Persona.ly Information Security

[Last Updated: 8 May, 2018]

Persona.ly (″Persona.ly″ ″Company″ or ″we″) is fully committed to provide its clients and users transparency regarding the security measures which the company has implemented in order to secure and protect Personal Data (as defined under applicable law, including the (i) EU General Data Protection Regulation (Regulation 2016/679) (″GDPR″); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to) processed by the Company for the purpose of providing its services as detailed in Persona.ly′s Privacy Policy.


This information security policy (″Information Security Policy″) summarizes Company′s security practices.


The Company has implemented, technical and organizational safeguards, and established a comprehensive information and cyber security program. The aforementioned is all in order to protect the Personal Data processed by the Company against unauthorized access thereto.Company takes best efforts in order to ensure its employees, as well as its clients, comply with its security protocols and this Information Security Policy.



    Security Topics
  • Physical Access Control
  • System Access Control
  • Data Access Control
  • Organizational and Operational Security
  • Transfer Control
  • Data Retention
  • Job Control
  • Availability Control
  • Data Incident Response
  • Updates
Physical Access Control

Persona.ly ensures the protection of the physical access to the servers and facilities that store the Personal Data on Persona.ly′s behalf. Persona.ly has chosen the reputable Amazon and Digital Ocean, as its main cloud storage providers. Some of the Personal Data collected by Persona.ly is stored in the AWS data servers, for more information regarding the data security provided by AWS, please see:https://aws.amazon.com/security/.


Furthermore, some of the Personal Data collected by Persona.ly is stored in the Digital Ocean′s data servers, for more information regarding the data security provided by Digital Ocean, please see:https:/www.digitalocean.com/security/.


Further, Persona.ly secures the physical access to its offices using a passcode to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitor, etc.) can access Persona.ly′s offices. The Persona.ly′s offices include fire and smoke alarms in place. All data backups are stored in data safes protected from fire and water.

System Access Control

The access to Persona.ly′s systems is restricted, based on protections implemented therein in order to ensure appropriate approvals, as well as safeguards related to remote access and wireless computing capabilities. Solely permitted IP addresses as well as authorized services have access to the Persona.ly system.


The systems are protected and solely authorized employees may access the systems by using a designated password. Each employee has a private password that allows access or use related to the Personal Data according position, and solely to the extent such access or use is required. There is constant monitoring of the access to the systems as well as real-time authentication protocols.

Data Access Control

Persona.ly restricts the access to the Personal Data solely to its employees which have requirement to access it, all in order to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. The access to the Personal Data, as well as any action performed involving the use of the Personal Data requires a password and user name, which is routinely replaced, as well as blocked when applicable.


The user password is fully encrypted. The Company takes commercial reasonable precautions to prevent any SQL injections.


In addition, all of the Company′s databases are isolated from the applicable source where the data is collected. Each employee is able to perform actions solely according to the permissions determined by Persona.ly. Each access is logged and monitored, and any unauthorized access is automatically reported.


Further, Persona.ly is regularly reviewing its employees′ authorizations, to assess whether they are necessary and revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual Authorization profiles. Specific security measures are in place to prevent an individual from attaining an overly powerful leading role through the concentration of various combined roles and access rights.


As a safety measure for preventing unauthorized access or preventing loss of Personal Data, the employees of the Company are prohibited from storing any Personal Data, either 1st or 3rd party (i.e. other advertising platforms), on the organizational or personal devices.

Organizational and Operational Security

Persona.ly is investing efforts and resources in order to ensure cross organization compliance with its security practices, as well as continuously provides employees training in this regard. The Company strives to raise awareness to the risk involved in the processing of Personal Data. In addition, Persona.ly implemented applicable safeguards for its hardware and software, including firewalls and anti-virus software on applicable Company property in order to protect against malicious software as well as any intrusions to the Company′s systems.

Transfer Control

The Company does not transfer any Personal Data outside of the Company′s datacenters. Backup files are checked with checksums daily and stored on a local disk. In order to minimize the risk of Personal Data being accessed by unauthorized third parties during an electronic transmission, Persona.ly has implemented applicable safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data.

Data Retention

Personal Data and raw data are all deleted at the time it is no longer required to provide the Persona.ly Services, all in accordance with applicable laws.

Job Control

All of Persona.ly′s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In addition, employees undergo a screening process applicable per regional law.


In the event of a breach of an employee′s obligation or noncompliance with Persona.ly′s policies, applicable disciplinary actions are taken, including without limitation termination. In addition, prior to Persona.ly′s engagement with third party contractors, Persona.ly reviews such third party′s security policies, specifically information data security policies. Third party contractors may solely access the Personal Data as explicitly instructed by the Persona.ly.


Furthermore, the destruction of Personal Data following termination of the engagement is included within the engagement between the parties. In addition, to the extent applicable, Persona.ly’s partners are required to execute an applicable Data Processing Agreement.

Availability Control

The Company has a backup concept which includes daily backups that has a named individual as fully responsible for the backups. Periodical checks are preformed to determine that the backup have occurred. There is an emergency plan in place in which the steps to be implemented are described and determined, including which persons particularly on the side of a contractor, to the extent applicable, or a Company employee are to be notified of an incident. Regular controls of the condition and labelling of data storage devices for data security. The existence and regular examination of emergency generators and overvoltage protection devices. In addition, permanent monitoring of all data backup operational parameters. Moreover, devices are in place to monitor the temperature and humidity in server rooms which host backups, at all times.

Data Incident Response

Our incident response program is managed by our most experienced backend engineers and product team members to ensure the response is swift and addresses the challenges presented by each incident. The following teams are likely relevant for data-related incidents:


  • DevOps
  • Data Product Team
  • Java Backend Team
  • MLOps

These teams are all well equipped to identify, isolate, resolve and remedy any potential data breach or similar challenging situations. The product team will mostly act as a coordinator between the three other teams to ensure all ends are covered and that any potential damage is communicated accurately.


Team organization


When an incident is declared, one of the following stakeholders will act as the incident commander, based on general load at the time of the incident:


  • The product team lead
  • The company′s CTO
  • The company′s CEO

The incident commander will select key personel from the relevant developer/Ops teams to form a response team and will then delegate responsibilities between them. The following diagram represents an example setup of a response team:


Setup Team Diagram

Incident Response Process


In case of a data incident the main goal of the respons team is to protect our data, ensure service is not interuppted, and to meet compliance requirements. The steps described in the following table describe how these goals are achieved but the incident response team.


Incident stepGoalDescription
IdentificationDetectionScripts that were written ahead of time to detect vulnerabilities or possible issues are ran automatically on a daily basis, and manually by the various team members in cases of pre-determined vulnerabilities.
ReportingAny issues found while running the aforementioned scripts are reported back to all potential incident commander and one is selected to lead the incident response team based on general load.
CoordinationPrioritizationThe incident commander, together with the team leads:
  • Assess the severity of the incident.
  • Assigns the relevant personel to the incident response team.
Response team engagementThe assigned Incident response team evaluates incident and response effort.
ResolutionInvestigationThe Incident response team gathers all facts about the incident, it’s cuase, the extent of damange, etc.
Remedy and recoveryThe incident commander defines immediate steps to complete the following:
  • Stop the ongoing damage.
  • Fix the technical issue causing the incident.
  • Restore affected services to normal.
Communication
  • Key facts are evaluated to determine whether a notification to clients is required.
  • The incident commander develops a communication plan with the appropriate leads.
ClosureLessons learned
  • Incident response team retrospects on incident and the response efforts taken.
  • If required, the Incident commander will designate owners for long-term improvements.
Improving Incident
Response Procedures
Quarterly MeetingsAll relevant and potential incident response team members meet on a quarterly basis to discuss ans assess current procedures, and put new ones in place if required.

The following sections describe each step in more detail.


Identification


Early identification is crucial for handling icidents well and in a timely manner. Our on-call DevOps personnel is required to monitor automatic vulnerability checks and relevant metrics captured by our backend as the first and foremost layer of detection, but other tools and processes are placed as well. Here’s the a full list of them:


  • Automated and manual log analysis: automated analysis of the logs output by our vulnerability detection scripts along with daily manual review of access logs by the on call DevOps team member helps identify suspicious, abusive, or unauthorized activity and escalates to potential incident commanders.
  • The DevOps team
  • Internal code reviews: code review can help detect vulnerabilities, design flaws, and verifies if key security controls are implemented.
  • several

Coordination


When the on-call DevOps team member detects an incident, he will evaluatle the nature of the incident and provide all the relevant data to the potential incident commanders to decide if a response team setup is required.


After confirmation, the selected incident commander will decide whether to gather the relevant team leads and assemble the response team or handle the issue directly with the on-call DevOps, depending on its severity.


Many aspects of our response depend on the assessment of severity, which is based on key facts that are gathered and analyzed by the incident response team. These key facts include the following:


  • Potential for harm to customers and Persona.ly
  • Nature of the incident (whether data was damanged, accessed, or became unavailable)
  • Type of data that might be affected
  • Impact of the incident on the operations teams′ ability to use the service
  • Status of the incident (isolated, continuing, or contained)

The incident commander and other leads periodically re-evaluate these factors during quarterly meetings.


Resolution


At the resolution team, the hands-on part of the incident response team (comprised of a senior backend developer, a senior DevOps team member and the MLOps lead) will focus on:


  • Limiting the impact of the incident and resolving any immediate risks if they still exist
  • Isolating the root cause for the issue
  • Remedying the affected systems and services and implementing fixes if required.

Efforts will be made to restore data to its original state as soon as possible, depending on the particular incident.


As soon as it is determined that customer data was affected, a notification will be sent to any customer that had it’s data impacted in any way. The issue would be first communicated in simple terms to inform the client of the apparent issue, and after it’s resolution, a longer form email including the root cause, details of the incident, and the steps take to mitigate future risks would be sent to the affected clients.


Closure


As soon as the data incident is successfully remedied, the incident response team meets in order to collect and log any lessons learned, and if any critical issues are raised the required changes to the relevant code or information security procedures become the highest priority tasks in our development roadmap and their development is monitored carefully till their successful deployment.


Continuous improvement


Even when incidents don’t occur, all relevant members of the Persona.ly team gather for a quarterly assesment of our current protocols and procedures in relation to data incidents to ensure they are up to date and that the team is in sync in case of any future incidents.


We conduct yearly data-secuity awareness training company wide, even for team members without any or with limited access to our databases in order to reduce any potential future incidents.


Summary


Data and information security is crucial to our success and to our clients trust in our capabilities. We continually invest in making sure our protocols are up to date and that our team has the expertise required to respond effectively to any potential threats or incidents.


Updates

This Information Security Policy is an overview of Persona.ly security practices and may be updated from time to time, according to any applicable laws as well the company′s internal policies. The updated date at the top of the Information Security Policy will be reflected in the ″last updated″ heading.

Ready to go?

Lets take your app to the next level.