logs all database access and ships the logs to a centralized SIEM system. Administrative access, use of privileged commands, and system calls on all servers are logged and retained.
Log information is protected against tampering and unauthorized access. System administrator and system operator activities are logged, and access/change actions can be reviewed.
Servers and endpoint devices such as laptops and desktops are protected against, and monitored for, malware and malicious or unsafe code and applications by a set of deployed protection tools.
Access to the office, data centers, and work areas containing sensitive information will be physically restricted to limit access to only authorized personnel. Employees use fob cards for entering the offices and maintain a visitor log. There are surveillance cameras and security in place to monitor the building.
Fuel50 uses third-party sub-processors to provide its services. Prior to engaging any third-party sub-processor, Fuel50 Security & Privacy Team performs diligence to evaluate their privacy, security, and confidentiality practices, and executes a non-disclosure agreement implementing its applicable confidentiality obligations. The assessment process is repeated annually.
Vulnerability & Penetration Testing
Fuel50 engages independent vendors to conduct application and infrastructure-level vulnerability scanning and penetration testing on the SaaS platform. All findings are logged into a database, risks are identified, assessed, and treated until residual risk comes down to the lowest acceptable level. Executive summary reports of vulnerability scans are available to users upon request.
Client Data Protection
Data as an asset (Classification and Handling)
At Fuel50, data is treated as a valuable asset. Information assets of the organization will be classified based on their relative business value, legal requirements and impact due to loss of confidentiality, availability and integrity of the information asset. The level of security will be identified based on the information classification performed.
Customer data is classified at the highest level.
- Data in Transit: Fuel50’s cryptographic controls use Hyper-Text Transfer Protocol Secure (HTTPS) over Transport Layer Security (TLS) version 1.2.
- Data at Rest: Fuel50 uses Data at Rest Encryption using Key Management Service (KMS). All data is encrypted using 256-bit Advanced Encryption Standard (AES-256), with each encryption key itself encrypted with a regularly rotated set of master keys.
Data Center Security
Fuel50 SaaS is hosted on a secure cloud services provider. Data center operations comply with a set of standards and regulations including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1.
Customer data is stored for as long as it is needed to meet Fuel50 operational needs, together with contractual, legal and regulatory requirements. Data is retained for the duration of the contract unless otherwise indicated within the Contract/Master Service Agreement (MSA).
Fuel50 will anonymize customer PII 90 days after the termination of contracts; however, upon expiration of the applicable retention period and when expressly required by a customer, we will securely destroy the data in accordance with applicable laws and regulations.
Fuel50 complies with applicable legal, regulatory and contract requirements as well as industry best practices. There is a comprehensive Privacy Program in place and annual audits are performed against regulatory requirements.
Cryptographic controls are used in compliance with all relevant agreements, laws, and regulations. Regular technical compliance reviews, including penetration testing and IT health checks of all information systems, are undertaken to ensure continued compliance.
Fuel50 has a Risk Management Procedure in place to identify, assess and treat risks depending on the level of impact and likelihood. After treatment, all risks are re-assessed for residual risk evaluation. Risks are only accepted when they reach the lowest level and no longer represent threats to Fuel50 system and data assets.
Fuel50 has an established procedure for responding to potential security incidents. All security incidents are managed by following the non-conformity treatment process:
- Immediate action
- Root-cause analysis and incident classification (based on severity)
- Corrective action
All processes are documented and updated annually. Lessons learned are kept for future reference. In the event of an incident, affected customers will be informed by our Client Success Team and Security department when necessary.
Business Continuity and Disaster Recovery
Continuity management is a risk-based approach to managing risks and issues that can interrupt or disrupt business operations or service delivery operations. Fuel50 manages these risks by determining the most common causes of interruption or disruption and has prepared plans for treatment of these issues.
Within Fuel50, specific roles are identified in relation to continuity management endeavours. Each role has a defined responsibility.
Fuel50 Business continuity plans are effectively implemented by:
- Having all stakeholders briefed on the contents of the BCP and aware of their individual responsibilities;
- Having cloud platforms tested and audit results discussed during Management Meetings; and,
- Having failover tests updated annually.
Datacenter Disaster Recovery Process
Fuel50 instances reside in two regions (North America and Europe), utilizing each region's Availability Zones to provide fault tolerance and redundancy at the data center level of operations. Each region utilises its own database, and client data is backed up within the same region.
Recovery Time Objective & Recovery Point Objective
Fuel50 Recovery Time Objective is committed to the Service Level Agreements. Services delivered from CorpIT to internal-facing employees must be recovered within 24 hours. Services delivered from cloud-based software to external-facing clients must be recovered within 7 hours.
Fuel50 Recovery Point Objective (RPO) is dependent on multiple factors. When delivered from SaaS, deliveries to external-facing clients must be recovered to a point within 24 hours. The 24-hour value is based on conducting backups of the supplied client data within each data center.
NOTE: Client-provided data is not backed up to removable media or removed from the data centers for backup purposes.
Fuel50 GDPR Strategy
Fuel50 SaaS is fully compliant with GDPR requirements. The organisation has crafted a strategy for aligning with the European Union (EU) General Data Protection Regulation (GDPR) requirements, including but not limited to: engaging the EU Representative; conducting annual revision to its DPIA (Data Privacy Impact Assessment); administrative controls for rights management, breach reporting, DPA (Data Processing Agreement), etc.; and technical controls for data protection in transit and at rest.
Based on the GDPR principles, Fuel50 provides the following information to show its compliance.
1. Lawfulness, fairness and transparency
Lawfulness: All information is collected and processed lawfully based on contractual requirements.
Fairness: Fuel50 only processes data according to the documented policies and procedures.
There is no undocumented collection, use or disclosure of client data that.
Transparency: We keep the Security White Paper as a means to be transparent with our clients about how our data practices are carried out. Fuel50 only accesses client data and client instances when it has been explicitly permitted to do so by the client in order to address client requests (e.g. troubleshooting) and for support purposes; there is no casual data access.
2. Purpose limitation
Client data collected by Fuel50 is for specified, explicit and legitimate purposes, which depend on the client’s business and use case. All client provided data is used for service delivery as per contracted terms and agreements.
3. Data minimization
Fuel50 has minimum data requirements: First Name, Last Name, and Email Address. Any further information provided by clients is at the complete discretion of the client, to support their business case and use case for Fuel50.
Fuel50 provides all clients with complete control over their own data. All clients have Web Based User Interface (WebUI) access to Fuel50 SaaS for control and data entry, deletion and modification. Fuel50 has no control over the accuracy of client data inputted into the system.
5. Storage limitations
Fuel50 data retention period is governed by the contractual agreement with the client.
6. Integrity and confidentiality
Fuel50 makes sure that client personal data is processed in a manner that ensures industry-standard security of personal data. Fuel50 protects client data against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Fuel50 does not ‘share’ or ‘sell’ any data. All client provided data is used for service delivery as per contracted terms and agreements. Any data transferred to suppliers is done so as a part of Fuel50 service delivery. Suppliers are bound by contractual agreements to process data for Fuel50 only for Fuel50 business needs.
Fuel50 is responsible for Personal Information under its control and has a designated Global Security & Privacy Manager acting as Data Protection Officer (DPO) who is accountable for Fuel50 compliance with this Privacy Code of Conduct. Fuel50 uses an Access Control Process overlaid with Role Based Access Control (RBAC) for separation of duties and segregation of roles. Upon request, Fuel50 provides specific and understandable information about its policies and practices.
Data Transfer Impact Assessment
This document provides information to help Fuel50 customers conduct data transfer impact assessments in connection with their use of the Fuel50 product, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations from the European Data Protection Board.
In particular, this document describes the legal regimes applicable to Fuel50 in the US, the safeguards Fuel50 puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and Fuel50’s ability to comply with its obligations as “data importer” under the Standard Contractual Clauses (“SCCs”).
For more details about Fuel50’s GDPR compliance program please visit here.
Step 1: Know your transfer
Where Fuel50 processes personal data governed by European data protection laws as a data processor (on behalf of our customers), Fuel50 complies with its obligations under its Data Processing Addendum (“DPA”). The Fuel50 DPA incorporates the SCCs and provides the following information:
- description of Fuel50’s processing of customer personal data (Annex I); and
- description of Fuel50’s security measures (Annex II)
Please refer to Annex I of the DPA for information on the nature of Fuel50’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects.
A list of all of our data subprocessors is available on our subprocessors page.
We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Services. The locations will depend on the particular Fuel50 Services you use, as outlined in the chart below.
|Product(s) and Services|In what countries does Fuel50 store Customer Personal Data?|In what countries does Fuel50 process (e.g., access, transfer, or otherwise handle) Customer Personal Data?|
|---|---|---|
|Fuel50 cloud account|United States, Germany. Note: EU clients are hosted in Germany.|Depending on the customer location, Fuel50 can access data from these countries: United States, United Kingdom, New Zealand.|
|Fuel50 business operations and analytics (“Usage Data”)|United States, European Union. Note: EU clients are hosted in the European Union.|Depending on the customer location, Fuel50 can access usage data from these countries: United States, New Zealand. Note: Usage data related to EU clients is not accessed by Fuel50 personnel located in the United States.|
|Fuel50 support|New Zealand, United Kingdom|New Zealand, United Kingdom|
Step 2: Identify the transfer tool relied upon
Where personal data originating from Europe is transferred to Fuel50, Fuel50 relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer. To review Fuel50’s Data Processing Addendum (which incorporates the SCCs) please request a copy of it by sending an email to email@example.com
Where customer personal data originating from Europe is transferred by Fuel50 to third-party subprocessors, Fuel50 enters into SCCs with those parties.
Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
U.S. Surveillance Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
- For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
- EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
- Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is Fuel50 subject to FISA 702 or EO 12333?
Fuel50, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be a RCSP. However, Fuel50 does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, Fuel50 is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. Fuel50 does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies (such as Fuel50) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that Fuel50 processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
What is Fuel50’s practical experience dealing with government access requests?
To date, Fuel50 has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data.
Therefore, while Fuel50 may technically be subject to the surveillance laws identified in Schrems II, we have not been subject to these types of requests in our day-to-day business operations.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
Fuel50 provides the following technical measures to secure customer data:
- Encryption: Fuel50 offers data encryption at rest and while in transit.
- Security and certifications: Additional information about Fuel50’s security practices and certifications is available on our Trust site.
Fuel50’s contractual measures are set out in our Data Processing Addendum which incorporates the SCCs. In particular, we are subject to the following requirements:
- Technical measures: Fuel50 is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum and under the SCCs we enter into with customers and service providers).
- Transparency: Fuel50 is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that Fuel50 is legally prohibited from making such a disclosure, Fuel50 is contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, Fuel50 is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Fuel50’s organizational measures to secure customer data include:
- Policy for government access: To obtain data from Fuel50, law enforcement officials must provide a legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.
- Onward transfers: Whenever we share your data with Fuel50 service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security & Privacy Team to ensure our customers’ personal data receives adequate protection. This process includes a review of the data Fuel50 plans to share with the service provider and the associated level of risk, the supplier’s security policies, measures, and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our subprocessors page.
- Privacy by design: Fuel50’s Privacy Principles outline Fuel50’s approach to privacy.
- Employee training: Fuel50 provides data protection training to all Fuel50 staff.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this document, including Fuel50’s practical experience dealing with government requests and the technical, contractual, and organizational measures Fuel50 has implemented to protect customer personal data, Fuel50 considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that individuals’ rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
Fuel50 will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
We know that if someone doesn’t trust a tool, they won’t use it. We’re passionate about creating meaningful data controls, choices, and notices to foster open collaboration and deeper teamwork.
This means we embrace privacy by design in everything we do. We’re on a mission to build a better privacy-aware product, with a high degree of configuration, to make sure every team member is on board.
Trust through transparency
Trust can’t grow without proactive transparency. We commit to providing forthcoming, clear, simple, and consistent information around who can access your data and for which purposes. We won’t wait for you to ask. Our goal is to deliver a familiar, straightforward privacy structure – no surprises.
We surface this information in a few places, including Fuel50’s:
We may surface additional information within our products where possible to assist you in understanding the impacts of particular product configurations.
We also let you know about data incidents when they arise. Visit Data Handling for more details about our approach to Security Incident Management.
Confidence through control
We want you to feel confident providing data to us, stemming from the choices we present you around providing, restricting, modifying, accessing, or revoking personal data. While we’ll always honour legal requirements as a baseline, we’re constantly looking for ways to enhance your options and deliver better solutions than the law requires.
Learn more about your choices by visiting:
You can always change your mind on these settings and reconfigure them.
To assist us in meeting business operations needs and to perform certain services and functions, we may share your information with providers of hosting, marketing, sales/customer relationship management services, product support, product management, and security enhancement. Pursuant to our instructions, these parties may access, process or store Personal Data in the course of performing their duties to us.