INFORMATION SECURITY POLICY
[Last Updated: 14 June, 2018]
Intango Ltd. (“Company”, “we” or “us”) takes information security seriously and has created this security overview and policy (“Security Policy”) to disclose its practices in safeguarding Personal Data processed through our services (“Service(s)”). We have implemented the below technical and organizational measures to protect the Personal Data, processed by us, against loss, unlawful acts and destruction, alteration, unauthorized disclosure or access, etc.
As part of our GDPR compliance process we have prepared this Security Policy to provide you with a summary of the security measures and policies it obtains, further, we require our partners and employees to comply with these standards and implement the same security measures when working with us.
THIS SECURITY POLICY OUTLINES THE COMPANY’S CURRENT SECURITY PRACTICES AS OF THE “LAST UPDATED” DATE INDICATED ABOVE. WE WILL KEEP UPDATING THIS POLICY FROM TIME TO TIME, AS REQUIRED BY APPLICABLE LAWS AND OUR INTERNAL POLICIES.
System Access Control
Company’s database and big-data is accessible only by a hand-full of people directly via SQL queries, all accessible only from either within the Company office or via VPN access, given to certain certified personnel.
Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards. The systems are also protected and solely authorized employees may access the systems by using a designated password and user name protections.
Physical Access Control
The Company secures any physical access to its offices and server centers. Personal computers are locked in cabinets when not in use. The Company secures access to its offices and ensures that solely authorized persons have access such as employees and visitors. The offices are protected by a physically guarded surveillance system as well as a guard at the lobby. The servers are located in a protected facility, in which the physical access is controlled by professional security staff. We work with IBM SoftLayer datacenter, as its main storage processor, therefore if you need more information we recommend to review IBM’s security policy available here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner. Further, the Company has entered in to applicable and binding processing agreements with each service provider.
Data Access Control
The access to the Personal Data is restricted to solely the employees that “need to know” and is protected by passwords and user names. Access to the Personal Data is secured and is highly managed by access control policies. The Company uses high level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database and any authorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Company has ongoing review of which employees’ have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
Organizational and Operational Security
The Company educates its employees and service providers, consultants and contractors and raises awareness, risk and assessment with regards to any processing of Personal Data. Internal security testing is done on a regular basis. Our IT team ensures security of all hardware and software by installing anti-malware software on computers to protect against malicious use and malicious software as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning, use secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.
The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Thus, any access to the Personal Data from beyond the Company network is solely possible by means of a secured VPN access. Further, any and all transfers of the data (either between the servers, from client side to server side and between Company’s designated partners) is secured (HTTPS) and encrypted.
Personal Data and raw data are all deleted as soon as possible or legally applicable.
Employees, partners and applicable processors are all signed on binding agreements all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training to ensure he or she are well educated and responsible to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures and breaking or not complying with such shall result in disciplinary actions. To ensure the employees stay educated and up to date with applicable policies and legislation the Company hold annual compliance training which include data security education.
The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are preformed to determine that the backup have occurred.
Company has ensured all documents, including without limitations, agreements, privacy policies online terms, etc. are compliant with the GDPR. Our Legal team is busy ensuring our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR.