In May 2018 the EU General Data Protection Regulation (GDPR) replaced the existing patchwork of EU National Data Protection legislation and brings a level of consistency to data and privacy protection in the EU. Even prior to the implementation of GDPR, iBaby recognized the worldwide importance of privacy, security, and data protection to our customers, partners, and employees.
We have adopted a cross-functional approach to privacy governance that covers all areas of the company including customer, partner, and employee data. Legal, customer service, IT, human resources, and engineering teams meet regularly to help guide, design, and develop products and systems from the ground up to protect data and privacy. iBaby has a dedicated cybersecurity committee that oversees and monitors privacy and data security, and regularly engages external experts on privacy issues- including design and encryption privacy. iBaby has an active cyber security program to ensure information security. We strictly enforce privacy protection measures within the company.
Specifically, as part of the EU General Data Protection Regulations (GDPR), we have evaluated and continue to evaluate our key processes, products, and services. In particular, we have:
– Improved processes to ensure data transparency, accuracy, accessibility, integrity, security and consistency.
– Map the data and determine what we have, what we are doing, where it is, where it flows and who can access it.
– Evaluate privacy and data security risks and advantages in our systems and products.
– Implemented data incident response teams and processes.
– Privacy and security requirements in the product development cycle.
In addition, all iBaby employees must receive training on privacy and security.
Finally, iBaby complies with all applicable laws that require notification of data security incidents. This means that we will conduct a quick investigation and analysis so that we can provide notifications when necessary. We are also committed to providing appropriate assistance to clients affected by the incident, which may include information from the iBaby support team and advice on steps they can take to reduce the risk of injury.
iBaby system security measures
iBaby Products fully support internet access— parents can view, and talk with their Baby/Family anywhere with a strong network. And since iBaby produces Wi-Fi enabled/ internet products, having a strong security solution is a must. So, we designed iBaby’s security model as follows:
The access between customer and iBaby Products (include: Apps, Monitor, Amazon AWS Cloud Service, and P2P Server) is authorized by username and password. This means the customer should keep their username and password private and not share with others.
The communication between the internal components of the iBaby monitors (include: Apps, Monitor, Amazon AWS Cloud Service and P2P Server) are encrypted by different technologies (see picture below).
iBaby monitors are designed and intended to be used with a home Wi-Fi connection. If you share your home Wi-Fi with others or don’t have encryption, it will place the monitor at risk of hackers and virus attacks. iBaby recommends a private Wi-Fi with internet that can only be accessed by the iBaby monitor and family members.
Customer Interaction with App
When first setting up your iBaby monitor, you must download the iBaby Care App from the Apple App Store or Google Play Store. Once downloaded, users must create a username and password to log in (you will use the username and password in the future to log in and use the App). After creating the account, you can install the monitor following the on-screen instructions. Once the installation step is complete, the monitor will identify you as the account owner with full control. This control gives the owner the ability to give family members access to view or manipulate the monitor. It also allows you to revoke all access. Because of this, the user has to understand the risk associated with sharing the monitor with relatives or friends.
App talk to Cloud Services
The App and the Cloud exchange two types of data. One is the user profile data (includes username, password, monitor information, monitor alert files information, music list etc.). The other is user data (includes video and audio files recorded by sound and motion alerts from the monitor, and music files).
For profile data exchange, iBaby Cloud uses Web APIs provided by HTTP. This means that all data requests and responses become encrypted with an iBaby private password and a token by AES. Tokens are different for each requestor and initiates destruction after the API request is completed. This means that only the requestor knows their token, and no one else can decrypt the data content.
For user data file exchange, iBaby Cloud provides Amazon S3 to store file requests. iBaby Cloud encrypts the path at random and responds to the App via iBaby Web API request. All data file request go through HTTPS, meaning others will not be able to see the real path of the files and will not be able to capture the file content.
How iBaby Monitors talk to the Cloud Service
There’s not a lot of data that’s exchanged between iBaby monitors and the Cloud. iBaby monitors synchronize the hardware information to the iBaby cloud and uploads pictures or videos when sound or motion triggers the sensors. Please note that video and pictures are only uploaded when the owner allows it to.
iBaby Monitors keep a user log of the visitors who view and access the monitor. This information is also uploaded to the cloud.
The communication between the monitor and the cloud services become encrypted with private passwords provided by AES. Enhancement of all encryption and log functions will occur for new products of 2016.
App talks to Monitor directly
There is a P2P tunnel between the App and the monitor. The tunnel, provided by TUTK, is a public P2P company that offers encryption with a security guarantee.
During the monitor’s installation, the App asks for UID, username, and password from the web API (all responses become encrypted). This information then generates at random, and after installation, the authentication information is stored in the monitor and the app. iBaby must provide this information for monitor access via TUTK P2P tunnel.
App talk to Monitor through relay server:
Sometimes when the network connection is poor, the App cannot talk to the monitor directly. It will then need to relay the server to proxy the data traffic. The relay server, and the communication between the relay server, app, and monitor is owned by iBaby and uses the same security process (P2P tunnel + UID + username + password) between the app, and the monitor.
Server Services Protection
All of the iBaby user data is stored on our servers with the highest grade of security. So, we have selected to use Amazon’s AWS as our data security provider. Amazon AWS can provide high availability server services and monitor systems. iBaby follows all of Amazon’s recommendations for server and permission setup.
The P2P relay server only transfers real video and audio data when the App can’t talk to the monitor directly. All data transfer become encrypted by TUTK technology while all servers stay behind the system’s firewall.
Data storage in Cloud
All sensitive data on the cloud is encrypted and stored in the database(RDS). RDS, a service provided by Amazon AWS, allows a specified host to access its data. For iBaby, it only allows access from an iBaby host inside the AWS private LAN(zone). Any unauthorized users cannot get real data without the iBaby WebAPI, even if they can reach the whole database.
Review of iBaby
Independent internal audits (not product engineering) from the IT team include regular penetration testing and PCI compliance audits.
The iBaby system is used to provide you with the provider of our services. As part of the service offering, we may need to share or have personal information about you collected with certain third party service providers. The iBaby sub-processor meets the requirements and obligations of the GDPR.
|System||iBaby service or third party service||Has the data been transferred out of the EU? If yes, where?||If the data is transferred from the EU, where will the data be transferred?||Purpose description|
|iBabylabs.com website||Inside iBaby||yes||CA,US||iBaby official website, wpengine third Party Service|
|iBabyCare iFamCare Yobi||Inside iBaby||yes||iBaby App application|
|iBaby Cloud network services, including API Server,S3 storage, MQTT communication services, etc.||Amazon web service and iBaby||yes||Amazon America Amazon Japan||iBaby is used to store / host / collect / manage personal information, including user accounts, videos, or provide other infrastructure that helps provide iBaby services. These are security environments controlled by the iBaby team and protected by the data processing protocol.|
|MySQL database||Amazon web service and iBaby||yes||Amazon Japan||iBaby is used to store / host / collect / manage personal information, including user accounts, videos, or provide other infrastructure that helps provide iBaby services. These are security environments controlled by the iBaby team and protected by the data processing protocol.|
|Zendesk customer service support system||Third party||YES||US||Support services, including
-in-application ticket submission.
-3rd Pty call Center to manage support phones Personal data may be received during these support, including: email address, device SN, system version
|Vultr VPS||Inside iBaby||yes||US||Some old product servers, such as M 6, M 6 t device side servers. P2P Relay server|
|Fullry||Third party||Yes||US||App Application Statistics and exception Collection|
Change and update
With the development and development of our business, the third-party and subprocessors with which we work may also change over time. By sending a notification to the email address of the registered account holder and publishing any changes here, we will provide notification of any changes to the account owner. Please refer back to this statement to be in the loop.