Information Security Policy

[Last Updated: September 17, 2018]

Vitalerter LTD (“Company” or “we”) is committed to provide transparency regarding the security measures which it has implemented in order to secure and protect Personal Data (as defined under the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”)) processed by the us for the purpose of providing its services.

This information security policy (“Security Policy”) outlines the Company’s current security measures deployed by the Company as of the “Last Updated” date indicated above. We will keep updating this Security Policy from time to time, as required by applicable laws and our internal policies. Definitions herein shall have the meaning as set forth under the GDPR or in our Privacy Policy. 

As part of our GDPR compliance process, we have implemented, technical organizational monitoring protections, and established an extensive information and cyber security program, all with regards to Personal Data processed by Company. 

System Access Control
Access to all data processing systems is solely via Company’s user authentication systems. Only a portion of specific personnel has access to systems. All access to Company’s systems admin network are available solely from the office going through a private, dark fibre, link to the data centre. Authentication to each system is through a user-password, unique to each employee or personnel and from a different domain controller dedicated to such environment. Password control and manual and ongoing monitoring on all system access. 

Data Access Control
The access to the Personal Data is restricted to solely the employees that are required to receive access. Employees are educated with regards to security of the Personal Data. 

Physical Access Control
Vitalerter ensures the protection of the physical access to the data servers which store the Personal Data and works exclusively with Microsoft Azure, as its main cloud storage to host the Personal Data (for additional information regarding Microsoft Azure Security see here). 

Transfer Control
The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of data or during their transport in motion, to the applicable data center (i.e., HTTPS). Transmission of data during backups is encrypted. 

Availability Control and Purpose Control
The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated weekly backups. Periodical checks are preformed to determine that the backup have occurred. 

Data Retention
Personal Data as well as raw data are deleted as soon as possible or as soon as legally required.

Job Control 
Employees and data processors are all signed on applicable and binding agreements all of which include applicable data provisions and data security obligations, including our applicable partners. Employees are bound to comply with the Company’s policies and procedures and violations shall result in disciplinary actions up to and including termination of employment. An employee will not gain access to the Personal Data until the Company has trust that the employee is well educated and responsible to handle the Personal Data, in a secure manner. Company has ensured all documents, including without limitations, agreements, privacy policies online terms, etc. are compliant with the GDPR. Our Legal team is busy ensuring our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR. The security, legal, privacy and compliance departments work to identify regional laws, regulations applicable to Company’s compliance. Therefore, this Security Policy may be updated from time to time, according to any applicable legislation or internal policies.