STARTAPP INFORMATION SECURITY
[Last Updated: 20 April, 2018]
StartApp Inc. (“Company”) takes information security seriously. This information security overview and policy (“Security Policy”) applies to the safeguarding of users’ Personal Data (as defined by applicable legislation, including the EU General Data Protection Regulation, “GDPR”) processed or collected in connection with the delivery of the Company’s various services, apps, advertising network and platforms (“Service(s)”).
The Company has established a comprehensive information and cyber security program which all employees and personnel need to comply with, including the Company’s customers and business partners. The Company has implemented the technical and organizational measures below to protect the Personal Data processed by it against loss, unlawful acts and destruction, alteration, unauthorized disclosure or access, etc.
The Company has prepared this Security Policy to provide you with a summary of the security measures and policies it maintains when providing the Services and thereafter.
Physical and System Access Control
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
The Company secures any physical access to facilities that contain Personal Data, such as the Company’s offices and server centers. The Company secures access to its offices using advanced biometric technology to ensure that solely authorized persons have access. Further, an alarm system is installed in the premises which is activated at all times during non-working hours. The Company’s servers are located in protected facilities in which physical access is controlled by professional security staff.
In addition, when Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner. The Company’s servers are protected by security systems and measures meeting industry best standards, among others: SOC2, SOC3, PCI-DSS and ISO 27001 (as well as FISMA, DIACAP, FedRAMP, DOD CSML, ISO 9001/ISO 27001, SOC1/SSAE 16/ISAE, etc.).
The systems are also password protected, and solely authorized employees may access the systems by using a designated password.
The Company balances its approach towards physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.
Data Access Control
Access to the Personal Data is restricted solely to employees with a “need to know” and is protected by passwords and user names. Access to the Personal Data is secured by VPN and is tightly managed by access control policies. The Company uses high-level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database, and any unauthorized access is immediately reported and handled.
Organizational and Operational Security
It is the responsibility of individuals across the organization to comply with these practices and standards. The Company educates its employees and raises awareness of risk and assessment with regard to any processing of Personal Data. Internal security testing is performed on a regular basis.
The Company’s IT team ensures the security of all hardware and software available within the Company by measures such as: installing anti-malware software on computers to protect against malicious use and malicious software (additional controls may be implemented based on risk), virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, use of secured email transfer, etc.
The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of the data or during its transport or storage in the applicable data center. The Company prevents any unneeded creation of copies and has incorporated prevention of non-digital output transmission of the data sets (including the Personal Data). Further, any access to the Personal Data from beyond the Company network is solely possible by means of secured VPN access.
Personal Data and raw data are all deleted as soon as possible or as legally applicable.
Employees and data processors have all signed applicable and binding agreements, all of which include applicable data provisions and data security obligations. Further, as part of the employment process, employees undergo a screening process applicable per regional law. Employees are bound to follow the Company’s policies and procedures, and breaking or not following these will result in disciplinary actions up to and including termination based on local law. In addition, the Company holds annual compliance training which includes data security education.
THE INFORMATION SECURITY, LEGAL, PRIVACY AND COMPLIANCE DEPARTMENTS WORK TO IDENTIFY REGIONAL LAWS AND REGULATIONS APPLICABLE TO THE COMPANY’S COMPLIANCE. MECHANISMS SUCH AS THE INFORMATION SECURITY PROGRAM, PRIVACY COUNCIL, INTERNAL AND EXTERNAL REVIEWS OR ASSESSMENTS, INTERNAL AND EXTERNAL LEGAL COUNSEL CONSULTATION, INTERNAL CONTROLS ASSESSMENT, INTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENTS, CONTRACT MANAGEMENT, SECURITY AWARENESS, SECURITY CONSULTING, POLICY EXCEPTION REVIEWS AND RISK MANAGEMENT COMBINE TO DRIVE COMPLIANCE WITH THESE REQUIREMENTS. THIS SECURITY POLICY MAY BE UPDATED FROM TIME TO TIME, ACCORDING TO ANY APPLICABLE LEGISLATION OR INTERNAL POLICIES.