TRUST CENTER

Employee Awareness

At Locus Robotics, security resilience starts with people. Our top-down approach to security awareness education creates a holistic culture across all technical and non-technical departments. Employee awareness is the foundation for secure processes, practices, and technologies.

Assurance

Based on a principle of mature foundations, we build security into everything from our cloud customer portal to our robots executing instructions. We leverage the latest methods of encryption (in transmission and at rest). We continuously monitor the effectiveness of our controls, taking a continuous compliance assurance approach to mitigate risk across the product and service lifecycle.

Learn how to Secure Autonomous Mobile Root Deployments in the Workplace

Security Incident Preparedness

Locus Robotics acknowledges and continuously prepares for security incidents through education and awareness efforts, and building security into our work processes and product. Our leadership established and practices Incident Response processes, based on industry standards, to ensure proper decision making steps are known and followed. We analyze and respond to events with the key priority to protect our customers from any impact of an event.

Our Guiding Principles: 

• Our enterprise privacy and data protection framework is guided by global privacy regulations, including the General Data Protection Regulation (GDPR) and we comply with all applicable data privacy laws in the US and countries in which we operate. 

• We aim to be transparent with you about our policies and practices when it comes to the way we collect, process, and secure your data in our day-to-day operations. 

• We invest continuously in our infrastructure and processes to provide our customers with robust and secure systems. 

• We monitor the global regulatory landscape and adjust our program to meet new requirements as needed.  

• We promote a culture of respect for, and thoughtful consideration of, privacy and personal data protection throughout Locus Robotics. 

Should you have questions about our privacy programs, please feel free to contact us at [email protected]. 

To exercise your privacy rights, you may submit a request at https://locusrobotics.com/company/trust-center/dsar  

SOC 2 Type II

Locus Robotics has achieved SOC 2 Type II compliance certification. Our public-facing SOC 3 report can be viewed here. The attestation is a confirmation of the suitability of the design and operating effectiveness of our internal controls stated for the scope of the report. Locus Robotics provides reasonable assurances that our service commitments and system requirements are achieved based on the trust services criteria relevant to security, availability, confidentiality and processing integrity set forth in the TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Vendor Risk Management

To ensure a high level of customer service, a strong security foundation, and reliable business continuity, Locus Robotics has implemented a Vendor Risk Management process to evaluate third-party service providers that we partner with.  The evaluation process considers: Cloud Architecture, Authentication, Application Security, Data Security, Privacy, Internal Controls, Certifications, and other security practices that add to a strong security program and dependable customer service. 

Sustainability

As a technology leader, we actively support driving sustainability across all aspects of our business – from manufacturing to deployment, support, and maintenance. We are also committed to recycling nearly 100% of components at the end of the useful life of the LocusBots. 

The typical lifespan for a LocusBot would be typically five to seven years, given technology evolution. However, with our refurbishing processes, the life span of our LocusBots extends well beyond this period.

One key aspect of our company is our Robots as a Service (RaaS) model. Since customers do not own the LocusBots, we maintain the robots in the field sustainably. When contracts change or grow, we can quickly refurbish, repurpose, and redeploy robots to new facilities or regions. No robots go to waste.

The four major components in the LocusBots are ABS plastic, metal casings, batteries, printed circuit boards, and related electronics. Because the useful life of each component varies, we work hard to refurbish and repair components vs. replacing them. Recycling is only done when we are unable to refurbish or repurpose a component or part.

Reliability

Locus Robotics Business Continuity and Disaster Recovery (BCDR) program maintains current available business operations and facilitates the efficient restoration of business operations due to a large-scale disruption. The BCDR program helps ensure critical business functions continuously operate and support customer services without disruption.

The BCDR program includes the main three components, as well as annual program testing, including the coordination and monitoring of restoration efforts when activated.

• Business Continuity Plan – The BCP includes a comprehensive set of instructions and tasks that must be completed upon an impactful business disruption. The BCP identifies key stakeholders and their responsibilities, defines communication and documentation requirements, and details plan activation and deactivation steps and authorities.
• Business Impact Analysis –The BIA evaluates the critical business functions and applications that support business operations and customer services.
• Disaster Recovery Plans – For each critical business function identified in the BIA, product and service teams maintain a disaster recovery plan that lists, in order, the technical processes required to bring business operations back into a fully operational state. The two core processes involved in maintaining a recoverable operational environment are backups and redundancy. 

We have implemented robust disaster recovery protocols designed to maintain operational continuity, no matter the challenge. Our approach is rooted in proactive planning and continuous evaluation, utilizing advanced monitoring systems and redundant infrastructure to safeguard against disruptions.

Our commitment to availability encompasses every layer of our operations. We regularly test and refine our disaster recovery plans, ensuring that our systems are not only resilient but capable of rapid recovery in the event of an incident. By employing automated failover mechanisms and strategic data replication, we minimize downtime and protect critical data, keeping our operations and your business running smoothly.

Locus Robotics' dedication to availability is not just about maintaining uptime; it's about delivering reliability that our partners can depend on. Through continuous improvement and rigorous testing, we provide the assurance that our systems will remain available, securing your operations against the unexpected.

To maintain a secure environment for protecting data confidentiality and integrity, Locus Robotics updates operating systems, firmware, software applications, and utilities in response to detected vulnerabilities.

Purpose of Path Management Policy

Locus Robotics’ Patch Management Policy creates a risk mitigation framework for the continuous and consistent updating of technical assets with regular security updates and patches, including:

• Operating systems
• Firmware
• Software applications
• Utilities

Scope of Patch Management Policy

Patches are usually released for three reasons:

• To fix faults in an application or operating system.
• To alter functionality or to address a new security threat.
• To change or modify the software configuration to make it less susceptible to attacks and more secure.

Two of the main core goals of patch management and systems updates include:

1. Supporting the processing of changes related to vulnerabilities as described in the Vulnerability Management Standard and,
2. Enabling traceability of changes related to vulnerabilities as described in the Vulnerability Management Standard, which should be possible through proper execution of the process described below in the Patching Procedure and Exceptions section.

As part of its Patch Management Policy, Locus Robotics secures its Corporate environment and the Product environment, including technical assets managed as part of a customer’s Robotics-as-a-Service (RaaS) environment.

Patching Prioritization

We use the following factors when prioritizing patch management activities:

• Common Vulnerability Scoring System (CVSS) severity score
• Value of critical business assets affected
• Likelihood of exploitation
• Patch’s or update’s potential impact on asset’s operation

Priority

• To determine patching timeframes, we use a risk matrix that considers:
• Asset type
• Application/risk criticality
• Patch priority
• Estimated time of completion

Risk matrix:

Patch Testing

Patch testing is typically performed based on the significance of:

• The issue(s) the Patch attempts to address
• Resource value

Although Locus Robotics works to limit business disruptions or other issues, patches can sometimes cause unintended consequences for some dependent systems since third-party vendors and patch management services/tools often test them in generic situations. 

Patch Preparation

Unforeseen complications may arise from a patch, which can cause issues like:

• Leaving devices unusable
• Cascading issues across other IT systems or software

Prior to applying any patch, responsible parties should ensure they implemented recovery strategies and rollback plans such as, but not limited to:

• A full system backup  performed prior to the installation of the update.
• A full data backup  performed prior to the application of the update.

Automated and Manual Patching

Whenever possible, the patch management process should be automated to reduce staffing burdens and ensure prompt application through the system environment. 

In some cases, patches and updates require manual intervention. Whenever this occurs, scheduled maintenance windows must be planned and approved by the appropriate asset owner. 

Patching Procedure and Exceptions

The patching procedure includes the following key steps:

• Engaging in vulnerability assessment
• Creating an asset inventory for technical assets
• Regularly scanning for vulnerabilities
• Reviewing vulnerability alerts
• Authentication patches for integrity 
• Scanning downloaded patches with an anti-virus/malware tool
• Testing patches prior to full implementation
• Adhering to the enterprise change management policy
• Performing audits to ensure patches applied and function as expected

Patching exceptions fall into three categories:

1. Failed Patches: Updates and patches that are unable to be installed correctly despite multiple attempts.
2. Unreasonably Disruptive Patches: Updates and patches that will cause critical business processes to be disrupted in an unacceptable manner if installed.
3. Unnecessary Patches: Patches or updates that enable or fix unneeded or unwanted features that are not security related.

When Locus Robotics or a customer chooses to create an exception within one of these categories, the mitigation plans must include:

• Details regarding affected systems 
• Details regarding the urgency of the unpatched vulnerability
• Strategy for mitigation and how it addresses the unpatched vulnerability.

Review and approval of mitigation and exception lists will follow the appropriate change management processes and review. 

It is the policy of Locus Robotics to implement security measures and controls to protect the information systems environment and the privacy and confidentiality of protected information, to include financial, business, or other sensitive information for the Organization. 

By adopting continuous security best practices, Locus Robotics ensures that risks are continuously addressed, evaluated, and mitigated. Our continuous risk assessment process covers the entire lifecycle of the Locus business and operational processes. We consider risks to data, people, processes and technologies.

CE Mark (EU and Australia)

The CE mark affirms our product’s conformity with European regulations regarding health, safety and environmental protections.

CE Marking on a product is a manufacturer’s declaration that a product meets the applicable health, safety, and environmental requirements outlined in the appropriate European product legislation and has undergone the relevant conformity assessment procedure.  CE marking is compulsory for most products covered under the EU’s New Approach Directives and is necessary for the free movement of products within the European market.

Regulatory Compliance Mark (RCM)

The Regulatory Compliance Mark (RCM) is a trademark owned by the electrical regulator (Regulatory Authorities (RAs). 

The move to one single mark helps reduce red tape for the industry and save costs. This mark represents compliance, and the removal of the need to track and mark equipment with unique approval/certificate numbers saves time and money. 

Ongoing Data Inventory

As part of Locus Robotics compliance and privacy programs, on an annual basis, Locus Robotics reviews all the data that is captured, utilized, and stored.  Our ongoing data inventory process includes the following actions:

• Mapping data processed – illustrating the data actions and associated data elements for systems and services.
• Documenting the categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried.  
• Mapping the data actions of the systems/products/services are inventoried.
• Confirming the data processing environment is identified (e.g., geographic location, internal, cloud, third parties).

Data Governance

Data governance is where data security and privacy converge for a holistic approach to mitigate risk. We enforce the principle of least privilege, giving the least amount of data access to users that they need to complete their job functions. We rigorously monitor user access with regular reviews to ensure comprehensive protection across the entire user identity lifecycle. Our data governance processes and practices cover the entire data lifecycle from creation to destruction.

Data Risk Assessment

A Data Protection Risk Assessment process that determines the threats to your regulatory protected and sensitive data. We identify and categorize your data according to the severity of the risk involved and take the steps required to mitigate the risks and ensure continuous protection and compliance.