Snaile is the leader in Canada when it comes to parcel lockers. Working with leading Canadian companies such as Telus and Cadillac Fairview, Snaile must maintain industry leading data infrastructure, procedures, insurance, and numerous certifications like ISO27001 and fore ratings which benefits all Snaile’s customers, their customers, and stakeholders. Request access to Snaile’s Trust documentation here: https://trust.snaile.ca/
A Security Whitepaper
By Snaile Inc., 2021
Over the past few years, Canadian individuals and businesses have increasingly relied on the internet for daily activities. This trend was further accelerated in the context of the COVID-19 pandemic, with more Canadians than ever working, socializing, and shopping online. Consumers’ expectations of their parcel management systems continue to grow and extend to real-time notifications, access via their smartphone, and even the option to leave items in their locker for collection and return. At the same time, the number and sophistication of cyber threat actors have also been increasing. Modern parcel delivery solutions that receive and process data from multiple sources are no longer a luxury but indeed a necessity.
At Snaile, Canada’s Parcel Locker Company, we understand that the confidentiality, integrity, and availability of our products and services are of the highest priority to our customers. As a Canadian leader in the manufacturing of fully integrated smart parcel locker systems, we serve organizations across various industries, including pharmacies, retail outlets, multi-residential properties, school campuses, and much more. We fully grasp that we are not only asking these organizations to trust us with sensitive information in order to provide them with critical business communications, but we are also asking their customers to trust us with their personal information. In short, there is a lot at stake.
Without the right solution, companies run the risk of exposing their consumers’, as well as their own information. What’s more non-compliance to Canadian information standards and regulations could result in legal penalties and hefty fines in addition to tremendous losses of a financial nature, of competitive advantage, trust and reputation.
Security and privacy are, and always will be, challenging targets. As different threats and compliance standards emerge, organizations need to respond and to frequently assess their systems and practices. Information security is a key focus of Snaile’s and is a part of Snaile’s DNA. From our technology and processes, to individual stakeholders’ interactions with data and each other, it is front and center. We take a comprehensive approach to security and privacy, ensuring that every element of our customers’ data is safe, that our service in the cloud and on site is as secure as possible. Unlike many parcel locker solution providers, Snaile owns, develops, hosts, and maintains the software and hardware tied to our parcel delivery solution. This ensures that we have end-to-end control over the safety and security of our products and services and enables us to provide security assurance at every touchpoint.
This white paper outlines Snaile’s strategy and tactics in terms of cybersecurity. It also introduces our company’s cybersecurity practices including governance, compliance, security assessments, audits, and incident management, as well as plans for future cybersecurity milestones.
The state of cybersecurity today
Cybersecurity has been and is expected to continue to be a concern for Canadian organizations of all sizes. According to the National Cyber Threat Assessment 2020, cybercrime is the “threat that is most likely to affect Canadians and Canadian organizations.”
What is cybercrime?
Cybercrime is the theft of information by cyber threat actors. This information can include intellectual property, financial information and payment systems, data about customers, partners, and suppliers, and industrial plants and machinery. It is then usually held for ransom, sold, or used to gain an unfair competitive advantage.
Over the year prior to July 2020, cyber attacks increased for 99% of Canadian organizations. In a survey conducted by VMWare, Inc. 100% of the Canadian CIOs, CTOs, and CISOs interviewed said their “business has suffered a security breach in the last 12 months”. In fact, the average organization said they had more than one breach in the previous 12-month period.
How does this play out for residential buildings?
Around early April 2021, employees from Douglas Elliman Property Management in New York detected suspicious activities on their IT systems. An investigation uncovered that an “unauthorized party” had gained access to owners’ and employees’ personal data, including names, dates of birth, mailing addresses, social security numbers, driver’s license numbers, passport numbers, and financial information. This breach potentially affected thousands of individuals as the firm represented almost 400 properties with approximately 46,500 units. Management had to notify law enforcement and the FBI was involved. Subsequently, the firm set up a hotline to address questions from residents. They also offered a complimentary one-year membership to an identity theft prevention and credit monitoring service to the affected persons. Regardless of these costly remedial actions, the property management firm’s reputation took a major blow. With individuals’ information now potentially available for identity theft, fraud, and other malicious actions, the full extent of the consequences from this breach remains to be seen.
The data suggests that 1 in 5 Canadian organizations experienced cybersecurity incidents in 2020.The 2020 Cyberthreat Defense Report, which looks at cyber attacks across the globe, found that ransomware impacted over 70% of Canadian organizations within a year.  Even more alarming, more than 1 in 10 companies paid the ransom to their attackers. In 2020 alone, Canadian businesses paid an average of $400,000 towards ransomware attacks, with total costs including the ransom itself, downtime, specialist services, loss of business, and more.
Snaile Lockers’ End-to-End Cybersecurity Practices
With 80% of Canadian CEOs stating concerns over cybersecurity as a threat to growth,  our approach to security and privacy is proactive and comprehensive. Snaile’s cybersecurity policies cover our software, our hardware, the infrastructure that supports our platform, our internal processes, how we train employees, how we manage customer accounts and data, and how we engage with third-party vendors.
In tandem with Snaile’s risk-based management approach, we’ve defined and continuously monitor the following objectives:
• Identify and comply with the applicable Canadian laws, regulations, and contractual requirements.
• Protect Snaile’s information assets, as well as all information entrusted to us within our business activities.
• Ensure the security and reliability of our parcel lockers and the supporting infrastructure.
Canadian Governance, Compliance, and Trust
At Snaile, we believe that the security of our customers’ data is the responsibility of our entire organization. Security governance organization-wide is led by our Cybersecurity Governance Committee, comprised of the Chief Executive Officer (CEO), Chief Technology Officer (CTO), and Chief Information Security Officer (CISO). Our CISO is a dedicated, seasoned executive abreast of legal and best practice requirements for data privacy and security compliance in Canada. Meet Snaile’s CISO.
We recognize the importance of healthy cybersecurity and privacy management practices and support all activities that brings us closer to our commitment of delivering best-in-class security services. By adopting a compliance framework based on industry-recognized standards and cybersecurity management models, we’ve implemented security measures across our organization.
Since parcel lockers can send out emails or text messages to end users in order to supply locker pickup codes, it is important that those electronic messages follow Canada’s Anti-Spam Legislation (CASL). When CASL is not followed, telecommunication companies can block the text messages from going through their networks. Snaile not only follows current CASL requirements, but stays up to date to maintain this compliant status. We also are ISO-27001 compliant and 3rd party audited.
What is ISO-27001 certification?
ISO-27001 certification provides a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving Information Security Management Systems based on international standards set by subject-matter experts.
In the first quarter of 2022, Snaile will achieve SOC 2 certification. Aimed at Software-as-a-Service (SaaS) providers, this procedure is both an audit and requirement for technology-based service organizations with data stored in the cloud. It assures security, availability, processing integrity, confidentiality, and privacy in managing a company’s data to protect both the organization and its customers.  Snaile works with industry-leading external auditors to test our security controls, policy, plans, and other documentation for compliance with cybersecurity standards and best practices.
Whether it is ensuring the safety of customer data, providing robust digital lockers, or protecting our employees’ personal information, trust is at the core of everything we do. At Snaile, we pride ourselves on having a transparent model that demonstrates our full commitment to information security. In the event that anything goes wrong, our cyber insurance that protects our customers, their end-users, and Snaile. Our clients can rest easy knowing that they are protected with a Canadian policy that pays out in Canada for Canadian breaches, unlike U.S. policies that would not pay out in Canada if the data was not hosted inside Canada to begin with, not certified to commercial standards and compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Data Access, Security, and Operations
Snaile operates in a multi-tenant environment, utilizing logical isolation to separate resident data. Account authentication, logical database field separation, session management controls, and distinct encryption keys are implemented to restrict customer access to the data associated with their specific organization only.
System configuration and database snapshots are taken daily. All backups have the same protection in place as in production. All customer data is retained strictly during the contract period and securely deleted upon customer request or contract termination.
Access management is an important aspect of any cybersecurity management model. Snaile strives to enforce all stakeholder access on a strict need-to-know basis. Our staff have access to systems based on the principle of least privilege (PoLP). That is, each user is given the minimum level of access/permissions needed to perform their job functions. Whether the systems are development or production, each request must go through an approval process prior to being granted access based on the user’s role. Staff are required by policy to have strong passwords and multi-factor authentication for key systems. Access to production systems, specifically, is limited to what’s needed to support our applications exclusively. Our management team, led by Snaile’s CTO, reviews each user profile’s access to systems and data on a quarterly basis and removes all access that is no longer required. Access is also revoked upon termination of employment.
Snaile monitors all services for performance and malicious activity. We collect logs produced by networking devices such as firewalls, security services such as IDS/IPS, as well as services and devices present in the production environment. All events, as well as activity patterns, are reviewed for suspicious activity or performance degradation. Snaile is also currently developing a Business Continuity Plan, which includes a cybersecurity Incident Response Plan.
All Snaile staff members are required to review and complete security awareness training annually at the minimum. Created by leaders in security, the training course focuses on helping employees understand and identify key threats, as well as how data privacy and security play a part in their core responsibilities. Staff members can report suspicious activity to a dedicated security email inbox.
Our products are designed to provide a secure customer portal through which customers can manage their solution directly. System communications leverage both encryption in transit and at rest. All data in transit and at rest is secured using encryption mechanisms. Specifically, communications between the lockers and servers are encrypted using industry standard AES 256 encryption. Web communications to and from the application to the locker are encrypted using TLS 1.2 and newer encryption. All customer data stored within Snaile’s hosting environment is encrypted at rest, also with AES 256 encryption.
Additionally, customer access is securely controlled via role-based access so that Snaile customers’ administrators can easily:
• Add and remove users and consumers,
• Grant privileges and assign roles, and
• Manage consumer information.
Privacy and Information Security
Snaile’s internal procedures limit access to sensitive information to staff that have a need to know, as per PoLP. These protections also extend to the security of sensitive customer data with third-party contractors and suppliers.
We prioritize service providers who share the same corporate cybersecurity culture as Snaile. We require all third-party vendors to make security assertions and provide assurances similar to our own, with these assertions being enforced contractually. Snaile thoroughly reviews all third-party service providers and retains only those who comply with our security policies and practices. We also perform third-party vendor reassessments at least once per year.
Cloud data hosting location is an important factor when in comes to privacy. In Canada, there are specific laws and regulations that govern the protection of Personally Identifiable Information (PII). PII can include details such as names, cellphone numbers, addresses, and email addresses. It is strictly protected under PIPEDA, but data must be hosted in Canada to be compliant, for this law to apply, and for cyber insurance policies to pay out. Some locker suppliers, like those from the U.S. or Canadian companies reselling U.S. lockers, circumvent Canadian laws, leaving Canadians and their data unprotected by the very laws they rely on. Snaile recognizes the importance of privacy requirements for its customers and employees. Accordingly, all Snaile data is hosted in the Amazon Web Services (AWS) designated Canada Central Region out of Montreal, Quebec  Snaile has also completed a Privacy Impact Assessment. This determines how products and services could affect individual privacy as well as how the company avoids or lessens potential negative effects on privacy that might result.
Software and Systems Infrastructure
Snaile’s system has been designed and built with redundancy in mind. We utilize AWS as our primary cloud computing service provider due to its best-in-class security management practices and data center physical security. AWS guarantees scalability, availability, and quality of provided infrastructure, which is integral to Snaile’s commitment to deliver best-in-class security services.
To mitigate the potential loss of data or ransomware threats, Snaile’s AWS environment has been set up to take daily snapshots of our servers and databases. Our infrastructure is secured based on industry-recognized practices and is accessible only to a strict minimum, hand-picked IT professionals who perform administrative and maintenance activities.
Customers are never at the mercy of third parties with Snaile, as our software is proprietary. This means that Snaile controls both hardware and software, enabling us to support our customers end to end. This is in contrast to smart locker resellers who do not have access to the software source code and so cannot provide support for the software themselves. This is why the cost of Snaile’s competitors is often higher than Snaile because resellers have to markup the lockers they sell in order to make a profit and often have to deal with currency exchange rates.
Snaile uses code repositories and CI/CD processes in our development, which promote stability through added transparency and control, continuous integration, and continuous delivery. We also perform code reviews to ensure that we meet internal and security standards, as well as implement an automated CI/CD pipeline for integrated security, faster delivery, and scalable pipelines.  Snaile is an all-Canadian company with products that are fully supported, installed, and serviced from within Canada. Our parcel lockers are built Canada-tough (rated to -40C), electrically certified under Canadian regulations, and compliant with national PIPEDA laws to ensure data security. Snaile’s onsite Customer Integration Specialists are available to help our customers’ staff, their customers or their tenants, become acquainted with the smart locker system once activated. We also offer secure, instant, ongoing locker support via phone and web, as well as onsite service over the next business day.
Snaile’s products are as much about the software that facilitates their seamless operation as they are about the hardware. Hosted in Montreal, the Snaile Cloud App architecture consists of Defense in Depth (DiD) and Zero Trust principles designed to support confidential information exchange and processing. All configurations are continuously benchmarked against industry security standards and practices to guarantee production system integrity.
Various independent third parties perform annual vulnerability scanning and penetration testing exercises. Third-party penetration testing is a process through which an ethical hacking company attempts to break into the software. The third party then provides actionable remediation reports based on issues found. Snaile has invested in our security testing to include regular web application scanning and annual penetration testing on our infrastructure and application components. Any issues identified are given the highest priority of remediation. This enables us to provide a high level of assurance on our designed architecture and products offered.
Snaile maintains an inventory of assets, including laptops and servers, and software applications. Leveraging a number of solutions like TeamViewer, Azure and AWS, we regularly review our assets to detect and remedy potential unknown or unauthorized systems and software being brought into our environment. Managed Detection and Response (MDR) technology is installed on all Windows systems to mitigate virus and malware threats. Scheduled scans run routinely to discover and remove any detected malware.
Forging ahead towards a safer and more secure future, together
The future is filled with opportunities for Canadian businesses, along with cybersecurity challenges (whether current or unforeseen). This is especially true for organizations dealing with PII in their day-to-day operations. Canadians demand seamless access to their deliveries from lockers and rooms in condominiums, apartment blocks, high-rise towers, school campuses, and student housing. Users want to pick up their parcels from a secure location when they shop online, a trend which shows no signs of slowing down. However, increasingly sophisticated cyberthreats and malicious actors are threatening Canadian organizations’ ability to deliver on those expectations.
Snaile’s cybersecurity strategy and end-to-end cybersecurity practices allow us to focus on the confidentially, integrity, and availability of our system while maintaining the privacy of our customers’ information to the highest of standards. This commitment to security acknowledges and integrates a need to adapt and always strive for more. We aim to continuously improve Snaile security by:
• Continually educating staff about the importance of security and their role in assuring this security for the organization as a whole.
• Expanding our security testing to detect and remediate potential threats.
• Increasing our logging and monitoring to detect and remediate any suspicious activity.
• Pursuing relevant security certifications and compliance as standards and regulations change.
• Maintaining a culture of trust through transparency, both internally and with our customers.
We value ongoing improvement and will continue to be vigilant across all aspects of security and privacy. For a security-first parcel locker solution made for Canadian businesses, look no further than Snaile. To learn more about Snaile’s cybersecurity policies and measures, contact us at firstname.lastname@example.org.