This information security policy (″Information Security Policy″) summarizes Company′s security practices.
The Company has implemented, technical and organizational safeguards, and established a comprehensive information and cyber security program. The aforementioned is all in order to protect the Personal Data processed by the Company against unauthorized access thereto.Company takes best efforts in order to ensure its employees, as well as its clients, comply with its security protocols and this Information Security Policy.
Persona.ly ensures the protection of the physical access to the servers and facilities that store the Personal Data on Persona.ly′s behalf. Persona.ly has chosen the reputable Amazon and Digital Ocean, as its main cloud storage providers. Some of the Personal Data collected by Persona.ly is stored in the AWS data servers, for more information regarding the data security provided by AWS, please see:https://aws.amazon.com/security/.
Furthermore, some of the Personal Data collected by Persona.ly is stored in the Digital Ocean′s data servers, for more information regarding the data security provided by Digital Ocean, please see:https:/www.digitalocean.com/security/.
Further, Persona.ly secures the physical access to its offices using a passcode to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitor, etc.) can access Persona.ly′s offices. The Persona.ly′s offices include fire and smoke alarms in place. All data backups are stored in data safes protected from fire and water.
The access to Persona.ly′s systems is restricted, based on protections implemented therein in order to ensure appropriate approvals, as well as safeguards related to remote access and wireless computing capabilities. Solely permitted IP addresses as well as authorized services have access to the Persona.ly system.
The systems are protected and solely authorized employees may access the systems by using a designated password. Each employee has a private password that allows access or use related to the Personal Data according position, and solely to the extent such access or use is required. There is constant monitoring of the access to the systems as well as real-time authentication protocols.
Persona.ly restricts the access to the Personal Data solely to its employees which have requirement to access it, all in order to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. The access to the Personal Data, as well as any action performed involving the use of the Personal Data requires a password and user name, which is routinely replaced, as well as blocked when applicable.
The user password is fully encrypted. The Company takes commercial reasonable precautions to prevent any SQL injections.
In addition, all of the Company′s databases are isolated from the applicable source where the data is collected. Each employee is able to perform actions solely according to the permissions determined by Persona.ly. Each access is logged and monitored, and any unauthorized access is automatically reported.
Further, Persona.ly is regularly reviewing its employees′ authorizations, to assess whether they are necessary and revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual Authorization profiles. Specific security measures are in place to prevent an individual from attaining an overly powerful leading role through the concentration of various combined roles and access rights.
Persona.ly is investing efforts and resources in order to ensure cross organization compliance with its security practices, as well as continuously provides employees training in this regard. The Company strives to raise awareness to the risk involved in the processing of Personal Data. In addition, Persona.ly implemented applicable safeguards for its hardware and software, including firewalls and anti-virus software on applicable Company property in order to protect against malicious software as well as any intrusions to the Company′s systems.
The Company does not transfer any Personal Data outside of the Company′s datacenters. Backup files are checked with checksums daily and stored on a local disk. In order to minimize the risk of Personal Data being accessed by unauthorized third parties during an electronic transmission, Persona.ly has implemented applicable safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data.
Personal Data and raw data are all deleted at the time it is no longer required to provide the Persona.ly Services, all in accordance with applicable laws.
All of Persona.ly′s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In addition, employees undergo a screening process applicable per regional law.
In the event of a breach of an employee′s obligation or noncompliance with Persona.ly′s policies, applicable disciplinary actions are taken, including without limitation termination. In addition, prior to Persona.ly′s engagement with third party contractors, Persona.ly reviews such third party′s security policies, specifically information data security policies. Third party contractors may solely access the Personal Data as explicitly instructed by the Persona.ly.
Furthermore, the destruction of Personal Data following termination of the engagement is included within the engagement between the parties. In addition, to the extent applicable, Persona.ly’s partners are required to execute an applicable Data Processing Agreement.
The Company has a backup concept which includes daily backups that has a named individual as fully responsible for the backups. Periodical checks are preformed to determine that the backup have occurred. There is an emergency plan in place in which the steps to be implemented are described and determined, including which persons particularly on the side of a contractor, to the extent applicable, or a Company employee are to be notified of an incident. Regular controls of the condition and labelling of data storage devices for data security. The existence and regular examination of emergency generators and overvoltage protection devices. In addition, permanent monitoring of all data backup operational parameters. Moreover, devices are in place to monitor the temperature and humidity in server rooms which host backups, at all times.
Our incident response program is managed by our most experienced backend engineers and product team members to ensure the response is swift and addresses the challenges presented by each incident. The following teams are likely relevant for data-related incidents:
These teams are all well equipped to identify, isolate, resolve and remedy any potential data breach or similar challenging situations. The product team will mostly act as a coordinator between the three other teams to ensure all ends are covered and that any potential damage is communicated accurately.
When an incident is declared, one of the following stakeholders will act as the incident commander, based on general load at the time of the incident:
The incident commander will select key personel from the relevant developer/Ops teams to form a response team and will then delegate responsibilities between them. The following diagram represents an example setup of a response team:
Incident Response Process
In case of a data incident the main goal of the respons team is to protect our data, ensure service is not interuppted, and to meet compliance requirements. The steps described in the following table describe how these goals are achieved but the incident response team.
|Identification||Detection||Scripts that were written ahead of time to detect vulnerabilities or possible issues are ran automatically on a daily basis, and manually by the various team members in cases of pre-determined vulnerabilities.|
|Reporting||Any issues found while running the aforementioned scripts are reported back to all potential incident commander and one is selected to lead the incident response team based on general load.|
|Coordination||Prioritization||The incident commander, together with the team leads:|
|Response team engagement||The assigned Incident response team evaluates incident and response effort.|
|Resolution||Investigation||The Incident response team gathers all facts about the incident, it’s cuase, the extent of damange, etc.|
|Remedy and recovery||The incident commander defines immediate steps to complete the following:|
|Quarterly Meetings||All relevant and potential incident response team members meet on a quarterly basis to discuss ans assess current procedures, and put new ones in place if required.|
The following sections describe each step in more detail.
Early identification is crucial for handling icidents well and in a timely manner. Our on-call DevOps personnel is required to monitor automatic vulnerability checks and relevant metrics captured by our backend as the first and foremost layer of detection, but other tools and processes are placed as well. Here’s the a full list of them:
When the on-call DevOps team member detects an incident, he will evaluatle the nature of the incident and provide all the relevant data to the potential incident commanders to decide if a response team setup is required.
After confirmation, the selected incident commander will decide whether to gather the relevant team leads and assemble the response team or handle the issue directly with the on-call DevOps, depending on its severity.
Many aspects of our response depend on the assessment of severity, which is based on key facts that are gathered and analyzed by the incident response team. These key facts include the following:
The incident commander and other leads periodically re-evaluate these factors during quarterly meetings.
At the resolution team, the hands-on part of the incident response team (comprised of a senior backend developer, a senior DevOps team member and the MLOps lead) will focus on:
Efforts will be made to restore data to its original state as soon as possible, depending on the particular incident.
As soon as it is determined that customer data was affected, a notification will be sent to any customer that had it’s data impacted in any way. The issue would be first communicated in simple terms to inform the client of the apparent issue, and after it’s resolution, a longer form email including the root cause, details of the incident, and the steps take to mitigate future risks would be sent to the affected clients.
As soon as the data incident is successfully remedied, the incident response team meets in order to collect and log any lessons learned, and if any critical issues are raised the required changes to the relevant code or information security procedures become the highest priority tasks in our development roadmap and their development is monitored carefully till their successful deployment.
Even when incidents don’t occur, all relevant members of the Persona.ly team gather for a quarterly assesment of our current protocols and procedures in relation to data incidents to ensure they are up to date and that the team is in sync in case of any future incidents.
We conduct yearly data-secuity awareness training company wide, even for team members without any or with limited access to our databases in order to reduce any potential future incidents.
Data and information security is crucial to our success and to our clients trust in our capabilities. We continually invest in making sure our protocols are up to date and that our team has the expertise required to respond effectively to any potential threats or incidents.
This Information Security Policy is an overview of Persona.ly security practices and may be updated from time to time, according to any applicable laws as well the company′s internal policies. The updated date at the top of the Information Security Policy will be reflected in the ″last updated″ heading.