[Last Updated: 25 April, 2018]

Information security is of high importance to Cedato (“Cedato” or “we”) and we are committed to provide our business partners and users full transparency regarding the security measures we have implemented in order to secure Personal Data (as defined under applicable law, including the EU General Data Protection Regulation “GDPR”) processed or collected by us for the purpose of providing our services (“Service(s)”), as detailed in Cedato’s Privacy Policy.

Thus, we have implemented applicable safeguards, technical as well as organizational, and established a comprehensive information and cyber security program, in order to protect the Personal Data obtained by us against unauthorized disclosure or access, loss, destruction, alteration, etc.

We take commercial and administrative efforts in order to ensure our employees and personal, as well as our business partners, will comply with our security practices.

We have prepared this information security overview (“Security Policy”), which summarizes our security practices.

Physical and System Access Control

Cedato ensures the protection of the physical access to facilities that contain Personal Data, such as its serves.  For this end, Cedato has chosen the reputable IBM, as its main service provider. Cedato production system is shredded across multiple data centers located in the US and the EU, owned or operated by IBM, and subject to IBM’s strict security measures, which can be found here. Further, Cedato secures the physical access to its offices using passcode to ensure that solely authorized persons will access Cedato’s premises. Further, an alarm system is installed in the premises which is activated at all times during non-working hours.

The Access to Cedato’s systems is restricted, based on safeguards implemented in order to ensure appropriate approvals, as well as safeguards related to a remote access and wireless computing capabilities which are restricted and require that both user and system safeguards are in place. The systems are also protected and solely authorized employees may access the systems by using a designated password. Each employee is assigned with a private password that allows access or use related to the Personal Data according to its position, and solely to the extent such access or use are required.

Data Access Control

Cedato restrict the access to the Personal Information solely to its employees and personal that have the need to know or access in order to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. The access to the Personal Data, as well as any action performed involving the use of the Personal Data requires a password and user name, which is routinely replaced, as well as blocked when applicable. Each employee’s password is enabling to perform action solely according to the permissions determined by Cedato.  Each access is logged and monitored, and any authorized access is reported and handled as needed. Further, Cedato is regularly reviewing its employees’ authorizations to assess whether they are necessary and revokes access immediacy upon employment termination.

Organizational and Operational Security

Cedato is investing efforts and resources in order to ensure cross organization compliance with its security practices, as well as to routinely educate its personal regarding the importance of the security of Personal Data and to raise awareness to the risk involved in the processing of Personal Data. In addition, Cedato implemented applicable safeguards for its hardware and software, including firewalls and anti-malware software on applicable devices in order to protect against malicious use and malicious software.

Transfer Control

In order to minimize the risk of Personal Data being read, copied, modified or removed by unauthorized parties during an electronic transmission, Cedato have implemented applicable safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to its transfer. Further, any access to the Personal Data from beyond Cedato’s network is possible solely by means of a secured VPN access.

Data Retention

Personal Data and raw data are all deleted as soon as it is not required in order to provide the Services, or as soon as legally applicable.

Job Control

Cedato’s employees are required to sign on applicable provisions binding them to comply with applicable data security practices and confidentiality. Further, employees undergo a screening process applicable per regional law. In the event of a breach of an employee’s obligation or noncompliance with Cedato’s policies, applicable disciplinary actions including termination when needed. In addition, prior to Cedato’s engagement with third party contractors, Cedato is giving significant weight to diligence considerations, with particular regard to data security. The third-party contractor’s authorized actions with respect to its access to Personal Data are explicitly detailed, as well as the destruction of Personal Data following termination of the engagement. In addition, Cedato’s partners are being signed on an applicable Data Processing Agreement.