Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons
The product-specific measures are described in the corresponding Product Fact Sheet(s). This may include details such as pseudonymization and encryption, back-ups, firewalls, anti-virus information and more.
In addition to this:
1. Information Security Program. We will maintain an information security program designed to: (a) enable You to secure Your Customer Data against accidental or unlawful loss, access or disclosure, and (b) minimise physical and logical security risks to the relevant Access Product(s), including through regular testing. We will designate one or more employees to coordinate and be accountable for the information security program.
Our information security program will include the following measures:
1.1. Logical Security.
A. Aspire Digitel Group Controls. We will make Aspire Digitel Group Product(s) accessible only to authorised personnel, and only as necessary to maintain and provide the services. We will maintain access controls and policies to manage authorisations for access to the Aspire Digitel Group Product(s) from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. We will maintain access controls designed to: (i) restrict unauthorised access to data; and (ii) segregate each customer’s data from other customers’ data.
B. Restricted User Aspire Digitel Group. We will: (i) provision and restrict user access to the Aspire Digitel Group Product(s) in accordance with least privilege principles based on personnel job functions; and (ii) require review and approval prior to provisioning access to the Aspire Digitel Group Product(s) above least privilege principles, including administrator accounts.
C. Vulnerability Assessments. We will perform regular external vulnerability assessments and penetration testing of the Aspire Digitel Group Product(s), and will investigate identified issues and track them to resolution in a timely manner.
D. Application Security. Before launching new Aspire Digitel Group Product(s) and/or significant new features of existing Aspire Digitel Group Products, We will perform application security reviews designed to identify, mitigate and remediate security risks.
E. Change Management. We will maintain controls designed to log, authorise, test, approve and document changes to existing Aspire Digitel Group Products, and will document change details within Our change management or deployment tools. We will test changes according to Our change management standards prior to migration to production. We will maintain processes designed to detect unauthorised changes to the Aspire Digitel Group Product(s) and track identified issues to a resolution.
F. Data Integrity. We will maintain controls designed to provide data integrity during transmission, storage and processing within the Aspire Digitel Group Product(s). We will ensure there is the ability to delete Your Customer Data from the Aspire Digitel Group Product(s).
G. Business Continuity and Disaster Recovery. We will maintain a risk management program designed to support the continuity of Our critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Our provision of the services (“BCP Event”). The Business Continuity Program includes a three-phased approach that We will follow to manage BCP Events:
a. Activation & Notification Phase. As We identify issues likely to result in a BCP Event, We will escalate, validate and investigate those issues. During this phase, We will analyse the root cause of the BCP Event.
b. Recovery Phase. We assign responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected services.
c. Reconstitution Phase. Our leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the services and/or Aspire Digitel Group Product(s) have been restored. Following such confirmation, We may conduct a postmortem analysis of the BCP Event.
H. Incident Management. We will maintain corrective action plans and incident response plans to respond to potential security threats. The incident response plans will have defined processes to detect, mitigate, investigate, and report security incidents. Our incident response plans include incident verification, analysis, containment, data collection and problem remediation.