Wochit Information Security Policy
Last Updated: June 27, 2018
Wochit, Inc. (“Company”, “we” or “us”) takes information security seriously and has created this security overview and policy (“Security Policy”) to disclose its practices in safeguarding Personal Data processed through our services (“Service(s)”). We have implemented the below technical and organizational measures to protect the Personal Data, processed by us, against loss, unlawful acts and destruction, alteration, unauthorized disclosure or access, etc.
As part of our GDPR compliance process, we have prepared this Security Policy to provide you with a summary of the security measures and policies we maintain. Further, we require our partners and employees to comply with these standards and implement the same security measures when working with us.
THIS SECURITY POLICY OUTLINES THE COMPANY’S CURRENT SECURITY PRACTICES AS OF THE “LAST UPDATED” DATE INDICATED ABOVE. WE WILL KEEP UPDATING THIS POLICY FROM TIME TO TIME, AS REQUIRED BY APPLICABLE LAWS AND OUR INTERNAL POLICIES.
SYSTEM ACCESS CONTROL
Company’s database is accessible only by a minimal number of Company employees and personnel, and only from within the Company office. The personal data processed and stored by Company is based on cloud services, and access is granted through personal user authentication. Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected, and only authorized employees may access the systems, using designated password and user name protections.
PHYSICAL ACCESS CONTROL
The Company secures any and all physical access to its offices. The Company secures access to its offices and ensures that solely authorized persons, such as employees, have access. All visitors and non-company persons who visit the Company facilities are accompanied by Wochit employees at all times. Company works with Amazon Web Services datacenter as its main storage processor; therefore, if you need more information, Company recommends that you review Amazon’s security policy available here. When the Personal Data is transferred to the applicable servers, it is always done in a secure and encrypted manner. Further, the Company has entered into applicable and binding data processing agreements with its vendors and customers.
DATA ACCESS CONTROL
All access to a database, system or storage is solely with authorization hierarchy and password protection. Further, the access to the Personal Data is restricted solely to the employees that “need to know” and is protected by passwords and user names. Access to the Personal Data is secured and is highly managed by access control policies. The Company uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database and any authorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Company has an ongoing review of which employees have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company educates its employees and service providers, consultants and contractors and raises awareness, risk and assessment with regards to any processing of Personal Data. Internal security testing is done on a regular basis. Company’s IT team ensures security of all hardware and software by installing anti-malware software on computers to protect against malicious use and malicious software, as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, the use of secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.
The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Further, any and all transfers of the data (either between the servers, from client side to server side and between Company’s designated partners) are secured (HTTPS) and encrypted. Furthermore, Personal Data regarding employees which is transferred is transferred solely through Excel files which include password protection.
The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are performed to determine that the backups have occurred. Company has ensured all documents, including without limitation, agreements, privacy policies, online terms, etc. are compliant with the GDPR. Our legal team has ensured our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR.
Personal Data and raw data are all deleted as soon as possible or legally applicable.
Employees, customers, vendors and applicable processors have all signed binding agreements, all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training to ensure they are well educated and responsible to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaking or not complying with such shall result in disciplinary actions. To ensure the employees stay educated and up to date with applicable policies and legislation, the Company holds annual compliance training which includes data security education.