POCKETALK Ventana White Paper

1. About This Document

This document is intended for those who are considering using Pocketalk Ventana (hereinafter referred to as “Ventana”) or who are currently using it. The purpose of this document is to help you understand our security measures and to help you understand the precautions to use Ventana safely. In addition, this document serves as an appendix to the Terms of Use and is an agreement between our company and the customer regarding the use of Ventana.

2. Cloud Service Providers

Ventana is developed and operated by Pocketalk Corporation (hereinafter referred to as “Pocketalk”) and provided to our customers using Google Cloud Platform (hereinafter referred to as “GCP”).

3. Boundary of responsibility between Pocketalk and Ventana customers

The diagram below explains the boundary of responsibility between Pocketalk and customers when using Ventana.

4. Data Center Location

GCP used by Ventana is operated in the following regions.

  • Region: US West
  • Multi-AZ: 2 locations in Los Angeles, California

5. Service Level Objectives (SLOs)

Service hours: 24 hours a day, 365 days a year
  ** We also monitor the service during the same time period.
Service availability: 99.0%
  ** Does not include annual planned service outages.
Planned service outages: 2~4 times / year
  ** Service outages are expected to last up to 6 hours at a time.
Data backup: The DB configuration is redundant with a primary / secondary configuration (constantly synchronized).
  ** Data generation management backup is not provided. Customers are responsible for downloading and properly storing and managing data using Ventana’s reporting function.

6. Pocketalk Security Control Measures

At Pocketalk, we are committed to adhering to the highest international standards for information security and recognize the importance of maintaining the confidentiality, integrity, and availability of our information assets and those of our clients.
As proof of this commitment, we underwent a rigorous assessment process from an independent certification body and officially achieved the ISO27001 and ISO27017 certifications as of February 2024.
The following section outlines the policies and initiatives that we have set forth to align with these standards, and our ongoing efforts to maintain a secure environment for our data and systems.

Policy group for information security

We have established basic policies for information security initiatives in our cloud services as our “Information Security Basic Policy” and “Cloud Service Security Basic Policy,” and operate our services in accordance with these policies.

Information security roles and responsibilities

The roles and responsibilities regarding information security are as stipulated in “3. Boundary of responsibility between Pocketalk and Ventana customers.”

Liaison with relevant authorities

The relevant authorities are as specified in “4. Data Center Location”.

Share and assign roles and responsibilities in a cloud computing environment (CLD.6.3.1)

The sharing and division of roles and responsibilities in the cloud computing environment will be as stipulated in “3. Boundary of responsibility between Pocketalk and Ventana customers.”

Removal of cloud service customer assets (CLD.8.1.5)

The following describes how customer data will be handled when the customer terminates their use of the service.

  • Customers cannot apply for service termination themselves using the functions provided by Ventana. If you wish to terminate the service, please contact us at one of the addresses below. (Only users who have an administrator account can delete the accounts of users in their organization on Ventana.)

Contact

North America: ventana@pocketalk.com
Europe: ventana-eu@pocketalk.com
Asia: https://pocketalk.link/inquiry

  • After we receive your request for service termination, we will delete your account and any stored customer data within a maximum of 30 days.
  • After we delete your account and customer data, we will inform you via email that the deletion has been completed.
  • After we delete your account and customer data, you will no longer be able to access Ventana.
  • If you need the data stored on Ventana, it is your responsibility to download it from Ventana and store it properly.
  • After we delete your data, it may take up to 180 days to completely delete it in GCP’s data centers, but during that time you will no longer be able to log in to or access your data.

Labeling information

Ventana provides the ability for customers to label information (device name, group name, etc.).
Please see the manual for details.

User registration and deletion

Users are registered, updated, and deleted using an account with administrator privileges.
Please see the manual for details.

Providing user access

Ventana allows you to grant different privileges to the accounts of users using the service in your organization, and to limit the information that can be viewed and the functions that can be used.
Please see the manual for details.

Managing privileged access rights

Privileged access is granted to accounts with administrator privileges. The security of administrator accounts is ensured by login ID and password authentication. You are responsible for managing your account properly.

Management of user secret credentials

After registering as a user with Ventana, an invitation email will be sent to the registered email address. You can register your customer information including your password from the invitation email.
Please see the manual for details.

Restricted access to information

Ventana limits the information displayed and available functions depending on the privileges granted to the logged-in user’s account.
Please see the manual for details.

Using privileged utility programs

Ventana does not provide utility programs such as APIs that allow service functions to be used while circumventing security procedures. Use of the privileged utility programs needed to operate the service is strictly restricted: we confirm the appropriateness of each use in advance, obtain logs, and conduct reviews.

Isolation in virtual computing environments (CLD.9.5.1)

Ventana operates in a multi-tenant environment. Accessible resources are separated by ID for each tenant, and access to other tenants’ resources is controlled.

Hardening virtual machines (CLD.9.5.2)

All virtualized environments we build have port and protocol restrictions in place to block unauthorized access. Additionally, we conduct vulnerability assessments and penetration tests by a third-party organization at least once a year.

Policy for using cryptographic controls

Customer data stored in Ventana is encrypted, and keys are managed using Google Key Management Service (Cloud KMS). Passwords for customer accounts are hashed and stored. Communication that exchanges customer data is encrypted using SSL/TLS (TLS 1.2 compatible) communication, and the data itself sent and received between the device and Ventana is also encrypted.

Secure disposal or reuse of equipment

When equipment media is replaced due to aging or breakdown, we do not dispose of the equipment ourselves. Disposal is handled under GCP’s facility, building, and physical security controls, described below.

https://cloud.google.com/docs/security

Change control procedures

If we update the services we provide or perform periodic maintenance, we will inform you in advance by email.

Capacity management

In order to provide stable services, we monitor the resources of each server and increase capacity as necessary.

Operational security for administrators (CLD.12.1.5)

The operating method of Ventana and security settings are explained in the manual.
In our operations, we manage separate cloud environments for development, staging, and production. In principle, personnel engaged in development are prohibited from accessing the production environment, and only a limited number of operational personnel are allowed to do so. All access to and operations performed in the production environment are kept in audit logs. This access restriction is managed by GCP’s IAM, and we regularly take inventory of IAM users and manage them appropriately.

Data backup

When we make changes to the production environment, we take a system backup of the environment. This backup data also includes customer data, which is encrypted and stored. After system changes are released, the backup data will be deleted within a maximum of 7 business days.

Event log acquisition

Although Ventana does not provide a function for customers to acquire event logs themselves, we acquire and store appropriate logs (up to 13 months) necessary for service maintenance and management.
In addition, if a major incident occurs and log information is required for the purpose of investigating the situation, we will conduct an investigation using access logs from the past 13 months in response to customer inquiries. Please contact privacy@pocketalk.com.

Time synchronization

Ventana uniformly synchronizes time (UTC) with the internal NTP server provided by GCP.

Monitoring cloud services (CLD.12.4.5)

We monitor system resource conditions such as CPU, memory, and disk usage, and have implemented a WAF (Web Application Firewall) and log monitoring for security incident detection.
We also perform service monitoring to ensure the proper operation of the Ventana web application.

Managing technical vulnerabilities

We collect vulnerability information, and if it becomes necessary to take action within our responsibility, we will take action through regular or emergency maintenance.
Maintenance information will be notified by email.
To ensure even greater security, we define security requirements at the time of development and design, and conduct not only in-house testing but also third-party vulnerability diagnosis and penetration testing before release.

Network separation

Access to Ventana is via an internet connection. Security is logically ensured by identifying customer organization IDs based on user accounts.
For maintenance and operation work for our production environment, we manage permissions appropriately using GCP’s IAM and allow access after application and approval. Additionally, access to the production environment and operations performed are managed by storing audit logs.

Analysis and specification of information security requirements

We maintain and provide the information security required by our customers under the Information Security Basic Policy and the Cloud Service Security Basic Policy.
As specifications of information security functions mainly considered by customers, this document describes the following items.

  • Access control functions (Restricted access to information, Hardening virtual machines)
  • Communication encryption (Policy for using cryptographic controls)
  • Backup (Data backup)
  • Logging (Event log acquisition)

Policy for development with security in mind

As part of our security-conscious development policy, we address security risks and vulnerabilities from the time of development, and conduct third-party vulnerability assessments and penetration tests upon release.

Handling security in agreements with suppliers

Roles and responsibilities for Ventana are defined in the Terms of Use, under which we provide the service. Regarding the boundary of responsibility for this service, please refer to “3. Boundary of responsibility between Pocketalk and Ventana customers.”

ICT supply chain

We understand the information security standards of the cloud service providers we use and confirm that they are consistent with our own information security.
Ventana uses GCP as its cloud service provider.

Please see below for the GCP compliance status.
https://cloud.google.com/compliance

Responsibilities and procedures

In the event of a security incident that significantly impacts Ventana users (data loss, prolonged system outage, etc.), we will, in principle, inform you via email within 72 hours. For inquiries regarding security incidents, please contact privacy@pocketalk.com.

Reporting information security events

We will inform you by email.
For individual inquiries, please contact privacy@pocketalk.com.

Gathering evidence

If there is a legitimate disclosure request based on law, such as a request for disclosure from a court, customer data may be disclosed to the relevant organization without the customer’s consent. Furthermore, if a major incident occurs for a customer and log information is needed for the purpose of investigating the situation, we will conduct an investigation using access logs from the past 13 months in response to the customer’s inquiry.
Please contact privacy@pocketalk.com.

Identification of applicable laws and contractual requirements

Regarding the use of Ventana, the applicable law is “Japanese law.”
Regarding various laws and regulations related to Ventana, we follow the relevant laws and regulations management guidelines and strive to comply with the laws and regulations.

Intellectual property right

Intellectual property rights are defined in the Terms of Use.

Record protection

For details on protecting records, please refer to “Event log acquisition”.

Regulations for encryption functions

For information on the use of encryption, please refer to the “Policy for using cryptographic controls”.
Ventana does not utilize any encryption technology that is subject to export controls.

Independent review of information security

Our company conducts internal audits and management reviews to maintain and improve information security.