INFORMATION SECURITY POLICY
[Last Updated: 17 May, 2018]
Upclick Malta Limited dba Upclick (“Upclick”, “Company” or “we”) is committed to providing transparency regarding the security measures which
it has implemented in order to secure and protect Personal Data (as defined under the EU General Data Protection Regulation (Regulation 2016/679
This information security policy (“Security Policy”) outlines the security measures deployed by the Company as of the “Last Updated” date indicated above. We will update this Security Policy from time to time, as required by applicable laws and our internal policies.
As part of our GDPR compliance process (available at: www.upclick.com/gdpr) and our PCI compliance (all systems are PCI DSS Level 1 Service Provider certified), we have implemented technical, organizational and monitoring protections and established an extensive information and cyber security program covering all Personal Data processed by the Company. The Company uses best efforts to ensure that its employees comply with this Security Policy.
System Access Control
Access to all data processing systems is solely via the Company’s user authentication systems.
Only specifically designated personnel have access to these systems. The systems administration network is reachable only from the office, over a private dark-fibre link to the data centre; it is not accessible from the internet. All access to the administration network is encrypted (VPN and TLS 1.2) and authentication is multi-factor. Authentication to each system uses a username and password unique to each employee or contractor, issued by a separate domain controller dedicated to that environment. In line with PCI DSS Level 1 requirements, default accounts are disabled, password controls are enforced, and all system access is subject to manual and ongoing monitoring. Upclick has implemented stringent measures to ensure that Personal Data is protected.
Data Access Control
Access to Personal Data is restricted to those employees who require it. Employees are trained and tested on the security of Personal Data. The database is accessible only to database administrators and senior developers. All Company systems are maintained in PCI DSS Level 1 Service Provider compliance.
Physical Access Control
All Company systems are housed in a locked cage at a colocation facility. Entry to the facility requires a biometric (fingerprint) check together with an access card. On entry, the 24/7 security operator verifies the individual’s identity and logs the entry and exit. Inside the facility, a key is required to open the cage padlock. All doors and corridors are under video surveillance, and all surveillance footage is retained by the Company for a minimum of three months.
Transfer Control
The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during electronic transmission or while in transit to the applicable data centre. Customer data is not transferred anywhere other than the Company’s database. Backups are sent offsite over a private link, and the offsite backup area is protected by access-card physical access control. Backup transmissions are encrypted: files are encrypted and transferred over SFTP, IPNs are sent over TLS 1.2, and API access is tokenized.
Availability Control and Purpose Control
The Company maintains a disaster recovery site at a separate geographic location, ready to continue operations in the event of a system failure or security breach. This site is visited annually by a certified QSA (Qualified Security Assessor). Database backups sent offsite are transferred solely over a private link; the offsite backup area is protected by access-card physical access control, and backup transmissions are encrypted as described under transfer control. Test environments do not process or use real data.
Personal Data, as well as raw data, is deleted as soon as possible or as soon as legally required.
Employees and data processors have all signed applicable and binding agreements, each of which includes data protection provisions and data security obligations. As part of the employment process, employees undergo screening in accordance with applicable regional law. Employees are bound to follow the Company’s policies and procedures; violations result in disciplinary action up to and including termination of employment. An employee is not granted access to Personal Data until the Company is satisfied that the employee is adequately trained and can be trusted to handle Personal Data securely where required. In addition, the Company holds annual compliance training that includes data security education.
The Company has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the GDPR. Our Legal team works continuously to keep our legal documentation updated to reflect any changes and to include the mandatory Processor provisions required by Article 28 of the GDPR.
THE INFORMATION SECURITY, LEGAL, PRIVACY AND COMPLIANCE DEPARTMENTS WORK TO IDENTIFY REGIONAL LAWS AND REGULATIONS APPLICABLE TO THE COMPANY’S COMPLIANCE. THEREFORE, THIS SECURITY POLICY MAY BE UPDATED FROM TIME TO TIME, ACCORDING TO ANY APPLICABLE LEGISLATION OR INTERNAL POLICIES.