SECURITY POLICY OVERVIEW
[Last Amended: January 17, 2021]
BIG Cyber, LLC (“Company” or “we”) is committed to providing transparency regarding the security measures and policies which it has implemented in order to secure and protect Personal Data and Personal Information (as such terms are defined under applicable data protection law, including without limitation the Australian National Privacy Principles in the Privacy Act 1988 (“APP”), the European Union General Data Protection Regulation (“GDPR”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the California Consumer Privacy Act (“CCPA”)). Personal Data and Personal Information are collectively referred to herein as “Personal Data”.
This Security Policy Overview outlines the Company’s security, technical and organizational practices.
As part of our data protection compliance process we have implemented technical, physical and administrative security measures to protect Personal Data, including the GDPR Technical Organizational Measures (“TOM”) requirements.
Physical Access Control
The Company ensures the protection of physical access to the data servers which store the Personal Data. The Personal Data processed by the Company is stored within Google Cloud. Furthermore, the Company secures physical access to its offices (e.g., alarm systems, code locks, etc.) and maintains records of any physical access to the protected Personal Data, in order to ensure that only authorized individuals such as employees and authorized external parties (maintenance staff, authorized visitors, etc.) can access the Company’s offices.
Security Risk Analysis and Management
The Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities of the Company’s Personal Data to ensure the confidentiality, integrity, and availability of electronic Personal Data. The Company’s servers include an automated back-up procedure. The Company’s office is equipped with fire detectors, fire extinguishers and other applicable measures in the event of a natural disaster.
Access to the Company’s database is highly restricted in order to ensure that only appropriate, previously approved personnel can access the Company’s Personal Data. Safeguards for remote access and wireless computing are also in place. Employees are required to comply with the Company’s password policy when creating a password, so that access to or use of Personal Data is strictly limited in accordance with the employee’s position and only to the extent such access or use is required. Access to the data and the passwords used to log in are constantly monitored. The Company also uses electronic procedures that automatically terminate an inactive session.
Data Access Control
Restrictions are in place to ensure that access to the Personal Data is limited to employees and service providers who have permission to access it, and only on a “need to know” basis. The Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Access to the Personal Data, as well as any action performed involving the use of the Personal Data, requires a user name and password; passwords are routinely changed, fully encrypted and blocked when applicable. Each employee is able to perform actions only according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, the Company continuously reviews which employees have authorization to access Personal Data and whether such access is still required. The Company will revoke an employee’s access immediately upon his or her termination of employment. Authorized individuals can only access the Personal Data established in their individual profiles.
Organizational and Operational Security
The Company invests significant effort and resources in ensuring compliance with the Company’s security practices, and continuously provides employees with ongoing training and periodic updates regarding the Company’s security procedures. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including web content filtering, firewalls and anti-virus software (“Protection Measures”), on applicable Company hardware, software and employee computers, in order to protect against viruses, worms, Trojan horses and any other malicious software.
Except when we transfer data to our business partners, the Company does not transfer any Personal Data outside of the Company’s cloud servers. All transfers of Personal Data between the customer side and the Company’s servers are protected using encryption safeguards, and the Personal Data is encrypted prior to any transfer. The Company’s servers are protected in accordance with industry best standards. Furthermore, the destruction of Personal Data following the termination of the engagement is included within the contract between the parties.
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transferring Personal Data from Switzerland to the U.S. We ensure that any data transfer is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfer. Additionally, we contractually protect the Personal Data by signing a Data Processing Agreement that incorporates the Standard Contractual Clauses (“SCC”), which remain a valid data exporting mechanism and which automatically apply in accordance with our Data Processing Agreement. Over the coming months, we anticipate that EU data protection regulators will issue additional guidance regarding the CJEU decision, including what supplementary measures could consist of for those relying on the SCC to transfer data. In addition, the current form of the SCC was written before the GDPR went into effect and will be updated at some point in the future. We will continue to keep a close eye on any forthcoming guidance in order to stay up to date and to assess whether we need to make any changes to our existing practices.
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions obligating them to comply with the Company’s policies. In addition, employees undergo a screening process as applicable in accordance with regional law. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the employee will face the necessary consequences for his or her actions, all in accordance with the Company’s internal policies. In addition, prior to the Company’s engagement with third-party contractors, the Company reviews such third parties’ security policies, specifically their information and data security policies, to ensure that they comply with the Company’s standards for data security protection. Third-party contractors may only access the Personal Data as explicitly instructed by the Company.