Wochit Information Security Policy
Last Updated: October 28, 2021
TECHNICAL AND ORGANISATIONAL MEASURES
(I) GENERAL BACKGROUND:
This Technical and Organizational Measures sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.
The following policies are maintained by the Company in order to ensure the measures set forth above, the policies are updated on an ongoing basis and reviewed annually for gaps:
- Information Security
- Security Incident Response
- Vulnerability Management
- Policy Management and Maintenance
- Data Request
- System Access
- Business continuance and disaster recovery
SYSTEM ACCESS CONTROL
Company’s database is accessible only by a minimal amount of Company employees and personnel, all accessible only from within the Company office. The personal data processed and stored by Company is based on cloud services and access granted through personal user authentication. Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards. The systems are also protected and solely authorized employees may access the systems by using a designated password. In addition to password login, two-factor authentication (“2FA”) provides an added layer of security to Wochit database.
PHYSICAL ACCESS CONTROL
The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Company’s office (alarm system, security cards, CCTV, etc.) and the physical security measures taken by Company hosting providers. The Company secures access to its offices and ensures that solely authorized persons have access such as employees. All visitors which visit the Company facilities are accompanied by Wochit employees at all times. Company works with Amazon Web Services datacenter, as its main storage and hosting processor, Amazon’s security policy available here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
DATA ACCESS CONTROL
All access to a database, system or storage is solely with authorization hierarchy and password protection by two-factor authentication. Further, the access to the Personal Data is restricted to solely the employees that “need to know” and is protected by passwords and user names. Access to the Personal Data is secured and is highly managed by access control policies. The Company uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database and any authorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Company has ongoing review of which employees’ have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company educates its employees and service providers, consultants and contractors and raises awareness, risk and assessment with regards to any processing of Personal Data. Internal security testing is done on a regular basis. Further measures for internal IT and IT security governance and management have been taken and the Company’s IT team ensures security of all hardware and software by installing all updates needed, installing anti-malware software on computers to protect against malicious use and malicious software as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning, use secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.
Wochit conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Further, any and all transfers of the data (either between the servers, from client side to server side and between Company’s designated partners) is secured (HTTPS) and encrypted. Default encryption is implemented in transit and rest.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident were implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are preformed to determine that the backup have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster Wochit will be able to continue to provide the services.
Personal Data and raw data are all deleted as soon as possible or legally applicable. Usually the data is provided by the Customer for the purpose of providing the services by Wochit and is deleted upon termination of the contractual obligations. However, certain data, such as financial data is required to be retained for a longer period of time.
Employees, customers, vendors and applicable processors are all signed on binding agreements all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training to ensure he or she are well educated and responsible to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures and breaking or not complying with such shall result in disciplinary actions. To ensure the employees stay educated and up to date with applicable policies and legislation the Company holds annual compliance training which include data security education.
DATA SUBJECT REQUEST
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”), further, the Company has implemented internal policies to handle the DSR subject to applicable data protection laws and contractual obligations.
Company has ensured all documents, including without limitations, agreements, privacy policies online terms, etc. are compliant with the Data Protection Regulations, including by implementing Data Processing Agreement and where needed Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“Schrems II”), these measures include the following:
- encryption both in transit and at rest;
- As of the date of this DPA, Sentry has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
- No court has found Wochit to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- Wochit shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- Wochit shall use all available legal mechanisms to challenge any demands for data access through national security process that Sentry receives, as well as any non-disclosure provisions attached thereto.
- Wochit will will notify Customer if Wochit can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.