Viisights Solutions Ltd. (“Company” or “we”) is committed to providing transparency regarding the security measures and policies which it has implemented in order to secure and protect personal data and personal identifying information (together “Personal Data“), all as defined under applicable data protection law, including without limitation the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) (all collectively defined herein as the “Data Protection Regulation”).
This information security policy outlines the Company’s security, technical and organizational practices.
As part of our data protection compliance process we have implemented technical, physical and administrative security measures to protect the Personal Data, including upholding the standards of the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) and the GDPR technical and organizational measures (TOM) requirements.
The Company ensures the protection of physical access to the data servers which store the Personal Data. The data processed by the Company as a Processor (as such term is defined under the GDPR) may be stored on any cloud of its customers’ choosing including, but not limited to, Amazon Web Services (AWS), Google Cloud Platform and Microsoft Azure. Please see AWS’s security measures here, Google Cloud Platform’s security measures here and Microsoft Azure’s security measures here. Further, the Company secures physical access to its offices (i.e. alarm systems, code locks) and maintains records of any physical access to the protected Personal Data in order to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices.
The Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities of the Company’s Personal Data to ensure the confidentiality, integrity, and availability of electronic Personal Data. The Company applies periodic testing of its policies in order to ensure that the Company can cope with the occurrence of any disaster or emergency. The Company’s office is equipped with fire detectors, fire extinguishers and other applicable measures for the event of a natural disaster.
Access to the Company’s database is highly restricted in order to ensure that solely the appropriate, previously approved personnel can access the Company’s Personal Data. Safeguards related to remote access and wireless computing capabilities are implemented therein. Employees are required to comply with the Company’s password policy when composing a password in order to allow strict access to or use of Personal Data, all in accordance with their position, and solely to the extent such access or use is required. There is constant monitoring of access to the data and of the passwords used to gain login access. The Company uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute force attack.
There are restrictions in place to ensure that access to the Personal Data is restricted to employees who have permission to access it. Any permission is granted by the Company’s authorized personnel. The Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Access to the Personal Data, as well as any action performed involving the use of the Personal Data, requires a user name and password, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, the Company conducts an ongoing review of which employees have authorizations, to assess whether access is still required. The Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
The Company invests a multitude of efforts and resources in order to ensure compliance with the Company’s security practices, and continuously provides employees with on-going training and periodic updates regarding the Company’s security procedures. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including web content filtering, firewalls and anti-virus software (“Protection Measures”) on applicable Company hardware, software or employees’ computers, in order to protect against viruses, worms, Trojan horses or any other malicious software. The Protection Measures cannot be deactivated by any user other than the Company’s cyber security officer, and only in accordance with the Company’s policies.
Except for transferring data to our business partners, the Company does not transfer any Personal Data outside of the Company’s cloud servers. All transfer of Personal Data between the client side and the Company’s servers is protected using encryption and safeguards. The Company’s servers are protected in accordance with industry standards. Furthermore, the destruction of Personal Data following termination of the engagement is included within the contract between the parties. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement, all in accordance with applicable laws.
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S.
We ensure any data transfer is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfer, and we contractually sign a Data Processing Agreement which incorporates the Standard Contractual Clauses (“SCCs”), which remain a valid data export mechanism and which automatically apply in accordance with our Data Processing Agreement.
Over the coming months, we anticipate that EU data protection regulators will issue additional guidance on the CJEU decision, including what the supplementary measures could consist of for those transferring data in reliance on the SCCs. In addition, the current form of the SCCs was written before the GDPR went into effect and will be updated at some point in time. We will continue to keep a close eye on forthcoming guidance to stay up to date and assess whether we need to make any changes to our existing practices.
The Company reviews all of its products for commonly known vulnerabilities, including those identified by the Open Web Application Security Project (OWASP) and critical or high severity vulnerabilities in the National Vulnerability Database (NVD), and remediates or otherwise mitigates any such vulnerabilities. In addition, the Company deploys appropriate safeguards and tests in order to ensure that the Company’s products do not circumvent or bypass, in whole or in part, any third-party security feature.
Job Control
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions binding them to comply with the Company’s policies, in particular the computer security policy. In addition, employees undergo a screening process as applicable per regional law. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies repercussions to ensure compliance with the policies. In addition, prior to the Company’s engagement with third party contractors, the Company reviews such third party’s security policies, specifically their information and data security policies, to ensure they comply with the Company’s standard for data security protection. Third party contractors may solely access the Personal Data as explicitly instructed by the Company.
Viisights is exerting considerable resources to ensure secure code and infrastructure for all of its products. If you believe that you have found a security vulnerability in any of our products, please report it to us straight away via e-mail to firstname.lastname@example.org. Please be sure to include a brief description, detailed steps to reproduce and what the impact might be.
We encourage responsible disclosure, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across, avoiding violating the privacy of any person or degrading our offerings. Please provide Viisights reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.