Rooted Elm has put in place guidelines and procedures that our Partners, Employees, and Contractors must adhere to and aligns with the ISO 27001 standard. We frequently review our security processes and guidelines and ensure they are forward looking and enable us to quickly respond to any newly identified threats. Rooted Elm utilized the NIST Cyber Security Framework to measure our ability to detect, protect, respond, and recover from security events.
Rooted Elm will make all clients aware of any security incidents experienced by our systems or by our third-party partner systems within 24 hours of discovering or being made aware of the incident. If we determine that any personal identifiable information may have been accessed by unauthorized actors we will also provide affected clients with a copy of said data and ask that the client notify their customers of the breach within 48 hours of receiving the information from RootedElm. When a client fails to notify their customers within the specified time-frame, Rooted Elm will notify their customers directly and inform them.
All Laptops or Desktops used by Rooted Elm Partners, Employees, and Contractors are required to be a macOS device and are managed to permit remote locking and remote wiping of the device. Rooted Elm further restricts the devices to only permit the installing of Apple Developer signed apps on the machine. We also deploy Bitedefender to routinely scan for viruses and malware; and Little Snitch to monitor incoming and outgoing network connections.
When possible, Rooted Elm requires all Partners, Employees, and Contractors to utilize two factor authentication to access third party accounts and services. We further employ policies, when possible, to require passwords for all internal and external third-party service accounts to be a minimum length of 20 Characters which must contain 1 Capital Letter, 1 Lowercase Letter, 1 Number, and 1 Non-Alphanumeric Character.
Personnel & Training
Rooted Elm performs a vetting process on all Partners, Employees, and Contractors to ensure that everyone at all levels is helping to secure and protect your data. This process includes performing background checks, requiring the signing of confidentiality agreements, and requiring everyone stay up to date on any and neccesary training and certifications. As part of this all Partners, Employees, and Contractors are also—at a minimum—required to complete the Cyber Hygiene module from Salesforce Trailhead as well as to complete the FedVTE (Federal Virtual Training Environment) Cyber Essentials course yearly.
Data Storage & Processing
Rooted Elm only stores data in US-based data centers and make use of. We make use of our own hardware as well as cloud infrastructure provided by Cloudflare and Amazon AWS to securely store and serve data. Rooted Elm further makes use of TLS 1.2 to encrypt data in transit and utilize AES-256 encryption on data at rest.
Rooted Elm only uses state of the art data centers and cloud providers. Our Servers are located at data centers that are monitored 24/7 for security and performance. Physical access to these facilities are restricted via biometric, keycard, intrusion sensors, and round the clock surveillance both inside and outside the building. Each facility or partner facility is certified to a minimum of SOC 1 Type 1 & 2, SOC 2 Type 1 & 2, and SOC 3 compliance as well as ISO 27001, 27017, and 27018 certifications.
Rooted Elm employs a strategic plan that ensures little to no data loss. We require all Partners, Employees, and Contractors to work on macOS computers and enable local Hourly Physical Backups of all of their company data with Daily Backups being transmitted to Rooted Elm Servers.
Our Partners Security
Below are a list of the third party services we utilize to facilitate the delivery of your email marketing needs and links to their corresponding security information.
Salesforce Marketing Cloud
Used by clients and Rooted Elm to facilitate Marketing and Transactional email marketing, SMS text messages, as well as landing page web hosting. Data stored by Marketing Cloud will include Name, Email Addresses, Mobile Phone Numbers, and other data provided by our clients to help segment and personalize their messages to their customers.
More information about Salesforce Marketing Cloud security policies can be found at https://security.salesforce.com.
Used by clients and Rooted Elm to facilitate Marketing and Transactional email marketing. Data stored by Campaign Monitor will include Name,Email Address, and other data provided by our clients to help segment and personalize their messages to their customers.
Email Template and Message creation, storage, organization, and email analytics services utilized by Rooted Elm and our clients to better analyze and manage email marketing programs.
More information about Litmus security policies can be found at https://www.litmus.com/trust.
Data centers used by Rooted Elm to host our servers which serve our web pages, our clients custom landing page solutions, and archival storage of Rooted Elm data.
More information about Mac Stadium security policies can be found at https://www.macstadium.com/security.
Data services used by Rooted Elm to deliver our web pages and to protect against DDOS and other security risks related to our websites.
More information about Cloudflare security policies can be found at https://www.cloudflare.com/trust-hub/technologies.
Content Delivery Services used by Rooted Elm to help deliver images and font files used in emails and webpages. Data storage services are used to actively store and retrieve operational and archival data for Rooted Elm and our clients.
More information about Amazon AWS security policies can be found at https://aws.amazon.com/security.
Used by Rooted Elm to manage our Direct Email Messages to and from the rootedelm.com domain. Email messages directly sent by our Partners, Employees, and or Contractors will be stored and transmitted by Google.
More information about Google Workspace security policies can be found at https://workspace.google.com/security.
Used by Rooted Elm for all Virtual Meetings. Teams may store recordings of these meetings as well as logs of any chats that may occur as well. In addition to recordings and chat logs, Teams may also store certain documents and files shared by meeting participants.
More information about Microsoft Teams security policies can be found at https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview.
Any question or concern with our Security Policies; or to report a problem or potential vulnerability in our systems or those of our partners or clients should be addressed to:
Jason Meeker, Managing Partner
September 1, 2021