Plume Trust Center

At Plume, we are committed to providing trusted consumer experiences to our customers by protecting the security, privacy, and availability of their data.

Deployed in million+ locations

Security

Plume is dedicated to the security of our products and services. We focus on security so our customers can focus on growing and innovating their services while empowering consumers to elevate their smart home experience. Plume has earned two certifications from the International Standards Organization (ISO): ISO27001 and ISO27701.  ISO certifications are widely considered the gold standard certifications for protecting information and the systems through which that information is handled. If you have questions about Plume’s information protection programs or have experienced an information security event related to Plume’s services, please contact us at security@plume.com.

  • Plume integrates security into the product development lifecycle, following industry recognized frameworks such as OWASP SAMM. Security assessments are conducted as part of the release process. Plume’s goal is to ensure our software and firmware are designed and built securely from the ground up.
  • Security training is designed to help our employees identify, address and mitigate security threats.
  • Plume’s service providers undergo a security risk assessment as part of Plume’s Third Party Risk Management program. This program includes review of each such third party’s compliance with law.
  • Plume uses  NIST best practice frameworks to protect services and NIST standards to encrypt customer data in storage and communication between the consumer premise equipment and mobile/web applications to the cloud.
  • Network segregation and role-based access control is used to restrict unauthorized data access.
  • Data permissions are configured using the principle-of-least-privilege to limit access to only those who need it for a specific business purpose.
  • Access to production data is monitored, logged, and audited.
  • If you have questions about Plume’s information protection programs, have experienced an information security event related to Plume’s services or want to submit a vulnerability disclosure, please contact us at security@plume.com.
  • You can expect to receive an acknowledgement in 5 business days as well as periodic updates on progress during the confirmation of the security issue.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the process.

Privacy

Plume is committed to protecting individuals’ privacy. Plume’s commitment is realized by a privacy governance program guided by these core privacy principles:

  • Lawfulness, Fairness and Transparency: Processing of personal information is transparent and fair.
  • Purpose Limitation: Personal information is processed for specific, explicit, and legitimate purposes that are disclosed to the individuals and not further processed in a manner inconsistent with those disclosed purposes.
  • Data Minimization: Personal information is processed as reasonably necessary for the purposes for which the personal information was collected.
  • Accuracy: Plume strives to maintain personal information as accurate, up-to-date and complete.
  • Storage Limitation: Personal information is stored only as long as necessary for the purpose for which it was collected.
  • Integrity and Confidentiality: Plume protects the security and confidentiality of personal information through appropriate technical and organizational measures. See Plume’s ISO 27701 certification.

Plume’s privacy governance program includes these key practices:

  • Plume describes in its privacy policies the rights and choices that individuals may have with respect to personal information and how to exercise those rights.
  • Plume’s employees participate in privacy awareness training designed around organizational, contractual and regulatory requirements.
  • Plume incorporates privacy-by-design and privacy-by-default controls in the product development Lifecycle.
  • Plume has procedures for preventing, detecting and remediating any unauthorized access, use, unavailability or disclosure of personal information.
  • Plume’s suppliers and vendors that handle personal information are subject to binding commitments that establish their roles and limitations in processing that personal information.
  • Plume conducts periodic self-assessments to identify gaps in its privacy governance program and establish measures for eliminating the identified gaps and establishing best practices.
  • Plume takes measures to retain personal information for the duration necessary to fulfill the disclosed purposes unless a different retention period is required by customer agreements or law.
  • Plume services are hosted and operated in multiple geographic regions. In some cases, Plume may transfer personal information across jurisdictional borders. For international transfers of personal information from the EEA, UK and Switzerland, Plume’s customer and supplier contracts include the Standard Contractual Clauses issued by the European Commission under decision 2010/87/EU (including the UK and Swiss addenda). Plume complies with applicable laws with respect to other personal information transfers when the destination jurisdiction does not ensure the same level of data protection as the jurisdiction from which the personal information originates.

Cloud

Using the power of the cloud, Plume services are designed to be secure, resilient and dynamically scalable. The operational status of our US cloud and EU cloud is publicly available.

  • The Plume cloud is architected to provide high availability and data redundancy.
  • The cloud infrastructure is built and operated using a shared responsibility model leveraging certified cloud provider services supplemented by organizational and technical controls.
  • Access to corporate resources are managed using controls such as Single-Sign-on (SSO), Multi-factor authentication (MFA) and VPN based remote access.
  • Systems are configured with minimum necessary services and changes are logged and monitored.
  • Anti-malware and intrusion detection systems are used to detect and respond to anomalous behavior and malicious activity.
  • Periodic assessments are performed to detect vulnerabilities in the environment which are then mitigated based on their risk using change management and incident response processes.

Compliance

Plume is continuously working to meet and exceed its regulatory compliance obligations Plume maintains a set of compliance certifications.

  • The ISO 27001 information security management system (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested internal and external parties that risks are adequately managed. 
  • ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  • The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers— is ISO 27001 certified

ISO27001: Security Information Management

  • The ISO 27701 privacy information management system (PIMS) is built on top of ISO/IEC 27001 and helps organizations reconcile privacy regulatory requirements. The standard outlines a comprehensive set of operational controls that can be mapped to various regulations, including GDPR, CCPA. Once mapped, the PIMS operational controls are implemented by privacy professionals and audited by internal or third-party auditors resulting in a certification and comprehensive evidence of conformity.
  • This standard specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
  • The Plume production cloud—covering business activities relating to operations, maintenance, and management of Plume’s smart home consumer experience cloud platform for communications service providers and consumers—is ISO 27701 certified.

ISO27001: Security Information Management

"Plume has a great track record with some of the largest service providers around the world and we are really excited that, through our partnership, we are able to bring this premium experience to our members and their customers."

Jared Baumann, Vice President of Broadband Solutions NCTC

CSP Partners

plume partners and logos